A “user-up” approach would protect people as well as hardware and software
Today, Access called on [PDF] the Obama Administration to craft cybersecurity policies that better protect users’ security and privacy. Much of the Administration’s focus has been on funneling data to the government while increasing the military’s cybersecurity capabilities. Such policies put users’ rights on the chopping block by unnecessarily exposing their information to the government. Instead, Access called for a user-up approach to cybersecurity that recognizes that security and privacy are intertwined. The entire security ecosystem benefits from policies that protect people as well as hardware and software.
Access made the request in a comment submitted to the National Telecommunications and Information Administration (NTIA) as part of the Department of Commerce’s Internet Policy Task Force (IPTF). The Task Force was established to conduct a “comprehensive review of the nexus between privacy policy, copyright, global free flow of information, cybersecurity, and innovation in the Internet economy.” The IPTF requested comments to identify cybersecurity issues best addressed through a multistakeholder process.
In the submission, Access made the following four policy suggestions:
- evaluate the impact of any cybersecurity process on user rights, including privacy and freedom of expression;
- develop rules to support adoption of strong digital security tools and technologies, including end-to-end and device encryption;
- coordinate with companies on an education campaign instructing users on precautions to reduce the risk of malware and other malicious activities; and
- encourage international cooperation guided by principles such as due process, oversight, and transparency.
In the submission, Access further detailed the user-up approach to cybersecurity:
The user-up approach to cybersecurity, which implicates strong encryption, user education, and rapid fixes for vulnerabilities that put users at risk, seeks to improve the entire security ecosystem. It recognizes that no individual effort will provide a perfect solution, but instead that cybersecurity is a shared responsibility. Cooperation between users, companies, and the government is critical.
The Obama Administration has not yet made the commitment to protect users. A number of Administration officials have recently called for rules requiring technology companies to intentionally weaken encryption for law enforcement access. Companies, security experts, and civil society organizations have pushed back [PDF] over concerns that vulnerabilities will sacrifice security.
Access believes the IPTF effort is preferable to sweeping legislative or regulatory action that sacrifices user rights in the name of security. We look forward to working with the IPTF to establish policies that better protect the security of the security ecosystem while ensuring the internet remains a platform for users to exercise their rights.