ESA Talking Points on Encryption

Encryption Is Important, For Both Consumers and theVideo Game Industry

  • Our industry sits at the intersection of media and technology because of the nature of our product – we develop interactive software meant to entertain our consumers.
  • Like other industries that provide services and products to consumers, encryption plays acritical role in our offerings.
  • First, encryption plays a key role inprotecting consumer privacy including payment information in some instances.
  • Second, our member companies rely on encryption to maintain the integrity of corporate data and network security.
  • Third, encryption plays an important role in protecting the copyrighted content game publishers create.

How We Interact With Law Enforcement and Government on Investigative Matters

  • When ESA members receive valid legal process compelling the production of information that is available to them, they take appropriate actions to comply with those requests, in a manner consistent with their legal obligations to consumers.
  • Pursuant to those parameters, ESA and its members regularly interact with law enforcement agencies – ranging from the Department of Justice to the Department of Homeland Security – on a variety of issues, including cybercrime, fraud and intellectual property infringement.
  • Additionally, ESA members that make game consoles comply with U.S. Export Administration Regulations and prevent the sale of their game consoles to countries, entities and individuals when doing so is prohibited by applicable legal restrictions.

Creating “Back Doors” Will Not Increase the Ability to CatchBad Actors

  • Forcing companies to retain the ability to decrypt encrypted data, or to assist in the circumvention of their own encryption technology, will not stop bad actors. Instead, bad actors – and legitimate consumers alike –will migrate to more secureservicesoffered by foreign companiesthat are not subject to similar restrictions.
  • Also, bad actors may exploit the decryption capabilities that were initially designed to catch them.
  • Moreover, bad actorsoften use obscure communications channels to hide in plain sight through the use of public blogs, prepaid cell phones, etc. Degrading technological protections on secure networks and devices will not disruptthese techniques.

Degrading Encryption Represents the Wrong Approach

  • Weakening the ability to protect networks, data and devicesraises substantial national security and commercial concerns. Overseas hackers and state-sponsored cyber brigades have already launched successful attacks against the U.S. Government and leading firms. In the current environment, more protection is needed, not less.
  • Weakening encryption, even in pursuit of bad actors, would compromise the security of millions of Americans’data – particularly at a time when consumers are increasingly concerned about the security of their personal information and companies are doing everything they can to safeguard their networks from intrusion and data breaches.
  • Weakening encryption would undermine our ability to sell products and services in overseas markets, where consumers may be leery of participating in U.S.-operated video game networks if they fear their privacy might be at risk because of encryption workarounds.
  • The requirement to have any company break its own encryption undermines the cybersecurity ecosystem that companies like ESA’s members have been working hard to develop.
  • Encryption serves as a sturdy shield against censorship and persecution. If Congress forces industries to weaken the protections offered by encryption tools, it may embolden other countries, including those hostile to democracy, to demand that American companies operating in their jurisdictions disclose decrypted data for other, less noble purposes.

The Burr-Feinstein Approach Is Not the Right Solution

  • Congress should avoid the misguided impulse to force an expedient solution to this complex issue that will harm both consumers and the companies they have entrusted with their personal data.
  • For example, granting law enforcement access to encrypted data would establish a dangerous precedent that could lead to ever-expanding requests for other forms of not-yet-attainable data useful for surveillance – both in the U.S. and abroad.
  • Although the draft bill stops short of mandating a “back door,” the duty to render the data in an “intelligible format,” either directly or indirectly, essentially requires that such a capability be built into networks.
  • Additionally, under the draft bill, there are no limitations on the situations under which law enforcement may seek a court order – and no limitations on the amount of fines a company might face for non-compliance.
  • Rather than mandating that tech firms weaken their protections, a better approach would be for Congress to study the value of encryption, drawing upon the nation’s top experts and affected stakeholders, to develop carefully considered legislative recommendations. A commission, such as the one proposed by the McCaul-Warner bill, could provide Congress much needed technical insight into the challenges and opportunities inherent in a variety of approaches (e.g., improved cyber forensics).

1

86749.1