Any compromises we make in the security of our systems are compromises that can and will be exploited by those who would seek to do us harm. This includes malicious hackers, identity thieves, authoritarian governments, and corporate rivals. Your own Defense Department has identified insecure devices and networks as a key threat to our nation’s cybersecurity.
There are people whose lives are literally at risk who depend on the security of their phones: domestic violence victims, law enforcement agents, investigative journalists, judges, and those working for change in authoritarian regimes. But mostly, encryption protects hundreds of millions of regular people, who may not have anything to hide but don’t want their private lives exposed or their identities stolen because of lost or stolen smartphones, security flaws, and data breaches.
We’ve seen all too well the perils of imperfect security in Apple’s systems. In 2014, Apple suffered a major security breach in iCloud that resulted in a hacker accessing and publishing nude photos of celebrities like Jennifer Lawrence, Kate Upton and Ariana Grande. And while celebrities may have gotten the most press attention, the data breach could have affected anyone with an iPhone. It’s no surprise Apple sought to improve its security in the years since; its customers understood their personal lives were at stake.
Many of your advisors and former government officials know that vulnerabilities in our computer systems pose serious threats to our national security. Last year, millions of government workers and their families faced exposure of their most personal information when the Office of Personnel Management was breached, and the federal government is expected to spend half a billion dollars cleaning up in the wake of data breaches in the next few years. The OPM hack is just one in a series of high-profile breaches where extraordinarily sensitive information was stolen. The experts have been telling you that, faced with these challenges, we need to strengthen cryptography, not undermine it.
We’ve also seen the ramifications of bad policies that tried to weaken security. In the 1990s, there was a concerted effort by certain outspoken law enforcement officials to weaken our cryptography and insert backdoors into our systems. Last year, university researchers discovered how these policies have had long-term, unintended consequences: weakened security persisted in our software for decades. The researchers demonstrated that this resulted in massive, ongoing vulnerabilities in thousands of Internet services. We still don’t know how many millions of people’s personal communications were put at risk because of these shortsighted policies.