Startups for Encryption

The Honorable Mitch McConnell
Majority Leader U.S. Senate
Washington, DC 20510

The Honorable Paul Ryan
Speaker U.S. House of Representatives
Washington, DC 20515

The Honorable Harry Reid
Democratic Leader U.S. Senate
Washington, DC 20510

The Honorable Nancy Pelosi Democratic Leader U.S. House of Representatives Washington, DC 20515

Dear Leader McConnell, Leader Reid, Speaker Ryan, and Leader Pelosi,

We are a group of startups, entrepreneurs, and innovators who believe that strong encryption is a necessary tool for digital security and critical to the functioning of the internet economy. We are concerned about the anti­-encryption rhetoric that has increasingly come to dominate conversations in Washington D.C. We appreciate your efforts to explore this complex topic further in forums removed from a politically charged environment. We request that you consider the unique perspective of startups like ours when exploring proposals that would impact the future of encryption technologies and digital security.

While much of the dialogue on cybersecurity has focused on whether the government can and should enlist large technology companies to assist in decrypting information for law enforcement purposes, there has been little discussion of the impact that legislation relating to encryption would have on the startups that are responsible for all new net job growth in this country. Encryption is at the heart of many of our products and services. Without the security and confidence that encryption provides, it would be difficult or impossible for us to find customers and investors, and ultimately, grow our businesses. While some proposals put forth to date, such as Senators Richard Burr and Dianne Feinstein’s draft “Compliance with Court Orders Act,” would have a broad and devastating impact on the nation’s economy and security, startups face unique challenges that make such anti­-encryption proposals particularly dangerous.

Unlike larger technology companies, startups like ours lack the resources necessary to comply with the anti­-encryption proposals some legislators have put forward. In its dispute with the FBI, Apple estimated that building a decrypted version of its operating system would require the company to devote six to ten engineers working full time for two to four weeks. Even for the subset of startups that have six engineers on staff, losing a month of those employees’ time could bankrupt the company. Additionally, even if a startup could afford to design a “backdoor” for government access, it would be excessively difficult to adequately protect that “backdoor” from the innumerable cybercriminals and bad actors that would try to exploit it. To secure a single decrypted operating system, Apple estimated it would have to build one or two secure facilities that could cost $50 million. No startup has anywhere near that kind of free capital to devote to protecting government ­mandated vulnerabilities. Consequently, imposing anti­-encryption mandates on startups will inevitably result in massive security threats. It is not a question of whether criminals will get access to these backdoors, but when and how much damage they will cause.

The fallout of this increase in cybercrime will hit startups harder than larger, well ­known companies. Startups do not have the name recognition or consumer trust that would allow us to weather the security breaches that will occur if we are forced to abandon encryption technologies and provide backdoor access into our systems. Many of us have already lost business from international clients over the perceived vulnerability of U.S. companies to government surveillance and data collection. If Congress mandates that we create backdoors or otherwise weaken encryption, even more customers will abandon our services for competitors in countries that still recognize the importance of encryption and security.

Our defense of encryption is meant to promote public safety, privacy, and security, not undermine them. We share the law enforcement community’s interest in preventing crime, and we will continue to cooperate with the government to combat terrorism. However, because wrongdoers will always have access to encryption tools and services created overseas, weakening encryption in the U.S. will only make U.S. citizens and companies vulnerable to cyberattacks without any significant benefit to law enforcement.

As you continue to explore the policy landscape surrounding encryption, it is our hope that you will take the concerns of our community into account. Attached hereto is testimony from startups around the country highlighting their unique perspectives on encryption and why it is important to their companies. We look forward to continued engagement with you and your colleagues over the coming months and appreciate your consideration.

Sincerely,

Garmentory Inc. Seattle, WA

GitHub San Francisco, CA

Help Scout Boston, MA

Infinit New York, NY

Nourishwise Nashville, TN

Optimizely San Francisco, CA

Patient IO Austin, TX

Pitch Data New York, NY

Plickers San Francisco, CA

SafeLogic Palo Alto, CA

Sandberg Tech of North Dakota; Devils Lake, ND

Soha Sunnyvale, CA

Sportzpeak San Francisco, CA

Starry, Inc. Boston, MA

The Community Company Inc. Crystal City, VA

Vera Palo Alto, CA

Virtru Washington, DC

Waterfall International San Francisco, CA

Aire London

Binary Formations, Mechanicsville, VA 

Biometrica Systems, Las Vegas, NV 

Bracket Computing Mountain View, CA 

Canary New York, NY 

Capitol Bells Washington, DC 

Inflection Redwood City, CA 

Keen IO San Francisco, CA 

Lean Team Tuning LLC Plattsburgh, NY 

LyteShot Chicago, IL 

Mapbox Washington, DC 

Welcome (formerly ChatID) New York, NY 

CitiQuants Corporation Miami, FL 

Convo San Francisco, CA 

Descartes Biometrics, Inc. Blaine, WA 

Devbright Peoria, IL

Development Seed Washington, DC 

DevNetwork San Francisco, CA

Dwolla Des Moines, IA

Estate Map, LLC Minneapolis, MN

FireboxGaming Charleston, WV

Foursquare New York, NY