Twilio recently had the opportunity to meet with members of Congress and their staff who have taken on the difficult task of balancing security and privacy. We were struck by the sincere desire to understand how actions proposed by those in Washington impact smaller technology businesses.
It’s been clear to us for some time that, in order to get the full picture, Congress needs to hear from tech companies at all stages of growth; we were encouraged to see that realization dawning on the Hill, as well.
Congress faces a difficult challenge in striking a balance between securing the data that powers our economy and allowing law enforcement access to that data in the interests of public safety and national security. Companies like Apple, Amazon, Facebook, Google and Microsoft have cautioned against mandating weakened information security measures, a view shared by info security experts, data scientists and the technology sector. However, if members of Congress only hear from the largest technology companies, they won’t hear the full story. U.S. startups and small businesses also stand to be greatly impacted by the words and actions of our legislators.
As we and our customers bring communication services to users outside of the U.S., one of the things we frequently hear is an increasing level of concern about how our government handles personal data. We see these concerns creating a ripple effect with far-reaching impact on smaller businesses attempting to do business abroad.
As an example, after revelations about how the NSA obtains and analyzes mass amounts of private citizens’ communications, last year the European Court of Justice invalidated the Safe Harbor agreement between the U.S. and the EU. For larger companies, the death of Safe Harbor was certainly inconvenient, but the impact was relatively manageable, because these companies have global legal teams and are resourced to deal with the resulting legal and operational repercussions. For smaller companies the impact was much greater.
This is not the time for knee-jerk legislation.
Those who previously relied on Safe Harbor were largely left with only one option for doing business in the EU: sign model contractual clauses with each and every EU customer. This is a massive undertaking for small companies that don’t have the global legal teams that larger companies have. Companies like Microsoft have come up with an even more drastic solution: spinning up data processing facilities or physical locations in new countries, an approach that comes at enormous cost and is simply not a viable option for most small businesses.
The fallout from privacy concerns only serves to worsen the uncertainty that already exists around compliance requirements for U.S. companies. European authorities continue to express concerns about insufficient assurances that personal data originating in the EU will not be subjected to mass and indiscriminate collection by U.S. government agencies, going so far as to indicate this may be a potential obstacle to adopting the newly proposed Privacy Shield.
Anti-encryption legislation, such as the bill proposed by Senators Burr and Feinstein, exacerbates these privacy concerns. In addition to further undermining the trust required for small businesses to compete globally (which is very hard-earned to begin with), we are concerned about the ramifications of such a bill and the resources it would require for tech companies, especially those just starting to do business outside the U.S.
Requiring smaller technology companies to circumvent proven design principles without unintentionally introducing broader security vulnerabilities is virtually guaranteed to introduce error and unintended consequences.
While the economic and operational impact on small businesses of compliance with such a mandate would be significant, the impact on innovation is potentially even greater and longer lasting. Redeveloping technology and deploying the extensive legal resources required to evaluate and respond to demands or ensure compliance is simply not feasible for many, if not most, small businesses. These are the very businesses driving enormous innovation and adding significantly to our economy.
The tone around security and privacy in Washington has a ripple effect, and the rest of the world is listening. For U.S. companies to remain competitive at home and abroad, our commitment to time-tested security design principles can’t be compromised. This is not the time for knee-jerk legislation, but rather it’s the time to pause, engage in discussion and seek to understand all viewpoints and potential consequences before imposing mandates and additional requirements on businesses.
We are encouraged by the time we’ve spent with the legislators and their staff who are seeking to broaden the discussion and strike a more collaborative and inclusive tone. That’s why we’re asking other small technology companies to join us in sharing their concerns and engaging in this important conversation with Congress. By helping our legislators understand the realities faced by our businesses today, we can help Congress forge a path to reasonable security measures that don’t undermine data security design principles, privacy expectations or our global competitiveness.