As the largest security software company in the world, Symantec has earned the trust of consumers, businesses and governments alike to secure and manage their information and identities. We place the highest priority on maintaining this trust and believe it is imperative to be transparent about our business positions as questions arise across the globe on data security and privacy. We have always been clear that:
- Symantec does not introduce hidden functionality (back doors) in its technologies.
- Symantec does not whitelist malware in its security solutions.
- As a Certificate Authority, Symantec does not keep copies of encryption keys that its customers use. Consequently, Symantec does not have the ability to comply with requests to produce such keys.
- Symantec uses the highest known standards for encryption and we believe that our encryption technology is secure and has not been undermined.
Symantec is committed to complying with all relevant rules, laws, and regulations in the countries where we operate. When requested by a lawful authority to share customer data, Symantec will only do so following the appropriate due process of law. In such cases, Symantec will endeavor to be transparent with its customers to the extent permissible by applicable law.
Symantec has stated publicly that we will collaborate with authorities to share information on cyberattacks in order to facilitate the detection and prevention of cybercrime. We believe this benefits our customers and the global community at large. There are a number of examples where Symantec has contributed to the disruption of cybercrime activities through cooperation with law enforcement around the world. Among these were the recent takedowns of the financial fraud botnet Gameover Zeus and the ransomware network Cryptolocker. Both were used by cybercriminals to steal tens of millions of dollars by compromising millions of computing devices.
Around the world, companies are being put in the position of having to choose whether they should comply with one government’s law or break another’s. The broader issue of state surveillance is putting companies in the middle of national security debates between sovereign governments. We welcome a discussion among the international community focused on the permissible boundaries of government security activities on the Internet. It is important, however, that the conversation focuses on solutions and transparency and that it does not become a finger-pointing exercise. To be clear, we enter this dialogue with the strong and long-held belief that the infrastructure underlying essential Internet functions should be trustworthy. Commercial software and hardware should not be targets for intelligence collection or manipulation.
The role of industry in a globalized economy is to promote technological innovation and economic growth. Unfortunately, we see governments using national security as a justification for protectionist agendas. The public debate on surveillance is necessary around the world, and for that debate to be effective the participants should not use it to advance unrelated agendas or to make their points at the expense of the private sector.
The bottom line is that companies should not become the long arm of intelligence for any government, nor should they be perceived as such by their customers. Such perceptions risk undermining the trust on which the Internet and its underlying technology have been built.
Equally, the role of government is to ensure national security, the protection of individual privacy, and the economic well-being of its citizens. However, neither of these objectives will be served in the long run by restricting the ability of industry to reach national markets or to take advantage of economies of scale by limiting global data flows.
Symantec remains committed to maintaining the trust we have earned, to being a constructive participant in the fight against international cybercrime, and to contributing to the global dialogue on security and privacy.