Description
Governments in the post-Snowden era have been increasingly strident
in their desire to regulate digital communications and to access data
when needed. However, users have been just as ardent in their demand for
privacy. Events such as the recent head-butting between Apple and the
FBI over an iPhone belonging to a terrorist have done nothing to assuage
users’ worries about privacy. If anything, it taught a generation of
digital users, especially in the United States, about end-to-end
encryption. Many users are now demanding end-to-end encryption from
their technology providers, and they want to hold the encryption keys.
...
While
this shift is taking place, more governments are giving themselves the
legal right—often on a broad basis—to bypass or break encryption or
technical protection measures, often without the knowledge of the
manufacturer, communication provider, or the user. This is creating
tension not only between authorities and technology firms but also
between governments, who are not necessarily keen to see their citizens’
data accessed by third-country authorities. Many governments collect
information about zero-day exploits and vulnerabilities that they
discover in vendor software; however, they are not always transparent
with vendors about what they hold, nor do they always share it in a
timely manner.
Hoarding such valuable information prevents
vendors from improving security in their products and providing users
with better protection from threats. Even though governments may have
good reason to hold some of this intelligence close, there is also a
need for greater transparency and trust in the global cybersecurity
landscape. Governments should therefore conduct a frank assessment of
their current policies on the hoarding of zero-day exploits. They
should start from the default position that sharing such information
with vendors, so that it can be fixed, leads to a far more secure digital
environment for everyone.