US Congress locks and loads three anti-encryption bullets

We might ban it, we might not, but we will be in charge

US Congress is preparing no fewer than three new bills over the ongoing encryption debate: one banning end-to-end encryption, one setting up a commission to review the issue, and a third to make sure that it is Congress that gets to decide what happens next.

Leading member of the Senate Intelligence Committee Dianne Feinstein (D-CA) – who has been criticized for being too close to the NSA – has said she will introduce a new bill that will impose limits on encrypted devices.

She may be beaten to the punch, however, by Representative Michael McCaul (R-TX), chair of the House Homeland Security Committee, who has announced he will put forward a bill to create "a national commission on security and technology challenges in the digital age" – in large part to dig into the issue of encryption.

And then there is the Encrypt Act, put forward Wednesday by Representative Ted Lieu (D-CA) and Blake Farenthold (R-TX). Their bill seeks to override other proposed bills in their home state's legislative bodies that would ban encryption by declaring that only Congress is allowed to make such laws.

All three efforts show how political the issue of protected communications has become in recent months. Sadly, none of them address the core issue at the heart of the debate: how can you give law enforcement access to encrypted comms without introducing a backdoor that others can use?

And another

Senator John McCain has also jumped into the debate, publishing an op-ed this week in which he reiterated the same line as a host of other politicians and presidential candidates: that Silicon Valley needs to "do something" to give law enforcement access to encrypted data but that something should not be a backdoor.

The question as to what that something actually is, then, has been notable by its persistent absence.

McCain appears to represent the establishment's view that there needs to be a 2016 equivalent of the 1990s when "legislation ensured law enforcement agencies are able to lawfully wiretap without mandating how those systems ought to be designed."

Unfortunately that "just do it" bellowing from the political sidelines fails to address the fundamental problems that sparked the encryption debate in the first place.

First, Apple, Google, Facebook et al were appalled to discover in Snowden documents that the NSA was abusing its access rights to carry out mass surveillance of all of their customers' communications, including tapping their data centers.

As a result of that, and the privacy outcry of their customers, Silicon Valley decided to increase the level of protection around data, increasing and expanding the amount of encryption it applies.

Critical among these changes has been Apple's decision to introduce end-to-end encryption on its phones so that even if it is presented with a warrant to hand over information, it is not in a position to decrypt that data into a readable format.

That approach means law enforcement loses its ability to act in secret and it also removes the ability of Congress to pass laws that enable law enforcement to insist on the handing over of information. Unsurprisingly, neither party has been keen on that loss of power.

Magical thinking

On a second related topic, technologists have been repeatedly making the point that if you introduce a flaw into encryption technology in order to enable it to be unencrypted later, then that flaw can also be used by others. And by others, everyone means the security services who do all that they can to access the data and don't bother with court orders or warrants.

The term "magical thinking" has been used to refer to the concept that it is possible to create a system that would grant law enforcement access to unencrypted data, but no one else.

Despite that term gaining wide usage in Washington, however, politicians and law enforcement personnel continue to insist that it is possible to do exactly that. Unable to come up with a solution, they have resorted to pressuring Silicon Valley to come up with an answer by passive-aggressively calling on their "brightest minds" to work on the issue.

As such, of the three proposed Congressional bills, only the one creating a special commission is likely to prove feasible.

Feinstein's plan to simply ban end-to-end encryption will hit a brick wall of objections, not least of which will be President Obama, who has said publicly he will not seek legislation on the issue.

Likewise McCain's call for 1990s legislation – which, incidentally, completely ignores the fundamental point that the information stored and shared on mobile phones these days is orders of magnitude more personal and private than simple phone conversations.

States rights

The bill to grant the Congress sole rights to an encryption solution is likely to face opposition from Congressmen with a strong states-rights philosophy. Plus its constitutionality would almost certainly be challenged by the states.

And that leaves the bill to create a commission to dig into the issue and come up with a reasoned solution – rather than knee-jerk legislative fixes. It may be the only practical outcome in an increasingly noisy and content-free debate.

Unfortunately, Congress does not have the best track record when it comes to reasonable and logical progress, so there is likely to be a lot more heat before a solution is found. ®
