Strong non-backdoored encryption is vital – but the Feds should totally be able to crack it, say House committees
We want to have our cake and stuff our faces with it
A bipartisan House working group on encryption has today come to the conclusion that encryption is vital to US national interests, even as it seeks to mitigate the problem the technology can pose for law enforcement.
Citing the Federal Bureau of Investigation's effort earlier this year to force Apple to help the agency decrypt an iPhone used by one of the shooters in a 2015 terror attack in San Bernardino, California, the House Judiciary Committee & House Energy and Commerce Committee's Encryption Working Group (EWG) report explores the tension between authorities' desire for access to digital data and the increasingly necessary use of encryption to keep data secure.
Fred Upton (R-MI), Frank Pallone, Jr (D-NJ), Bob Goodlatte (R-VA), and John Conyers (D-MI) presented the dossier.
"The widespread adoption of encryption poses a real challenge to the law enforcement community and strong encryption is essential to both individual privacy and national security," their report reads. "A narrative that sets government agencies against private industry, or security interests against individual privacy, does not accurately reflect the complexity of the issue."
Amid its effort to find a way to secure data while also preserving access for authorities, the EWG at least argues that encryption should not be subverted for convenience.
"Congress should not weaken this vital technology because doing so works against the national interest," the report states. "However, it should not ignore and must address the legitimate concerns of the law enforcement and intelligence communities."
In other words, encryption should not be weakened, but there may be times when it should be weakened. So much for clarity of vision.
A rival commission, set up by House Homeland Security Committee Chairman Michael McCaul (R-TX) and Senator Mark Warner (D-VA), frames encryption in similar terms. As that commission's report, updated in September, noted, "Encryption plays a vital role in modern society, and increasingly widespread use of encryption in digital communications and data management has become a 'fact of life'."
The European Union Agency for Network and Information Security (ENISA) recently adopted a similar stance, declaring, "The use of backdoors in cryptography is not a solution, as existing legitimate users are put at risk by the very existence of backdoors."
The EWG offers four main findings:
- Any measure that weakens encryption works against the national interest.
- Encryption technology is a global technology that is widely and increasingly available around the world.
- The variety of stakeholders, technologies, and other factors create different and divergent challenges with respect to encryption and the 'going dark' phenomenon, and therefore there is no one-size-fits-all solution to the encryption challenge.
- Congress should foster cooperation between the law enforcement community and technology companies.
While these observations may mute calls for backdoors, they don't really offer any way to resolve the seemingly incompatible goals of security and access.
If a device is properly encrypted with an accepted algorithm, there are only a few ways to gain access to the data. These include:
- A legal regime that can compel people to reveal passwords (third-party companies can already be compelled to reveal what they know).
- Technical methods or flaws that facilitate decryption.
- A key storage regime like iCloud that provides convenience in exchange for security.
So when the EWG refers to cooperation between law enforcement and technology companies, that partnership, if mutual distrust can be overcome, might take the form of vulnerability sharing and encouraging people to entrust encryption keys to third-party providers.
The EWG report also advises further exploration of the utility and limits of metadata as a way around encryption, the viability of "legal hacking," the constitutional implications of compelled disclosure of passwords, and the proper role of government in data privacy.
Further discussion of these topics, while potentially useful, will need to be calibrated to the incoming administration. President-elect Trump has suggested he will take a less nuanced approach to encryption policy, having declared that Apple should have unlocked the iPhone in question. ®