Continuing a long-running debate about the role default encryption plays in consumer products and the obstacles it presents to law enforcement investigating terrorism and criminal activity, federal officials testified Wednesday in front of the Senate Judiciary Committee calling for Silicon Valley to come up with a solution to the so-called "going dark" issues around encrypted technology.
Both FBI Director James Comey and Deputy Attorney General Sally Yates were measured in their calls for a solution, admitting they didn’t have one. They were clear they didn’t think there should be a federal law requiring so-called “backdoors” allowing law enforcement to gain access to users’ communications, but they did call for placing the onus of finding a solution on private industry.
“I don’t come here with a solution,” said Comey, adding, “I think Silicon Valley is full of folks” that can find a technological solution that would both give users privacy and law enforcement access to targeted subjects.
Yates said the administration “is not looking for a one-sized-fits-all solution” but that law enforcement “wants to work with communications providers” to “figure out a way to get access through them.” She added, “We are not seeking a front door, back door or any kind of door.”
Yet, not all senators were convinced thwarting encryption is a good idea.
“Consumers demanded greater privacy, and the technology industry has responded and provided better encryption,” said Sen. Mike Lee (R-UT). “Enactment of a federal mandate threatens to undermine consumer choice and creates a back door” for bad actors and state-sponsored cyber-espionage.
Sen. Al Franken (D-MN) asked whether the FBI or Department of Justice (DoJ) had hard numbers on how many investigations have been thwarted by encryption to better determine the scope of the problem. Neither the FBI nor the DoJ did have such numbers, but Yates said she would work to aggregate them for the future.
However, New York County District Attorney Cyrus Vance did have numbers for his district. He said that starting from September 2014 his office retained 93 devices as evidence in investigations that were running Apple’s iOS 8, which encrypts communications by default, and that of those, 74 were locked.
At issue, according to Comey and Yates, is tech companies positioning encryption as the default in communication services. Comey several times during the morning Judiciary and the afternoon Senate Intelligence hearing on the same issue said he had no issue with strong encryption itself but that making it the default creates unnecessary obstacles for law enforcement.
With a different tone from previous hearings, the Obama administration wants the solution to reside in the hands of the technology industry. Yates said, for example, that unlike the initial “Crypto Wars” seen in the 1990s, the government does not propose it handle any of the encryption keys and that it should be left up to companies to handle keys as they see fit, so long as they comply with getting access to content after receiving a court order.
But in the wake of massive hacks of the Office of Personnel Management in the public sector, and a bevvy of private-sector breaches, including this week's hack of security firm Hacking Team, confidence that organizations could keep such keys protected was low among several senators.
Yates went on to recommend that Congress engage with the technology industry to find a technological solution to provide limited government access.
“We have been engaging with the technology industry,” Yates said. “The companies are not the villains here. They’re reacting to market demands of privacy from their customers. It’s important that we not mandate a solution across the board, but work with them individually.”
Finding such a solution, however, may not be feasible. On Tuesday, a group of 13 of the world’s leading cryptographers, computer scientists and security specialists released a report detailing the inherent dangers of implementing back doors into communications technology. In anticipation of Comey’s comments, they wrote in the report, “Such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend.” They added that the “costs would be substantial, the damage to innovation severe and the consequences to economic growth hard to predict.”
That sentiment was echoed at the hearing, by Georgia Institute of Technology Prof. Peter Swire, CIPP/US, and Hoover Institution Senior Research Scholar Herbert Lin, who both added to the arguments that finding ways around encryption will not only hurt user privacy but will make the Internet less secure and hurt U.S. businesses around the world, especially in the EU.
Swire, who calls this the “Golden Age of Surveillance,” testified that mandating avenues around encryption would have ramifications on the EU-U.S. Safe Harbor agreement. The Snowden disclosures, for one, may have cost U.S. businesses hundreds of billions of dollars, and these “encryption debates reinforce the tendency in other countries to stay away from U.S. products,” he said.
NY DA Cyrus Vance said he recently met with executives at both Apple and Google, calling them “cordial” and “interesting” but added that he left with more questions than answers.
In a letter to Apple Senior Director of Global Policy Jane Horvath, CIPP/G, CIPP/US, Vance asked further questions about its Apple iCloud backup and how it manages encryption keys. “Is there any ‘key’ or similar device that Apple might keep without sacrificing the security of iPhones from hackers?” Similarly, Vance asked Google Senior Vice President and General Counsel Kent Walker questions about the company's cloud backup, how many users used it and whether keeping a key would make them more vulnerable to hackers.
According to Vance, neither company has yet responded.
It looks like more testimony will be forthcoming. During the afternoon Senate Intelligence hearing, Sens. Martin Heinrich (D-NM) and Barbara Mikulski (D-MD) both called for an additional hearing to include security and privacy experts as well as some of the tech industry’s CEOs. Until then, without a proposal on the table from the Obama administration, the debate will continue.
If you want to comment on this post, you need to login.