In a highly anticipated hearing Tuesday, officials from Apple and the FBI appeared before the House Judiciary Committee to discuss the ongoing and heated debate about law enforcement access to encrypted devices. The five-hour hearing did not provide any solutions to the problem, but brought forth difficult political issues surrounding the debate, including whether law enforcement is exploiting a national tragedy to sway public opinion, whether Apple is putting its marketing strategy above lawful access, and what branch of the U.S. government should ultimately deal with the conundrum.
A main question throughout was whether it should be Congress or the courts that are the appropriate venue to solve the encryption issue. After watching all five hours, I'm not convinced people are asking the right question. It's not so much which venue can "solve the encryption issue," but rather which venue is the appropriate place to decide whether or not the encryption benefits outweigh the encryption drawbacks. Do we in the United States want to be able to protect all of our private effects or not? With encryption, there are no half measures.
During the committee meetings, it sometimes sounded like everyone was trying to figure out how to have their cake and eat it, too.
It seems clear to me that encryption provides a vital public service. It protects us all from criminals, terrorists, hackers, and nation-states. Yes, it's true that it can be a stumbling block for law enforcement, but we are in the Golden Age of Surveillance and there are more data points to track and surveillance tools for law enforcement than ever before.
And perhaps that's the conclusion we're coming to as a society. The hearing came a day after Eastern District of New York Magistrate Judge James Orenstein ruled that Apple did not have to help the FBI extract data from an iPhone in a drug case because the government’s use of the All Writs Act was too broad. Apple is also fighting a court order in California that compels the iPhone maker to provide the FBI with technical assistance – essentially compelling it to create a specialized operating system to disarm built-in security features built so that the FBI can brute force the password to gain access into the phone used by one of the San Bernardino shooters.
A number of lawmakers said it was Congress – not the courts – that should provide that solution. Ranking Democrat John Conyers, D-N.Y., for one, even expressed concern that the FBI was attempting an “end run around Congress” to get access to encrypted devices. This comes only months after the Obama administration decided not to advocate for encryption legislation.
“Citizens have rights; Government has power,” said Rep. Ted Poe, R-Texas, a former federal judge. “It’s Congress’s job to determine my expectation of privacy.”
The issue is also being watched by other nations. Rep. Zoe Lofgren, D-Calif., pointed out that the U.S. tends to set the precedent in the technology industry, and providing backdoor access would set a dangerous precedent for U.S. businesses around the world. Apple Senior Vice President and General Counsel Bruce Sewell agreed that how the U.S. deals with the issue will have repercussions around the world. “America should be leading on this issue,” he said, “and the world is watching today on this particular debate.”
Apple's decision to fight the FBI was also brought into focus. At one point, FBI Director James Comey was asked if Apple was engaging in corporate irresponsibility. “I wouldn’t characterize it like that,” he said. But, in the broader context of the debate, he added, "We need to stop talking past one another."
In answering whether Apple was putting its brand above U.S. law, hearing such a comparison makes his “blood boil.” He added, “We don’t take out ads about our encryption. We think it’s the right thing to do. To say it’s a marketing ploy really diminishes what should be a serious conversation with Congress and the American people.”
Not all the Congressmen took Apple’s side, however. Rep. Jim Sensenbrenner, R-Wis. – who wrote the USA PATRIOT Act and led the charge in reforming it after the Snowden revelations – expressed a series of pointed questions at Sewell: “You say encryption questions should be decided by Congress. Why is Congress the best venue?”
Sewell answered, “Ultimately, Congress must address this issue. We find ourselves in an odd situation in San Bernardino because the FBI in ex parte fashion is compelling us” to weaken our security. “We view that as a way to cut off the debate.”
When asked if Apple has a legislative solution, Sewell said, no, it does not. “I don’t think you’re going to like what comes out of Congress,” said Sensenbrenner, who accused Apple of being obstructionist. “You don’t have anything positive to say, all you’re saying is ‘no, no, no, no,’” he said. Sewell retorted, “I do think we’ve said what we stand for.”
Sewell also pointed out the difficult position companies are being put in by the U.S. government. On one side, the FBI and other law enforcement essentially want companies like Apple to weaken built-in security protections for lawful access, while at the same time, the Federal Trade Commission is policing industry for strong data security.
Many lawmakers expressed frustration with the Department of Justice and the FBI regarding their strategy on encryption. Rep. Conyers, for example, pointed to an email obtained by The Washington Post last fall that was sent from a senior intelligence lawyer stating that public opinion around encryption could change in light of a terrorist attack and that there could be “value in ‘keeping our options open for such a situation.’”
“I am deeply concerned by this cynical mindset. And I would be deeply disappointed if it turns out that the government is found to be exploiting a national tragedy to pursue a change in the law,” Conyers warned.
Worcester Polytecnic Institute Cybersecurity Prof. Susan Landau, who also testified and has an extensive cryptology background, provided another avenue to solve the encryption issue.
She says the FBI needs to realize what the NSA realized in the 1990s: that back doors make everyone unsafe, including government employees. What the FBI should do, she argued, is to bolster its technological expertise and join the digital arms race. “The FBI focuses too much on investigations,” she testified, “and not enough on preventative measures.”
Landau also said that encrypting smartphones is essential because they not only hold incredibly sensitive data about individuals, but are also quickly becoming authenticators. Using two-factor authentication, for example, requires the use of smartphones, and the financial industry is aiming to make smartphones the modern wallet.
Others in the intelligence community have also supported strong encryption. “In this room, just last Thursday, former Secretary of Homeland Security Michael Chertoff testified that, in his experience, strong encryption helps law enforcement more than it hinders any agency in any given case,” said Rep. Conyers in his opening statement.
Moving forward, new legislation was introduced this week by Sen. Mark Warner, D-Va., and Rep. Michael McCaul, R-Texas, that would establish a 9/11-style commission on data security and law enforcement access. Whether Congress ultimately becomes the venue to solve the encryption issue remains to be seen. It's tough to imagine anything comprehensive coming out of Congress that would solve this issue – Rep. Sensenbrenner would agree. Plus, laws dealing with technology become outdated quickly. And updating them is next to impossible – just look at how difficult it is for Congress to update the Electronic Communications Privacy Act.
For Apple, and other companies, a move to more widespread encryption is likely – as Apple, for example, is reportedly planning to encrypt its iCloud service – and that's a good thing. I recognize that law enforcement is put in a difficult position with the rise of encryption, but even putting laws around it in the U.S. will not prevent criminals from making their own apps or finding other services outside the country. And it would not prevent other countries from requiring companies like Apple to provide government access either.
As data breaches continue to hurt both the public and private sectors – from the Office of Personnel Management and the IRS to Target and Apple's iCloud – it's time to accept encryption as the norm.
Whether this happens or not, however, it will be the U.S. courts that continue to resolve individual issues on an ad hoc basis for the time being.
If you have five extra hours, here's the complete hearing:
If you want to comment on this post, you need to login.