Encryption

House Report: 'Any measure that weakens encryption works against the national interest'

A call for strong data protection even in the face of law enforcement demands.

|

iPhone
Mikael Damkier / Dreamstime.com

Bipartisan members of an Encryption Working Group connected to the House's Judiciary and Energy and Commerce committees have put out a year-end report pushing for American policies that support and defend strong data encryption.

Sure it's just a report and not an indicator of where policy might end up, but it's important in the wake of the United Kingdom passing a new surveillance bill that gives its government the authority to order tech and communication companies to provide back doors or bypasses in order to access encrypted data.

The report was signed by ten members of the House, five from each party. After meeting and discussing issues and concerns with various parties over the past six months, they concluded the year with four observations.

This first observation is exactly what's up in the headline: Weakening encryption harms our national interest. Even government officials within the national security community agreed:

[S]takeholders from all perspectives acknowledged the importance of encryption to our personal, economic, and national security. Representatives of the national security community told the EWG [Encryption Working Group] that strong encryption is vital to the national defense and to securing vital assets, such as critical infrastructure. Civil society organizations highlighted the importance of encryption for individual privacy, freedom of speech, human rights, and protection against government intrusion at home and abroad. Private sector stakeholders—in particular, their information security officers—and members of the academic community approached the question from an engineering perspective—against a wide array of threats, foreign and domestic, encryption is one of the strongest cybersecurity tools available.

The second observation was simply a reminder that encryption tools are developed internationally and that the government probably can't actually control access to it anyway. The end result could actually make the law enforcement "going dark" problem even worse:

Encryption technology is free, widely available, and often open source.5 Law enforcement stakeholders acknowledged to the EWG that a Congressional mandate with respect to encryption—requiring companies to maintain exceptional access to data for law enforcement agencies, for example—would apply only to companies within the United States. The consequences for such a policy may be profound, but they are not likely to prevent bad actors from using encryption.

The group's third observation is to warn that there's no "one-size fits all" solution to dealing with encryption to the extent that it presents a challenge to law enforcement and anti-terror information gathering. Without directly saying so, it's a crack at the absurdly vague legislation crafted by Sens. Dianne Feinstein (D-Calif.) and Richard Burr (R-N.C.) that simply ordered tech companies to assist law enforcement in bypassing and compromising their own security whenever a judge told them to.

The final observation is a bland call for cooperation between tech companies and law enforcement. They do notice that part of the problem involves communication. They seem to kind of be diplomatically suggesting that law enforcement agencies think they can just demand tech companies give them information and don't understand why that doesn't work:

Stakeholders from all sides were nearly unanimous in describing a significant gap in the technical knowledge and capabilities of the law enforcement community, particularly at the state and local levels. This results in a range of negative consequences that not only hinder law enforcement's ability to pursue investigations but also contribute to its tension with the technology community. For example, from the perspective of law enforcement, routine requests for data are often challenged by the companies, unnecessarily delayed, or simply go unanswered. From the perspective of the companies, these requests often lack appropriate legal process, are technically deficient, or are directed to the wrong company altogether.

Read the full report here. Keep in mind that incoming President-Elect Donald Trump took an extremely dim view (even careless) toward Apple's cybersecurity in the fight for access to the iPhone in possession of one of the San Bernardino terrorist's. He demanded that Apple simply "open" the phone for the FBI (which is actually more than they were even asked to do) and called for a boycott of the company when they resisted. What Congress might establish as law for encryption protections is going to be very important.