Modern field guide to security and privacy
The US Capitol is lit at sunset.
Joshua Roberts
|
Caption

Opinion: What some lawmakers still don't get about encryption

A congressional report says encryption makes America safer. Why are these two Representatives refusing to sign on?

“Any measure that weakens encryption works against the national interest.”

That statement in support of strong security measures on consumer devices comes from an unexpected source: The House of Representatives.

The bipartisan Encryption Working Group, composed of 12 members of the Judiciary and Energy and Commerce committees, has been working since March to assess whether Congress should require tech companies to guarantee law enforcement access to encrypted data.

While the FBI Director and some lawmakers want to require companies to build in ways for law enforcement to get around otherwise strong security measures designed to protect consumers from criminal hackers and other digital threats, digital security experts universally accept that encryption is crucial to secure communications, from Apple’s iMessage to online banking.

And privacy advocates like myself are happy to see the panel’s nearly unanimous findings renouncing so-called “backdoors” in encrypted communications.

But everyone should be dismayed by the refusal of two representatives in the working group, Joe Kennedy (D) of Massachusetts and Adam Kinzinger (R) of Illinois, to sign onto the findings. That decision underscores an unfortunate lack of commitment to Americans’ privacy, fundamental ignorance about encryption and how it keeps people safe, or both.  

The now-public findings of the Encryption Working Group rightly notes that efforts to mandate companies build workarounds to their otherwise strong encryption are not in the national interest.

To reach that conclusion, lawmakers talked to the national security community, which argued encryption was critical to secure critical infrastructure. Civil society organizations explained the importance of encryption in protecting “individual privacy, freedom of speech, [and] human rights,” and to guard “against government intrusion at home and abroad.” And private sector stakeholders described encryption as one of the “strongest cybersecurity tools available” to protect users’ information against a wide array of foreign and domestic digital threats.

The report also concluded that there is no “one-size-fits-all solution” to the difficulty encryption may pose to law enforcement, sometimes referred to as the “going dark” phenomenon.

There are fairly moderate, well-considered conclusions. But Representatives Kennedy and Kinzinger did not sign onto the report that the other 10 representatives in the working group published. Those who did sign on included high-powered members, such as the chairmen and ranking members of both committees.

I asked both abstaining representatives to comment. Only Representative Kennedy’s office responded before deadline, writing: “Congressman Kennedy believes that encryption has critical implications for consumers, law enforcement and our national security.  Each demand serious attention and care from policymakers. The Congressman ultimately did not feel that the working group had the time to give this topic the due diligence it deserves.  

Dissenting from the the working group’s findings, nine months in the making, is concerning on its own. But it appears to be just the latest in a long and problematic history that Kennedy and Kinzinger share: One that strongly suggests these representatives support backdoors in encryption.

Both Kennedy and Kinzinger have faced this issue before. The Massie-Lofgren amendment would have prohibited warrantless searches of Americans’ communications that get collected through mass surveillance programs. (The collection in question is, by statute, supposed to be focused on foreign actors.) The amendment would have also prohibited the Department of Defense from mandating backdoors in encryption.

Kennedy and Kinzinger have opposed the Massie-Lofgren amendment all three times it was considered. The first time, in 2014, it was supported by an overwhelming, 293-member majority, but leadership stripped the provision from the final spending package.

Both lawmakers also opposed a 2013 amendment offered by Rep. Justin Amash (R) of Michigan designed to end bulk collection of Americans’ records under Section 215 of the Patriot Act. That amendment failed by 12 votes, meaning only seven Representatives could have swung the vote in favor of reining in that authority. Kennedy, it is worth noting, was the only member of the Massachusetts delegation to vote no

Taken altogether, it appears these representatives stand for a political position that is as problematic as it is untenable. They apparently support warrantless, mass surveillance of Americans, the warrantless targeting of Americans in databases explicitly authorized for foreign intelligence purposes, and they claim to support these things for the sake of national security.

But Kennedy and Kinzinger cannot plausibly claim to be focused on the country’s security while failing to oppose backdoors. If they were committed to security in any serious capacity, they would have concluded at least what the Encryption Working Group and what every other expert has been saying for decades: You cannot have an encryption backdoor that isn’t also a vulnerability. Their abstention and voting records reveal they either don’t understand that or they don’t care – and in any event that they definitely do not support a ban on backdoors in the technology that keeps Americans safe.

This is a debate that’s only going to intensify next year.  

We’ve already seen how the San Bernardino shooting in 2015 rejuvenated the debate over whether encryption stops investigators from getting access to important information. 

After FBI Director James Comey said the FBI was unable to access an iPhone found during the San Bernardino investigation, he called on Congress to require tech companies have ways for law enforcement to decrypt data.

After that, Intelligence Committee leaders Senators Richard Burr (R) of North Carolina and Dianne Feinstein (D) of California introduced legislation along those lines. Apple – with the support of many other tech companies – challenged the FBI. 

Companies, along with security and privacy experts, noted weakened encryption simply puts holes in the armor we depend on to protect consumers and critical infrastructure. Experts also argued and eventually explained, step-by-step, that there were other ways for the FBI to break into the phone.

The anti-backdoor coalition also earned the support of national security hawks. Even Michael Hayden, former director of the CIA and NSA, agreed that requiring companies to build backdoors is an extraordinarily bad idea: “I think on balance that actually harms American safety and security,” he told Capital Download.

After feverish public debate, the FBI dropped its case after admitting there were other ways to break into the phone. But threats from insecure data are only increasing. Hackers played a major role in the presidential election by stealing and leaking communications from American political organizations. And the public learned that 1 billion Yahoo accounts were compromised in what might be the biggest hack ever.

It will be more important than ever for lawmakers to understand encryption. But Kennedy and Kinzinger’s refusal to oppose cryptographic backdoors means they are not only sacrificing Americans’ privacy – they are pushing bad policy at the expense of security. Unfortunately, it’s their constituents who will pay the price.

Sean Vitka serves as counsel for Demand Progress and Fight for the Future and is a fellow with X-Lab. He also serves as director of the Fourth Amendment Advisory CommitteeFollow him on Twitter @SeanVitka.