Modern field guide to security and privacy

Both sides of data encryption debate face off in Congress

Congress hears from technologists who favor stronger encryption on consumer devices and those who say such technology could hamper law enforcement efforts. 

Brendan McDermid/Reuters
A customer uses an iPhone and a Macbook computer at the Genius Bar in the Apple Store at Grand Central Station in New York.

The debate over whether more robust encryption technology on devices such as Apple's iPhone will hamper law enforcement efforts erupted in Congress on Wednesday.

Some of the strongest voices in favor of tougher encryption faced off against law enforcement officials, who say those kinds of technologies could impede investigators trying to obtain data needed to fight violent crime, at a hearing of the House Subcommittee on Information Technology.

"As technology continues to evolve and encryption capabilities become a part of everyday life for all Americans, this debate will only grow larger," said subcommittee chairman Rep. Will Hurd (R) of Texas, who helped build a cybersecurity company before he was elected to Congress and appeared deeply skeptical of law enforcement's position during the hearing.  "I believe we can find a way to protect the privacy of law-abiding citizens and ensure that law enforcement have the tools they need to catch the bad guys."

Both Google and Apple have said they would begin offering encryption by default on their mobile operating systems, meaning phones out of the box would store data in a format that hackers – or the government – would have more trouble accessing.

Those changes led the heads of the Federal Bureau of Investigation, National Security Agency, and Department of Homeland Security to express strong concerns that their agencies would face potentially harmful barriers to accessing data on cellphones even with a warrant. As a result, law enforcement and national security officials have called for tech companies to allow access to protected files – something known in cryptography as a “back door."

But the problem with that concept, the experts agreed at Wednesday's hearing, is that building in another access point to security software increases the vulnerabilities in encryption for anyone to exploit, including criminals or nation-state actors. 

"Every technical expert that has spoken publicly on this controversy ... has concluded that it is impossible to devise a system that provides government access to data on encrypted devices, or to end-to-end encrypted communications, while also ensuring that it remains secure against other attackers, be they computer criminals, industrial spies, Chinese intelligence, or anyone else," said Kevin Bankston, policy director of the digital advocacy group Open Technology Institute, in his prepared remarks. 

Rep. Blake Farenthold (R) of Texas asked the panel witnesses to raise their hands if they believed encryption built with back doors could be as secure as encryption without built-in government access. Not one – even those arguing for the backdoor – made that claim. 

Matthew Blaze, a cryptographer at the University of Pennsylvania, noted there would even be problems with a "split key" approach floated as a possible solution to allow law enforcement access to data. This system would require consent from two parties other than the owner to break encryption. Blaze, however, said that adding more people to guard the keys, the technology is still inherently weakened. "There are still fundamental problems." 

Amy Hess, the FBI's executive assistant director for its science and technology branch, said the agency generally favors encryption technology, and was optimistic that some balance will be reached between technology companies and law enforcement.

"To be clear, we in the FBI support and encourage the use of secure networks and sophisticated encryption to prevent cyberthreats," Ms. Hess said. "We know that adversaries will exploit any vulnerability they find. But we believe security risks associated with the implementation of lawfully authorized access are better addressed during the design phase rather than resorting to a patchwork solution after the product or service has been deployed."

“Companies must continue to provide strong encryption for their customers and make every effort to protect their privacy," she said. "But so, too, does law enforcement have a real need to obtain certain communications data when ordered by a court of law. We care about the same things – safety, security, and prosperity.”

For instance, Suffolk County (MA) District Attorney Daniel Conley argued that cell phone video – that using the same technology today would have been encrypted – was an important part of the Boston Marathon bombing investigation, though he did acknowledge that most of the data was turned over voluntarily so there would have been no need for law enforcement to break it in this instance.

Mr. Conley also said he believed the new default encryption policies were hypocritical on the part of cell phone manufacturers. “[Apple and Google’s] nominal commitment to privacy rights would be far more credible if they were forbidding themselves from access to their customer’s interests, search terms and consumer habits,” he said. 

But members of Congress showed little sympathy for law enforcement's arguments. Ted Lieu (D) of California, who holds a computer science degree, called back doors "technologically stupid."

"There's a reason the world's largest technology companies are increasingly developing stronger and more frequently used encryption technologies," said Rep. Jason Chaffetz (R) of Utah. "It's not because they're anti-law enforcement. On the contrary. It's because sophisticated cyberhacks are nearly daily events."


of stories this month > Get unlimited stories
You've read  of  free articles. Subscribe to continue.

Unlimited digital access $11/month.

Get unlimited Monitor journalism.