May 1, 2015
Encryption advocates registered a big win this week when it became abundantly clear at a Congressional oversight hearing that lawmakers are skeptical of the FBI’s warnings about the purported dangers of encryption technology.
On Wednesday, five expert witnesses testified before the House Oversight and Government Reform Committee’s Subcommittee on Information Technology on the topic of “Encryption Technology and Potential U.S. Policy Responses.” One of those experts was Kevin Bankston, OTI’s Policy Director, whose written testimony laid out 10 reasons why backdoor mandates are a bad idea. (Read Bankston's shorter oral statement here.) Bankston was joined on the panel by technical expert Dr. Matthew Blaze, a respected computer science professor who, among other things, discovered a fatal flaw in the U.S. government's Clipper Chip proposal in 1994; Jon Potter, President of the Application Developers Alliance, who discussed the impact of backdoor mandates on companies; Amy Hess, from the Science and Technology Branch of the FBI, who explained the agency’s concerns about strong encryption; and Daniel Conley, District Attorney of Suffolk County, a representative of local law enforcement interests.
Although Blaze, Potter, and Bankston made a compelling case in favor of strong encryption, many of the best arguments against the idea of mandated backdoors came from the members of Congress themselves. Three of the fiercest critics at the hearing, Subcommittee Chairman Will Hurd, Representative Ted Lieu, and Representative Rod Blum, account for a significant percentage of the total number of Congressmen with backgrounds in computer science, a potent reminder of the need for greater technical expertise in government.
Here are some highlights from the exchanges between members and the witnesses on Wednesday afternoon:
Representative Jason Chaffetz (R-UT), Chairman of the House Oversight and Government Reform Committee:
“I have three general concerns about Director Comey’s proposal. First, it’s impossible to build just a backdoor for just the good guys… just the good guys can get this. If somebody at the Genius Bar can figure it out, so can the nefarious folks in a van down by the river...
“Second, we already live in what some experts refer to as the ‘Golden Age of Surveillance’ for law enforcement. Federal, state, and local law enforcement have never had… more tools at their disposal to detect, prevent, and prosecute crime. It seems that every day there is a new, often startling, story about the United States’ government’s ability to track its own citizens. I recognize technology can be a double-edged sword and may pose challenges for law enforcement, but we’re certainly not going to go dark, and in many ways we’ve never been brighter.
“Third, strong encryption prevents crime and is a part of the economy. People keep their lives on their mobile phones. A typical mobile phone might hold a person’s pictures, contacts, communications, finances, schedule, and much more personal information.... If your phone is lost or stolen you want to know your information is protected, and encryption does that.
“There’s a reason the world’s largest technology companies are increasingly developing stronger, more frequently used encryption technologies. It’s not because they’re anti-law enforcement, on the contrary it’s because sophisticated cyber hacks are nearly daily events. No one is immune from digital snooping, from the White House, to corporate America, to private citizens. The opportunity brought to us by the modern technologies are near limitless… but not if the system is compromised.
“Strong encryption helps ensure data is secure and allows companies and individuals to operate with confidence and trust… we have choices to make. Do we allow the 99% of Americans who are good, honest, decent, hardworking, patriotic people to have encrypted phones? Or do we need to leave the backdoor open and create vulnerability for all of them? Cause vulnerability, it’s all or none folks. It’s not just a little bit, not just for the good guys. And that’s why we’re having this hearing today.”
Rep. Chaffetz (after the FBI’s Amy Hess asserts that, in her opinion, encryption also helps prevent crimes):
“But the policies that the FBI is advocating, specifically the director, don’t necessarily fall in line with that, do they? I mean I struggle with what the director is asking for. Because are you going to have encryption? Not encryption?
“That’s the concern, if you create a key, now let’s pretend it’s a key to your house, you go down to Ace Hardware you make a copy of it, right somebody’s going to be able to figure it out, you have a locksmith who can go and open your front door. It’s the same principle and unless you have some new technology that we don’t know about, that’s the concern and that’s the disconnect between what we hear from the FBI and the reality of, do you create the hardest, strongest encryption possible, which means not having a key…?”
Representative Ted Lieu (D-CA): “As a recovering computer science major, it is clear to me that creating a pathway for decryption only for good guys is technologically stupid. You just can’t do that.”
Rep. Lieu: “I’m going to reserve the balance of my time to make a statement, which is primarily directed at Mr. Conley [the Suffolk County District Attorney]. I respect your public service; I take great offense at your testimony today. You mentioned that unaccountable corporate interests such as Apple and Google are essentially protecting those who rape, defraud, assault, and kill. I think that’s offensive; it’s a fundamental misunderstanding of the problem. Why do you think Apple and Google are doing this? It’s because the public is demanding it. People like me, privacy advocates, a public that doesn’t want an out of control surveillance state. It is the public that is asking for this, Apple and Google didn’t do this because they thought they’d make less money. This is a private sector response to government overreach.
“Then you make another statement, that somehow these technology companies are not credible because they also collect private data. Well here’s the difference: Apple and Google don’t have coercive power. District Attorneys do, the FBI does, the NSA does. And to me it’s very simple to draw the privacy balance when it comes to law enforcement and privacy – just follow the damn Constitution. And because the NSA didn’t do that, and other law enforcement agencies didn’t do that, you are seeing a vast public reaction to this. Because the NSA, your colleagues, have essentially violated Fourth Amendment rights of every American citizen for years by seizing all of our phone records, by collecting our internet traffic, and now this is spilling over to other aspects of law enforcement. And if you want to get this fixed I suggest that you write to NSA, and the FBI should tell the NSA, stop violating our rights. And then maybe you’d have the public much more on the side of supporting some of what law enforcement is asking for. And then let me just conclude by saying I do agree with law enforcement that we live in a dangerous world. And that is why our Founders put in the Constitution of the United States, why they put in the Fourth Amendment. Because they understand that an Orwellian, overreaching federal government is one of the most dangerous things this world can have.”
Rep. Lieu: “Currently right now there is nothing preventing two people, anywhere in the world, from downloading an encryption program to encrypt end to end, those two communications that would make this pathway essentially meaningless… and is it your understanding that sometimes terrorists now resort to using something as writing something on a piece of paper to go off the grid? …And we don’t say that companies who make paper shredders are somehow protecting terrorists, correct?”
Representative Robin Kelly (D-IL): “Is there such a thing as creating a backdoor that is only for the good guys?... Also, could the existence of a backdoor created in the interest of public safety actually serve as a ‘Trojan horse’ that cybercriminals exploit to their advantage?” (Witnesses answer in the affirmative.)
Representative Blake Farenthold (R-TX): “Wouldn’t [a golden key] become the biggest hacker target in the world if it were known that there were a golden key and what we might have today that might be deemed secure as computing power increases might become a lot easier to break?” (Witnesses answer in the affirmative.)
Rep. Farenthold: “Is there anyone on the panel who believes we can build a technically secure backdoor with a golden key? Raise your hand and I’ll recognize you if you think that can be done... Let the record reflect no one on the panel thinks that can be done.”
District Attorney Conley (in response to Rep. Farenthold’s question): “I hate to hear talk like ‘that cannot be done’, imagine if Jack Kennedy said we cannot go to the moon, that cannot be done. He said something else. We’re going to get there in the next decade. So I would say to the computer science community, let’s get the best minds in the United States together on this. We can balance the interests here.”
Rep. Farenthold (in response to Mr. Conley): “I appreciate that, because I’m a proud American as well, but I think what we’re saying today is, it would be the equivalent of President Kennedy saying ‘we’ll be able to get to the moon in ten years and nobody else will ever be able to get there ever’… it’s not like we’re saying that we can’t develop a secure system but we are also saying that, can we develop a secure system that will remain secure for any length of time that somebody smarter might not be able to hack five years down the road.”
Representative Rod Blum (R-IA): “I’m a software developer myself, and I’m also a homebuilder. So I’d just like to give you an analogy, as I understand this. Isn’t this analogous to the government asking for, or requiring homebuilders to put a video camera in every room of every new home they build, with the guarantee or the promise that the government won’t turn it on…unless we get a warrant? And that would make law enforcement’s job easier, correct and this would make law enforcement’s job easier... and quicker if there is a crime in the home? Isn’t this analogous to that? ...Because what troubles me is law enforcement tends to agree with, and I’ll paraphrase here, but that there’s a reasonable standard of privacy, of Fourth Amendment rights when one is in their own home… but when it comes to our cell phone conversations, our emails, anything that is electronic and data, it seems that this reasonable right to privacy isn’t there.”
Representative Will Hurd (R-TX), Chairman of the Subcommittee on Information Technology: “I would like to read... Recommendation 29 that President Obama’s Review Group provided was:
“‘We recommend that, regarding encryption, the US Government should:
1. Fully support and not undermine efforts to create encryption standards;
2. Not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and
3. Increase the use of encryption and urge U.S. companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.’
“I think that’s a pretty good recommendation.”
Overall, the message from the Congressional representatives at the hearing was clear: backdoor mandates are a bad idea for a variety of technical and economic reasons, and they would undermine Americans’ civil liberties. We hope the FBI and other members of law enforcement heed their message.