The first report from the congressional working group on encryption offered few answers but many questions about...
how to reconcile the needs of citizens whose digital lives are protected by strong cryptography with the unease of law enforcement and intelligence agencies that claim to be thwarted by the experience of "going dark" when faced with inaccessible evidence.
The encryption working group, formally called the House Judiciary Committee and House Energy and Commerce Committee, was created by the chairmen and ranking members of those two committees in the wake of the legal battle between the FBI and Apple over unlocking and decrypting the contents of an iPhone used by one of the attackers in the 2015 San Bernardino mass shooting.
The report, just 13 pages long, was prepared after members of the working group and their staffs "held meetings, briefings, and roundtables with dozens of stakeholders from private industry, the intelligence community, federal law enforcement, state and local law enforcement, civil society, and the academic community," over a period of six months.
The working group led off its report with four observations the group offered as a foundation for further examination of encryption issues, followed by discussion of "next step" areas for further discussion.
Observing that "[a]ny measure that weakens encryption works against the national interest," the working group summarized the conflict: law enforcement agencies concerned about "going dark" face escalating obstacles to collecting evidence that is increasingly inaccessible due to encryption, while also noting the importance of strong cryptography to "personal, economic and national security."
Matt Blaze, associate professor of computer and information science at the University of Pennsylvania, noted on Twitter that the report shows the issue of encryption is a bipartisan one:
Takeaway from House crypto report: leaders on right & left, who agree on little, agree: weakening encryption is against national interest.— matt blaze (@mattblaze) December 21, 2016
Initial reaction to the report was largely positive. Rep. Suzan DelBene (D-Wash.) said the "Encryption Working Group report represents a critical first step in elevating the encryption debate beyond the fallacy of privacy versus security," in a statement provided to SearchSecurity. "I am pleased that our group was able to come together on a bipartisan basis to affirmatively state once and for all: requiring companies to weaken devices with 'backdoors' means we open up innocent Americans to the bad actors who would love easier access to our citizens' personal information."
However, reading more deeply reveals that despite the seeming agreement on the importance of strong cryptography, the working group members still left themselves room to maneuver.
"Congress should not weaken this vital technology because doing so works against the national interest," the report read, but then immediately pivoted, stating: "However, it should not ignore and must address the legitimate concerns of the law enforcement and intelligence communities."
The working group's other observations included noting that strong cryptography is a global phenomenon and is available globally; that "no one-size-fits-all solution to the encryption challenge" will satisfy all stakeholders; and finally, Congress "should foster cooperation between the law enforcement community and technology companies."
The "next steps" section of the report offers some indication of how Congress may approach the going dark issue, starting with some relatively uncontroversial approaches to expanding access for law enforcement agencies to data that has not been encrypted, including looking at tools companies could provide to give better insight into what data is available for law enforcement and how it may be accessed, reviewing federal warrant procedures to see if they can be made more efficient, clear and consistent and looking at ways law enforcement can better use metadata and other investigative tools already available to them.
But the group also recommended Congress consider options like compelling individuals to disclose passwords and PINs for accessing locked smartphones, and asked: "Are there other circumstances that would enable the government to compel production of a passcode without undermining the Fifth Amendment?"
Other areas for further investigation the group suggested include exploring the use of metadata analysis, legal hacking (also known as "lawful hacking") and investigating ways that Congress can foster privacy while also looking into how consumers' privacy and data security would be damaged by weakening encryption.
Find out more about the 'going dark' debate.
Learn about why the FBI believes backdoors could be unnecessary.
Read about why a former CIA/NSA director supports strong encryption.