11.23.15

No easy or simple solutions for encryption (Washington Examiner)

The fever-pitched debate over "encryption" that erupted in the aftermath of the Paris terrorist attacks may subside just as quickly, as lawmakers and other policymakers grapple with the difficult realities of trying to craft rules in this space.

In a nutshell, technology companies and privacy advocates say any U.S. requirement that encrypted products — like smartphones — contain a "back door" allowing access in some circumstances will be exploited by other countries such as China, by cyber criminals and by terrorists.

On the other hand, CIA Director John Brennan, FBI Director James Comey, Senate Armed Services Chairman John McCain, R-Ariz., Senate Intelligence Chairman Richard Burr, R-N.C., and ranking member Dianne Feinstein, D-Calif., and others have long been concerned that encrypted consumer communications devices create a dark space beyond the reach of law enforcement and intelligence agencies.

 

Following the Nov. 13 atrocity in Paris that left 129 dead, these lawmakers and senior law enforcement officials seized on early reports that the killers may have used encrypted smartphones to communicate among themselves. Those reports have yet to be publicly confirmed by officials in France or the United States.

 

McCain vowed to hold hearings within the Armed Services Committee and develop legislation on access to encrypted data, in a legally controlled environment.

 

One approach would be for the tech companies to retain a "key" to encrypted data that could only be accessed with a court order. But if such a key exists, techies counter, bad actors will find it.

 

"I don't know what the answer is," McCain acknowledged to reporters. "That's why we have to have hearings."

 

The Armed Services panel had yet to schedule a hearing by week's end, as Congress headed out for its Thanksgiving recess.

 

Burr agreed that Congress needs to step in and address encryption. Feinstein said she had reached out to Silicon Valley seeking the tech community's help, in a collaborative way, and been rebuffed.

 

"Well, I have actually gone to Silicon Valley," Feinstein said Nov. 16 on MSNBC. "I have met with the chief counsels of most of the big companies. I have asked for help. I haven't gotten any help."

 

Feinstein added: "I think that Silicon Valley has to take a look at their products, because if you create a product that allows evil monsters to communicate in this way, to behead children, to strike innocents, whether it's at a game in a stadium, in a small restaurant in Paris, take down an airliner, that's a big problem. So we need high tech's help in securing an Internet that even with a court order, you can't get to what they're saying. That's a big problem."

 

By the end of the week, it remained unclear if or how the Senate Intelligence Committee or other congressional committees might try to address strong encryption.

 

The issue has been broached repeatedly this year in hearings before congressional intelligence and homeland security committees, and Senate Judiciary Chairman Charles Grassley (R-Iowa) held a hearing specifically on the topic last summer.

 

Grassley at the time said "an open and honest conversation" was necessary, respectful of different points of view. "Today I hope the Senate takes a first step at seeing if any consensus is possible on this important and complicated issue," Grassley said.

 

Grassley made clear that policy answers were not obvious to anyone; but after the Paris attacks, he said it was even more urgent to keep trying to find the right balance.

 

"It's no secret that technology exists today that allows terrorists and criminals to communicate in the shadows, using encryption that makes it impossible for law enforcement or national security authorities to do everything they can to protect Americans, even when they obtain warrants, court orders, or other lawful process," Grassley said in a statement last week. "Of course privacy is important, but so is the rule of law."

 

The veteran senator from Iowa added: "Now, there's a great deal of speculation that terrorists used encrypted communications to plan the well-coordinated attack in Paris. Whether that's true or not, we need to learn more about how they were able to go undetected and carry out such atrocities against innocent human beings. The primary responsibility of our federal government is to keep the nation secure, and we need to ensure we are taking all necessary steps to protect our national security while ensuring Americans' constitutional protections are maintained."

 

Comey, Attorney General Loretta Lynch and other senior officials have said a productive dialogue is underway between the government and tech community.

 

Techies counter that the two sides have been talking past one another.

 

Technologists and civil liberties groups say there is no way to create limited access to encrypted products solely for relevant U.S. law enforcement and intelligence purposes.

 

"Tech experts have said [back doors] are not technologically feasible for a single authorized user, it is something that will be exploited," according to an IT sector source.

 

Neema Guliani of the American Civil Liberties Union said: "As numerous experts have noted, back doors to ensure law enforcement access can be exploited by malicious actors. In the wake of the Paris attacks, it would be a mistake to advance any policy that weakens encryption, degrading the privacy and security of Americans."

 

House Intelligence ranking member Adam Schiff, D-Calif., expressed hope that a more productive dialogue is possible involving the tech sector, law enforcement, civil liberties groups and others.

 

Schiff has a foot in several camps on the issue, as sponsor of strong cybersecurity legislation, a civil liberties champion and an advocate for the tech industry in his home state.

 

He said legislation on encryption is "premature," but added that "more productive" discussions may be taking place between the government and the tech community. "The camps are coming out of the polarized modes," Schiff said. "I think that's improving."

 

A tech-sector source agreed that "serious discussions" on encryption may come out of the recent tragedy.

 

But there are no easy or simple solutions.

 

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.


Source: Washington Examiner