House group seeks alternatives on encryption fight

The House Encryption Working Group pushed back against efforts to legislate encryption in its year-end report, released Tuesday, instead calling for investigations of new law enforcement techniques.

“Congress should not weaken this vital technology because doing so works against the national interest. However, it should not ignore and must address the legitimate concerns of the law enforcement and intelligence communities,” reads the report.

Law enforcement, especially FBI Director James Comey, has pushed hard for back doors, saying that not being able to access encrypted data will hinder investigations. The security community disagrees, saying weakening encryption — a central requirement for defending intellectual property, infrastructure, commerce and all secure internet traffic — will cause more harm than good. 

The debate has been, at times, fought with dogmatic fury.  

“Unsurprisingly, the working group has reached the same conclusion as countless national security experts, computer scientists, and legal experts – undermining encryption is bad for our security and bad for our communities,” said Neema Singh Guliani, ACLU legislative counsel, in a statement. 

{mosads}The Encryption Working Group is composed of House Judiciary Committee Chairman Bob Goodlatte (R-Va.), House Energy and Commerce Chairman Fred Upton (R-Mich.), Judiciary ranking member John Conyers (D-Mich.), Energy and Commerce ranking member Frank Pallone Jr. (D-N.J.), and Reps. Jim Sensenbrenner (R-Wis.), Darrell Issa (R-Calif.), Zoe Lofgren (D-Calif.), Suzan DelBene (D-Wash.), Bill Johnson (R-Calif.) and Yvette D. Clarke (D-N.Y.).

“I am pleased that our group was able to come together on a bipartisan basis to affirmatively state once and for all: requiring companies to weaken devices with ‘backdoors’ means we open up innocent Americans to the bad actors who would love easier access to our citizens’ personal information,” said DelBene in a statement.

Most of the report deals with what the working group needs to research to move forward, including some issues that have fallen under Congress’s radar. Lawful hacking — an already-used practice — is seldom discussed in Congress, but it is an increasingly important tool to law enforcement.

Lawful hacking ultimately resolved the San Bernardino, Calif., case that pitted the FBI against Apple last year. The FBI eventually licensed a third-party vendor’s technique to hack into the iPhone of one of the two attackers.  

The government also invests its own resources into discovering and purchasing new security vulnerabilities. It is a process regulated only by executive fiat and fraught with its own controversy over whether the law enforcement benefits outweigh the harm if criminals discover the same flaws. 

The rules for deciding which vulnerabilities to keep, known as the vulnerabilities equities process (VEP), are an Obama administration invention that may change in future administrations. The prospect that Congress may discuss the VEP has earned the report some admirers. 

“We are encouraged to see the report acknowledge the “vital” role encryption plays in our national security and that weakening encryption makes America less safe. We also welcome the working group’s willingness to work on issues beyond encryption on a bipartisan basis, such as the Vulnerabilities Equities Process,” the lobbying group Internet Association said in a statement. 

The report also calls for more investigation into compelling suspects to give up passwords and the role of metadata in law enforcement. 

As it stands, police cannot compel a suspect to give up a text password to a device or computer — it is considered by most courts a violation of a defendant’s right against self-incrimination. Police can, and do, force suspects to open phones with fingerprint-based security, however. 

Metadata — information collected by the phone company such who was called and for how long — is often proposed as a suitable replacement for the data lost because of encryption. The report notes that, while there may be different types of data, it might not be fair to assume that any one type of evidence contains all the information another type of evidence contains.

Fully comprehending all of the issues will not come quickly, the report notes, but the dangers of a knee-jerk decision on encryption could be devastating. 

“This is a complex challenge that will take time, patience, and cooperation to resolve. The potential consequences of inaction—or overreaction—are too important to allow historical or ideological perspectives to stand in the way of progress,” concludes the report.