Lawmakers Skeptical About Encryption Override

Original Source 

The FBI and other law enforcement agencies are urging Congress to require firms that offer secure communications apps and devices to consumers to provide a means to access encrypted data. The push comes in the wake of decisions by Apple and Google to offer encryption by default on their mobile operating systems. 

Congress doesn't appear to be buying it, if an April 29 hearing of the House Oversight and Government Reform IT Subcommittee is any indication. Lawmakers honed in on the technical problem presented by creating a third-party key or backdoor for the FBI and other law enforcement agencies. 

Rep. Ted Lieu (D-Calif.), who has a degree in computer science, dismissed the notion of a secure backdoor key as "technologically stupid." 

The basic problem with giving law enforcement access to cryptography, said Matthew Blaze, a computer scientist and a professor at the University of Pennsylvania, is that programmers do not understand how to design secure backdoor keys, "even at an abstract theoretical level." 

Law enforcement witnesses didn't have answers to these objections. But Daniel Conley, a Massachusetts district attorney whose jurisdiction includes Boston, was optimistic about a technical solution. 

"I hate to hear talk like, ‘that cannot be done.’ Think about if Jack Kennedy said, 'We can't go to the moon. That cannot be done.' He said something else," Conley said. "So I would say to the computer science community, let's get the best minds of the United States together on this. We can balance the interests here." 

The intractable problem with backdoors is that if communications providers or law enforcement keeps a key to unlock private messages, that key becomes potentially discoverable by adversaries. There are some ways to reduce that risk, said Blaze, like splitting keys so they are stored in different places or held by a combination of individuals. But ultimately even a "key escrow" system is potentially discoverable. 

"It's impossible to build a back door for just the good guys," said Rep. Jason Chaffetz (R-Utah), chairman of the full committee. "If someone at the Genius Bar can figure it out, so can the nefarious folks in a van down by the river." 

U.S. companies also face challenges at the policy level. Jon Potter, resident of the Application Developers Alliance, warned that other countries, including China and Russia, would likely make their own demands for cryptographic backdoors if U.S. law required law enforcement access to mobile communications and apps. Moreover, such apps could be banned in European markets, which have stricter data privacy rules than in the U.S. Potter worries that companies would have to design and support different versions of their applications for different markets based on cryptography rules. "That especially harms startups and small innovators," Potter said. 

Weighing against all this is the government's interest in making sure it can get access to information held by criminal suspects. 

Amy Hess, executive assistant director of the Science and Technology Branch of the FBI, warned in her testimony that with unbreakable, end-to-end encryption, criminals can elude capture and prosecution for crimes such as human trafficking, child sexual exploitation and terrorism. Hess said that it would be more secure and useful to have law enforcement access built into systems and software at the design end, and she expressed hope that industry and government would be able to collaborate on solutions. 

"Certainly they won't be bulletproof, but certainly [there are] more secure ways of being able to get law enforcement what it needs, yet at the same time provide layers and layers and layers of security so that the providers can provide the customer with what they need as well," Hess said. 

There's no legislation pending on private network encryption, but FBI Director James Coney told a House Appropriations subcommittee in March that the bureau wanted a "legislative fix" to give law enforcement access to encrypted data.