The enormous fissure that formed decades ago in the deathless American debate over encryption proved insurmountable on Tuesday. Senate lawmakers struggled to be heard on the all-important topic by the two tech company suits that they invited over mostly for the purpose of serving as punching bags.
Supposedly aimed at analyzing the “benefits and risks” of granting law enforcement the ability to bypass the strongest of privacy measures available to consumers, the hearing, called by Sen. Lindsey Graham’s Senate Judiciary Committee, in some instances devolved into threats.
“You’re gonna find a way to do this, or we’re gonna do it for you,” Graham fired off early on, scoffing and cutting off two witnesses—officials from Apple and Facebook—as he’s often inclined to do.
However, Tuesday’s hearing was an unusually bipartisan affair: Sen. Dianne Feinstein, the ranking member, went straight for the most prominent of recent encryption cases, FBI v. Apple—in which the former asked a judge to compel the latter into unlocking the iPhone of the San Bernardino shooter, Syed Rizwan Farook—waving the victims of the related terrorist attack in the face of Erik Neuenschwander, Apple’s manager of user privacy.
“A lot of people killed,” she said, “a lot of people injured.”
The FBI ultimately paid an outside firm to break into the phone. The cost of doing so, which Feinstein said had been imparted to her in a “classified way,” was “obnoxious it’s so high.” This led her to form a “very strong opinion,” she said, “that these devices have to be able to be opened when a crime is committed and this is evidentiary.” (In 2017, Feinstein said the cost of cracking the San Bernardino shooter’s phone was $900,000.)
Neuenschwander made Apple’s feelings on the subject clear in his prepared remarks, declaring strong encryption an imperative, calling it a vital safeguard against the sophisticated attacks of malicious actors and the “underlying technology providing information security in all modern systems.”
“We do not know of a way to deploy encryption that provides access only for the good guys,” he said, “without making it easier for the bad guys to break in.”
Neuenschwander’s perspective is widely supported among experts in the cryptography field and is shared among many privacy advocates who argue that granting law enforcement “exceptional access” to all forms of electronic communication betrays a prevailing commitment to the protection of human rights.
At the heart of the debate lies the sincere doubt of privacy proponents that law enforcement agencies—whose employees routinely abuse privileged access to data, often for petty reasons, such as to spy on neighbors and lovers—are even capable of securing the all-powerful means to decipher encrypted data.
Security experts have taken issue with the idea that law enforcement is equipped to anticipate the kinds of technical vulnerabilities that would threaten to undermine whatever system is established granting them access to so much intimate correspondence. Not three years ago, a trove of Central Intelligence Agency secrets was spilled everywhere online. If the CIA can’t keep its own secrets, how can the public trust anyone in the government with this responsibility?
Presumably, hundreds, if not thousands, of local, state, and federal agencies would eventually want access.
Manhattan District Attorney Cyrus Vance, invited by the committee to undercut Apple’s position, fired off statistics regarding how many devices his office alone has been unable to access. “About half of those are Apple devices,” he said of the uncrackable devices, adding that 82 percent of the time, the devices are now locked, as opposed to “60 percent four or five years ago.”
Vance said his technicians, using their own methods and those purchased from outside firms, are able to unlock around half of the devices.
Vance went on to tell Texas Sen. John Cornyn that at “the direction of the leaders of this country,” Apple and Facebook should be pressed to resolve law enforcement’s encryption problem, suggesting that Silicon Valley’s best and brightest could, should they ever desire, make short work of it. Vance then seemed to undercut his own argument by acknowledging that he was just “a simple DA,” who, he said, lacks “technical experience.”
Citing the “understandable frustration” of law enforcement in “solving crimes,” Sen. Chris Coons pressed Jay Sullivan, Facebook’s Messenger privacy chief, saying he was concerned that child predators would “continue to use Facebook products, like Messenger, to harm the most vulnerable.” He asked what steps the company would take to guarantee it wasn’t “favored” by those looking to exploit children and whether its current efforts to identify illegal images would be hampered by the deployment of end-to-end encryption across Messenger.
“We believe there’s no place for these activities on our products,” Sullivan said.
Coons fired back: “So you’re against child pornography and child abuse?”
“Absolutely,” Sullivan said.
“Thank you for clarifying that,” Coons replied.
When encryption comes, Sullivan said, Facebook will continue to identify “bad actors” by allowing users to report illegal content, among other means. After Coons noted that criminals trading in child pornography are unlikely to report one another, Sullivan responded by saying Facebook knows that it’s common for such criminals to communicate with many people. “We understand their playbook a little better,” he said.
“What I’m trying to say is a lot of our techniques are what we call ‘behavioral’ based on the people and how they interact and not necessarily 100 percent reliant on content,” Sullivan added.
A group of leading computer scientists and cryptographers wrote in 2015 that a proposal to regulate encryption and guarantee law enforcement access “feels rather like a proposal to require that all airplanes can be controlled from the ground.”
“While this might be desirable in the case of a hijacking or a suicidal pilot, a clear-eyed assessment of how one could design such a capability reveals enormous technical and operational complexity, international scope, large costs, and massive risks — so much so that such proposals, though occasionally made, are not really taken seriously,” they said.
A working group report finalized this September by a group of academics, cybersecurity professionals, and former federal law enforcement agents—including Jim Baker, former FBI general counsel; Tom Donahue, who served on the National Security Council under Presidents Bush and Obama; and Chris Inglis, former deputy director of the National Security Agency (NSA)—concluded that accessing encrypted communications in transit “may not offer an achievable balance of risk vs. benefit.”
It concluded that such a goal is “not worth pursuing and should not be the subject of policy changes, at least for now.”
The group, whose work was sponsored by the Carnegie Endowment for International Peace and Princeton University’s Center for Information Technology Policy, suggested that, instead, the debate be focused on encrypted data “at rest on mobile phones.” It concluded that if constructive dialogue could not be had on this front, “then there is likely none to be had” with respect to other forms of encryption.
Bruce Schneier, a renowned cryptographer and security technologist, wrote in a brief, mostly rosy review of the report, “I don’t believe that backdoor access to encryption data at rest offers ‘an achievable balance of risk vs. benefit’ either, but I agree that the two aspects should be treated independently.”
Writing for Bloomberg on Tuesday, Michael Hayden, who was the director of both the NSA and the Central Intelligence Agency, argued that users would “simply migrate” to services with privacy options not offered by companies following U.S. mandates. Indeed, he noted that “even if Congress compels tech firms to comply,” this would have “no impact” on encryption services created abroad or by the open-source community.
Hayden, who publicly sided with Apple in the San Bernardino case, pointed to the Hong Kong protests where, he said, pro-democracy protesters have easily moved their communications “beyond the reach of Chinese authorities” by switching from using domestic communication services to encrypted, foreign apps like Telegram.
“Unless Washington is willing to embrace authoritarian tactics,” he added, “it is difficult to see how extraordinary-access policies will prevent motivated criminals (and security-minded citizens) from simply adopting uncompromised services from abroad.”
At Tuesday’s hearing, Sullivan echoed that concern, likewise arguing that an encryption backdoor would ultimately drive users to adopt apps developed overseas and even further hinder domestic law enforcement efforts.
“...[W]e’ve been very active and we’ve also been very proactive, especially in the area of child exploitative imagery and child grooming,” Sullivan said of Facebook’s cooperation with authorities. If the FBI were forced to approach foreign companies instead “because that’s where the users go,” it would be even harder, he said, to secure that cooperation.