Established in the wake of the FBI/Apple iPhone unlocking controversy, the US House of Representatives’ Encryption Working Group (EWG) has issued a strong recommendation in favor of the use of encryption for private communications.
“Any measure that weakens encryption works against the national interest,” the group said in its year-end report. “Congress should not weaken this vital technology.”
The group is a joint effort of the US House Judiciary Committee and the House Energy and Commerce Committee, and includes two Republicans and two Democrats from each Committee, as well as the chairmen and ranking members of the respective Committees serving as ex officio members.
Back in February, a federal magistrate judge in the US District Court for the Central District of California issued an order requiring Apple to assist the FBI in obtaining encrypted data from an iPhone related to a 2015 shooting in San Bernardino, Calif. Apple resisted the order, but the FBI pursued a different method to access the data stored on the device. Nevertheless the case, and the heated rhetoric exchanged by parties on all sides, reignited a decades-old debate about government access to encrypted data.
The group acknowledged the position of Apple and other entities as it explained the rationale for protecting encryption:
Representatives of the national security community told the EWG that strong encryption is vital to the national defense and to securing vital assets, such as critical infrastructure. Civil society organizations highlighted the importance of encryption for individual privacy, freedom of speech, human rights, and protection against government intrusion at home and abroad. Private sector stakeholders—in particular, their information security officers—and members of the academic community approached the question from an engineering perspective—against a wide array of threats, foreign and domestic, encryption is one of the strongest cybersecurity tools available.
However, the group also noted that encryption policy must address the legitimate concerns of the law enforcement and intelligence communities.
“To be clear, the widespread adoption of encryption has had a profound impact on the law enforcement community,” the report noted. “Even with a lawful court order, even in dire circumstances, the authorities may not have access to encrypted data. To this end, Congress should explore proposals that have so far received little attention in the committees, but may offer valuable assistance to law enforcement agencies in a digital landscape where default strong encryption is ubiquitous.”
Some ideas include collaboration between the law enforcement community and the technology sector, and information-sharing between different elements of the law enforcement community.
“Public perception and recent tensions notwithstanding, there is already substantial cooperation between the private sector and law enforcement,” the report said. “Private company stakeholders demonstrated an ability to assist federal, state, and local agencies with access to information to the extent possible and with service of a lawful order, and expressed a willingness to explore ways to improve and enhance that collaboration.”
Stakeholders from all sides were nearly unanimous in describing a significant gap in the technical knowledge and capabilities of the law enforcement community, particularly at the state and local levels.
“This results in a range of negative consequences that not only hinder law enforcement’s ability to pursue investigations but also contribute to its tension with the technology community,” the report concluded. “For example, from the perspective of law enforcement, routine requests for data are often challenged by the companies, unnecessarily delayed, or simply go unanswered. From the perspective of the companies, these requests often lack appropriate legal process, are technically deficient, or are directed to the wrong company altogether.”
The working group also noted that a Congressional mandate requiring companies to maintain exceptional access to data for law enforcement agencies would apply only to companies within the United States.
“The consequences for such a policy may be profound, but they are not likely to prevent bad actors from using encryption,” the report stated. “Representatives of various private companies told the EWG that a mandate compromising encryption in the US technology sector would simply shift consumers to products offered by foreign companies. These forces might incentivize larger companies to leave the United States, and render small business and other innovators in the field obsolete.”
Above all, the group warned against engendering a binary debate between law enforcement and private entities.
“Encryption is inexorably tied to our national interests,” the report concluded. “It is a safeguard for our personal secrets and economic prosperity. It helps to prevent crime and protect national security. The widespread use of encryption technologies also complicates the missions of the law enforcement and intelligence communities. As described in this report, those complications cannot be ignored. This is the reality of modern society. We must strive to find common ground in our collective responsibility: to prevent crime, protect national security and provide the best possible conditions for peace and prosperity.”
Photo © Den Rise