Congressional Encryption Working Group Backs Encryption (with Mixed Message)

3 minute read
| Analysis

iPhone with Encryption BackdoorThe Congressional Encryption Working Group (EWG) released a year-end report this week stating specifically that, “strong encryption is essential to both individual privacy and national security.” This leaves me with hope, even though the report contained a few mixed messages.

The Encryption Working Group

The EWG was set up by the House Judiciary Committee and House Energy and Commerce Committee to (re)study the subject of encryption. Much of the group’s work represented in this report was precipitated by the epic fight in 2016 between the FBI and Apple over access to a locked iPhone used by a dead terrorist in late 2015.

Membership of the 10-member group is half Republican and half Democrat, and their job is to do a deep dive into encryption on behalf of their committees. Their work would, in theory, be used to help develop legislation coming out of either committee.

In other words, the EWG is sort of a focus group tasked with doing the heavy lifting in understanding encryption.

You can read the full report on Patently Apple, which posted the full document to Sribd.

The Good in the Report

There was a lot of good stuff in this report. Specifically, it openly embraced the reality that if governments have backdoor keys to encryption, it’s worthless. Here’s a representative quote:

Cryptography experts and information security professionals believe that it is exceedingly difficult and impractical, if not impossible, to devise and implement a system that gives law enforcement exceptional access to encrypted data without also compromising security against hackers, industrial spies, and other malicious actors.

That is about as accurate as you could possibly hope for. Here’s another, which was the headline piece for what the EWG called “Observation #1:”

Any measure that weakens encryption works against the national interest.

That’s an important point, one that General Michael Hayden and members of the intelligence community have said publicly for years. While you, dear reader, and I might be most concerned about keeping our own data safe from hackers and thieves, the national interest and national security will weigh more heavily on Congress.

There is much more about the importance of encryption in the full report.

The Not So Good in the Report

Also on the accurate side of the report (from my perspective) is direct acknowledgment that, “the widespread adoption of encryption has had a profound impact on the law enforcement community.” This is true, absolutely.

From there, however, we get into mixed messages. For instance, the next quote includes one of the most powerful statements on the need for encryption, but it’s followed by a completely contradictory statement about law enforcement.

Congress should not weaken this vital technology because doing so works against the national interest. However, it should not ignore and must address the legitimate concerns of the law enforcement and intelligence communities

Heretofore, legions of people far smarter than me have concluded there’s no compromise on encryption. It’s hard to see how, when it comes to encryption, you can “address the legitimate concerns” of law enforcement.

There are other similarly contradictory statements throughout the report.

Proposals from the EWG

To be fair the report does outline some steps that would help law enforcement, but those steps don’t specifically address encryption. They include:

  • Creating unspecified “tools” to help law enforcement know what they can and can’t do
  • Possibly modifying warrant procedures in an unspecified manner
  • Clarifying warrant procedures
  • Reminding law enforcement that there are a crap ton of tools already at their disposal that don’t require screwing the nation (and the planet) on encryption
  • “Modernizing the National Domestic Communications Assistance Center” in an unspecified manner

Those proposals are solid and common sense—if vague. And, they don’t address the friction between law enforcement and encryption. As noted above, that’s because there is no addressing that friction. If we’re to be safe from the bad guys, law enforcement is going to have a harder job. That’s all there is to it.

A New Hope

Reading this report gives me new hope that Congress won’t mess encryption up. While some members of Congress steadfastly side with the “Of course law enforcement should be able to get at encrypted data” camp—Trey Gowdy (R-SC) and Jim Senssenbrenner (R-WI) spring to mind—the EWG appears to have listened to the people who actually understand this stuff.

6 Comments Add a comment

  1. furbies

    [quote]
    Congress should not weaken this vital technology because doing so works against the national interest. However, it should not ignore and must address the legitimate concerns of the law enforcement and intelligence communities
    [/quote]

    Perhaps your Congress can address this without weakening encryption by devising a law that allows a “higher court” (not a lower court) to order a suspect to “unlock” their encrypted device or the court will “assume” that the suspect has something to hide in as a far as particular charge is concerned ?
    (This is along the lines of “Done nothing wrong, then you have nothing to fear by unlocking”)

  2. Lee Dronick

    “Reading this report gives me new hope that Congress won’t mess encryption up”

    It could change drastically when President Elect Trump gets sworn in, I hope not.

  3. gGrant

    Somebody is making the mistake that law enforcement wants devices unencrypted for a particular crime. They want it -all the time- for everyone, suspect or not. They’ve had it since the telephone was invented (ref: Enemy of the State, a decade before Snowdon) and they want it even more badly now that they think they can store and mine this data. Not because there’s any particular reason for it, simply because THEY CAN.

    The rest is politics and rationalisation.

    Encryption can be broken (more quickly than anyone wants to admit), and for a specific crime, that’s all that needs to happen.

    All the breast beating, brow wiping and public anguish is merely softening the public up for government overreach. Law enforcement just don’t want to have to work that hard when communications were previously open to them at all times.

    FBI has a publicly admitted history of using information to blackmail people and a law was passed to limit the director’s tenure to prevent such abuses becoming institutional. That law was repealed by… not Bush… Obama.

    Congress has ignored Working Group reports before. Hate to burst that particular bubble. This report is to give the appearance of doing the right thing. The legislation will be entirely different. Study it carefully.

    FBI never worried about the terrorist Android phone (destroyed or not) because everything that ever went through that phone is stored on Google’s servers. Being destroyed, it seems, that is the phone that might have had any evidence on it, but nobody bothered/wanted to go there. Attacking Apple was always a rationalisation. FBI are used to open slather and Apple stands in their way.

  4. bbh

    Who defines “serious”. Isn’t the 5th Amendment supposed to prevent compulsory self incrimination even for “serious” stuff?

  5. bbh

    Who defines “serious”? Isn’t the 5th Amendment supposed to prevent compulsory self incrimination even for “serious” stuff?

Add a Comment

Log in to comment (TMO, Twitter, Facebook) or Register for a TMO Account