US Congress locks and loads three anti-encryption bullets

We might ban it, we might not, but we will be in charge

US Congress is preparing no fewer than three new bills over the ongoing encryption debate: one banning end-to-end encryption, one setting up a commission to review the issue, and a third to make sure that it is Congress that gets to decide what happens next.

Leading member of the Senate Intelligence Committee Dianne Feinstein (D-CA) – who has been criticized for being too close to the NSA – has said she will introduce a new bill that will impose limits on encrypted devices.

She may be beaten to the punch, however, by Representative Michael McCaul (R-TX), chair of the House Homeland Security Committee, who has announced he will put forward a bill to create "a national commission on security and technology challenges in the digital age" – in large part to dig into the issue of encryption.

And then there is the Encrypt Act, put forward Wednesday by Representatives Ted Lieu (D-CA) and Blake Farenthold (R-TX). Their bill seeks to override other proposed bills in their home state's legislative bodies that would ban encryption by declaring that only Congress is allowed to make such laws.

All three efforts show how political the issue of protected communications has become in recent months. Sadly, none of them address the core issue at the heart of the debate: how can you give law enforcement access to encrypted comms without introducing a backdoor that others can use?

And another

Senator John McCain has also jumped into the debate, publishing an op-ed this week in which he reiterated the same line as a host of other politicians and presidential candidates: that Silicon Valley needs to "do something" to give law enforcement access to encrypted data but that something should not be a backdoor.

The question as to what that something actually is, then, has been notable by its persistent absence.

McCain appears to represent the establishment's view that there needs to be a 2016 equivalent of the 1990s when "legislation ensured law enforcement agencies are able to lawfully wiretap without mandating how those systems ought to be designed."

Unfortunately that "just do it" bellowing from the political sidelines fails to address the fundamental problems that sparked the encryption debate in the first place.

First, Apple, Google, Facebook et al were appalled to discover in Snowden documents that the NSA was abusing its access rights to carry out mass surveillance of all of their customers' communications, including tapping their data centers.

As a result of that, and the privacy outcry of their customers, Silicon Valley decided to increase the level of protection around data, increasing and expanding the amount of encryption it applies.

Critical among these changes has been Apple's decision to introduce end-to-end encryption on its phones so that even if it is presented with a warrant to hand over information, it is not in a position to decrypt that data into a readable format.

That approach means law enforcement loses its ability to act in secret and it also removes the ability of Congress to pass laws that enable law enforcement to insist on the handing over of information. Unsurprisingly, neither party has been keen on that loss of power.

Magical thinking

On a second related topic, technologists have been repeatedly making the point that if you introduce a flaw into encryption technology in order to enable it to be unencrypted later, then that flaw can also be used by others. And by others, everyone means the security services who do all that they can to access the data and don't bother with court orders or warrants.

The term "magical thinking" has been used to refer to the concept that it is possible to create a system that would grant law enforcement access to unencrypted data, but no one else.

Despite that term gaining wide usage in Washington, however, politicians and law enforcement personnel continue to insist that it is possible to do exactly that. Unable to come up with a solution, they have resorted to pressuring Silicon Valley to come up with an answer by passive-aggressively calling on their "brightest minds" to work on the issue.

As such, of the three proposed Congressional bills, only the one creating a special commission is likely to prove feasible.

Feinstein's plan to simply ban end-to-end encryption will hit a brick wall of objections, not least of which will be President Obama, who has said publicly he will not seek legislation on the issue.

Likewise McCain's call for 1990s legislation – which, incidentally, completely ignores the fundamental point that the information stored and shared on mobile phones these days is orders of magnitude more personal and private than simple phone conversations.

States rights

The bill to grant Congress sole rights to an encryption solution is likely to face opposition from Congressmen with a strong states-rights philosophy. Plus, its constitutionality would almost certainly be challenged by the states.

And that leaves the bill to create a commission to dig into the issue and come up with a reasoned solution – rather than knee-jerk legislative fixes. It may be the only practical outcome in an increasingly noisy and content-free debate.

Unfortunately, Congress does not have the best track record when it comes to reasonable and logical progress, so there is likely to be a lot more heat before a solution is found. ®
