Our Top Five Takeaways From Today's Hearings on Encryption
Despite all of the evidence to the contrary, FBI Director Comey wants you to know that he doesn't want another crypto war. As he said today in hearings before the Senate Judiciary Committee and Senate Select Committee on Intelligence (SSCI), he just wants a discussion. Of course, it's hard to have a discussion when you're not listening to anyone else. And in this case, Comey and those who support weakening encryption simply aren't listening to the experts telling them that backdoors or golden keys just won't keep us safe.
Much of what Mr. Comey, his law enforcement colleagues, and anti-encryption lawmakers said today repeated familiar tropes. But there were some important takeaways. Here are our top five:
5. Some Lawmakers Believe Public Safety is More Important Than the Constitution
I’ve heard my colleagues, with all due respect, talking about attacks on privacy and our constitutional rights et cetera, et cetera, but it seems to me that our first obligation is the protection of our citizenry against attack, which you agree is growing.
-Senator John McCain
Most elected representatives who support undermining encryption (along with other intrusive law enforcement measures like mass surveillance and unregulated use of surveillance technology) make arguments about striking a balance between civil liberties and safety. This hearing was no exception.
But even while lawmakers talk about striking a balance, they cite endless tirades of anecdotes about ISIS and Al Qaeda to support their need for whatever tool they want to adopt or keep, making it clear that in the current environment, they think we should reassess our ideas. Senator McCain was far more honest about where he stands than most elected representatives—instead of implying that safety is more important than the Constitution, he actually said it.
The reason lawmakers don't generally say that is probably because Congress takes an oath to uphold the constitution—including the rights that Senator McCain thought were important enough to warrant only an "et cetera, et cetera."
Of course, Senator McCain's statement is a red herring. As we explain below, we have no real evidence about how much of a problem encryption really is—but we DO know breaking it at the government's request is a serious threat not only to privacy, but to the safety of the Internet.
4. The Government Wants Companies To Hold the Keys—But The Companies Don't Want To
Both Deputy Attorney General (DAG) Sally Yates and FBI Director Comey said something important at the hearing—they're not looking for a "one size fits all" legislative solution right now. That's a good thing, of course. We would fight tooth and nail against any proposal undermining encryption. The technology industry has also made it clear that they oppose any such policies.
But if Comey and Yates don't want legislation, what do they want? DAG Yates repeatedly broached the idea that companies should be able to access their customers' data—presumably without customers' knowledge or consent. Senator Ron Wyden said that to him, it looks like we're moving towards a proposal that tech companies stockpile keys to encrypted communications. And when he asked Director Comey whether there has been any analysis of the effects of stockpiling of keys on cybersecurity, Director Comey wasn't able to answer.
Of course, regardless of who holds the key, creating a way to access data means creating a security flaw. Not only does it seem incredibly unlikely that industry would support a proposal that they “hold the keys,” we’d be left with the same problem—broken, unsafe products.
3. Proponents of Weakening Encryption Couldn’t Address the Availability of Open-Source or non-U.S. Encryption Tools
Throughout both hearings the ire of both law enforcement and Senators focused on one target: U.S. companies that create products the companies themselves can’t decrypt. Senator Waterhouse went so far as to propose that companies should be held liable for anything bad that happens because of their encryption. But strong encryption tools come from a variety of sources, including free and open-source software projects, as well as products developed by non-U.S. companies. The only major difference between these sources is the adoption rate; as Comey himself observed, default encryption on popular devices has created an inflection point. Whereas just a few years ago encryption was the realm of a tech-savvy few, now everyone has access to better security thanks to the sorts of changes Apple has made. So what would happen if we turned the clock back, as law enforcement is requesting?
The first thing to remember is that Congress can only impose mandates on U.S. companies. That means that we can only turn the clock back for commercial products developed or sold in the U.S. As Senator Blunt pointed out, this means that criminals or terrorists will just use encryption tools from elsewhere. We’d add that so will anyone concerned about privacy and security.
When asked about the availability of non-U.S. tools, Director Comey’s answer was that we would have to work with our allies to all come to the same rules regarding backdoors. But thanks to the Internet, all technology is global. It’s unlikely that every country that produces technology products is going to go along with this plan just to make the FBI’s life a little easier. What’s much more likely is that other countries will see the competitive advantage a U.S. mandate for backdoors gives their own companies—and U.S. companies will get hit even harder.
2. There’s No Hard Evidence That Law Enforcement is Actually “Going Dark”
In both hearings the witnesses representing law enforcement trotted out scary hypothetical situations and terrifying anecdotes about how encryption could stifle investigations and let “bad guys” go free. But when asked by Senators if they had any actual numbers on how often strong encryption thwarted investigations, neither Director Comey nor DAG Yates had any idea.
Both tried to duck the question by claiming that it was like “proving a negative.” But counting each time a law enforcement officer can’t access data because of encryption (or even just thinks they won’t be able to access data, without actually trying) doesn’t seem that difficult.1
The only actual number mentioned was from Manhattan District Attorney Vance, who said that his office had encountered locked iPhones 74 times. A spokesperson for his office told Wired that this was over 9 months, and that the office handles approximately 100,000 cases in the course of a year. This means the office encountered encryption in less than 0.1% of cases. That doesn’t sound like “going dark” is really a particularly pressing problem—especially since DA Vance didn’t bother to explain how any of the 74 encrypted iPhones that his office encountered actually stood in the way of a successful prosecution.
For people whose jobs depend on the ability to present hard evidence to a judge in order to put “bad guys” away, you’d think Comey, Yates, and Vance would be able to come up with some better evidence that they’re actually “going dark.” Or maybe they think that when it comes to undermining everyone’s security, scare tactics—and not actual evidence—is sufficient?
1. Director Comey Wants the Impossible From Technologists
Multiple times during the hearings Director Comey admitted that he had no idea how to accomplish his goal of getting access to user data in actual practice, even going so far as to say “Don’t listen to me if I suggest a technical solution.” Instead, he insisted that he needs a way to get at encrypted data, and that he didn’t care what method companies used to provide that access. He also said (as he has before) that he doesn’t think providing that access will require a backdoor.
But saying that you want access to truly encrypted data without requiring a backdoor is like saying you want to travel to Mars without requiring the trip be via rocket. Sure, some ingenious person might invent a warp drive tomorrow that would allow you to do it—but nobody at NASA actually expects that to happen.
Similarly, no computer scientist or cybersecurity expert knows of a way to give Director Comey what he wants without weakening everyone’s security. They’ve told him that. They’ve been telling law enforcement that for nearly twenty years. But despite this, Director Comey testified today that he doesn’t think they’ve tried hard enough. He thinks that some genius in their garage in Silicon Valley might find a way to do it tomorrow. And Senator Mikulski said that she’s sure the patriots in Silicon Valley will step up to help their country.
It's possible the same people who invented the cryptography our technology relies on are wrong. And it's also possible that the standard model of physics is wrong and a different genius will invent a warp drive tomorrow, too. But we’re not going to hold our breath or stake our security on such a pipe dream.
- 1. Certainly, it would be a lot easier than trying to come up with a “securely” backdoored strong crypto system