Senate Judiciary Committee Places Impossible Encryption Demands Upon Tech Companies ⇥ arstechnica.com
Sean Gallagher, Ars Technica:
In a hearing of the Senate Judiciary Committee yesterday, while their counterparts in the House were busy with articles of impeachment, senators questioned New York District Attorney Cyrus Vance, University of Texas Professor Matt Tait, and experts from Apple and Facebook over the issue of gaining legal access to data in encrypted devices and messages. And committee chairman Sen. Lindsey Graham (R-S.C.) warned the representatives of the tech companies, “You’re gonna find a way to do this or we’re going to do it for you.”
Graham and ranking member Sen. Diane Feinstein (D-Calif.)—who referenced throughout the hearing the 2015 San Bernardino mass shooting and the confrontation between Apple and the Federal Bureau of Investigation that resulted from mishandling of the shooter’s county-owned iCloud account by administrators directed by the FBI—closed ranks on the issue.
“Everyone agrees that having the ability to safeguard our personal data is important,” Feinstein said. “At the same time, we’ve seen criminals increasingly use technology, including encryption, in an effort to evade prosecution. We cannot let that happen. It is important that all criminals, whether foreign or domestic, be brought to justice.”
As always, lawmakers are exhibiting profound resistance to learning about encryption from experts in the field. There is simply no way to encrypt data in a way that can be viewed with a warrant regardless of human cooperation, but is otherwise secure. Former law enforcement personnel said as much in response to the San Bernardino case, as has pretty much every expert in this field.
Lawmakers urgently need to understand that what they are asking for is not possible. It never has been; it likely never will be. Every solution that has been proposed so far — hardcoded super secret credentials, escrow systems, forcing the creation of special software patches, and the like — has already been evaluated and discarded.
A few months ago, the Carnegie Endowment for International Peace’s Encryption Working Group published an overview of what the encryption debate looks like today:
There will be no single approach for requests for lawful access that can be applied to every technology or means of communication. More work is necessary, such as that initiated in this paper, to separate the debate into its component parts, examine risks and benefits in greater granularity, and seek better data to inform the debate. Based on our attempt to do this for one particular area, the working group believes that some forms of access to encrypted information, such as access to data at rest on mobile phones, should be further discussed. If we cannot have a constructive dialogue in that easiest of cases, then there is likely none to be had with respect to any of the other areas. Other forms of access to encrypted information, including encrypted data-in-motion, may not offer an achievable balance of risk vs. benefit, and as such are not worth pursuing and should not be the subject of policy changes, at least for now. We believe that to be productive, any approach must separate the issue into its component parts.
One reason lawmakers are struggling with technologists in this debate but winning with the public overall is because encryption seems like a black box. I disagree with this report that there is balance to be found in encrypting data at rest securely and somehow allowing only law enforcement access to it, but I think it’s worth investigating. But if experts come back again to say that this is not possible, lawmakers need to understand that they are not being hyperbolic or defeatist. Some things simply are not possible.