Congressional Committees Say Backdooring Encryption Is A Bad Idea

from the sorry,-Jim,-but-thanks-for-asking! dept

Two bipartisan Congressional committees are the latest to express their opposition to government-mandated encryption backdoors. The House Judiciary Committee and the House Energy and Commerce Committee have arrived at the same conclusion as the experts FBI director James Comey insists on ignoring: encryption backdoors are a net loss for everyone, no matter what gains might be experienced by law enforcement and intelligence agencies.

This is stated plainly in the first bullet point of their encryption report [PDF]:

Any measure that weakens encryption works against the national interest

While the committees acknowledge encryption can impede investigative efforts, the downsides of backdoors cannot be offset by making things easier for certain government agencies.

[S]takeholders from all perspectives acknowledged the importance of encryption to our personal, economic, and national security. Representatives of the national security community told the EWG that strong encryption is vital to the national defense and to securing vital assets, such as critical infrastructure. Civil society organizations highlighted the importance of encryption for individual privacy, freedom of speech, human rights, and protection against government intrusion at home and abroad. Private sector stakeholders—in particular, their information security officers—and members of the academic community approached the question from an engineering perspective—against a wide array of threats, foreign and domestic, encryption is one of the strongest cybersecurity tools available.

However, the committees still believe there might be a way to reconcile competing interests, even though they have more questions than answers at this point. The report suggests more "collaboration" between tech companies and law enforcement agencies -- a term that generally means most of the compromises will be made by the private sector. Whether this means companies collecting more data and communications and storing them where law enforcement can access them, or creating "one time" backdoors in response to court orders, remains to be seen.

More encouragingly, the report suggests the "smart guys" in law enforcement haven't fully taken advantage of the tools and data available to them.

It also remains unclear whether the law enforcement community is positioned to fully leverage the unencrypted information still held by many companies. A number of stakeholders acknowledged the potential benefit of improving law enforcement’s understanding of what data or information is available, who controls it, and how it could be useful to investigators. In particular, companies are often able to provide volumes of unencrypted metadata associated with their products or services. In some cases, this source of information could be useful to investigators. In others, one representative of a law enforcement agency told the EWG, access to a stream of metadata might be more like “looking for a particular grain of sand on the beach.”

This is probably the result of the law enforcement mindset. It often seems agencies are more interested in what is quickest and easiest, rather than what might be more productive, if just a bit more difficult. (A number of cases where warrants were never obtained, despite officers having both the time and probable cause to do so, are evidence of this mindset.) The report suggests this is one area where things could be improved by collaboration with private companies. It's not a terrible suggestion, but it's one that requires agencies to move on from their defeatist attitudes and to stop pretending advances in technology are always far more beneficial to criminals than to law enforcement.

The report also inadvertently points out just how disingenuous it is to shrug off mass surveillance concerns by saying, "It's just metadata."

Metadata may not completely replace the loss of encrypted content, but metadata analysis could play a role in filling in the gap. The technology community leverages this information every day to improve services and target advertisements. There appears to be an opportunity for law enforcement to better leverage this information in criminal investigations.

The report also touches on "legal hacking" as a potential solution -- albeit one with very limited practical application. If this is the route the government chooses to go more frequently in response to encrypted devices, it will signal the end of the already mostly-worthless Vulnerabilities Equity Process. It would also -- as the report acknowledges -- only further the "us vs. them" conflict between tech companies and law enforcement, as the government's interest in keeping vulnerabilities secret would tend to outweigh its obligation to divulge security holes to affected companies.

While the report breaks very little new ground in terms of issues raised, it does at least signal that legislative efforts to undermine encryption aren't likely to find much bipartisan support. So, for the time being, device encryption is still safe. It's the other issues raised -- legal hacking, compelled disclosure, etc. -- that will need to be watched closely in the future.


Reader Comments



  • Anonymous Coward, 23 Dec 2016 @ 1:53pm

    The report suggests more "collaboration" between tech companies and law enforcement agencies

    That is just a back door by another name. If anybody but the communicating parties can read encrypted messages, the encryption is broken by definition.


  • Jackson, 23 Dec 2016 @ 2:32pm

    Gorilla Dust

    "While the report breaks very little new ground in terms of issues raised..."


    ...so it was a waste of time -- telling Congress stuff it already knew.

    Real purpose of these two bipartisan Congressional committees was pure public relations --- to give false impression that Congress is really really concerned about government "BackDoor" abuses. Gorilla Dust

    And of course, these two bipartisan Congressional committees said absolutely nothing about the non-constitutionality of the federal government mandating government backdoors to private tech companies. How convenient.


  • Anonymous Coward, 23 Dec 2016 @ 3:09pm

    Metadata may not completely replace the loss of encrypted content, but metadata analysis could play a role in filling in the gap. The technology community leverages this information every day to improve services and target advertisements. There appears to be an opportunity for law enforcement to better leverage this information in criminal investigations.

    You have to prove you've mastered the basics before you're allowed to move on to more complicated rights violations.


  • Mr Big Content, 23 Dec 2016 @ 6:58pm

    Dont Listen To Those Those Terrorist-Sympathizating Lefties!

    Us Experts can appreciate teh nuances in this kind of discussion that goes right over the heads of plebs like most of you reading (you know who your are). Theirs GOOD encryption and theres BAD encryption. OF COURSE you dont want bakcdoors in you GOOD encryption, as used by loayal decent citizens. But teh terrorists use BAD encryption, and OF COURSE we want to break into that!

    So you must compare APPLES WITH APPLES. But of course you cant expect that kind of discrinimination from RADICAL ATHIEST LEFT-WINGERS!!! They just think encryption is encryption, its all the same! They have no idea how math works!!! There is moral math and there is immoral math. AVOID TEH IMMORAL MATH!!!


    • Anonymous Coward, 25 Dec 2016 @ 6:36pm

      Re: Dont Listen To Those Those Terrorist-Sympathizating Lefties!

      Now all you need is some useless hyphenation of words and superfluous punctuation, and you'd have yourself a perfect John Mayor impression.


      • Wendy Cockcroft, 4 Jan 2017 @ 6:04am

        Re: Re: Dont Listen To Those Those Terrorist-Sympathizating Lefties!

        Mr Big Content is a TD regular, whose shtick is to take an Onion-esque approach to commenting. The resulting lulz are well worth reading his comments for.

        And I can understand every word of his posts, unlike Mr. John "Grammar? Punctuation? Meh! Can't be bothered with it. Please...! No emails!" Mayor. I report his posts because attempting to read them gives me a headache. I really wish he'd get a clue about coherence. If he did, we might have more respect for him.


