Senators warn on encryption

Law enforcement hawks from both parties on the Senate Judiciary Committee threatened tech companies with new rules for access to encrypted data.

At a Dec. 12 hearing, Sen. Lindsey Graham (R-S.C.), the panel's chairman, warned that the time had come for tech companies to work with law enforcement agencies to develop a way into encrypted devices and data through a warrant or face legislative action.

"This time next year, if we haven’t found a way that you can live with, we will impose our will on you," Graham said.

Graham's tough talk was echoed by Sen. Marsha Blackburn (R-Tenn.).

"We've slapped your hand enough. This is not going to continue," she said.

Tech company officials who testified at the hearing stressed the importance of encryption for user privacy and noted that Congress itself approved encrypted apps for use on lawmaker smartphones.

"Government officials and organizations of all kinds have recognized the immense importance of secure private communications," said Jay Sullivan, a product manager for Facebook's Messenger app, noting that the Senate approved the use of the encrypted messaging application Signal for staffers in 2017.

Platform owners and device makers cited familiar refrains on the technical hurdles they face in providing an encryption workaround for law enforcement that can't be exploited by criminal adversaries.

"We do not know of a way to deploy encryption that provides access only for the good guys without making it easier for the bad guys to break in," said Erik Neuenschwander, Apple's manager of user privacy.

Neuenschwander said that over the last seven years, his company has responded to almost 130,000 requests for information from U.S. law enforcement agencies and has supported thousands of emergency requests, with the company responding within 20 minutes.

Sullivan told the committee that if the U.S. steps away from strong privacy and encryption, foreign app providers would fill the gap, complicating law enforcement's job even more.

Matt Tait, a cybersecurity fellow at the University of Texas and a former information security specialist for Britain's GCHQ, noted that companies walk a fine line when trying to serve customers seeking a secure product while being compliant with law enforcement requests. In the event of a new regulation from Congress mandating access to encrypted devices, Tait said, "you would see all of the tech companies looking for how they can build that in the most secure way possible."

But absent new rules, Tait noted, "it would be insane for any of these tech companies to build that kind of a solution because then they would be attacked by their competitors."

The question remains as to whether there is widespread support in Congress to require new rules. Sen. Chris Coons (D-Del.) noted that "there is a great enthusiasm for finding a solution that allows law enforcement timely, reasonable and affordable access to critical evidence of crime" among committee members at the hearing. "Frankly," he said later, "most of us are concerned about protecting the most vulnerable Americans."