Tech experts and industry representatives squared off against law enforcement officials in two sessions of lively testimony today in front of the House Energy and Commerce committee. Today's hearing is the latest in the ongoing battle in the courts and legislature commonly called the second “Crypto Wars,” after a similar national debate in the 1990s.
Two witnesses on the law enforcement panel offered a chilling proposal to deal with the well-documented weakness that any domestic encryption ban would do little against the hundreds of encryption products developed and sold internationally. Thomas Galati of the NYPD and Charles Cohen of the Indiana State Police argued that software could be kept off American computing devices by exerting legal pressure on the Android, Apple, and Blackberry app stores.
That proposal would seem to leave to app store gatekeepers the nigh-impossible task of ensuring none of the software it carries comes with “warrant-proof” cryptographic options. But worse, it cuts right to the core of fundamental computing freedom questions and cues up the next legislative battle to address what software people are allowed to run on their devices.
It's a scenario envisioned by EFF Special Advisor Cory Doctorow in his essay Lockdown: as long as we're using the kinds of general purpose computers that power our phones, laptops, and increasingly everything else, the only way to remove capabilities is by requiring DRM software and other spyware to make sure users are in compliance.
The laws that currently aim to enforce those kinds of restrictions piggyback on copyright law, and create uncertainty around phone jailbreaking, to pick a relevant example. EFF has argued for—and won—explicit exemptions to those laws, allowing users to install software from alternative app stores. It's not hard to imagine that if a proposal to regulate encryption software through app store chokepoints were to proceed, it would be accompanied by pressure to tighten those restrictions.
At another point in the hearing, lawmakers pressed the FBI's Amy Hess on the role of third-party “grey hat” hackers in accessing the data on the iPhone at the heart of the hotly contested “Apple v. FBI” case. Representative Diana DeGette of Colorado suggested those capabilities might be cultivated internally instead.
Hess disagreed, saying the FBI will always need to seek the cooperation of industry and academic experts. That might have been an opportunity to discuss the duty FBI and other agencies have in disclosing vulnerabilities to those same tech industry companies—an area EFF has worked to shine light on through Freedom of Information Act requests and lawsuits concerning the Vulnerabilities Equities Process (VEP). Unfortunately, no lawmakers pushed Hess on the question.
The second panel—made up of industry and tech representatives—seemed to serve as a fact-checking service for the first. Apple's General Counsel Bruce Sewell, for example, categorically denied three allegations made about his company in the previous panel, saying Apple has not provided source code to the Chinese government, has not actively “thrown away” keys it once used to assist law enforcement, and has not announced passcode protection for the next generation of its iCloud backup software.
Other irresponsible statements from the first panel went without comment. When Charles Cohen, the Indiana State Police commander, was asked about information that is more accessible to surveillance now than before cell phones, he drew a blank. “I'm having problems thinking of information that is available now that was not before. From my perspective, thinking through investigations that we previously had information for, when you combine the encryption issue along with shorter and shorter retention periods for Internet service providers … it might be difficult to find an example of an avenue that is now available that was not before.” It's possible that Cohen is not familiar the myriad ways in which cell phone metadata, content, and location tracking are being used by law enforcement—but that would be quite a surprise, given the Indiana State Police's long history with the technology.
Ultimately, it's a step forward that a congressional committee has summoned tech expertise into the room, if only to explain why law enforcement wasn't able to compromise our security in the first Crypto Wars. Speaking to a representative who floated the idea of a key escrow system, University of Pennsylvania Associate Professor of Computer and Information Science Dr. Matt Blaze explained: “I just want to caution that the split-key design, as attractive as it sounds, was also at the core of the NSA design of the Clipper Chip, which was where we started over two decades ago.” Blaze should know; his research discovering a fatal flaw in the Clipper Chip protocol is often credited with sinking the project.
Meanwhile in the Senate, draft legislation could threaten uncompromised cryptography altogether. U.S. readers, tell your Senators to oppose the Burr-Feinstein backdoor proposal today.