A Voice of Reason from the Encryption Working Group
In 2016, the House Judiciary Committee and the House Energy and Commerce Committee created the Encryption Working Group to look at the challenges law enforcement faces prosecuting crimes with the increasing use of encryption by criminals. Law enforcement organizations refer to the challenges caused by encrypted data as “going dark,” as it limits their ability to obtain the information and evidence they need. The need for such a working group was emphasized by the standoff between the FBI and Apple over the encrypted iPhone used by one of the San Bernardino shooters.
The Encryption Working Group spent six months meeting and discussing the issue with stakeholders from the private industry, the intelligence community, law enforcement, civil society and the academic community, and late last month, the group released its Year-End Report. Its observations point out the complexity of the issue, and its recommendations provide some reasonable approaches to bridging the gap between the needs of law enforcement, individual privacy and national security. The following is a summary of their observations and recommendations from the report.
Observation #1: “Any measure that weakens encryption works against the national interest.” For those of us that work in the encryption and cybersecurity space, this is a welcome observation. Although the report highlights the challenges of law enforcement when they cannot access encrypted data regarding a crime, it also acknowledges the greater importance of encryption to protect personal privacy and national security.
Observation #2: “Encryption technology is a global technology that is widely and increasingly available around the world.” Here the committee acknowledged that U.S. Congressional mandates are limited in their ability to control a technology that is available from sources worldwide and that any attempt to mandate access from U.S. companies would only render U.S. encryption technology obsolete.
Observation #3: “The variety of stakeholders, technologies, and other factors create different and divergent challenges with respect to encryption and the ‘going dark’ phenomenon, and therefore there is no one-size-fits-all solution to the encryption challenge.” In this observation, the committee describes the complications caused by having different levels of technical expertise and resources across various law enforcement agencies, the contradictory requirement to use encryption by other agencies (i.e. the U.S. Department of Health and Human Services and the U.S. Deptartment of State) and the wide variety of available encryption technologies. Looking at all of these quickly results in the realization that there is no easy solution to address the issue.
Observation #4: “Congress should foster cooperation between law enforcement community and technology companies.” This observation touches on the vast amount of data that technology companies have that is not encrypted, and its potential usefulness to law enforcement. It also acknowledges the issue that law enforcement organizations often do not have the technical expertise to mine the available data to help in their criminal investigations.
The recommendations made in the report attempt to help bridge the gap given the group’s observations and include:
Making it easier for law enforcement to understand what unencrypted data is available from technology companies and the process for making a legal request for the data
Determining if the vast amount metadata available can help fill the gap of missing information facing law enforcement
Exploring a framework for law enforcement to use legal hacking as part of a criminal investigation
Exploring the Fifth Amendment implications of using compelled disclosure, where an individual is required through court process to provide the passcode or thumbprint to unlock a device
Evaluating the need for greater security and encryption around the privacy of personal information to protect consumers in our increasing digital world
Although the Encryption Work Group did not find a single easy solution to this complicated problem, its Year-End Report offers a thorough summary of the issues and outlines recommendations that could help law enforcement investigate and prosecute crimes while not compromising personal privacy and national security. As emphasized in this report, this is a complicated issue that can only be addressed through the combined efforts of the public and private sector, and we look forward to participating in the continued discussion.