“As the attorney general, and certainly as a citizen, I support strong encryption,” Loretta Lynch told lawmakers at a Senate Judiciary Committee hearing. “I think we all have to. We need it to protect our data—our personal data, our financial data, our medical data. The issue here is warrant-proof encryption.”
The Justice Department last month secured a court order forcing Apple to write custom software that would let the FBI flood San Bernardino shooter Syed Farook’s iPhone with password guesses. Apple is fighting the order because it believes that complying would set a dangerous precedent. Tech companies, cryptography experts, and privacy groups have rallied to Apple’s side, joining a battle that is part of a decades-long encryption war.
Lynch rejected the suggestion that the government was trying to set a broad precedent for law-enforcement access to encrypted devices by pursuing a politically advantageous and emotionally resonant case.
“What we feel is the appropriate way at this point in time, certainly in the cases before us,” she said, “is to take a very narrow view of the information that we need and the means by which we would seek to obtain that information.” She denied wanting “a major change in, for example, an overall operating system.”
Law-enforcement and intelligence officials have pressed tech companies to design their encryption so that they can bypass it if presented with a warrant for encrypted data, but Silicon Valley firms and their supporters have resisted doing so, arguing that it would introduce new security vulnerabilities.
Lynch, like many other senior officials, suggested that tech companies could design their encryption to suit law-enforcement needs without endangering the privacy and security of their users, relying on the vague argument that brilliant Silicon Valley engineers could overcome any problem.
“Just as we have security in so many other areas of our lives and yet still retain the ability to have very, very focused responses to law enforcement,” she told lawmakers, “I certainly believe that our technology companies—the greatest companies in the world—have the ability to work with us and achieve that.”
The attorney general’s remarks drew scorn from experts who called her assessment of encryption design naive.
Joseph Hall, the chief technologist at the Center for Democracy and Technology, took issue with Lynch’s “warrant-proof encryption” comment.
“A warrant is a creature of law,” Hall said in an email, “and demanding that encryption tools bow to this creature misunderstand[s] that strong encryption means by definition there are no ways to downgrade, subvert, or backdoor those protections.”
Amie Stepanovich, U.S. policy manager at the digital-rights group Access, added that “attempts by technologists to ‘dumb down’ encryption for law enforcement can only result in additional vulnerabilities.”
“Make no mistake that encryption mandates will result in more data breaches, more device theft, and less trust in the internet economy,” she said in an email. “Not only that, but other countries are using the US to provide justification for more and different types of mandates that will continue to degrade security globally.”
Referring to government officials, Hall said, “They need to start preparing for a world in which ubiquitous, unbreakable encryption serves as a foundation for our technical infrastructure, not one in which surveillance tools are woven into the fabric of both digital and physical reality.”
Stepanovich added, “It is not enough for [Attorney General] Lynch to conditionally support encryption—we need the administration to provide unmitigated support for encryption and other digital security tools.”
Lynch declined to address some of the legal issues in the San Bernardino case, such as the limits on the law underpinning the magistrate judge’s order, the All Writs Act, which critics say has been applied in an overly broad way. “What we’ve tried to do,” Lynch said, “is have a very narrow, very focused inquiry.”
The privacy and cryptography communities do not see it this way. Their sense is that the government wants to set a broad precedent for future technical demands—ones that clash with the reality of modern technology.
“Calls for ‘balance’ or ‘compromise’ misunderstand that encryption must be as strong as we can make it to protect against all threats against national security,” Hall said.
Update 8:57am CT, March 10: Added comments from Amie Stepanovich.
Photo via Chatham House/Flickr (CC BY 2.0) | Remix by Max Fleishman