The hearing, prompted by a court battle between Apple and the Justice Department over a dead terrorist’s iPhone, represented the first serious effort by Congress to study the benefits and challenges of unbreakable encryption.
Apple has vowed to fight the California court order requiring it to help the FBI access the iPhone of one of the San Bernardino shooters. The company has said that complying would create a troubling precedent that could lead to more intrusive and dangerous demands.
Although government officials and security engineers have been debating encryption for decades, a series of deadly terrorist attacks in 2015, combined with law-enforcement worries about changes to Apple’s encryption in late 2014, sparked a new round of the so-called “crypto wars.” The central issue is whether tech companies should design their encryption so that they can always bypass it if presented with a warrant.
“The notion that we would have invulnerable communications, I think, is something that we should all be concerned about.”
Comey has led the charge for these guaranteed-access schemes, which critics call “backdoors.” Opponents of these design requirements argue that they weaken encryption and will push people—including criminal and terrorist suspects—to unregulated foreign platforms.
Most lawmakers on the committee were sharply critical of Comey’s position in the San Bernardino case and on encryption in general.
One of the most contentious areas of discussion was the proper roles for Congress and courts in the encryption debate. Comey argued that federal courts should play a major role in assessing the meaning of a key law in the San Bernardino order. But he did acknowledge that Congress’s job was to address “this collision between public safety and privacy.”
“I’m not prepared to tell you specifically what to do,” Comey told Rep. David Cicilline (D-R.I.). He later declined to address whether Congress should enact specific limits on how the FBI could demand assistance like in the San Bernardino case.
Rep. Raul Labrador (R-Idaho) pointed to a recent data breach at the Internal Revenue Service as evidence that sensitive data—like the custom software that the FBI wants Apple to write—is frequently targeted for theft, and he argued that asking Apple to create this code only increased the risk that hackers could do serious damage by stealing one piece of software.
But Comey argued at the hearing that complying with the San Bernardino order—and generally designing encryption to comply with warrants—could be done securely, calling claims by leading technologists that it was impossible “nonsense.”
Comey also faced tough questions about the government’s suggestion that Apple was fighting the order because it was only interested in preserving its bottom line.
Rep. Hakeem Jeffries (D-N.Y.) pointed to comments by New York City Police Chief William Bratton, who accused Apple of “corporate irresponsibility.” Asked whether he agreed with that remark, Comey said, “I’m not going to characterize it that way.” He said he believed that Apple’s primary concern was its market power but added that that was “not an illegitimate motive.”
Rep. Zoe Lofgren (D-Calif.), one of the lawmakers who has fought hardest to preserve unbreakable encryption, asked Comey if he’d considered the international ramifications of Apple losing this fight. Many other governments are eager to make similar demands of Apple and are likely waiting to use U.S. government action as a precedent.
“There are undoubtedly international implications,” Comey said. But he distinguished between the concepts of “data at rest” (data stored on a device) and “data in motion” (data flowing across Internet cables or over wireless connections), saying the San Bernardino case deals with the former and international concerns mostly affect the latter.
Lofgren also asked Comey if the encryption vulnerability discovered in a firewall made by a leading security company had given him pause as he considered the potential for the San Bernardino order to lead to similar vulnerabilities.
“No,” Comey said. “But I think about that and a lot of similar intrusions and hacks all day long.”
Lofgren ended her questioning by highlighting the futility of the government’s push to demand access to a phone’s contents, saying users could still communicate securely within encrypted apps that court orders couldn’t touch.
Comey did receive bipartisan support from lawmakers who attacked Apple for designing encryption that prevented it from complying with certain warrants.
Rep. Hank Johnson (D-Ga.) suggested that end-to-end encryption created “zones of impunity” to the warrant process that endangered Americans’ lives.
“Does it seem reasonable that the framers of the Constitution meant to exempt any domain from its authority to be able to search and seize,” Johnson asked Comey, “if it’s based on probable cause or some exigent circumstance allows for a search-and-seizure with less than a warrant and a showing of probable cause?”
Comey said he doubted that this was the framers’ intent. Warrants let police officers access Americans’ homes—traditionally the most private of domains—so there was no reason, he said, to believe that the framers would be happy with end-to-end encryption.
Jeffries pointed out that, by buying Apple products, setting device passcodes, and enabling features like auto-erase, Americans were making statements about their desire for privacy.
Rep. Trey Gowdy (R-S.C.) echoed this argument, calling phones that used unbreakable encryption “evidence-free zones.”
“I just find it baffling,” he said, referring to Apple’s position.
Rep. Scott Peters (D-Calif.) added, “The notion that we would have invulnerable communications, I think, is something that we should all be concerned about.”
When it was his turn to question Comey, Rep. Cedric Richmond (D-La.) looked out into the gallery and asked the family of a woman who was murdered and who kept a diary on her encrypted phone to stand up. The FBI has cited that phone—which it believes might contain clues about the woman’s murder—as another one that it needs Apple’s help to open.
“Are we in danger of creating an underground criminal sanctuary for some very disturbed people?” Richmond asked.
“We are in danger of that,” Comey replied.
It remains to be seen whether or not these appeals to emotion will shape any legislation that Congress crafts to address encryption. Two senators are working on a bill that may mandate backdoors, while two other lawmakers want to create a commission to study digital-security challenges.
During his round of questioning, Jeffries pointed out that, by buying Apple products, setting device passcodes, and enabling features like auto-erase, Americans were making statements about their desire for privacy.
“That’s something,” he said, “that we should respect as Congress attempts to craft a solution.”
Photo via Joe Gratz/Flickr (PD) | Remix by Fernando Alfonso III