Two Senate committees will review the use of encryption and its implications for national security, in the latest sign that the Paris terrorist attacks have reignited a long-running debate over cryptography.
Sens. Richard Burr (R-N.C.) and John McCain (R-Ariz.), respectively the chairmen of the Intelligence and Armed Services Committees, said Tuesday that they would study tech companies’ use of encryption to determine how it affected law-enforcement and counterterrorism operations.
“In the Senate Armed Services [Committee] we’re going to have hearings on it and we’re going to have legislation,” McCain told reporters. He said that the current legal environment, which does not restrict the commercial use of encryption, was “unacceptable.”
In announcing an Intelligence Committee review of encryption, Burr said, “If it means that people are going to have to change their business models, then so be it.” Asked what form Burr’s review might take, a spokeswoman said that she didn’t have any details to share.
A McCain spokesman did not respond to a request for comment about his plans for encryption hearings and legislation.
Encryption protects people’s personal information from being stolen or otherwise intercepted. It is present in everything from mobile software like iOS and email services like Gmail to bank websites and electronic health-data portals. Americans use encryption every day without realizing it, chiefly when they browse websites that begin with “https.”
Burr and McCain’s comments on Tuesday mark the sharpest congressional criticism of encryption in recent months, as lawmakers grapple with the possibility that ISIS militants and other terrorists are using secure messaging to hide their attack planning. FBI Director James Comey warned last October that criminals were evading detection this way, a phenomenon he called “going dark,” although he and other law-enforcement officials who make this argument have yet to present evidence of their claims.
Investigators have no evidence to suggest that the terrorists who struck in Paris planned their attack through encrypted messages, Burr said on Tuesday afternoon after lawmakers left a classified briefing with U.S. officials. But he said that the use of encryption was “likely” because “we didn’t pick up any direct communication” ahead of time.
Burr, Comey, and other politicians have repeatedly criticized strong encryption and the tech companies that offer it, arguing that providing encryption is tantamount to supporting terrorists. Their rhetoric is part of a long-running debate over the value of encryption known as the “crypto wars.”
McCain called for legislation requiring tech companies to design their encryption so they could decode it for investigators. Burr was more cautious, telling Politico, “If I knew what to legislate, I probably would’ve already done it.” But, Burr added, “We’ve got to start a dialogue between government and the private sector.”
That dialog has existed for many years. Tech trade groups and companies, security experts, and open-Internet groups universally oppose the inclusion of deliberate holes in encryption, known as “backdoors,” arguing that they represent major security vulnerabilities. The Obama administration considered and rejected proposals for backdoor mandates, but U.S. officials continue to pressure tech companies to implement them.
Sen. Ron Wyden (D-Ore.), the leading civil-liberties advocate on Burr’s committee, said in an interview Wednesday afternoon that he would fiercely oppose any attempt to weaken encryption.
“Creating backdoors and undermining strong encryption is not the way to go,” Wyden said. “It is not going to be fruitful. … What will happen is, we’ll drive American [technology] companies offshore, and it’ll be harder for our lawful citizens … to get access to those products. How does that make sense?”
“This is a big, big, big gift to foreign hackers, to weaken encryption,” Wyden said. “And it’s not people like me saying this in Capitol Hill. These are independent technologists.”
Noting that independent security experts are universally critical of backdoors, Wyden said that he was determined to make sure their voices were heard in the hearing. He said that he would be “outspoken in terms of trying to point to facts that I think are not in question.”
Kevin Bankston, director of New America’s Open Technology Institute, said in an interview that his group was looking forward to educating “legislators who may not understand the technology ecosystem when it comes to encryption.”
“Any attempt by the U.S. government demanding backdoors into strong encryption will fail to achieve the goal of preventing terrorists from using it,” he said, “and will primarily only prevent millions of innocent people from using it, while also systematically disadvantaging U.S. companies in their attempt to compete for foreign markets that are, especially now, very concerned about security.”
Still, he said, “We welcome continuing discussion where we can continue to make our case for encryption as a critically important technology that needs to be protected against government interference.”
It’s not yet clear whether House committees will follow their counterparts in the upper chamber and schedule hearings on encryption. A spokesman for the Intelligence Committee said there were presently no plans for public hearings but added, “I can’t comment on anything that might occur on the classified side.” A spokeswoman for the Judiciary Committee said it “continues to examine this important issue” but did not directly answer the question.
Bankston argued that legislating restrictions on encryption would do little to combat terrorism, because jihadists could always use open-source software developed in other countries.
“The fact is, there are dozens of strong end-to-end encryption tools available,” he said, “many of them coded outside of the United States and available outside the United States, many of them which are open-source software that anyone anywhere could build on and distribute.”
Degrading U.S. companies’ encryption, Wyden said, “would just drive consumers to all these distributed systems around the world where we’d have even less leverage in terms of protecting both safety and liberty.”
Asked what his message was for lawmakers holding hearings on encryption, Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, said in an email: “That strong encryption is needed for security and privacy; that backdoors are bad for security and privacy; [and] that wishful thinking is not reality.”