The debate over how to respond to terrorists’ use of encrypted technology continues to ripple through Congress, and now the chairman of the Senate Judiciary Committee has asked the Obama administration to explain how it is addressing the issue.
In a letter to Deputy Attorney General Sally Yates and FBI Director James Comey, sent Tuesday and released publicly Wednesday, Sen. Chuck Grassley (R-Iowa) wrote that, despite increasing administration rhetoric about jihadists using encryption to hide their planning, “I have yet to see any concrete progress” on stopping them.
Comey has been particularly focused on this problem, which he and others call “going dark.” At hearings and in speeches, he has criticized technology companies that provide end-to-end encryption—which even they cannot break—in their devices and online services. He and other officials want tech companies to modify their encryption so that the government can always bypass it if it has a warrant. Technical experts warn that doing so would create significant security vulnerabilities and push people to foreign services untouched by a U.S. mandate.
This battle between intelligence officials and technologists, known as the crypto wars, began in the 1990s but gained new urgency after a series of terrorist attacks in 2015.
Grassley argued in his letter that the government was dragging its feet in devising a comprehensive approach to encryption and that it “has been unwilling to establish a deadline or timetable to assess the effectiveness of its case-by-case approach.”
To prod them along in that process, Grassley requested “any and all currently available quantitative data concerning the scope and impact of encryption on both the ‘data-in-motion’ and ‘data-at-rest’ problems.”
“Data in motion” refers to the transit of data packets across and between companies’ networks, while “data at rest” refers to information while it is stored on servers. End-to-end encryption—which Apple and Google both made default parts of their mobile operating systems in 2014—makes it impossible for the government to capture data in motion.
In the wake of the 2013 Edward Snowden leaks, Silicon Valley firms—fearful of being seen as accessories to mass surveillance—tightened their security measures and made more robust solutions available to their customers. Apple has been at the forefront of that effort. The company argued in a New York case that it should no longer have to unlock a criminal suspect’s iPhone, because doing so would burden the company by damaging its reputation. And it vowed on Wednesday to fight a California magistrate judge’s order compelling it to help the FBI break the password on an iPhone used by one of the San Bernardino shooting suspects.
While these two cases involve helping the government unlock specific phones and not modifying encryption wholesale, privacy advocates pointed to them as evidence of broader government missteps.
But Grassley remained unpersuaded by civil libertarians’ arguments. “Whether it’s a terrorism case handled by the FBI or a murder case handled by state or local police,” he said in a statement, “it’s critical that we find a way that allows law enforcement to maintain its ability to execute lawful, court-authorized investigative techniques, such as warrants and wiretaps, which are essential to enforcing the rule of law and protecting the American people.”
Declaring in his letter that Americans deserved to know if the government was making progress in convincing other firms to modify their encryption, Grassley asked the Justice Department for “a list of all the providers that the Administration has approached [about encryption] since July 2015” along with notes on how each company responded to the entreaties.
That effort is likely to produce few results. Major technology industry groups and their members remain firmly opposed to adding so-called “backdoors” to commercial encryption.
“The government wants to force companies’ engineering staff to create malware that weakens security on a mobile phone’s operating system,” Mark MacCarthy, senior vice president of public policy for the Software and Information Industry Association, said in a statement on the California case. “This position has massive implications for all software companies, threatening data security generally and opening up tremendous new opportunities for those who want to do harm to individuals and society.”
Photo via Gage Skidmore/Flickr (CC BY 2.0) | Remix by Max Fleishman