House lawmakers struggled in their questioning of law-enforcement officials at a Tuesday hearing to grasp the basics of encryption, resulting in the assorted witnesses making several eyebrow-raising technological claims.
The first part of the House Energy and Commerce Committee hearing on the encryption debate featured testimony from Amy Hess, the executive assistant director of the FBI‘s science and technology branch; Thomas Galati, the chief of the New York Police Department’s intelligence division; and Charles Cohen, a captain in the Indiana State Police and the commander of its Intelligence and Investigations office.
The hearing came six days after the leaders of the Senate Intelligence Committee, Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), introduced a bill that would require tech companies to be able to provide investigators with access to encrypted data when they receive warrants.
In recent years, law-enforcement and intelligence officials, concerned that terrorists and criminals are hiding behind unbreakable encryption, have urged Congress to require tech companies to design their encryption so that they can bypass it. But technologists, civil-liberties advocates, and leading independent security experts overwhelmingly oppose this idea, arguing that adding so-called “backdoors” to encryption would fundamentally and dangerously weaken it.
It became evident early in the hearing that the law-enforcement witnesses did not understand the technical specifics of the encryption debate any better than most of their congressional questioners.
Cohen, responding to a concern about weakening device security by undermining encryption, said, “There’s a difference between encryption and firewalls.” He suggested that he was interested in modifying the former, while leaving the latter—which, he argued, was the key security layer—untouched.
Technologists on social media quickly expressed puzzlement at Cohen’s attempt to distinguish encryption from firewalls, and it was unclear to what sort of firewall he was referring.
Cohen returned to his firewall argument later, when asked if there was a safe, targeted way for companies to bypass specific devices’ encryption without exposing all of their products to harm. He used the controversial safe-deposit-box analogy to explain why there was a safe way to do this.
A tech company, Cohen said, would be metaphorically drilling into the metaphorical safe deposit box while inside its own firewall, which would make the process secure. He compared it to breaking open a bank box while locking the door to the bank itself.
None of the lawmakers listening to Cohen’s remarks seemed to understand that he was venturing far afield of the technical reality.
Cohen made other technologically dubious remarks, such as when he answered a question from Rep. Richard Hudson (R-N.C.) about split-key encryption, in which police possess one half of a key to unlock a range of devices and the devices’ manufacturer possess the other half. When served with a warrant, the tech company would produce its half of the key, allowing police to unlock the device.
In arguing that split-key encryption was a feasible approach, Cohen said that it would be like a bank having one key to a safety-deposit box and a customer having another. Hudson then compared the situation to the plot of Star Wars: The Force Awakens, in which Luke Skywalker’s droid R2-D2 held part of a map to his location and the Resistance droid BB-8 obtained the missing piece.
Security experts have produced several landmark reports contesting law-enforcement officials’ claims about encryption, including a study analyzing the global prevalence of encrypted products. But when Rep. Morgan Griffith (R-Va.) pointed to that report and asked the assorted witnesses whether requiring backdoors in the United States wouldn’t simply push customers (and criminals) onto foreign platforms, Galati and Cohen replied with misinformation.
Cohen explained that, because Apple and Google ran app marketplaces for their operating systems, they acted as “gatekeepers” and could prevent foreign companies from making their apps available to American iOS and Android users.
But Android phone owners, at least, can install apps by directly downloading and opening their installation files; foreign-made encrypted apps like Telegram do not require Google‘s approval, even if many of them currently do use its app store out of convenience.
Galati, in his response to Griffith, echoed Cohen’s incorrect assessment of American OS-makers’ ability to control their users’ app installations.
Technical specifics aside, the implication of their remarks about app-store limitations was clear: Congress, they seemed to say, should consider requiring app-store operators like Apple and Google to police the kinds of encrypted apps that their users could install.
The law-enforcement witnesses shared several emotional stories about murder and child-abuse investigations that were languishing because key evidence was encrypted. Hess said that FBI agents reviewing seized devices encountered passwords 30 percent of the time and were unable to break them in 17 percent of cases.
But the witnesses rejected many arguments about the dangers of backdoors. Hess, like Cohen, disputed the notion that mandating them in the U.S. would push people onto foreign platforms, saying that most consumers wanted the best technology and that would keep them on American platforms.
When Rep. Jerry McInerney (D-Calif.) asked Hess whether it was true that building backdoors would amount to publicizing vulnerabilities to hackers, Hess dodged his question. She said that hackers would always try to penetrate secure systems and that no system could ever be 100 percent secure.
Most lawmakers seemed sympathetic to to the law-enforcement witnesses’ concerns. Rep. Kevin Cramer (R-N.D.) asked them if it would help if Congress forbade tech companies from putting up roadblocks to the process of “brute-forcing” a phone’s password by flooding the phone with password guesses. Apple’s iOS includes several such features, including the ability to make the phone automatically erase itself after 10 incorrect guesses.
Hess didn’t seem to want to focus on the technique of brute-forcing, which can be prohibitively time-consuming, even without OS roadblocks, when the password is long enough. But she did acknowledge that iOS’s anti-brute-forcing features made the FBI’s job harder.
Cohen expressed support for a law mandating the removal of those features, saying that, while it would decrease individuals’ security, it would help police who were often racing against the clock to solve crimes. But even he said that brute-forcing phone password was not a complete solution.
Only once did a lawmaker seriously challenge a witness’s technologically confusing claim. Toward the end of the hearing, Cohen said that he had read news reports alleging that Apple had given the Chinese government the source code to its operating system, which would have dramatically simplified the process of exploiting it.
This offhand comment, offered without evidence, incensed Rep. Anna Eshoo (D-Calif.), a leading digital-security advocate in Congress. She demanded that Cohen provide evidence to substantiate his claim. Cohen said that he was unable to do so; he had seen “news stories” but could not remember which ones.
There is no public evidence that Apple has given the Chinese government its source code, and the company has routinely denied doing so.
The encryption argument, part of a long-running encryption debate, has also swept into the court system. The Justice Department and Apple sparred for more than a month over a court order compelling the company to help the FBI unlock a terrorist’s iPhone by writing custom software.
The House encryption hearing was divided into two sessions, with the law-enforcement panel taking place first, followed by a panel with Apple’s top lawyer and three security experts.
Correction: Rep. Hudson made the comparison between split-key encryption and the new Star Wars movie.