The witness list for the hearing, released Thursday by the House Energy and Commerce Committee’s oversight subcommittee, reveals that the FBI has tapped its top technology official to lead the police witnesses on the hearing’s first panel. Apple, meanwhile, will dispatch its top lawyer, a veteran of congressional technology hearings, to anchor the second panel, which is stocked with security experts.
The hearing comes on the heels of a bitter dispute between Apple and the Justice Department over access to the locked iPhone of one of the San Bernardino shooters. The government dropped its demand for a court order compelling Apple’s unlocking assistance when a third party presented it with another method.
That fight may be over, but the war continues. The government still wants Apple’s help unlocking another iPhone, this one in a drug case in New York, and it also secured an order for a phone in Massachusetts.
The rise of these iPhone court battles signals a new phase in a long-running debate over the role of encryption in public life. Government officials, arguing that criminals and terrorists are increasingly using encryption to mask their activities, want tech companies to design their encryption so that the companies can comply with court orders seeking encrypted data. Technologists and privacy advocates reply that the only way to do this is to fundamentally undermine the encryption that protects Americans in their everyday lives.
The leaders of the Senate Intelligence Committee, Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), have introduced a bill that would require companies to be able to decrypt their data in response to court-issued warrants.
No one has pressed the case for guaranteed-access schemes in encryption—which critics call “backdoors”—harder than FBI Director James Comey, who fielded questions from lawmakers about encryption and the San Bernardino fight at a March 1 House Judiciary Committee hearing.
But for next week’s hearing, Comey is sending Amy Hess, the head of the FBI’s Science and Technology Branch, which handles encryption, hacking, and computer crimes.
Hess last testified before Congress on April 29, 2015, making the case for a guaranteed-access mechanism in commercial encryption and sparring with skeptical House Oversight Committee Chairman Jason Chaffetz (R-Utah).
Joining Hess are three law-enforcement officials whose thoughts on encryption are less clear than the FBI’s stance.
Ron Hickman, the sheriff of Harris County, Texas, will testify on behalf of the National Sheriffs’ Association. That group supported the Justice Department in the San Bernardino court fight, but Hickman’s comments about encryption at an April 11 encryption summit suggest that he is amenable to civil-liberties groups’ concerns.
“I think that when we provide perception to the public that we have some secret, backdoor kind of way to do things,” he said, “that trust is eroded.”
Hickman again used the term “backdoor,” which law-enforcement officials like Comey consider derogatory, on his Facebook page, describing the debate as one about whether the government should “compel technology companies to provide a ‘back door’ into systems and software.”
Even less is known about what the other two law-enforcement witnesses—Thomas Galati, chief of the New York Police Department’s intelligence division, and Charles Cohen, head of the Indiana Internet Crimes Against Children Task Force—think about encryption.
In a 2012 interview with Cohen on a website dedicated to forensics, the Indiana State Police captain said, “When a criminal can store electronic evidence or contraband in an encrypted container on a server physically located on another continent, investigators have to consider a paradigm shift in computer forensics.” But Cohen did not recommend any specific policy changes in response to the rising use of encryption.
An Internet search revealed no comments by Galati on the subject.
Apple General Counsel Bruce Sewell, representing the other side of the debate, is likely to reiterate many of the arguments he advanced at last month’s Judiciary hearing, where he warned that requiring companies to design their encryption to facilitate warrants would damage Apple’s ability to protect its users’ data and thus erode consumer trust.
Testifying alongside Sewell are three opponents of backdoors with very different backgrounds.
If there is an encryption rock star among these three experts, it is Matthew Blaze, an associate professor of computer science at the University of Pennsylvania. In 1994, Blaze discovered a serious security flaw in the Clipper chip, a National Security Agency device that the Clinton administration wanted tech companies to place in their products to let the government decrypt their communications.
Blaze’s discovery effectively killed the Clipper chip and ended the first phase of the so-called “crypto wars.” Now, he’s back to fight that war all over again. He has savagely attacked the Burr–Feinstein encryption bill, lending his credibility to the coordinated pushback against the legislation by calling it “worse than Clipper.”
Joining Blaze will be Daniel Weitzner, the director of the MIT Internet Policy Engineering Initiative. Weitzner previously advised President Obama on tech issues as Deputy Chief Technology Officer for Internet Policy. He helped write a 1997 report that was sharply critical of key escrow, an approach to backdoors that involves maintaining one-size-fits-all decryption keys.
“The credentials, the keys, other tools that you need to break into a communication are going to be spread out very widely,” Weitzner told the Daily Dot last July, “and all someone has to do is steal those or impersonate the person who is authorized to use the backdoor.”
It is the fourth witness on the security panel who has provoked the most intrigue among privacy advocates awaiting the hearing. Amit Yoran, the president of security firm RSA, now a division of the EMC Corporation, will have to walk a fine line as he analyzes the security risks of requiring companies to use backdoored encryption.
In the mid-2000s, the NSA paid RSA $10 million to adopt a random-number generator called Dual Elliptic Curve, or Dual_EC, as the central algorithm in its BSafe software. The NSA had secretly designed Dual_EC with a backdoor—allowing it to predict the number generation and thus unscramble any encryption built on top of it—and it knew that RSA’s adoption of the code would create a ripple effect in the security industry.
It worked. Many other companies began using Dual_EC before security researchers revealed the backdoor and prompted the National Institute of Standards and Technology to withdraw the flawed algorithm.
The Dual_EC flare-up was one of the first salvos in the latest phase of the crypto wars, and it continues to resonate today.
Correction: Columbia University hosts a copy of the 1997 key-escrow report but did not supervise or exclusively publish it.