At encryption hearing, lawmakers search in vain for workable solutions

Apple’s general counsel, Bruce Sewell. (Photo: Saul Loeb/AFP).

Members of a congressional committee questioned security experts, law enforcement officials and Apple’s head lawyer at a hearing on Tuesday, marking the second time in two months that lawmakers have sought to understand both the risks and benefits that encryption poses to modern society.

The nearly four-hour hearing comes less than a month after the FBI abandoned a controversial case against Apple, in which the federal agency sought to compel the tech company’s help to access the iPhone of a San Bernardino shooter. After the agency encountered heavy opposition from activists, academics, tech companies and lawmakers, forensic investigators found a last-minute way to break into the Apple device by instead hiring “an outside party,” whose identity the agency has not revealed. Since then, however, the agency has continued to pursue legal access to Apple’s encrypted devices in a pending court case.

The testimonies offered Tuesday addressed several technical and ethical issues surrounding the government’s regulation of encryption, as well as questions about how it plans to balance the requirements of national security and individual privacy in a technologically driven world. As Rep. Diana DeGette, D-Colo., said in her opening statement to the committee: “None of our conversations seem to be focused on workable solutions. What I want to hear today is from both law enforcement and industry about possible solutions going forward.”

Witnesses from the law enforcement side included FBI assistant director Amy Hess, Indiana state police captain Charles Cohen, and New York City intelligence bureau police chief Thomas Galati. They were joined by MIT research scientist Daniel Weitzner, University of Pennsylvania associate professor of computer science Matt Blaze, RSA security firm president Amit Yoran, and Apple’s general counsel Bruce Sewell.

FBI assistant director Amy Hess with New York City police intelligence bureau chief Thomas Galati, center, and Indiana state police captain Charles Cohen. (Photo: Manuel Balce Ceneta/AP).

Most notably, Hess said that the FBI’s strategy to use a third-party mobile forensic expert in the San Bernardino case was not a reliable method for accessing evidence in the future.

“These solutions are very case by case specific,” she said in reply to a question from DeGette. “They may not work in all instances. Also, they’re very time-intensive and resource-intensive, which may not be scalable to enable us to be successful in our investigations.”

DeGette, who referenced the FBI’s decision to use a “gray hat” party to help open the phone in the San Bernardino case, followed up by asking why the government couldn’t develop its own sophisticated techniques for breaking into devices.

“I don’t see that as possible,” Hess responded. “I think that we really need the cooperation of industry, we need the cooperation of academia, we need the cooperation of the private sector in order to come up with solutions.”

Hess’ testimony contradicts the suggestions of numerous security experts (including encryption expert Susan Landau, who testified in front of Congress in March) that the FBI could and should create its own techniques to break into phones, rather than rely on the industry that engineers them for help.

In another line of questioning related to the San Bernardino case, Rep. Yvette Clarke, D-N.Y., questioned the ethics of relying on a third party to break into phones and asked if the government needed to “enhance its technological capabilities.”

“We need the help of the private industry,” Cohen replied. “Both the industry that makes the technology and others. There are over 18,000 police agencies in the United States. While the FBI may have some technical ability internally, the police stations do not.”

On the technical panel, Prof. Blaze of UPenn emphasized that even as the public grapples with whether government can be trusted with keys to people’s data, cryptographers don’t know how to engineer a system that offers exclusive access. In other words, if the government is able to access encrypted communications, so can sophisticated cybercriminals.

“The encryption issue has been characterized as a question of whether we can build systems that allow the good guys in and keep the bad guys out,” Blaze, who has been studying encryption for over two decades, said in his opening statement. “Much of the debate has focused on questions of whether we can trust the government with keys for data. But before we can ask that question, there’s an underlying technical question, of whether we can trust the technology to actually give us a system that does that. And unfortunately, we simply don’t know how to do that safely and securely at any scale.”

Blaze, alongside the rest of the technical panel, agreed that asking third-party hackers to help with government investigations was not a good policy. But he differed with law enforcement officials by saying the government should develop a solution to access data on its own.

“It requires enormous resources,” Blaze said. “With the resources they currently have, I think it’s likely they don’t have the ability.” When pushed by DeGette, however, he said, “I think this is a soluble problem.”

At one point during the hearing, Rep. John Yarmuth, D-Ky., expressed exasperation with the repetition of law enforcement’s statements.

“I find it hard to come up with any question that is going to elicit any new answers from you,” Yarmuth said. “I think your testimony and the discussion we’ve had today is an indication of how difficult this situation is.”