Critics say Senate encryption bill is “deeply impractical”
Kate Krauss - spokeswoman for the Tor Project, a non-governmental organization that provides a free means for users to anonymize their online browsing - told AMI Newswire that draft legislation released April 8, dubbed the Compliance with Court Orders Act of 2016, was unlikely to pass, calling the bill “deeply impractical.”
In a four-hour Senate Energy and Commerce Committee hearing April 19, experts from law enforcement and computer security offered testimony on the pros and cons of a law that would force tech companies to break their own encryption. Encryption, at its core, is a way of hiding digital data from all but the people who have a digital “key,” and it is regularly used to protect against identity theft. In the most secure circumstances, experts say, only one or two people have the key, and often only for a temporary amount of time. Data on iPhones is often encrypted and remains inaccessible until a pass code is entered.
The bill’s proponents want every Internet service provider, device manufacturer, software maker and website in the U.S. to have a “key” or similar system, made available to investigators with a court order.
But according to testimony from Matthew Blaze, a computer science professor at the University of Pennsylvania, successfully building a third-party “key” system makes everyday security exponentially more difficult. “The design and implementation of even the simplest encryption systems is an extraordinarily difficult and fragile process,” he testified. “Very small changes frequently introduce fatal security flaws.”
Opponents say that, in addition to weakening security overall, forcing all software manufacturers to have a “backdoor” could also drive software and device development to companies outside the U.S.
“If there was a law passed in the United States that weakened many pieces of software, then our whole country would become the place to not get your software,” Krauss said. “A bank would want to go where the software was stronger, and buy from the company that had the strongest software to keep its customers safe.”
The hearing and bill, co-sponsored by senators Diane Feinstein (D-California) and Richard Burr (R-North Carolina), comes only weeks after the end of a battle between the FBI and Apple Inc., over a request to break into a phone owned by one of the suspects in the San Bernardino shootings last December. Tashfeen Malik and her husband Syed Rizwan Farook are alleged to have killed 14 and injured 22 people at a public health department holiday party. Investigators alluded to the possibility that the couple had ties to terrorist networks abroad as part of its request to Apple to access information stored on Farook’s iPhone.
The FBI announced in late March it had broken into the phone with the help of a third party, and subsequently moved to drop its case against Apple.
Testimony from law enforcement at the latest hearing, however, noted that encryption like that found on the iPhone is making it difficult to solve crimes. Thomas Galati, chief of the New York Police Department’s Intelligence Bureau, testified that his group currently has 67 legally-seized iPhones that it can’t open to investigate crimes. He said these crimes include 10 homicides and a case where two police officers were shot.
“In today’s world, nearly everyone lives his or her life on a smartphone … evidence that once would have been stored in a file cabinet or a notebook is now archived in an email or a text message,” he testified. “The same exact information that would solve a murder, catch a rapist or prevent a mass shooting is now stored in that device.”
But Galati said another encryption problem exists, which he called “data in motion.” The term refers to data or communications - such as phone calls - that are encrypted. This encrypted information needs to be heard as it happens in order to use it as evidence. In the past, law enforcement used wiretaps to listen in on phone conversations. In a world that is increasingly using smartphones, free apps, such as WhatsApp or Signal, allow users to encrypt calls and text messages on a smartphone. In that instance, even if law enforcement secures a warrant for a wiretap, the encryption keeps them from knowing what is being said.
It’s not immediately clear whether the new bill, if passed, would force services such as Tor or WhatsApp to allow as-it-happens eavesdropping on encrypted phone calls or browsing. A summary of the bill released by Feinstein’s office said companies covered under the legislation are “responsible only for the information or data that they (or another party on their behalf) have made unintelligible.”
Krauss, however, said she heard this argument nearly 20 years before, in the early days of the World Wide Web, the underlying system that allows viewing of Internet-connected web pages. At that time, she said, legislators took high profile looks at the “dark” web, with some arguing that because a technology could be used for illegal purposes, then it needed regulation.
The argument, she said, was as flawed then as it is today. “We are very against bad guys and we are dismayed when our service is used in this way. But you don’t destroy I-95 just because bad guys use it to get to New York.”
In spite of the potential for misuse, Tor touts itself as a system that has enabled secure communications for human rights activists, whistle-blowers and journalists in repressive countries. Founded as a U.S. Naval Research Laboratory project for military communications, it evolved into a non-governmental organization based in Massachusetts, and expanded its service to all people. Its worldwide network of computers that enable the anonymization are owned and operated by volunteers, and neither the volunteers nor organization retain data from its users’ browsing.
The organization even refuses to keep records of donations, in part to protect benefactors in countries where free speech is repressed (Krauss points out that it is funded in large part by the National Science Foundation and the U.S. State Department, among others). People browsing the web through Tor have their encrypted data constantly channeled through changing paths, in order to hide where a person is browsing from.
The source of the leak of the Panama Papers - an investigation that documented more than $2 billion in funds hidden in offshore bank accounts connected to leaders in Canada, Iceland, Russia and more - requested that the journalist he was working with communicate entirely through encrypted channels. Although the journalist responsible for getting the data would not say what was used, he made reference to programs such as Signal.
Integrating a mechanism for eavesdropping on the Tor network, Krauss said, would undermine the entire project. To date, she said no law enforcement agency has brought a subpoena to the group.
“The way we are designed is that it’s freedom for everybody, or freedom for nobody. There’s no technical way to pick apart who is using what ... the whole point is that it’s a conduit for anonymous communication for everyone.”
In the meantime, the Feinstein-Burr bill has public support from prosecutors and law enforcement throughout the country, including New York City Police Commissioner William Bratton.
“As terrorist acts rock Europe, law enforcement’s ability to legally intercept communication is critical to uncovering the next plot,” Bratton said in an April 8 statement. “No key piece of evidence in disrupting an attack or identifying a child predator should be beyond the reach of the law.”