The US House Judiciary Committee’s Encryption Working Group released its year-end report earlier this week, and it looks like a victory for many technology and privacy advocates.
The report makes the following four points, which you can read in full in the PDF report here:
- Any measure that weakens encryption works against the national interest
- Encryption technology is a global technology that is widely and increasingly available around the world
- The variety of stakeholders, technologies and other factors create different and divergent challenges with respect to encryption and the “going dark” phenomenon, and therefore there is no one-size-fits-all solution to the encryption challenge
- Congress should foster cooperation between the law enforcement community and technology companies.
The first point is especially noteworthy as it has been a bone of contention in government, law enforcement, civil rights groups, and technology companies (including Sophos) for quite some time.
The committee’s observation draws a line at forcing private-sector companies to build backdoors into their encryption practices, saying:
Congress should not weaken this vital technology because doing so works against the national interest. However, it should not ignore and must address the legitimate concerns of the law enforcement and intelligence communities.
This finding echoes what ENISA, the EU cybersecurity policy group, has said, which is that building backdoors into encryption does much more harm than good. It hampers legitimate efforts to safeguard information and privacy and delivers a powerful weapon into the hands of criminals, outweighing any possible benefit to intelligence and law enforcement.
Similarly, earlier this year legislators in the House introduced a bill that would stop states from requiring encryption backdoors in smartphones.
The rest of the observations do dive a bit more deeply into the arguments against backdoors. The second point specifically mentions that if backdoors are mandated, they’ll only apply to companies based in the US, inevitably driving a lot of business to other countries where such mandates don’t exist.
And if a company takes its business overseas, law enforcement could lose jurisdiction over all the data that company holds, not just the encrypted data they might be seeking at that time. Pointedly, the report adds:
Congress cannot stop bad actors – at home or overseas – from adopting encryption. Therefore, the Committees should explore other strategies to address the needs of the law enforcement community.
That said, the second sentence in the observation seems to leave the door ajar for some kind of alternate solution for intelligence and law enforcement. There’s no clear directive in the report to outline how exactly the committee would both protect encryption technologies from mandated backdoors and also allow law enforcement to access vital information. The third point specifically cites that there’s no one-size-fits-all option.
Stored data, also called “data at rest”, for example, poses very different challenges for law enforcement than data that’s in transit, otherwise called “data in motion”. The two are also treated differently from a technological point of view, hence the rejection of a one-size solution – though we may colloquially all think of it as data en masse, the reality of where and how the data are stored, tracked and encrypted is a lot more complex.
While it’s a big problem, as the report pointedly states, that doesn’t mean there is no solution. It remains to be seen exactly how this will play out and what can be done to help law enforcement do their jobs without compromising encryption.
But for right now, the House Judiciary Committee coming out strongly against backdoors is a win for those who have been advocating for leaving encryption well enough alone.
There was never any risk in the first place. There will always be someone making encryption that doesn’t have a back door. It looks like the government is starting to catch on to that.
As a side point, there is no way they would require back doors on all encryption in the first place. You’re telling me that the President would be required to use encryption with a back door? Or doctors? What about IT staff for doctors? The whole back door argument hasn’t made any sense from the beginning.
It’s all in the way you look at it. Of course the president of the USA would expect to have an email system that doesn’t have back doors, how could he safely, privately and securely conduct communications between himself and his staff etc… However, he won’t care and will not have any such expectation for systems used by anyone outside his government as they need to beat terrorism and severe crimes by spying on communications without discrimination as the basic fact is despite the various methods available to the multitude of security agencies, they believe that by mass surveilling everyone on the planet they are going to catch that all-important communique that will prevent very bad things from happening despite evidence to the contrary and despite in all common sense that there probably is not enough personnel or hours in the day to trawl through every phone call, text message, online post and so on in order to capture that all-important information which would prevent such an incident, however this seems to be the belief. And this is not just the belief of the president, every human being will believe to some extent that they should not be spied upon but that it’s okay for everyone else to be, ultimately we are all extremely selfish when it comes down to it.