The US House Judiciary Committee’s Encryption Working Group released its year-end report earlier this week, and it looks like a victory for many technology and privacy advocates.
The report makes the following four points, which you can read in full in the PDF report here:
- Any measure that weakens encryption works against the national interest
- Encryption technology is a global technology that is widely and increasingly available around the world
- The variety of stakeholders, technologies and other factors create different and divergent challenges with respect to encryption and the “going dark” phenomenon, and therefore there is no one-size-fits-all solution to the encryption challenge
- Congress should foster cooperation between the law enforcement community and technology companies.
The first point is especially noteworthy as it has been a bone of contention in government, law enforcement, civil rights groups, and technology companies (including Sophos) for quite some time.
The committee’s observation draws a line at forcing private-sector companies to build backdoors into their encryption practices, saying:
Congress should not weaken this vital technology because doing so works against the national interest. However, it should not ignore and must address the legitimate concerns of the law enforcement and intelligence communities.
This finding echoes what ENISA, the EU cybersecurity policy group, has said, which is that building backdoors into encryption does much more harm than good. It hampers legitimate efforts to safeguard information and privacy and delivers a powerful weapon into the hands of criminals, outweighing any possible benefit to intelligence and law enforcement.
Similarly, earlier this year legislators in the House introduced a bill that would stop states from requiring encryption backdoors in smartphones.
The rest of the observations do dive a bit more deeply into the arguments against backdoors. The second point specifically mentions that if backdoors are mandated, they’ll only apply to companies based in the US, inevitably driving a lot of business to other countries where such mandates don’t exist.
And if a company takes its business overseas, law enforcement could lose all jurisdiction to all data they hold, not just the encrypted data they might be seeking at that time. Pointedly, the report adds:
Congress cannot stop bad actors – at home or overseas – from adopting encryption. Therefore, the Committees should explore other strategies to address the needs of the law enforcement community.
That said, the second sentence in the observation seems to leave the door ajar for some kind of alternate solution for intelligence and law enforcement. There’s no clear directive in the report to outline how exactly the committee would both protect encryption technologies from mandated backdoors and also allow law enforcement to access vital information. The third point specifically cites that there’s no one-size-fits-all option.
Stored data, also called “data at rest”, for example has very different challenges for law enforcement in comparison to data that’s in transit, otherwise called “data in motion”. This kind of data is also treated differently from a technological point of view, hence the rejection of a one-size solution – though we may colloquially all think of it as data en masse, the reality of where and how the data are stored, tracked and encrypted is a lot more complex.
While it’s a big problem, as the report pointedly states it doesn’t mean there is no solution. It remains to be seen exactly how this will play out and what can be done to help law enforcement do their jobs without compromising encryption.
But for right now the House Judiciary Committee coming out strongly against backdoors is a win for those that have been advocating for leaving encryption well enough alone.