On Tuesday, December 10, the Senate Judiciary Committee (SJC) held a hearing on the encryption debate, the first such hearing in years. Most of the senators present vowed that unless companies such as Apple and Facebook (whose witnesses appeared at the hearing) voluntarily change their products to enable law enforcement access to encrypted data, the Senate
On Tuesday, December 10, the Senate Judiciary Committee (SJC) held a hearing on the encryption debate, the first such hearing in years. Most of the senators present vowed that unless companies such as Apple and Facebook (whose witnesses appeared at the hearing) voluntarily change their products to enable law enforcement access to encrypted data, the Senate will bring legislation – possibly as soon as next year – to mandate that access.
Senator after senator excoriated the Apple and Facebook witnesses, interrupting them before they could answer the questions posed to them and generally refusing to listen to a word they said – while giving the witness for law enforcement, Manhattan District Attorney Cyrus Vance, ample opportunity to speak unhindered. In the entire two-hour hearing, only two or three senators expressed any skepticism about law enforcement’s claimed need for an access mandate or questioned whether such a mandate would be effective in achieving its goals. (I recently explained why it wouldn’t.) Even those few who did (Senators Tillis, Lee, and to my surprise, Hawley), failed to press Vance on these seemingly-key questions, allowing him to dodge without giving any straight answers.
Not that the Facebook/Apple witnesses came out that well either: while I agreed with everything they said, they failed to connect with the panel on the necessary gut level. They spent their time trying to explain technical nuance to a group of people who could not care less about technicalities and nuance, and who told them as much in no uncertain terms. They came off as dispassionate techies who either didn’t or couldn’t make the case for why encryption’s protections are as important as the vital and pressing law enforcement interests at stake. The senators’ fury towards the two industry witnesses showed that law enforcement’s recent public-relations campaign, going all-in on demonizing encryption for enabling child sex abuse, has been wildly effective. Facebook and Apple failed to counter that messaging; they missed the opportunity to explain, in a way that would really land with the panel, why and how encryption protects children… even after Senator Lee lobbed them a softball on that point. In fact, the Facebook witness was forced by one senator to state affirmatively that Facebook opposes child sex abuse – falling into the exact framing I recently wrote about, of “pro-encryption equals anti-child safety.” Like I said in that post: this PR campaign was a genius move by law enforcement. It’s worked like a dream.
In fact, law enforcement pulled a particularly neat trick at this hearing. That PR campaign was prompted by Facebook’s plan to roll out end-to-end encryption by default across its messaging services. (Law enforcement has warned that this plan will embolden child abusers to use those services to trade child sexual abuse material [CSAM] and for enticing and grooming child victims.) Yet the panel appeared largely uninterested in talking about messaging encryption and focused mostly on the idea of an access mandate for encrypted devices. Indeed, Vance testified that he would concede on access to end-to-end encrypted messaging and would settle for a device mandate. This focus on devices isn’t surprising: a device backdoor mandate is the thing Vance has dearly wanted for the last five years, and both he and SJC ranking member Dianne Feinstein respectively drafted device backdoor legislation back in 2016. Those proposals went nowhere back then, but that was before the “techlash” caused congressional trust and patience in tech companies to tumble to its current low ebb. Now it’s 2019, and soon Vance, Feinstein, and other proponents of device encryption backdoors might finally get their wish, thanks to fears about messaging encryption. It’s a heck of a bait and switch!
However, I am under no illusion that law enforcement will simply go away and shut up about end-to-end messaging encryption if Congress passes a device backdoor mandate. True, devices have long been the focus of U.S. authorities, whereas those in other countries such as the U.K. have tended to focus more on messaging. But U.S. officials have long made noise about messaging too, even if it hasn’t always been clear to what extent their backdoor proposals targeted messaging and not just devices. Even if Cy Vance would content himself with a device mandate, Cy Vance doesn’t speak for the Attorney General, who has Facebook’s plans in his crosshairs.
It is a classic negotiation strategy to ask for more than you actually want, then let yourself be bargained down to a “reasonable compromise” that just happens to be what you really wanted. Anything else you get on top of that is gravy. Mandating messaging encryption backdoors would be a nice-to-have for Vance, but by conceding on end-to-end encrypted messaging for the time being, he gives the appearance that the law enforcement community is engaging in earnest, good-faith negotiation toward the “mature, adult, reasonable, balanced, middle-ground compromise” on encryption that he and his colleagues are always demanding from device makers, platforms, app developers, cryptographers, and civil libertarians (who realize there is no middle ground). If Vance comes across as willing to give up something in the spirit of finding middle ground, he can make Facebook and Apple look even more unreasonable than the SJC members accused them of being.
And if next year Congress passes a law that only (“only”) mandates backdoors for encrypted devices, well, law enforcement can always come back to ask for messaging encryption backdoors later. That is their M.O.: to renege on compromise positions when it comes to access mandates. The Communications Assistance for Law Enforcement Act (CALEA), which requires telecoms to make phone calls wiretappable, was a compromise when it was passed in the 1990s. The statute exempted “information services” such as Facebook and Apple from CALEA’s duties, leaving them free to design their encryption however they wanted. The law even left CALEA-covered entities free to encrypt calls and throw away the keys to decrypt. Law enforcement has been trying to roll back CALEA’s compromises ever since, sometimes successfully, sometimes not. So far, the fight to force Apple, Facebook, etc. to build backdoors in their encryption – basically, to close the “information services” carve-out in CALEA – has fallen into the “not successful” category. But that might change, if the senators who railed against encryption during Tuesday’s hearing keep their word and persuade their colleagues to join them.
I would like to think such a bill would have little chance of passing, even now that public opinion has soured on Big Tech. But then, I didn’t see the necessity for the CLOUD Act either. As my CIS colleague Al Gidari pointed out before the CLOUD Act dropped (as part of a massive must-pass omnibus spending bill), to deal with the problem of foreign law enforcement authorities’ encountering unacceptably long delays in getting U.S. providers to respond to requests for user data under mutual legal assistance treaties (MLAT), the simplest, narrowest solution would seem to be “to properly staff and budget for the realities of a new digital world so that the Department of Justice can properly do its job in screening such [MLAT] requests for legitimacy.” As far as I was concerned, you could get most of the way towards solving the MLAT problem through three things: (1) additional budget, staff, and other resources for DOJ to support its MLAT role, (2) guidance and trainings for foreign law enforcement unfamiliar with American probable-cause standards, and (3) the creation of a group of Article I federal judges tasked solely with handling MLATs (since staffing up DOJ wouldn’t do much good if the federal courts were still too backlogged to deal promptly with MLAT matters). I am sure those ideas are not perfect, and they might not solve the whole problem, but they seemed to me – admittedly a political naïf 3,000 miles away from Washington – to be much simpler and easier measures than what we actually got with CLOUD: an expansion of police surveillance powers.
On the encryption debate, a narrower path also seems like the wiser course of action to pursue here. During the hearing, Vance asserted that although his office is an outlier, most state and local law enforcement agencies lack the resources the FBI has to buy technical workarounds to smartphone encryption (which resolved the FBI’s 2016 showdown with Apple). Leaving aside whether that’s true, given that police agencies around the country own Cellebrite and other devices for getting into locked phones, it suggests that law enforcement has a resource problem, not an encryption problem.
Further, the whole framing of Tuesday’s hearing assumed that encryption really is the main problem for law enforcement. It isn’t, according to a Center for Strategic and International Studies report from last year. CSIS surveyed law enforcement agencies around the country and found that their top challenges in digital evidence-gathering were figuring out which service providers held relevant data and then getting it from those providers. Those challenges, CSIS said, “ranked significantly higher than any other challenges—including challenges associated with accessing data from devices or interpreting the data that has been obtained,” i.e., encryption. The CSIS report likewise identified budget constraints and training limitations as hindrances to effective access and use of digital evidence.
In short, it seems to me like we are facing the same situation we did with cross-border data requests. As the CSIS report recommended, more budget, more resources, more coordination, and more training are potential solutions to try to address the problems law enforcement is experiencing with encryption’s impact on investigations. Those should be the measures of first resort, not rushing to hand the police more power by enshrining encryption backdoor requirements into law.
And in fact, there’s already proposed legislation based on CSIS’s recommendations: the Technology in Criminal Justice Act of 2019, introduced in the House last month by a bipartisan group of co-sponsors led by Rep. Val Demings of Florida. The bill seeks to close the resource, training, and information-sharing gap for digital evidence, and to improve the frayed relationship between law enforcement and technology companies. Notably absent from the bill is any language that would roll back the CALEA compromise or mandate encryption backdoors. To be clear, I’m not advocating for or against Rep. Demings’ bill. I just want to point out that it offers an alternative to whatever backdoor nightmare the Senate Judiciary Committee is surely drafting up right now.
Congress should reject power grabs by law enforcement and focus instead on wisely and adequately allocating resources where they are needed. We could have had that for cross-border data demands, but Congress gave us CLOUD instead. And after watching so many senators compete on Tuesday to see who could yell at Apple and Facebook the loudest, I fear I see another dark cloud on the horizon.
 If we’re going to talk about budget, it bears noting that federal authorities did already have budget for fighting the online child sex abuse crimes they are using to justify their encryption backdoor demands, but they spent a bunch of it promoting the administration’s xenophobic border policy instead. An October New York Times article on Facebook’s CSAM problem reported that “the Department of Homeland Security this year diverted nearly $6 million from its cybercrimes units to immigration enforcement — depleting 40 percent of the units’ discretionary budget until the final month of the fiscal year.” Shortchanging child victims in order to persecute immigrants: why hurt just one vulnerable population when you can harm two at once?