Congressional Encryption Working Group Year-End Report
On December 20, ten members of the House of Representatives’ bipartisan Encryption Working Group released a year-end report of its findings, observations, and recommendations for Congress and stakeholders to consider on encryption policy. In particular, the report focused on ways to facilitate greater cooperation between law enforcement and the private sector that would enable law enforcement to obtain through appropriate legal processes electronic information and evidence seen as necessary to an investigation, but do so without compromising or weakening encryption – a technology seen as vital to the national interest.
Specifically, the report’s recommended next steps are targeted at 1) law enforcement requests for information; 2) better use of metadata analysis; 3) a potential framework for legal hacking; 4) compelled disclosure by individuals; and 5) privacy and security.
Last March, the chairs and ranking members of the House Energy and Commerce (E&C) Committee and the House Judiciary Committee established a 12-member Encryption Working Group (EWG), which consisted of four members from each committee, equally divided between Republicans and Democrats, along with the chairs and ranking members of both committees. Since then, the EWG met with numerous representatives from law enforcement, the intelligence community, the technology industry, civil society and privacy advocates, academia, and other stakeholders. The EWG’s year-end report provides a window into these conversations and a set of milestones on the state of encryption policy within Congress.
Of the 12 EWG members, 10 agreed to co-sign the report (E&C Chair Fred Upton (R-MI), E&C Ranking Member Frank Pallone (D-NJ), Judiciary Chair Bob Goodlatte (R-VA), Judiciary Ranking Member John Conyers, Jr. (D-MI), and Representatives Bill Johnson (R-OH), Yvette Clarke (D-NY), Darrell Issa (R-CA), Zoe Lofgren (D-CA), James Sensenbrenner (R-WI), and Suzan DelBene (D-WA)). Two EWG members from the E&C Committee – Representatives Adam Kinzinger (R-IL) and Joe Kennedy III (D-MA) – did not sign the report.
KEY POINTS AND OBSERVATIONS
The report acknowledges what appears to be a binary debate on encryption: Law enforcement cannot do its job without exceptional access to encrypted data, and the private sector, cryptography experts, and information security professionals believe that it “is exceedingly difficult and impractical, if not impossible” to give law enforcement exceptional access to encrypted data “without also compromising security.” That said, the report considers as inaccurate “a narrative that sets government agencies against private industry, or security interests against individual privacy.” Such a narrative does not capture the complexity of the issues involved.
The report made four fundamental observations and key points worth highlighting:
Observation #1: Any measure that weakens encryption works against the national interest.
- Stakeholders from the private and public sectors all acknowledge the importance of encryption to individual, economic, and national security. That said, Congress should look at ways to address legitimate law enforcement and intelligence community concerns about access to encrypted data.
- The report calls on Congress to explore proposals that facilitate greater collaboration between law enforcement and the tech sector, as well as better information sharing between elements of law enforcement.
Observation #2: Encryption technology is a global technology widely and increasingly available around the world.
- Because of the global scale of encryption, the private sector fears that any U.S. policy mandates that compromise encryption risk shifting U.S. consumer use to foreign-based products, and could shift investments and jobs outside the United States, which further hinders law enforcement/intelligence access to data, encrypted or not.
- Because Congress cannot stop bad actors, it should consider other ways to assist law enforcement.
Observation #3: The myriad stakeholders, technologies, and other factors create different and divergent challenges with respect to encryption.
- There is a significant overall gap between knowledge and resources available to federal law enforcement and state and local agencies.
- The intelligence community’s resources and personnel make it better situated to work around encryption challenges, making their challenge more “going spotty” than “going dark.” That challenge increases as default strong encryption becomes more prevalent globally.
- Given resource and knowledge gaps, there is no one-size-fits-all solution. However, by focusing on a number of discrete issues, there is an opportunity to mitigate the challenges.
Observation #4: Congress should foster cooperation between the law enforcement community and technology companies.
- Reducing the knowledge and capabilities gap between law enforcement and the technology community will improve law enforcement’s effectiveness, and have the potential to reduce friction with the technology community.
The report offers a number of policy recommendations for further exploration by the EWG and consideration by Congress:
Law Enforcement Requests for Information
The report calls on Congress to explore means of providing assistance to improve law enforcement access to unencrypted data in a digital economy. This assistance could include:
- Tools that help companies clarify what information is already available to law enforcement
- Review of federal warrant procedures to determine whether they can be made more efficient and ensure they are clear and consistent with respect to law enforcement access to digital information
- Examine how law enforcement can better utilize existing investigative tools
- Authorize and modernize the Department of Justice’s National Domestic Communications Assistance Center (NDCAC), which is a hub for technical knowledge management designed to facilitate information sharing among law enforcement agencies and the communications industry
Some argue that metadata, our collective digital “footprints,” could help investigators offset the loss of encrypted content. While metadata cannot replace encrypted content in every case, the report calls for greater exploration of metadata’s value. Key questions include:
- What kind of metadata can be accessed by law enforcement?
- What privacy interests are implicated as a result of law enforcement analysis of large amounts of metadata over time?
- What kind of algorithmic or other technical tools would law enforcement need to leverage metadata?
- What judicial and evidentiary processes exist around metadata, and do they limit their effectiveness or applicability in court?
Legal or lawful hacking occurs when law enforcement exploits a vulnerability in the digital security of a device or service in order to obtain evidence of a crime. Many stakeholders argue that law enforcement should be given the resources to exploit existing product flaws. Others believe legal hacking creates the wrong incentives. The report suggests the E&C and Judiciary Committees could explore a framework for legal hacking. Key questions include:
- What sort of legal process, if any, is required to authorize legal hacking?
- Should law enforcement disclose vulnerabilities leveraged in legal hacking to the affected companies?
- Is the Obama Administration’s Vulnerabilities Equities Process (the ad hoc process the federal government uses to determine whether to disclose vulnerabilities in its possession) adequate? Should Congress provide guidance or authorize a formal structure for the process?
- How do law enforcement’s challenges differ from those of the intelligence community?
- Can legal hacking be cost managed so it can be used regularly as an investigative technique, and if so, what security issues would that raise?
Compelled Disclosure by Individuals
Could a policy be developed on a case-by-case basis consistent with legal procedures to compel decryption by individual consumers of encrypted products? For example, could law enforcement require an individual to provide a passcode or other authenticator that does not undermine the security of the encrypted product? Key questions to consider:
- Can the government compel an individual to unlock his phone without violating the Fifth Amendment’s self-incrimination protection?
- Is there a substantive or legal difference between unlocking a device with a passcode and unlocking the device with a biometric identifier?
- What is the proper legal standard for compelling an individual to unlock a device?
Privacy and Data Security
Encryption products are driven significantly by consumer interest in privacy and security. Yet at the same time consumers enjoy the convenience of services that necessitate the sharing of information with third parties. The report calls on Congress to explore the role of encryption in advancing data security and privacy. Key questions include:
- Should the federal government take additional steps to address greater security around private data?
- How can companies use encryption to better protect consumer privacy and security?
- How can the government use encryption to better protect privacy and security of data held by various agencies?
- What vulnerabilities remain after communications have been encrypted and how might those vulnerabilities be addressed?
- How would consumers’ privacy and data security suffer if encryption were weakened?