Lawmakers Need To Learn More About Encryption Before Regulating It, Says U.S. House Report

The House Committee on Homeland Security issued a report called “Going Dark, Going Forward,” in which it found, after more than 100 meetings and briefings with stakeholders impacted by the use of encryption, that the whole encryption debate may be flawed. What they learned is that there’s no simple solution without “troublesome trade-offs” regarding encryption and “going dark.”

How The Encryption Debate Began

What started the encryption debate in the first place was the fact that both Apple and Google announced stronger local storage encryption enabled by default for their devices back in 2014. The public fight against strong encryption has been mostly championed by FBI Director James Comey, who then took it up a notch when Apple said it wouldn't help the agency unlock the iPhone of the San Bernardino shooter.

Apple has been adamant that such a move would serve only to weaken the security of its devices, which then sparked a larger national debate about whether Apple and other companies should be compelled to decrypt their devices. However, that ultimately culminated with the FBI backing off and saying it found an alternative way to unlock the iPhone.

Anti-Encryption Bill

Senator Dianne Feinstein, who has been a champion of surveillance laws such as the 2008 FISA Amendments Act and its 2012 renewal, as well as the “Cyber-Patriot Act” legislation passed under the guise of “cybersecurity legislation” last year, also tried to pass an anti-encryption bill in the Senate.

However, the bill’s draft has been highly criticized by security experts, as well as by Senator Ron Wyden (apparently the only member of the Senate Intelligence Committee who ever seems to want less surveillance rather than more), who promised he would filibuster it.

The authors of the recent report also seem to believe that Feinstein and Senator Richard Burr’s anti-encryption bill would’ve had major unintended consequences.

“Initially, lawmakers and some among law enforcement personnel believed the solution was simple: statutorily authorize law enforcement access to obtain encrypted data with a court order,” said the report authors. “Unfortunately, this proposal was riddled with unintended consequences, particularly if redesigning encryption tools to incorporate vulnerabilities - creating what some refer to as ‘backdoors’ - actually weakened data security. Indeed those vulnerabilities would naturally be exploited by the bad guys - and not just benefit the good guys,” they added.

Security Vs. Security

The FBI and other members of the U.S. government have tried to paint this debate as “privacy vs. security”. The authors of the "Going Dark, Going Forward" report learned that the debate is really one about “security vs. security,” because what encryption does as its principal goal is protect data.

This is partly the reason why the European Union calls its digital privacy laws “Data Protection” regulations, because what we really mean by “digital privacy” is the ability to protect our data, and for that, encryption is critical.

Therefore, if we want our data to be properly protected, then strong encryption with no weaknesses is needed. Otherwise, those weaknesses will be discovered and abused by bad actors. The House Committee on Homeland Security agreed in the report that strong encryption can be used to protect personal communications and information, but also critical infrastructure, trade secrets, financial transactions, and other types of sensitive information.

No Simple Solutions

The report also said that we’re just beginning to understand the impact of encryption on society, and it would be a mistake for Congress to put a burden on technology companies by restricting what type of encryption they can use. It also said that it could hurt U.S. companies’ competitiveness, in contrast to what the CIA director recently said about foreigners having no choice but to use U.S. products and services.

“In our estimation, the best way for Congress and the nation to proceed at this juncture is to formally convene a commission of experts to thoughtfully examine not just the matter of encryption and law enforcement, but law enforcement’s future in a world of rapidly evolving digital technology,” said the members of the House Committee on Homeland Security. They added that, “We believe that experts in the fields of commercial technology, computer science and cryptology, privacy and civil liberties, law enforcement, intelligence, and global economics are best equipped to deconstruct this extraordinarily complex problem, and propose novel solutions that will stand the test of time.”

House Homeland Security Chairman Michael McCaul (R-TX) and Senator Mark Warner (D-VA) have proposed the formation of a “Digital Security Commission” that brings together all stakeholders to further explore this issue for another year, before recommending policies and legislation to Congress.

However, it’s not clear whether this type of commission can find an ideal solution, likely because it will mostly be interested in finding a “balance” between law enforcement needs and data protection needs. That type of balance may just not be possible in practice, or at least law enforcement may have to find ways around encryption and around forcing companies to backdoor their products or to keep them vulnerable so law enforcement can continue to exploit them.

The type of policies that will be proposed will also likely depend on the makeup of the commission. If too few stakeholders that care about privacy or data protection are invited to be part of it, then chances are the commission won’t decide policies that would be too much in favor of stronger privacy.

However, this type of commission may also be an opportunity for the rest of Congress to further educate itself on encryption and technology, which is generally a good thing, as that can also lead to more people discovering that encryption is beneficial and not something to be feared and banned.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

  • jimmysmitty
    Or, here is a better idea, do not regulate it at all? Because all they would do is put the privacy of people and companies at risk if they try to regulate what was designed to allow for confidential and private matters to stay that way.

    However knowing the government, they will still want to so instead of law makers learning about it why not assign top experts who are actually in the field to assist in making sure they don't do what they normally do and screw us over?
  • jeremy2020
    "Lawmakers Need To Learn SOMETHING Encryption Before Regulating It, Says U.S. House Report"

    fixed it
  • ddpruitt
    Oh my god, the US government understanding that security policies have nuance!? What's next, no more trolls in forums?
  • Haravikk
    Finally some sense; regulating encryption is stupid, as it doesn't prevent criminals from using strong encryption anyway (they don't care about your regulations, they're criminals), so all it does is weaken encryption for law abiding citizens. Maybe that's what some in government want, but the citizens do not (those that understand the issue at least).

    The key thing to do is realise that regulating encryption is pointless, and that law enforcement agencies need to assume that encryption is unbreakable and proceed from there. Sure, sometimes they'll get lucky and encryption is weak or flawed, but they should be concentrating resources on stopping causes and means of crime; you stop terrorists by fighting radicalisation, with border security, and by preventing their access to weapons and/or the materials to make bombs (or track these to detect suspicious activity).