Senate Judiciary committee interrogates Apple, Facebook about crypto

Sens. Graham and Feinstein show united front on blaming crypto for child porn.

In a hearing of the Senate Judiciary Committee yesterday, while their counterparts in the House were busy with articles of impeachment, senators questioned New York District Attorney Cyrus Vance, University of Texas Professor Matt Tait, and experts from Apple and Facebook over the issue of gaining legal access to data in encrypted devices and messages. And committee chairman Sen. Lindsey Graham (R-S.C.) warned the representatives of the tech companies, "You're gonna find a way to do this or we're going to do it for you."

The hearing, entitled "Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy," was very heavy on the public safety with a few passing words about privacy. Graham said that he appreciated "the fact that people cannot hack into my phone, listen to my phone calls, follow the messages, the texts that I receive. I think all of us want devices that protect our privacy." However, he said, "no American should want a device that is a safe haven for criminality," citing "encrypted apps that child molesters use" as an example.

"When they get a warrant or court order, I want the government to be able to look and find all relevant information," Graham declared. "In American law there is no place that's immune from inquiry if criminality is involved... I'm not about to create a safe haven for criminals where they can plan their misdeeds and store information in a place that law enforcement can never access it."

Graham and ranking member Sen. Dianne Feinstein (D-Calif.)—who referenced throughout the hearing the 2015 San Bernardino mass shooting and the confrontation between Apple and the Federal Bureau of Investigation that resulted from mishandling of the shooter's county-owned iCloud account by administrators directed by the FBI—closed ranks on the issue. "Everyone agrees that having the ability to safeguard our personal data is important," Feinstein said. "At the same time, we've seen criminals increasingly use technology, including encryption, in an effort to evade prosecution. We cannot let that happen. It is important that all criminals, whether foreign or domestic, be brought to justice."

Vance, for his part, called Apple's and Google's introduction of device encryption "the single most important challenge to law enforcement over the last 10 years... Apple and Google upended centuries of American jurisprudence." He cited a human trafficking case he could not get evidence for because of encryption, recounting how the suspect in jail told a cellmate that Apple's encryption was "a gift from God" to him.

That isn’t how any of this works

Vance has been a frequent and longtime advocate for federal legislation to ensure legal, extraordinary access to data. "I'm not sure state and local law enforcement are going to be able to bridge the gap with technology without congressional intervention," Vance told the committee in a response to a question from Sen. Feinstein.

Explaining that his office's lab gets about 1,600 devices a year as part of case evidence, Vance said, "About 82 percent are locked—it was 60 percent four years ago. About half of those are Apple devices. Using technology, we're able to unlock about half of the devices—so there are about 300 to 400 phones [a year] that we can't access with the technology we have. There are many, many serious cases where we can't access the device in the time period where it is most important."

Feinstein then told the other witnesses, "You heard a very prominent district attorney from New York explain what the situation is... I'd like to have your response on what you're going to do about it. That will determine the degree to which we do something about it."

Apple Manager of User Privacy Erik Neuenschwander responded that Apple will continue to work with law enforcement, citing the 127,000 requests from law enforcement for assistance Apple's team—which includes former law enforcement officials—has responded to over the past seven years, in addition to thousands of emergency requests that Apple has responded to usually within 20 minutes. "We're going to continue to work with law enforcement as we have to find ways through this," Neuenschwander said. "We have a team of dedicated professionals that is working on a daily basis with law enforcement."

Feinstein interrupted Neuenschwander: "My understanding is that even a court order won't convince you to open the device."

Neuenschwander replied, "I don't think it's a matter of convincing or a court order. It's the fact that we don't have the capability today to give the data off the device to law enforcement." There had been conversations about making changes to fix that, Neuenschwander said, "But ultimately we believe strong encryption makes us all safer, and we haven't found a way to provide access to users' devices that wouldn't weaken security for everyone."

Vance said in response that Apple should re-engineer its phones to allow access. "What they created, they can fix," he said.

Mixing up cryptos

Prof. Tait, a cyber-security fellow at the University of Texas' Lyndon B. Johnson School of Public Affairs and former GCHQ analyst better known on Twitter as @pwnallthethings, broke the issue of access down into three separate problems: digital wiretaps, device access, and "cyber tips" (the detection and reporting of criminal content such as child pornography by platform operators). While wiretaps and "cyber-tips" require a "backdoor" of some sort, he said, "options exist for both conducting wiretaps and retaining 'cyber tips' without the need for altering or regulating end-to-end encryption. These options are not easy, to be sure, but they exist."

Device access, however, is a whole different problem, Tait noted, because it relies on physical access. "Uniquely among the problem domains, only device encryption, which thwarts device searches, would be amenable to a 'front door' access mechanism. This is because device searches can be predicated on the knowledge, if not consent, of the owner, and the technology to do so can be built around law-enforcement’s physical access to the device." He suggested that there might be a way to store a device owner's key locally in a way that would allow warranted access and did not require the cooperation of the owner—an idea that Neuenschwander pushed back on as unworkable.

Neuenschwander explained that much of the problem law enforcement faced with data access was an education problem. He said:

"Given the pace of innovation and the growth of data in recent years, we understand that one of the biggest challenges facing law enforcement is a lack of clear information about what data are available, where they are stored, and how they can be obtained. That is why we publish a comprehensive law enforcement guide that provides this information, and our team has trained law enforcement officers in the United States and around the world on these processes. We will continue to increase our training offerings in the future, including by deploying online training to reach smaller law enforcement departments."

Jay Sullivan, the product management director for privacy and integrity in Facebook's Messenger, emphasized that Facebook had announced its end-to-end encryption plans early so that it could work with the government to find other ways to accommodate providing tips on criminal content. "Law enforcement access continues," Sullivan noted. "We opposed backdoors, [but] we're not flipping a switch tomorrow."

Sullivan noted in his opening statement that end-to-end encryption is "already well-established and widely used" by individuals and industry, with billions of people using encrypted communications every day. "In particular, end-to-end encryption is the best technology available to make messages private, safe, and secure... [it] ensures that no one other than the sender and recipient, not even Facebook, can intercept or read the substance of private communications."

Sullivan was quick to point out that Apple, Google, Microsoft, and Facebook's WhatsApp already provide end-to-end encryption (as does Facebook Messenger, but not by default), as do non-US providers such as Japan's Line and the Israeli-developed, Japanese-owned Viber. And he suggested that US regulation on end-to-end encryption would push people to use foreign-developed tools.

"Until recently, the Internet almost everywhere has been defined by American platforms with strong values of free expression," Sullivan said. "There is no guarantee that these values will win out. If the United States rolls back its support for privacy and encryption, foreign application providers—including those who may be outside the reach of our legal system and not nearly as committed to or capable of preventing, detecting, and responding to bad behavior—will fill the vacuum and provide the private and secure communications that people expect and demand."

The committee leadership did not seem moved. Sen. Graham said, in regard to providing access, "My recommendation to you is that you all get on with it... By this time next year, if you haven't come up with a solution that we can all live with, we will impose our will on you."