Update: Congress eyes commission to tackle encryption debate

Bipartisan bill would weigh balance between privacy and security

smartphone encryption
Credit: Shutterstock

Bipartisan congressional legislation will be introduced to create a national commission on security and technology that addresses the growing concern over encryption technology used by terrorists.

Sen. Mark Warner, D-Va., and Rep. Michael McCaul, R-Tex. discussed with reporters  their joint legislative proposal to create a Digital Security Commission. McCaul is the chairman of the House Homeland Security Committee; Warner is a member of the Senate's Select Committee on Intelligence, among other committees.

Neither lawmaker said when the proposal would be introduced, but said the commission, once formed, would work on a tight timeline. McCaul, a former federal prosecutor in cybersecurity and national security in Texas, said a group of experts in security, law enforcement, intelligence and privacy will be named when the legislation creating the commission is introduced.

A major focus of the commission will be encryption technology used in smartphone apps and elsewhere and how intelligence officials can legally monitor encrypted communications used by terrorists to plan attacks. Both lawmakers have written about how encryption poses a paradox for protecting both security and personal privacy.

Solutions recommended by the commission could include voluntary technology changes adopted by industry instead of congressional action, both men said. McCaul said a commission could head off a “knee-jerk legislative” approach, although he called the use of encrypted tech and the dark net “one of the greatest challenges to law enforcement I’ve probably seen in my lifetime."

Warner, a former governor of Virginia and co-founder of wireless carrier Nextel, said the commission will not only look at encryption technology, but other forms of “going dark” as well as the use of social media to recruit terrorists. Both lawmakers noted that any legislative approach might be ineffective since it would only affect U.S.-based businesses when half of encryption apps are written by companies abroad, out of reach of U.S. laws. Some terrorists involved in the recent Paris attacks used Telegram, a Belgian-based encrypted app.

“Encrypted technology [also] protects American privacy used by American defense and enterprise,” Warner said. The idea of using a “back door” to circumvent encryption on smartphones won’t work, he added.

“The idea of having a debate about a back door into encryption could have happened 15 years ago, but now the horse is at the barn…. I don’t believe there’s a single silver bullet in a legislative way," he said.

The idea for a Digital Security Commission stems from concerns voiced by the FBI and others after the attacks in Paris and San Bernardino last year. FBI Director James Comey told a Senate hearing in December that one of two terrorists killed in a May 3, 2015 attack in Garland, Texas had used encrypted messages 109 times before staging that attack.

Comey and lawmakers and even President Obama have repeatedly asked technology companies to voluntarily find ways to turn over to a judge any encrypted communications suspected of being terrorist related. Those requests have brought strong opposition from privacy advocates.

Apple CEO Tim Cook, among others in the tech community, has openly defended personal privacy, noting that newer Apple iPhones protect personal data with encryption directly on the phones that can't be accessed by anybody but the user.

The two lawmakers jointly penned an opinion piece for The Washington Post last month that outlined their intentions. "Because extremists are 'going dark,' law enforcement officials warn that we are 'going blind' in our efforts to track them," they wrote.

They noted that ISIS has distributed a manual to followers that includes tips for concealing messages through end-to-end encryption, secure apps and other means. Similar tactics are used by drug traffickers and child predators, they said.

But the lawmakers also admitted that encryption is also a "bedrock of global commerce and it has helped enhanced individual privacy immeasurably."

They added: "Digital innovations present us with a paradox. We are no longer simply weighing the costs and benefits of 'privacy vs. 'security' but rather 'security vs. security.'" Mandating backdoor access to encrypted data would "weaken Internet privacy for everyone" and make "information systems more vulnerable to attack."

McCaul and Warner want the new commission to include experts on all sides of the debate. "This would not be a group of politicians debating one another," they wrote, but would be a body charged with developing "actionable recommendations that can protect privacy and public safety.

"We must find more ways to stop terrorist attacks during the planning phase -- not while they are under way," they wrote.

This story, "Update: Congress eyes commission to tackle encryption debate" was originally published by Computerworld.