The Information Technology Subcommittee of the Committee on Government Oversight and Reform of the US House of Representatives last Wednesday held a hearing on encryption technology and potential US policy responses. The subcommittee heard testimony from representatives of the IT sector, members of the criminal justice and law enforcement community, and a computer science professor. Discussion focused on how law enforcement and the criminal justice system could deal with encrypted communications.
Encryption is used to obfuscate data so that it is readable only by those who possess the proper information to decode it. With companies stepping up security efforts in response to market demands in the post-Snowden era, some everyday applications now feature rather sophisticated encryption schemes. This conveys a tremendous benefit to consumers looking to protect their data and communications, but could also provide a safe haven to criminals and terrorists.
The primary policy question is how to properly balance individual privacy rights with law enforcement’s intelligence-gathering needs. Some in the law enforcement community have floated the idea of building what are known as “backdoors” into systems to allow law enforcement to defeat encryption. Backdoors are security holes intentionally built into systems that allow those who are aware of them to bypass security measures.
As some of the witnesses and subcommittee members pointed out, this proposition is dubious. From a technological standpoint, it’s virtually impossible to build a backdoor that only the “good guys” can use. Mandated security backdoors could be a boon to the already-thriving underground market for exploiting security weaknesses. There’s also reason to believe that this requirement would put US-based companies at a disadvantage compared to foreign competitors that would not be required to build systems with inherent weaknesses. It would also require users of US-developed applications to question whether their data were actually protected by encryption.
Law enforcement has made a compelling case for how encryption has created difficulties for many of their legitimate activities. After Wednesday’s hearing, which many would consider a strong repudiation of the mandated backdoor concept, it will be interesting to see what solutions, if any, are presented in the future. Companies should closely monitor this debate as it could directly impact the security of communications systems they depend on to carry confidential or privileged information.