The battle between Apple and the Federal Bureau of Investigation over whether the tech giant should break into a locked iPhone has thrust the conversation about encryption onto the national stage. Congress looks set to get involved, but it’s unlikely that any bill requiring companies to help law enforcement get around encrypted data will gain traction.
Encryption is used in practically every service online. Legislation to break into it “is going to put a chilling effect on commerce and speech, because no one’s going to want to send information or transact online if they don’t think that their transactions are secure,” said Bijan Madhani, privacy counsel at the Computer & Communications Industry Association, in an interview.
Amazon, Facebook, Google and PayPal are just a few of the tech firms that CCIA represents. Madhani believes the technology community will be “uniform” in opposition against any bill mandating companies to create a “backdoor” to their security systems. Such measures would require companies “to do something that will actually harm the overall internet and the overall internet security and their users,” Madhani said.
There’s also the issue (as always) of pure politics. American Civil Liberties Union Legislative Counsel Neema Singh Guliani likened the encryption debate to the controversy that swirled around the National Security Agency’s bulk data collection program. Then, as now, both Republicans and Democrats have raised questions.
“In Congress, this issue looks different from any other that we’ve seen,” Guliani said. “What we’re saying [is that] libertarians from the Republican party and Democrats stand together on this issue.”
While lawmakers have discussed the tension between private sector encryption and law enforcement needs for at least a year, the Apple case has brought a new urgency to the problem. A federal court is compelling Apple to create software to bypass security features on an iPhone used by a San Bernardino shooter. Apple is appealing.
Technology companies almost universally support Apple. (A notable exception is Bill Gates, who pressed for a way forward that satisfies both law enforcement and tech in a CNN interview). The tech industry says if Apple complies with the court order and creates a backdoor, even for just this one iPhone, it would undermine the security of millions of iPhones. It would also weaken encryption systems that run modern life, from online banking to personal data such as health insurance information.
Law enforcement says it has a duty to protect the country and that opening one locked phone is perfectly reasonable in a pending investigation.
Apple has called for congressional intervention. Ironically, so has FBI Director James Comey. Of course, they each want different things. Comey wants the ability to get into specific encrypted systems (i.e., individual devices) when the FBI can obtain a warrant.
Apple has called for a commission made up of experts from the intelligence and tech worlds to reach a compromise on encryption. Apple said it would “gladly participate.” House Homeland Security Committee Chairman Michael McCaul (R-Texas) and Sen. Mark Warner (D-Va.) are proposing a similar idea, but some intelligence hawks are skeptical it would work.
McCaul and Warner may offer the only viable option in Congress, and even that isn’t certain. Still, there is no visible path forward for more stringent legislation in either the House or the Senate. It’s not just that it would be difficult to draft the theoretical encryption measure. It could be technologically impossible to find any sort of agreeable terms. What law enforcement wants — a way into specific devices or systems — is precisely what tech firms don’t want to give because their leaders believe that no law can target a specific device for specific people.
This conundrum is different from a much debated cybersecurity bill last year, which was about private companies sharing potential terrorism-linked data with the government. In this case, tech lobbyists believe that a bill to get around the security systems would actually damage the country’s defenses against cyber-attacks.
Legislation could also face massive opposition from a large faction in the House, with the likes of Patriot Act skeptic Rep. Jim Sensenbrenner (R-Wis.), that is wary of government surveillance.
Both Madhani and Guliani said the House is a big obstacle for any encryption mandate. “The mindset in the House has long been that surveillance and government overreach have gone too far,” Madhani said. “That constituency still exists.”
Even if the Senate rallied around encryption legislation, which is already being floated by Sens. Richard Burr (R-N.C.) and Dianne Feinsten (D-Calif.), he said, the “vocal opposition” in the House would stop it from getting through.
It’s happened before. Guliani pointed to an appropriations bill last year where almost 300 House members supported an amendment that would have prohibited any federal funding to create encryption backdoors. “The support was striking,” she said. It could serve as a sneak peak for what the debate will look like this time around.
We’ll soon find out. The House Judiciary Committee will hold a hearing Tuesday on encryption. Apple’s senior vice president and counsel Bruce Sewell will testify, as will Comey. The committee is particularly important because an encryption bill would likely go through that panel, which hosts Sensenbrenner and other privacy advocates as members.
“When we look at these hearings, and the House Judiciary hearing in particular, what is striking is there are a lot of members on these committees that have a strong history of being pro-privacy and being very concerned about government overreach,” Guliani said. “I would anticipate that many members will vocally express criticisms … about the FBI’s position.”
The Senate is a different story. It’s looking increasingly likely that an encryption bill will be introduced. Last week, Feinstein told reporters that the bill is “coming along” and that difficulties are arising because “some people are making it a lot harder than we think it needs to be.” She disappeared into an elevator before she could clarify.
They’ve been down this path before. Burr and Feinstein teamed up to lead the effort on cybersecurity legislation last year, and many in the tech industry opposed it. That bill, the Cybersecurity Information Sharing Act, is now law. The idea behind it is that by cultivating a voluntary information-sharing culture, it would make both the public and private sectors better prepared to defend against cyberattacks.
Opponents fought the cybersecurity measure vehemently for what they saw as a lack of privacy protections regarding personal information. It took three tries on the Senate floor before Burr and Feinstein could get the bill passed, and that was only after a massive amount of massaging to make it amenable to the tech community.
The tech world is almost unanimous in saying this debate won’t have the same happy ending. While the cybersecurity bill (dubbed CISA) has its flaws, it still aims to improve security in both the public and private sectors and offers legal protections to businesses that choose to participate. In the encryption case, tech lobbyists say a mandate to open locked systems would actively damage a private company and the entire internet ecosystem where it operates.
“CISA for all of its faults, was about information-sharing for a more robust internet ecosystem,” Madhani explained. “An encryption mandate, or whatever Burr-Feinstein ends up being, is going to the opposite of that. It’s going to require companies to do something that actually weakens overall ecosystem security. And that’s why companies are really opposed.”