[Infowarrior] - House group punts on encryption fight

Tue Dec 20 19:14:50 CST 2016

(Meanwhile, in NYC, DA Vance is plotting his next crypto-tantrum....  -- rick)

House group punts on encryption fight

By Joe Uchill - 12/20/16 06:58 PM EST 12

http://thehill.com/policy/cybersecurity/311284-house-encryption-working-group-lets-learn-more-before-making-grave

The House Working Group on Encryption released its year-end report Tuesday, with lawmakers calling for more research on what they said was a complicated issue.

The report highlighted what lawmakers still hope to learn as they take up encryption next session. That list includes further exploring some peripheral issues connected to encryption such as law enforcement hacking, also known as lawful hacking.

The report, though, critically remains neutral in the debate over whether tech companies should be mandated to build backdoors into their products to allow law enforcement to circumvent security measures.

“Congress should not weaken this vital technology because doing so works against the national interest. However, it should not ignore and must address the legitimate concerns of the law enforcement and intelligence communities,” reads the report.

Law enforcement, especially FBI Director Jim Comey, has pushed hard for backdoors, saying that not being able to access encrypted data will hinder investigations. The security community disagrees, saying weakening encryption – a central requirement for defending intellectual property, infrastructure, commerce and all secure internet traffic – will cause more harm than good. 

The Working Group on Encryption is composed of House Judiciary Committee Chairman Bob Goodlatte (R-Va.), House Energy and Commerce Chairman Fred Upton (R-Mich.), Judiciary Ranking Member John Conyers (D-Mich.), Energy and Commerce Ranking Member Frank Pallone, Jr. (D-N.J.), and Reps. Jim Sensenbrenner (R-Wis.), Darrell Issa (R-Calif.), Zoe Lofgren (D-Calif.), Suzan DelBene (D-Wash.), Bill Johnson (R-Calif.), and Yvette D. Clarke (D-N.Y.).

Most of the report deals with what the working group needs to research to move forward, including some surprising issues. Lawful hacking is seldom discussed in Congress, but it is an increasingly important tool to law enforcement.

Lawful hacking ultimately resolved the San Bernardino case that pitted the FBI against Apple last year. The FBI eventually licensed a third-party vendor’s technique to hack into the iPhone.  

The government also invests its own resources into discovering and purchasing new security vulnerabilities. It is a process regulated only by executive fiat and fraught with its own controversy over whether the law enforcement benefits outweigh the harm if criminals discover the same flaws. 

The rules for deciding which vulnerabilities to keep, known as the vulnerabilities equity process (VEP), are an Obama administration invention that may change in future administrations. The prospect that Congress may discuss the VEP has earned the report some admirers. 

“We are encouraged to see the report acknowledge the “vital” role encryption plays in our national security and that weakening encryption makes America less safe. We also welcome the working group's willingness to work on issues beyond encryption on a bipartisan basis, such as the Vulnerabilities Equities Process,” the lobbying group the Internet Association said in a statement. 

The report also calls for more investigation into compelling suspects to give up passwords and the role of metadata in law enforcement. 

As it stands, police cannot compel a suspect to give up a text password to a device or computer – it is considered by most courts a violation of a defendant’s right against self-incrimination. Police can, and do, force suspects to open phones with fingerprint-based security. 

Metadata, information collected by the phone company like who was called and how long, is often proposed as a suitable replacement for the data lost because of encryption. The report notes that, while there may be different types of data, it might not be fair to assume that any one type of evidence contains all the information another type of evidence contains.

Fully comprehending all of the issues will not come quickly, the report notes, but the dangers of a knee-jerk decision on encryption could be devastating. 

“This is a complex challenge that will take time, patience, and cooperation to resolve. The potential consequences of inaction—or overreaction—are too important to allow historical or ideological perspectives to stand in the way of progress,” concludes the report.

--
It's better to burn out than fade away.