WASHINGTON — Growing concern about terrorists’ use of encrypted communication is spurring Congress to act, but the first major piece of legislation is taking a cautious approach as lawmakers grapple with how to spy on suspected criminals without weakening cybersecurity and privacy.
House Homeland Security Committee Chairman Michael McCaul, R-Texas, and Sen. Mark Warner, D-Va., who serves on the Intelligence Committee, are set to brief reporters this week on a bill that would create a national commission on security and technology to come up with creative ways to solve the problem. The panel would be made up of civil liberty and privacy advocates, law enforcement and intelligence officials, professors, lawyers, tech executives, and computer science and cryptography experts.
Despite calls from some lawmakers to do so, the bill would not mandate that tech companies build “backdoors” into encrypted cellphones or Internet sites to give law enforcement access to digital communication. The U.S. tech industry strongly opposes such mandates.
“We cannot wait for the next attack before we outline our options, nor should we legislate out of fear,” McCaul and Warner wrote in a recent op-ed in the Washington Post. “Instead, Congress must be proactive and should officially convene a body of experts representing all of the interests at stake so we can evaluate and improve America’s security posture as technology — and our adversaries — evolve.”
Last month, law enforcement officials confirmed that the terrorists who struck Paris in November used encrypted apps to coordinate their attacks. The apps they used were not created by American tech companies.
Islamic State leaders have distributed a 32-page manual of tips for how their followers can conceal their messages by using encrypted devices and apps, McCaul and Warner wrote. They said similar tactics are used by drug traffickers and child predators.
Sen. Dianne Feinstein, D-Calif., vowed last month to introduce legislation with Senate Intelligence Committee Chairman Richard Burr, R-N.C., to require companies to provide encrypted data with a court order. Companies such as Apple and Google are currently unable to provide data from their most strongly encrypted cellphones and other electronic devices because the data cannot be accessed by anyone other than the user.
“I’m going to seek legislation if nobody else is,” Feinstein said during a Senate Judiciary Committee hearing last month. “I think this world is really changing in terms of people wanting the protection and wanting law enforcement, if there is conspiracy going on over the Internet, that that encryption ought to be able to be pierced.”
FBI Director James Comey said at the same hearing that he believes companies should be able to comply with court orders to provide communications between suspected terrorists or other criminals. However, he stopped short of saying that Congress should pass a law mandating that companies do so.
Representatives of the U.S. tech industry said that mandating backdoors into encrypted communication would compromise cybersecurity by allowing hackers to gain entry as well.
“A backdoor for the good guys is a backdoor for the bad guys too,” said Adora Jenkins, senior vice president of external affairs at the Information Technology Industry Council, which represents companies such as Facebook, Google, Twitter, Microsoft, Visa, and Samsung.
The council welcomed the idea of a national commission to bring all sides together.
“We think it’s the right way to go about discussing the challenges that law enforcement and technology companies are facing,” said Andy Halataei, the group’s senior vice president of governmental affairs. “In order for this to work, you have to have everybody in the room that has a stake in this issue. You really have to get the technologists and civil libertarians and law enforcement in the room together to talk about what is technically feasible.”
McCaul and Warner said there are no easy answers.
“The same tools that terrorists and criminals are using to hide their nefarious activities are those that everyday Americans rely on to safely shop online, communicate with friends and family, and run their businesses,” they wrote. “We are no longer simply weighing the costs and benefits of privacy vs. security but rather security vs. security.”