Top senator: Encryption bill may “do more harm than good”

Legislating encryption standards might “do more harm than good” in the fight against terrorism, Senate Homeland Security Committee Chairman Ron Johnson (R-Wis.) said on Thursday.

In the wake of the terrorist attacks in Paris and San Bernardino, Calif., lawmakers have been debating whether to move a bill that would force U.S. companies to decrypt data for law enforcement.

“Is it really going to solve any problems if we force our companies to do something here in the U.S.?” Johnson asked at the American Enterprise Institute, a conservative think tank. “It’s just going to move offshore. Determined actors, terrorists, are still going to be able to find a service provider that will be able to encrypt accounts.”

Investigators have said the Paris attackers used encrypted apps to communicate. It’s part of a growing trend, law enforcement says, in which criminals and terrorists are using encryption to hide from authorities.

For many, the solution has been to require that tech companies maintain the ability to decrypt data when compelled by a court order. Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) are currently working on such a bill.

But the tech community and privacy advocates have pushed back. They warn that any type of guaranteed access to encrypted data puts all secure information at risk. Keeping a key around to unlock encryption, they argue, means that anyone, including hackers, can use that key.

Johnson said he understands the importance of strong encryption.

“Let’s face it, encryption helps protect personal information,” he said. “It’s crucial to that. I like the fact that if somebody gets my iPhone, they’re going to have a hard time getting into it.”

Capitol Hill faces a learning curve on the issue, Johnson explained.

“It really is not understanding the complexity,” he said. “And I’m not being critical here. It’s really complex, which is the biggest problem you have in terms of cyber warfare [and] cyberattacks.”

“The experts, the attackers are multiple steps ahead of the good guys trying to reel them in, trying to find them,” Johnson added.

China Antiterror Law Doesn’t Require Encryption Code Handovers

BEIJING—China passed a new antiterrorism law that stepped back from previous language of concern to global technology firms, but which still raises questions about its scope and the potential impact on companies doing business there.

The law, passed Sunday by China’s rubber-stamp parliament, also authorized the armed forces and paramilitary police to take part in counterterrorism operations in foreign countries with the approval of those countries and Beijing’s military leadership.

Chinese authorities say the law is intended to help prevent terror attacks in China and better protect its citizens overseas, four of whom were killed by militants in Mali and Syria in November.

Beijing has blamed a series of recent attacks in China on jihadist separatists from the northwestern region of Xinjiang, where some of the mostly Muslim Uighur ethnic group have been resisting Chinese rule for decades.

The new law contains much of the language from a draft version released a year ago that U.S. officials, business groups and rights advocates criticized as having an overly broad definition of terrorism and onerous requirements for companies dealing with proprietary commercial information and private data in China.

The final version of the law requires telecom operators and Internet companies to help authorities with decryption of data and other counterterrorism efforts. Unlike the draft version, however, it leaves out some controversial language requiring tech companies to store their data locally and provide their encryption systems for review to be able to operate in China.

Still, the broad wording that tech companies must provide “technical means of support” to China’s government for counterterrorism has prompted concern among some U.S. tech firms, according to a person familiar with the matter.

“Telecommunications and Internet service providers should provide technical interfaces and technical support and assistance in terms of decryption and other techniques to the public and national security agencies in the lawful conduct of terrorism prevention and investigation,” says a final version of the law, published by the official Xinhua News Agency.

China’s law comes as data encryption has become a flash point globally between tech firms and law enforcement authorities. U.S. tech companies such as Apple Inc. and Google Inc. have been clashing with U.S. and European governments over new encryption technologies, which law-enforcement officials say hinder their ability to catch terrorists.

Apple criticized a U.K. proposal on Dec. 21 that would give national-security authorities more power to monitor communications. The proposal would require tech companies to retain “permanent interception capabilities” for communications, including “the ability to remove any encryption.”

U.S. President Barack Obama had spoken in support of the U.K. stance against encryption in January, but backed down from trying to change U.S. law in October.

U.S. Federal Bureau of Investigation Director James Comey said in November that the bureau had been stymied in tracking Islamic State’s recruiting efforts due to use of encrypted communication services.

Following Edward Snowden’s revelations that U.S. authorities inserted so-called backdoors in technology products to allow spying, U.S. tech companies have sought to distance themselves from government surveillance in order to regain the trust of consumers. Apple and Google have released software with encryption they say they are unable to unlock.

Chinese officials say they studied U.S. and European Union legislation while drawing up China’s counterterrorism law.

They have also stepped up efforts in recent months to persuade foreign governments that Uighurs resisting Chinese rule should be considered terrorists.

Beijing has long maintained that Uighur separatists have links to al Qaeda, and Chinese officials have said in recent months that at least 300 ethnic Uighurs have joined Islamic State in Iraq and Syria.

Some recent attacks in China have borne the hallmarks of jihadist groups, but rights groups and Uighur activists say much of the violence is provoked by police abuses, excessive religious restrictions and a huge influx of non-Uighur migrants to Xinjiang.

The new law also restricts the right of media to report on details of terrorist attacks and the government’s response.

The counterterrorism law is part of a series of new pieces of legislation that many experts say are designed to tighten the Communist Party’s control over the economy and society, and promote a notion of rule of law that doesn’t undermine its monopoly on power.

President Obama has said he raised concerns about an early draft of the counterterrorism law directly with Chinese President Xi Jinping, saying technology companies would be unwilling to comply with its provisions.

U.S. officials and business groups have also expressed concern over a sweeping new national security law, passed in July, that the government says is needed to counter emerging threats but that critics say may be used to quash dissent and exclude foreign investment.

In May, China’s parliament also published a draft of a new law that seeks to tighten controls on foreign nongovernmental groups. Nearly four dozen U.S. business and professional groups signed a letter to the Chinese government in June urging it to modify that draft, which they said could hurt U.S.-China relations.

U.S. Secretary Of Homeland Security Warns About The Dangers Of Pervasive Encryption

In a speech at cybersecurity conference RSA, U.S. Secretary of Homeland Security Jeh Johnson outlined the government’s discomfort with increasing implementation of encryption by technology companies, and what impact the shift might have on national security.

While tech firms like Apple are advancing encryption to an increasingly broad set of consumer activities, the government is concerned that it could increasingly be locked out from the communications, and the intentions, of threats to national security.

Encryption, who should hold the controlling keys, and whether American technology companies should be compelled to provide the United States government with special access to consumer data are issues as old as they are controversial. The common argument against any weakening of encryption is that there are no unexploitable weaknesses — if Google were to craft a back or front door for the U.S. government, it’s impossible to keep that same entryway free from other parties.

After asking for “indulgence” and “understanding,” the secretary said during his remarks that the “current course [the technology industry is] on, toward deeper and deeper encryption in response to the demands of the marketplace, is one that presents real challenges for those in law enforcement and national security.”

In the secretary’s view, the nation’s “inability to access encrypted information poses public safety challenges.” Ignoring the mild irony behind that comment — why else would you choose to encrypt data? — the government employee continued: “In fact, encryption is making it harder for your government to find criminal activity and potential terrorist activity.”

Johnson concluded with a colorful description of privacy and freedom, calling them “the things that constitute our greatest homeland security.”

His remarks were very similar to President Barack Obama’s in an interview earlier this year with Re/code’s Kara Swisher. The president said that while he was more in favor of encryption than most in law enforcement, he also recognized the problems it posed for those agencies. Both Obama and Johnson spoke about the importance of privacy when facing tech-oriented audiences, but failed to take a strong stance in its defense.

The Homeland Security secretary weighs in on this issue as White House aides are investigating encryption and preparing to report back to the president this month. In a recent speech at Princeton University, NSA chief Michael Rogers argued law enforcement should have front door access with multiple locks. He argued government abuse of this access could be avoided by splitting multiple keys among separate agencies.

But Jeff Williams, the CTO of Contrast Security, tells TechCrunch that such an approach is impossible. He argued that it would be impossible for the government to create technology that would allow it front door access to all communications devices, and that splitting such a tool among agencies would be inefficient and ineffective. He also said a split key could still be thwarted by super-encryption.

“Frankly the cat is out of the bag on secure encryption,” Williams said.

Even with the upcoming report to the president, it is unlikely Obama will take any measurable stand for Americans’ privacy rights. The private sector and law enforcement have volleyed back and forth on this issue for decades, now reigniting the exact same debate we saw in the early 1990s over the Clipper Chip. We’ve seen the White House take very little action on limiting the scope of the American intelligence apparatus, even in the wake of high-profile leaks from Edward Snowden.

Why would it start now?

The private sector has to keep improving encryption, as customers — particularly those outside the United States — worry about surveillance. But as these companies work to keep threats out of these devices, we can be certain that our law enforcement agencies are working just as fast to break into them.

With little public scrutiny over this technical issue, politicians have little incentive to stand up for privacy. Even with high-profile remarks such as those from Johnson today, it’s likely we’ll continue to see more of the status quo.