Seven months after 14 people died in the San Bernardino terror attack, the push by California Sen. Dianne Feinstein to give law enforcement access to encrypted cellphone data has fizzled.
A draft bill by Feinstein and Sen. Richard Burr, R-North Carolina, was panned by technology companies and never introduced, while a new report from the House Homeland Security Committee declares that the proposal and others floated in Congress “provide little guarantee of successfully addressing the issue.”
Susan Hennessey, a former National Security Agency lawyer and now a cybersecurity expert at the Brookings Institution think tank in Washington, said Feinstein’s proposal is unlikely to see the light of day given the fierce opposition in Silicon Valley and Congress.
“It would be very, very surprising if the bill was introduced any time in the near future – if at all,” Hennessey said.
The collapse of Feinstein’s effort comes amid congressional bewilderment about what to do about the growing use of digital encryption, which the FBI and local police across the nation argue is increasingly used by criminals and terrorists to avoid detection.
Politicians vowed action when Apple refused to unlock the iPhone 5c of San Bernardino shooter Syed Farook. While the FBI managed to crack that particular phone with help from an outside group, the issue remains unresolved.
Facebook-owned WhatsApp – a messaging app with more than a billion monthly users – recently enabled end-to-end encryption. And Facebook announced last week that Messenger, its photo and text messaging service, is testing a new “secret conversations” feature that offers end-to-end encryption – which would make encryption available to 900 million users.
“As end-to-end encryption proliferates, law enforcement is inevitably going to run up against it again,” Hennessey said. “And it’s just a matter of time until they run up against it on a case that’s of such importance or a legal issue of such consequence that there is no choice but to get an answer.”
“Once that happens,” she said, “either Congress provides an answer or the courts will have to provide an answer.”
Feinstein and Burr’s draft legislation would have forced tech companies to grant access to encrypted data if there’s a court order. Silicon Valley denounced the proposal as an attack on consumer privacy and security.
“Requiring companies to engineer vulnerabilities into their products and services by weakening encryption will make us all less safe and secure,” said Noah Theran, spokesman for the Internet Association, which represents companies including Google, Facebook and Yahoo.
Feinstein spokesman Tom Mentzer said there have been no decisions on moving forward with the proposal and “staff continue to consult” on the matter.
Burr continues to tout the idea, using the forum of a weekly Republican address in June to declare that terrorists are “using secure messaging applications to recruit, plan and execute attacks against civilians.”
The government needs to think a lot more than twice before telling the private sector to degrade that which we all agree only the private sector can provide – enhanced cybersecurity.
Michael Hayden, former director of the Central Intelligence Agency and the National Security Agency
But opposition to the Feinstein-Burr proposal is strong and doesn’t come just from tech companies and privacy advocates. Michael Hayden, former director of the Central Intelligence Agency and the National Security Agency, said in an interview that he also opposes it.
The data stored on digital devices is vulnerable to criminals and hostile governments, he said, and the U.S. government is not in a position to provide protection.
“The private sector is the one we are relying on to make it safe, and one way the private sector is doing so is through really hard to beat encryption,” Hayden said. “The government needs to think a lot more than twice before telling the private sector to degrade that which we all agree only the private sector can provide – enhanced cybersecurity.”
Encryption will grow stronger as technology advances no matter what Congress does, Hayden said, and there is no point in alienating the tech industry.
“And, oh, by the way, if we do make American industry stop, we probably end up with the worst of all possible worlds, driving the best encryption in the world offshore,” he said.
Hayden favors a bill that would create a commission on digital security that includes representatives from Silicon Valley, the FBI and national intelligence agencies.
But the bill to create the commission has languished and some experts are skeptical it would accomplish much.
“That’s kind of a do-nothing idea for me,” said Riana Pfefferkorn, a cryptography fellow at the Stanford Center for Internet and Society. “It seems like you’re just kicking the can down the road with a commission.”
Pfefferkorn said Congress needs to settle the debate once and for all with a national policy in support of strong encryption that declares the technology to be good for national security, the economy and civil liberties.
She supports bills sponsored by California Democratic Reps. Ted Lieu of Torance and Zoe Lofgren of San Jose that would prevent the government from undermining encryption.
Other nations are moving in the opposite direction. Russian President Vladimir Putin last week signed a law requiring technology companies to provide access to encrypted communications to the FSB, the Russian intelligence agency that is the successor to the KGB.
And a Brazilian court froze $6 million in Facebook assets last month when company subsidiary WhatsApp didn’t turn over messages sent by suspected members of a drug smuggling ring – even though WhatsApp says it can’t access or read the encrypted messages.
Sen. Ron Wyden, a Democrat from Oregon, is watching to see whether Feinstein and Burr resurrect their proposal to open encrypted data to U.S. law enforcement.
“If this bill does come to the floor, Senator Wyden will filibuster it. He feels strongly this would be a huge mistake,” said Wyden spokesman Keith Chu.