Obama administration's encryption concerns meant to start a debate
- 13 March, 2015 06:58
U.S. President Barack Obama's administration still believes in the use of encryption to protect digital information, even after top officials have questioned how law enforcement agencies will get access to data on encrypted devices, a White House advisor said.
There is "no scenario" in which the U.S. government wants weaker encryption, Michael Daniel, the White House's cybersecurity coordinator, said Thursday.
But Obama and other officials have raised questions about how to deal with technology that puts information "literally beyond the reach of law enforcement under any sort of due process," Daniel said during a discussion about encryption and law enforcement at the Information Technology and Innovation Foundation in Washington, D.C.
The officials raised those concerns after moves by Apple and Google to include encryption on smartphone operating systems, in part in response to news reports about large-scale surveillance programs at the NSA. But the concerns were meant to kick start a broad public debate about the amount of data law enforcement agencies should have access to, Daniel said.
Daniel didn't offer any suggestions about how to allow police access to encrypted data without building back doors into devices, but he said it's important for the U.S. to work out a process that is acceptable to police, to tech vendors and to the public. The U.S. needs to come up with a solution that it can show the rest of the world as an alternative to more invasive options being pushed by China and other countries, he said.
"This is a problem that's worth a lot of graduate students' time," he said.
The debate about law enforcement access to electronic devices isn't going away, with the growing adoption of the Internet of things, drones and autonomous vehicles, noted Daniel Castro, vice president at ITIF. Law enforcement agencies will have interest in "similar levels of access" to those technologies as it does to smartphones and other devices, he said.
Other speakers at the ITIF event questioned how a new U.S. policy could create a process for law enforcement agencies to get access to encrypted data without also exposing that data to cyberattackers.
So far, encrypted communications haven't created much of a problem, with the U.S. Courts' 2013 wiretap report showing only nine cases nationwide where encryption limited police from gaining access to information, said Amie Stepanovich, senior policy counsel at Access, a digital rights group.
Encrypted data may make some police work more difficult, and law enforcement agencies may have to resurrect old tactics that focus on individual suspects, she said. Encryption won't make police work "harder than it historically was," Stepanovich added. "You're going to have to step back from the model that's emerged with the Internet Age, of collecting all the information and being able to analyze it, and you'll have to go back to the targeted surveillance model."
Even without access to encrypted smartphone data, U.S. police agencies have many ways to track suspects, including email and telephone metadata, airplanes that mimic cell towers and license plate readers, panelists said.
"The notion of the government going dark I don't think is accurate," said Bruce Heiman, a lawyer focused on U.S. policy and regulations with the K&L Gates law firm. "The government is awash in data."
Government agencies have a lot of "tools" to gain access to information they want, added David O'Neil, a partner in the Debevoise and Plimpton law firm and a former head of the criminal division in the U.S Department of Justice. Law enforcement agencies so far haven't publicly identified a criminal or terrorism case that fell apart because of a lack of access to encrypted data, he said.
"I am confident that [encryption] won't be a deal breaker for law enforcement," he added.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is email@example.com.