US Congress Hearings on Encryption Technology Are Disastrous for the FBI

The US government held hearings this week on encryption technology, and discussed both the merits of encryption and privacy, and the dangers of inaccessible data. The meeting was to broach the idea of allowing federal agencies such as the FBI, CIA, and NSA access to the data of all American software by mandating that back doors be built into all current and future technology created by Americans.

Here is a full video of the hearing:
https://www.youtube.com/watch?t=3891&v=YG0bUmuj4tg

This hearing is interesting because the members of Congress on the panel seem to be well informed on the issues of creating backdoors, and seem to be strongly opposed to mass surveillance as well as to the huge economic fallout that would result from a loss of trust in American products.

Here is a full transcript of the meeting with the most important parts in bold.

The meeting opens with the following statement from Republican Congressman Will Hurd of Texas:

"In September of last year, Apple and Google, the largest mobile device manufacturers in the United States, announced that they would implement increased security measures on their products in an attempt to strengthen privacy and data security. These developments were met with concern from some law enforcement agencies such as the FBI, who were worried that this increased level of encryption would lead to an inability to access data on specific devices, and that despite obtaining a warrant, investigatory efforts could be hindered by this. As a former CIA officer, I understand the need for law enforcement to access digital information in a timely manner. However, I also understand the protection afforded to Americans provided by the Constitution and I have taken an oath two times to protect and defend these rights. I firmly believe that law enforcement officials must gain the trust of the very people that they are trying to protect in order to be successful, and I remain concerned that a government mandated back or front door on US-based mobile device manufacturers might undermine that trust."

"Today's meeting will involve testimony from a variety of experts and stakeholders and representatives on ways to balance law enforcement needs with privacy and security concerns. The hearing will also explore the impact on domestic privacy, American consumers, and US technology manufacturers. As technology continues to evolve and encryption capabilities become a part of everyday life for all Americans, this debate will only grow larger. I believe we can find a way to protect the privacy of law abiding citizens and ensure that law enforcement has the tools they need to catch the bad guys. I welcome the witnesses and look forward to today's discussion."

"I'd now like to recognize my friend and a ranking member of the subcommittee Ms Kelly of IL for a 5-minute opening statement."

Democrat Congresswoman Robin Kelly of Illinois:

"Thank you chairman and thank you to our witnesses for appearing on today's panel."

"Recently companies like Apple and Google have announced plans to incorporate automatic encryption for their mobile devices. Encryption will become the default privacy feature on their mobile devices, making the content unavailable without the user's selected pass-code. As a society we rely on mobile devices to manage and protect many aspects of our lives, personal, professional, and financial. Privacy on our smartphones is critically important. Hackers are a concern as is unrestricted government surveillance."

"According to a May 2014 study on trends in the US smartphone industry Android and Apple control 52.1% and 41.9% share of the market. Their move towards automatic encryption will have a significant effect on the industry standard for privacy protections. Their move toward automatic encryption has been criticized as seriously hindering law enforcement operations. Criminals, like non-criminals, use mobile devices to manage the many aspects of their lives, some of which can provide evidence of a crime. Today many criminal cases have a digital component and law enforcement entities increasingly rely on the contents of mobile devices to further an investigation or prosecution of serious crimes and national security threats. The FBI, and local law enforcement departments and prosecutors have all expressed concern with automatic encryption."

"They envision a number of scenarios in which the inability to access data on mobile devices will seriously hinder a criminal investigation. They do not want to be in a position to tell a victim of crime or the family of a victim that they cannot save someone or prosecute someone because they cannot access the content of a mobile device. There is a balance to be struck here. It is important that the government policy approach ensures privacy protections, and it is important that law enforcement under tightly controlled circumstances have the ability to investigate and prosecute crimes. I look forward to today's hearing and your testimony."

Will Hurd: "Thank you. I'm now pleased to recognize Mr. Chaffetz of Utah, the chairman of the full committee, for an opening statement."

Republican Congressman Jason Chaffetz of Utah:

"I thank the chairman and I appreciate your passion in this topic. It affects literally every American (and) it affects literally everybody across the world. I think one of the great questions that needs to be posed to our society and certainly to our country as a whole is how to find the right balance between personal privacy and national security. I, for one, am not willing to give up every bit of privacy in the name of security. So how do we find that right balance? It's not easy to find."

"In response to recent moves by Apple and Google mentioned by Chairman Hurd, the FBI Director Comey recommended quote a 'regulatory or legislative fix' which would force companies to manufacture their mobile devices in such a way that law enforcement can access the data on those devices without a warrant or a court order. I have three general concerns about Director Comey's proposal."

"First, it's impossible to build just a backdoor for just the good guys... If somebody at the Genius Bar can figure it out so can the nefarious folks in a van down by the river. As Alex Stamos (who is) Yahoo's Chief Information Security Officer recently explained: 'All of the best public cryptographers in the world would agree that you can't really build backdoors in crypto. That's like drilling a hole in a windshield.'"

"The congress department's national institute of standards and technologies Chief Cybersecurity Adviser agreed saying: 'There is no way to do this where you don't have an unintentional vulnerability.' And I worry about those unintentional vulnerabilities."

"We have a wide variety of experts on the panel today to help us understand the potential economic, privacy, security, and geopolitical consequences of introducing a vulnerability into the system."

"Second, we are already living in what some experts are calling the 'golden age of surveillancing' for law enforcement. Federal, State and Local law enforcement have never had more tools at their disposal to help detect, prevent, and prosecute crime. It seems that we hear every day that there's a new often startling story about the United States Government's ability to track its own citizens."

"I recognize that technology can be a double-edged sword and may pose challenges for law enforcement as well, but we're certainly not going to go dark and in many ways we've never been brighter."

"Third, strong encryption prevents crime and is a part of the economy. People keep their lives in their mobile phones. A typical mobile phone might hold a person's pictures, contacts, communications, finance schedule and much more personal information... If your phone is lost or stolen you want to know that your information is protected and encryption does that. There's a reason that the world's largest technology companies are increasingly developing stronger and more frequently used encryption technologies. It's not because they're anti-law-enforcement. On the contrary it is because sophisticated cyber-hacks are near daily events. No one is immune from digital snooping from the White House to corporate America to private citizens."

"The opportunity brought to us by the modern technologies are near-limitless, but not if the system is compromised. Strong encryption helps ensure that data is secure and allows companies and individuals to operate with confidence and trust and I look forward to hearing from our witnesses today, but we have choices to make. Do we allow the 99% of Americans who are good honest decent hardworking patriotic people to have encrypted phones? Or do we need to leave a back door open and create vulnerability for all of them? Because vulnerability is all or none folks. It's not just a little bit. It's not just for the good guys. And that's why we're having this hearing today..."

The chairman then recognizes the panel.

Ms Amy Hess - Executive Assistant Director of the science and technology branch at the Federal Bureau of Investigation.

Mr Daniel Conley - District Attorney of Suffolk County Massachusetts

Mr Kevin Bankston - Policy Director at New America's Open Technology Institute

Mr John Potter - President of the Application Developers Alliance

Dr Matthew Blaze - Associate Professor of Computer Information Science at the School of Engineering and Applied Science at the University of Pennsylvania

Ms Amy Hess is then given five minutes to make her statement on behalf of the FBI.

"(her microphone was off at the beginning of her statement)...of the men and women of the FBI. The bureau has undergone an unprecedented transformation in recent years to address and prevent threats to our national security and our public safety, but as those threats continue to evolve, the FBI must evolve as well. Today's FBI is a threat-focused intelligence-driven organization and we must continuously challenge ourselves to stay ahead of changing threats and changing circumstances."

"As you know, technology has forever changed the world we live in. Our phones and computers have become reflections of our personalities, interests, and identities and with that comes the need to protect our privacy and our data. But technology can be used by some very dangerous people and the FBI has a sworn duty to keep every American safe from harm while simultaneously protecting their constitutional rights and preserving their civil liberties. Moreover, we recognize our national interests in promoting innovation, and the competitiveness of US companies in the global marketplace, as well as freedom of expression around the world. But the evolution of technology creates new challenges for law enforcement. It impacts our ability to access communications pursuant to court orders, which means those of us charged with protecting the American people aren't always able to access the information we need to prosecute criminals and prevent terrorism, even though we have the lawful authority to do so."

"To be clear, we obtain the proper legal authority to intercept and access communications and information, but we increasingly lack the technical ability to do so. This problem, which we refer to as going dark, is broader and more extensive than just encryption. But for the purposes of this testimony I will focus on the challenges involving the evolving use of encryption."

"We encounter encryption in two overlapping contexts. The first is legally authorized real-time interception of what we call data in motion, such as phone calls, email, and text messages in transit. The second concerns legally authorized access to data stored on our devices, or what we call, data at rest."

"First let me address court ordered interception of data in motion. In the past there were a limited number of communication carriers conducting electronic surveillance, and it was more straightforward. We'd develop probable cause to believe a suspected criminal was using a target phone to commit a felony. We'd then obtain a court order for a wiretap on that phone, and under the supervision of a judge we collected the evidence we needed for prosecution."

"Today there are countless providers, networks, and means of communicating. We have laptops, smartphones, and tablets. We use multiple networks and any number of apps and so do those conspiring to harm us. They use the same devices, and the same networks, and the same apps to make plans, target victims, and concoct alibis. Thousands of companies now provide some form of communication, but most do not have the ability to isolate and deliver particular information when ordered to do so by a court."

"Turning to court ordered access to data at rest. We know that encryption of stored data is not new. But it has become increasingly prevalent and sophisticated. And the challenge to law enforcement and national security officials has been heightened with the advent of default encryption settings and stronger encryption standards. In the past, the consumer had to decide whether to encrypt the data on his or her device and take action. But with today's newer operating systems, the device and all of the user's information on the device can be encrypted by default. Further, companies have developed encryption technology which makes it impossible to decrypt data on devices they manufacture, even when lawfully ordered to do so."

"Although there are good reasons to support these new uses of encryption, such decisions regarding system design have a tremendous impact on our ability to fight crime and bring perpetrators to justice. Like the general population, criminals are increasingly storing such information on electronic devices. And if these devices are encrypted, the information they contain may be unreadable to anyone other than the user. The process of obtaining a search warrant, authorized by a court of law, to seek evidence of a crime, could be an exercise in futility."

"To be clear, we in the FBI support and encourage the use of secure networks and sophisticated encryption to prevent cyber threats. We know that adversaries will exploit any vulnerability they find, but we believe the security risks associated with the implementation of lawfully authorized access are better addressed by developing solutions during the design phase rather than resorting to a patchwork solution after the product or service has been deployed."

"Just as we have an obligation to address threats to national security and public safety, we likewise have the obligation to consider the potential impact of our investigation on civil liberties, including the right to privacy. We must always act within the confines of the rule of law and the safeguards guaranteed by the constitution. We also believe that no one in this country should be beyond the law. The notion that a suspected criminal's closet could never be opened, or his phone could never be unlocked, even with properly obtained legal authority is troubling. We will of course use every lawfully authorized technique we have to protect the citizens we serve, but having to rely on those other tools could delay criminal investigations, preclude us from identifying victims and co-conspirators as well as prematurely alerting suspects to our investigative interests and potentially put lives in danger."

"Thank you again for the opportunity to discuss the FBI's priorities..."

Mr Daniel Conley is then given five minutes to make his statement.

"...My name is Dan Conley and I'm the district attorney in Boston and a member of the National District Attorneys Association, the largest association of prosecutors in America. Thank you for the invitation to testify today on this incredibly important issue. Last year, when Apple and Google announced their new operating system, they touted that the technology would not allow law enforcement, even with a court order, to access information on its mobile devices. In America, we often say that none of us is above the law. But when corporate interests place crucial evidence beyond the legitimate reach of our courts, they are in fact granting those who rape, defraud, assault, or even kill a profound legal advantage over victims and society. So I'm here today to ask Congress to intervene. As a prosecutor my duty is to ensure that evidence we present in court is gathered fairly, ethically and legally. If it's not, if a search is improper, then a court will suppress that evidence and exclude it."

"We as Americans enjoy a presumptive right to privacy that may only be abridged under clearly defined circumstances, such as when there are specific, articulable facts that would lead a judge to believe that the place to be searched would yield evidence of a crime. In decades past these were car trunks and safety deposit boxes and today they are mobile devices. We undertake those searches to solve crime. We don't wander to websites that people visit or aggregate data about people's personal health, wealth or shopping habits. That frankly, is the purview of companies like Apple and Google. Their nominal commitment to privacy rights would be far more credible if they were forbidding themselves access to their customers' interests, search terms, and consumer habits. But as we all know they are taking full advantage of their customers' private data for commercial purposes, while building an impenetrable barrier around evidence in legitimate, court-authorized investigations."

"For over 200 years of American jurisprudence, our courts have balanced the rights of individuals against society. But in this case, in one fell swoop, Apple and Google have upended it. They have created hiding places not merely beyond the reach of law enforcement, but beyond the laws that define our nation."

"Let me give you an idea of what this means in practical terms. In every big city there's a mass-transit system, and a disgraceful practice of snapping photographs up women's skirts has taken place. If the offender's phone cannot be searched pursuant to a warrant, then the evidence won't be recovered and this practice will be an unchargeable crime. This isn't even the worst of it. Years ago we investigated a child pornography case. We just thought a teacher was trading child pornography. It turns out after we got a warrant and examined his mobile devices it turned out that he was not only collecting photographs, he was abusing children. After a multijurisdictional investigation he is serving 45 years in prison. If those devices were encrypted he would be free to continue what he is doing on our streets. Human trafficking and commercial sexual exploitation of children is also aided and abetted by the same technology, with victims often children, advertised for sale on websites that are accessed by hand-held devices. With these operating systems, those devices would become warrant-proof and the evidence that they contain unreachable by investigators."

"Now I don't believe Apple and Google set out to design an encryption system to protect human traffickers, but this is the result. When we talk about warrant-proof encryption, it is the perpetrators of every violent, financial or sexual crime in which hand-held technology is used to benefit it. This isn't rhetoric. This is reality."

"Like most Americans I am a customer of these companies and I hold my privacy interests dear. And I understand and strongly encourage the use of secure encryption technology to prevent hacking, theft, and fraud, and I think that most people recognize that there must be a balance struck between individuals' privacy rights and the legitimate interests of our society to bring dangerous criminals to account. Apple and Google need to recognize this as well."

"I will conclude today by pointing out that for the past several weeks around Boston and around the country, we have all been following the trial of one of the individuals who was a terrorist in Boston two years ago, and through his actions left four people dead and hundreds more grievously injured."

"Cell phone evidence, much of it volunteered by people, but some of it obtained by warrant, was critical to understanding what happened, how it happened, and who did it. Were law enforcement blocked from obtaining that evidence, the apprehension of those responsible for the Boston marathon bombings might have been very much in doubt."

"So again I don't think that Apple or Google intended to create a safe space for terrorists to do their deeds, but make no mistake that this is the result and those are the stakes."

"I therefore respectfully urge Congress to help us find a reasonable, balanced solution that protects privacy while also ensuring that there are reasonable means to gain lawful access to crucial evidence."

"I thank you for your time and attention and look forward to your questions, thank you."

Mr Bankston is given 5 minutes to make his statement.

"...District Attorney Conley is absolutely right that encryption is one of the most critical law and order issues of our time. However, and with respect for his and the FBI's work to keep us all safer, he's got it exactly backwards. Strong encryption is absolutely critical to the preservation of law and order in the digital age, much more than it is a threat to it. Some have framed this debate as a choice between safety and privacy, but that is a false choice. The debate on whether to allow strong encryption without backdoors is really a choice between safety and safety. A little more safety against some isolated crimes or much more safety for many more people against countless other criminal and national security threats, be they street criminals looking to steal our phones and laptops, ID thieves and fraudsters and Russian hackers and corporate spies trying to steal our most valuable data, or foreign intelligence agencies trying to compromise our most sensitive national security secrets."

"The ultimate question isn't what will make law enforcement's job easier in some investigations. The ultimate question is 'What will prevent more crime?' Which will make law enforcement's job easier overall and will keep us all safer. The answer to that question is more strong encryption, not less. I won't deny that encrypted devices, or end-to-end encrypted communication, will in some cases inconvenience law enforcement. Notably, though, the government has yet to provide a single specific example where such encryption has posed an insurmountable problem. That's because there are often a variety of other ways for law enforcement to get the evidence that it needs."

"The FBI is concerned that 'it's going dark!' But all in all the digital revolution has been an enormous boon to law enforcement, what some would call 'A golden age of surveillance'. More and more of our interactions with others and with the world are moving into the digital realm, being quantified and recorded, an unprecedented and exponentially growing cache of sensitive data about all of us, with most of it available to law enforcement. Think about the massive archive of private email and instant messages and text messages and photos and videos and the vast public records of our social network activities most of which didn't exist or weren't available just 15 years ago. Most of which are stored in the internet cloud and are easily accessible to law enforcement and much of which is backed up from the very same encrypted phones that the government is concerned about. Think of all of the new metadata of when and with whom all of those messages were exchanged, where and when those photos and videos were taken. And think especially about all of that new location data generated by our cell phones and our mobile apps creating extensive records of our movements regardless of whether those phones are encrypted or not. Think about all of that, when law enforcement says 'it is going dark.' I would counter that by most measures, they are going bright. And in those few cases where they are in the dark, when they truly need the data on an encrypted device, even then there are options. They can in many cases ask the court to compel the owner to decrypt the device under the threat of contempt, or even remotely hack into the device over the internet, a technique that's somewhat worrisomely being used more and more often."

"Admittedly I have some serious constitutional concerns about both of those law enforcement techniques, but I am much more concerned that in order to address those rare cases, law enforcement seems to want congress to take steps that would undermine everyone's security, rather than targeting an individual suspect."

"Make no mistake, attempting to mandate encryption backdoors will undermine everyone's security as professor Blaze will testify. That is the unanimous conclusion of every technical expert that has spoken publicly on this issue. And as Mr Potter will make clear surveillance backdoor mandates will also undermine our economic security and prompt international customers and many American consumers and many of the bad guys that we're trying to stop, to turn away from the compromised products and services made by US companies."

"It's true now, just as it was during the so-called crypto-wars of the 90's, weakening encryption is a bad idea. That is why a majority of the House of Representatives at the time, including four current members of this oversight committee, including ranking member Cummings, co-sponsored chairman Goodlatte's Security and Freedom Through Encryption Act, which would have reaffirmed Americans' right to make, use, and sell strong encryption products without backdoors. That is why a majority of the House just last year voted for the (amendment) that would have prevented the NSA from demanding or even asking that companies weaken the security of their products. And that is why this Congress should similarly reject any short-sighted backdoor proposals in favor of protecting our long term national and economic security. Thank you..."

Mr Potter is given 5 minutes to make his statement.

"...The App Developer Alliance represents over 200 companies and 35000 individuals worldwide. Thank you for inviting me to speak today about the challenges that app developers and digital industry partners face if we are required to both protect privacy and provide government with privacy-breaching backdoors."

"First it is important to highlight that protecting data through innovative security based products is unquestionably good for businesses and consumers. In contrast, backdoors make apps less secure and less trustworthy."

"Second, we must remember that data protection is not only about civil liberties and privacy. Encryption prevents cybercrime which threatens fundamental economic interests that operate digitally including healthcare, transportation, banking and manufacturing. Encryption also prevents identity theft which has been the top complaint to the Federal Trade Commission for 15 consecutive years."

"Third, nearly every digital business wants to be global but mandatory government backdoors may spark a trade war and imprison businesses in their home country."

"Fourth, government's conflicting messages about data protection create uncertainty about business expectations. Uncertainty creates risk, inhibits growth and job creation and especially harms startups and small business."

"Handling customer data securely is an essential business commitment. Customers worldwide demand this. The media routinely report on data breaches and organized cybercrime. In response, and strongly encouraged by government agencies including the FBI, developers have prioritized security. Given the magnitude of cybercrime and of government resources committed to fighting it, law enforcement criticism of encryption is perplexing. For several years law enforcement has routinely encouraged and even required encryption to protect sensitive data. Until recently, the FBI website recommended that all organizations 'encrypt data so that hacker can't read it'. Quizzically that recommendation was deleted from the FBI website just a few weeks ago. In contrast the Federal Trade Commission continues to advise that 'encryption is the key to securing personal information online'."

"Government mixed messages about security and privacy slow product development, inhibit investors, worry customers, and harm all companies, especially startups. Every digital business opportunity is global, so the worldwide impact of mandatory government backdoors is important. Unauthorized US government collection of global communications has created international outrage and backlash that is already costing American companies billions of dollars. Mandating backdoors that weaken encryption will exacerbate global distrust, and we should expect two reactions."

"First, international governments will demand their own security backdoors. Second, US based apps will be deemed non-compliant with international privacy laws and be locked out of those markets."

"Developers will have to make many versions of apps for many markets with different law enforcement demands and privacy laws or risk being blocked from those markets. Building multiple versions of any product increases costs and goes against every rule of digital business. Additionally for good reason some might be concerned if other countries or particular countries demand their own backdoors. If markets become inaccessible to US apps because of mandatory backdoors then a digital trade war could break out. The App Developer's Alliance membership is global, because apps create jobs and deliver value globally. Closed markets may benefit some of our members in the short-term, but the large majority of our members recognize that an encryption and privacy trade war is substantially negative."

"Finally the basics of technology, privacy, and security are critical. Any security opening creates vulnerability. You can't build a backdoor that only the good guys can walk through. Hackers know it, the FBI knows it and increasingly customers know it. Forced insecurity harms consumers and all industries, but it especially harms startups and small innovators, because building backdoors that are only slightly ajar is technically challenging and very expensive."

"There are situations that justify law enforcement access to our cell phones, to our apps, to the cloud, but there are many methods to accomplish this with court-approval. Congress must insist that law enforcement and national security agencies utilize these processes. This is fundamental to America's civilian government."

"In closing, please remember that encryption technologies are a market response to well founded consumer, commercial, and government demand. When an app developer builds a thriving business model on security and consumer trust, only to be told by the FBI that they want the product to be secure, but not too secure, this disrupts the marketplace. It's bad for innovation, for business and for consumers."

"Thank you."

Dr Blaze is given 5 minutes to make his statement.

"...As a technologist I'm finding myself in the very curious position of participating in a debate over the desirability of something that sounds wonderful. Security systems that can be bypassed by the good guys, but that also reliably keep the bad guys out. And we can certainly discuss that. But as a technologist I can't ignore the stark reality, which is simply that it can't be done safely. And if we make wishful policies that assume and pretend that we can there will be terrible consequences for our economy and for our national security."

"So it would be difficult to overstate today the importance of robust, reliable computing and communications to our personal, commercial, and national security. Modern computing and network technologies are obviously yielding great benefits to our society and we are depending on them to be reliable and trustworthy in the same way that we depend on power and water and the rest of our critical infrastructure today. But unfortunately software-based systems, the foundation on which all of this modern communications technology is based, are also notoriously vulnerable to attack by criminals and by hostile nation-states. Large scale data breaches are of course literally a daily occurrence and this problem is getting worse rather than better as we build larger and more complex systems. It's really not an exaggeration to categorize the state of software security as an emerging national crisis."

"And the sad truth behind this is that computer science, my field, simply does not know how to build complex large-scale software that has reliably correct behavior. And this is not a new problem it has nothing to do with encryption or for modern technology it's been a central focus of computer research since the dawn of the programmable computer. And as new technology allows us to build larger and more complex systems, the problem of ensuring their reliability becomes actually exponentially harder with more and more components interacting with each other. So as we integrate insecure vulnerable systems into the fabric of our economy, the consequences of those systems failing become more likely and increasingly serious. Unfortunately there is no magic bullet for securing software systems. Large systems are fundamentally risky and this is something that we can at best manage rather than fix outright. There are really only two known ways to manage the risks of unreliable and insecure software. One is the use of encryption, which allows us to process sensitive data over insecure media and insecure software systems to the extent that we can. And the other is to design our software systems to be as small and as simple as we possibly can and minimize the number of features that a malicious attacker might be able to find flaws to exploit."

"And this is why proposals for law enforcement access features frighten me so much. Cryptographic systems are among the most fragile subtle elements of modern software. We often discover devastating weaknesses in even very simple cryptographic systems years after they are designed and fielded. What 3rd party access requirements do is take even very simple problems that we don't really know how to solve and turning into far more complex problems that we really have no chance of reliably solving. So backdoor cryptography of the kind advocated by the FBI might solve some problems if we could do it but it's a notoriously and well known difficult problem. We've found subtle flaws even in systems designed by the National Security Agency such as the Clipper Chip two decades ago, and even if we could get the cryptography right we could be tasked with integrating access features into the software. Requiring designers to design around third party access requirements will basically undermine our already tenuous ability to defend against attack. Accepting to frame this debate as being between personal privacy and law enforcement but in fact the stakes are higher than that. We just can't do what the FBI is asking without seriously weakening our infrastructure. The ultimate beneficiaries will be criminals and rival nation-states."

"Congress faces a crucial choice here, to effectively legislate mandatory insecurity in our critical infrastructure, or to recognize the critical importance of robust security in preventing crime in our increasingly connected world."

"Thank you very much."

Congressman Blake Farenthold (R) is then given an opportunity to speak for 5 minutes.

Republican Congressman Blake Farenthold of Texas:

"Thank you very much Mr Chairman. Can we get the slide out? I think it was Mr. Potter that the FBI had some recommendations on their website about encryption that was recently taken down. I want to read the two that are highlighted, this has something to do with a couple of questions that... 'Depending on the type of phone, the operating system may have encryption available. This can be used to protect the users data in the case of loss or theft.' and it also says 'Passcode protect your mobile device. This is the first layer of physical security to protect the contents of the device.' These are now off of the FBI website. Why did the FBI take down this guidance?"

Ms. Hess:

"We actually decided to provide a link to that information, that same information appears through the link to IC3."

Congressman Farenthold:

"And you agree that that's probably good advice? You still advise people that it's a good idea to encrypt their data?"

Ms Hess:

"Yes sir, we fully support encryption."

Congressman Farenthold:

"Alright now, Dr Blaze you talked about the good guys vs the bad guys. Who... the good guy today might not also be a good guy... I mean that definition of good / bad guy it's overly simplistic, but it also... who are the good guys and who are the bad guys and who makes that decision?"

Dr Blaze:

"Oh that's certainly true. Even if we can draw a line between who we want to have access and who we don't which is of course an impossible task in practice, we would still be left with the problem of who would be able to provide access."

Congressman Farenthold:

"Mr. Bankston, let's talk a little bit about a golden key. That's one of the things that folks are looking at. Wouldn't that become the biggest hacker target in the world if it were known that there were a golden key? You know what we have today that might be deemed secure will with as computing power increases become easier to break?"

Mr Bankston:

"Yes congressman that's absolutely the case. I think that professor Blaze made clear attempting to build such a system would add incredible levels of complexity to our system such that it would inevitably, as the cybersecurity coordinator at NIST said recently would lead to 'unanticipated vulnerabilities' and that doesn't even count the vulnerability of the possibility of bad actors obtaining the key. Even if you were to split those keys apart as the NSA director has suggested, you have to put that key together somewhere and wherever you do do that is going to be a critical target for anyone who wants to compromise our security."

Congressman Farenthold:

"...Is there anybody on the panel who believes we can build a technically secure backdoor with a golden key? Raise your hand and i'll recognize you. Alright let the record reflect that no-one raised their hand and thinks that that can be done."

"Alright let's talk about little bit about if we were going to go ahead and do it. The United States... let's assume that they're a good guy and we're gonna put in a backdoor for them. All of a sudden if you want to sell the same product in another country so China wants a backdoor, Austria wants a backdoor... basically every country is gonna want a backdoor. Does anybody disagree with that statement? I see no hands coming up for that one either. So then we are going to but every backdoor into all of these systems making it that much more difficult or do we say well alright this one's sold in the United States so we will put a US backdoor in, well that doesn't help our intelligence community abroad and if i wanted to avoid that, i'd go to the Cayman Islands which I assume has better privacy laws. I don't know. There would be some haven country, and buy my phone there. Would it then be seized by customs? I don't see a practical way to implement this."

(he motions to panel)

"I'm now appointing you to the NSA, to the head of the NSA. Anybody got a way we can do what we want to do? Raise your hand if you've got any suggestions if you think we could do it."

"Alright Mr Conley."

Mr Conley:

"I'm no expert. I'm probably the least technologically savvy guy in this room. But, there are a lot of great minds in the United States. We're trying to figure out a way to balance our interests here. It's not an either or situation. And you know, Dr Blaze said, you know he is a computer scientist i'm sure he is brilliant but jeeze I hate to hear talk like 'that can not be done' I mean think about if John Kennedy said 'we can't go to the moon, that can not be done' he said something else 'we're gonna get there in the next decade' so i would say to the computer science community, let's get the best minds in the United States together on this we can balance the interest here."

Congressman Farenthold:

"I appreciate that because i'm a proud American as well, but I think what we're saying today is if president Kennedy said 'we will get to the moon in ten years and nobody else will be able to get there ever.' And i think that is the distinction that i'd like to draw there. It's not like we're saying that 'we can't develop a secure system' but we're saying 'can we really develop a secure system that will be secure for any length of time that somebody smarter might be able to hack five years down the road.'..."

Congresswoman Kelly:

"Mr Bankston a core component to what we are doing here today is examining what we can do to protect the privacy of consumer data and not serve as a barrier to law enforcement... law enforcement's community's ability to do work that keeps us safe. I know I've heard from a number of folks on both sides of the data privacy issue and so what i want to ask is, is there such a thing as creating a backdoor that is only for the good guys?"

Mr Bankston:

"I am also not a technical expert, I am a policy expert, but based on what every expert in the field has said not only in the current debate, but also 20 years ago in a many multi-year debate over exactly this issue, the answer is a clear no and in fact a unanimous no."

Congresswoman Kelly:

"Also could the existence of a backdoor created in the interest of public safety actually serve as a Trojan Horse that cybercriminals exploit to their advantage?"

Mr Bankston:

"Absolutely, any backdoor is necessarily going to weaken the security of a system in a way that another actor, one with worse interests than our own government trying to protect us, could exploit."

Congresswoman Kelly:

"Any other comments about that? Yes Ma'am."

Ms Hess:

"First off, when we are discussing solutions we've found in the past is if the solutions are developed on the front-end of the system's design, they are fundamentally more secure than something that is patched on to the backend of an existing solution or an existing network or an existing device. That we also found with respect to what Mr Bankston refers to 20 years ago when a law was enacted that essentially most thought would decrease security of systems, and that turned out not be the case. To the contrary companies actually developed more secure ways while still being able to conduct the surveillance that we were enabled to enact back 20 years ago."

Mr Bankston:

"If I may respond to that. I assume Ms Hess is referring to CALEA... Which actually explicitly provided that the phone companies subject to its intercept capabilities were under no obligation to prevent or assist in the decryption of encryption that was done by their users or even encryption that they offered where they did not hold the keys. So protection for encryption in fact end-to-end encryption was protected explicitly in CALEA."

Congressman Chaffetz:

"...Ms Hess, you have a very important role within the FBI and we appreciate the work that you're doing, but it was said earlier, and i want to ask and give you a chance to respond to it, does encryption actually help to prevent crime in your opinion?"

Ms Hess:

"Yes sir it does."

Congressman Chaffetz:

"But the policies that the FBI is advocating, specifically the Director, don't necessarily fall in line with that do they? I mean I struggle with what the Director is asking for because... are you gonna have good encryption not encryption."

Ms Hess:

"I think the distinction comes from the idea that we are not supportive or in favor of encryption and that is not true. That's not accurate. We actually encryption it secures our networks and it obviously assists us with providing security and the blocking of cyberthreats. However all we're asking for is a way for us to with a lawful order be able to get information from the company, so that the provider would be able to provide in a readable form the potential evidence that we would need in an investigation."

Congressman Chaffetz:

"So you want encryption but a key, and doesn't that key, by its very definition, create a vulnerability?"

Ms Hess:

"I think in today's world I think there is no such thing as absolute security in the physical or the digital world. What we're asking for is not to lower those standards by developing some type of lawful intercept or lawful access capability, but rather to come up with a way that we may be able to implement perhaps multiple keys or some other way to be able to securely access the information or actually rather to be able to be provided with the information."

Congressman Chaffetz:

"That's the concern. That if you create a key... Let's pretend that it's a key to your house. You go down to Ace Hardware and make a copy of it right? So somebody's gonna be able to figure it out. You'll have a locksmith who can go and open up your front door, it's the same principle... Unless there's some new technology that I don't know about... That's the concern and that's the disconnect from what we hear from the FBI and the reality of... You create the hardest strongest encryption possible which means not having a key and again I know we won't necessarily solve it all right here in this debate, but i've gotta ask you something else before I run out of time."

"One of the key concerns that I have, and i've sponsored a bill called the GPS act deals with geolocation. There's a debate and discussion about metadata vs content, for instance in emails. If you and I are trading emails, the Department of Justice argue that the fact that i've communicated with you is just the metadata it's not the content of what we were talking about. But do you believe, does the Department of Justice believe that your geolocation is content? Or do they just think that that is metadata?"

Ms Hess:

"Well sir first off for geolocation information we do obtain a search warrant for that information."

Congressman Chaffetz:

"Always? Always?"

Ms Hess:

"I would have to ask that we maybe brief you on that in more detail at a later time, but at the same time to address your issue about metadata and geolocation information. Clearly those certainly are useful tools. Useful techniques for us to be able to paint the picture of what happened in an investigation, but they are not wholly inclusive of all of the evidence that we may need to be able to show intent for example with the content of that information."

Congressman Chaffetz:

"I understand the need. And i don't have a problem if you have probable cause or get a warrant or even articulable suspicion. What i have a problem with is you tracking geolocation at will. And i think Americans have a reasonable right to privacy. So post-Jones what i still struggle to understand from the Department of Justice is: What is their guidance? What are the rules of the road? I mean, I'd like to know if you all track my wife or not? Do you do that? I know you can. The question is do you do it? And you're giving me a... clarify it for us? It's not a yes or a no that's the concern. I'm not getting a yes or no from you."

Ms Hess:

"I would answer in response to the question in that certainly to obtain any type of information we would go through a lawful process."

Congressman Chaffetz:

"Is lawful process your ability to track geolocation without a getting a warrant?"

Ms Hess:

"Currently we do get a warrant is my understanding."

Congressman Chaffetz:

"And i'm asking do you always get a warrant to track geolocation? The answer is no isn't it?"

Ms Hess:

"There's exigent circumstances, that is correct."

Congressman Chaffetz:

"Okay so describe those circumstances. At what level? What's the threshold? What's the guidance?"

Ms Hess:

"First I believe it would depend on the type of data that we're talking about."

Congressman Chaffetz:

"Geolocation."

Ms Hess:

"And the type of geolocation data, whether that's GPS data or whether that's some other type of data... geolocation... type of data. I again request that we could certainly brief you on this in more detail."

Congressman Chaffetz:

"I want you to brief the American people. That's why i'm going to continue to ask these types of questions... This is one of the deep questions I have to the Department of Justice. Believe me you're not the first person that can't clearly answer this. And I think that people have a right to know what that answer is. Is the government tracking their geolocation? And right now I think that unfortunately the answer is yes they are. And certainly they are at times without a warrant and without articulable suspicion..."

Congressman Ted Lieu (D) is then given an opportunity to speak for 5 minutes.

Democratic Congressman Ted Lieu of California:

"As a recovering Computer Science major, it is clear to me that creating a pathway for decryption only for good guys is technologically stupid. You just can't do that. But i'm more interested now, in knowing is, if this were to happen, what would the effect be on global companies and global app developers and Mr Potter, your testimony raised concerns that a device pathway would introduce technological vulnerabilities to mobile applications. What effect would the pathway have on the global application developer's market."

Mr Potter:

"...Today, every app developer thinks that their marketplace is global, that their opportunity is global. The Google Play store is global. The Apple devices are global. The challenge is in Europe we have a very different privacy regime than we have in the United States. And Europe has already made... European leaders have already spoken quite bluntly that if they strengthen their privacy laws, it will in fact harm US companies and create business opportunities for European companies. So Europe is... European privacy leader's area are very concerned about... and they've been pretty blunt about it, Facebook, Amazon, Google, cloud data, things like that and what they do with the data. And they are extraordinarily distressed with the US government vacuuming up data throughout the world, including listening to the phone calls of some of their leaders. The combination of that, the political angst and the business stress creates a very easy opportunity for them to say any company that has a back door, particularly to the US government, which at least in the minds of European leaders does not have a great history of using those backdoors with discipline, creates a vulnerability that is unlawful under European privacy law and therefore you'd be banned from the European market."  

Congressman Lieu:

"I'm going to use the balance of my time to make a statement primarily directed to Mr Conley. I respect your public service. I take great offense to your testimony today. You mentioned that unaccountable interests such as Apple and Google are essentially protecting those who rape, defraud, assault, and kill. That's offensive. It is a fundamental misunderstanding of the problem."

"Why do you think that Apple and Google are doing this? Because the public is demanding it. People like me. Privacy advocates. A public who doesn't want an out of control surveillance state. It is the public that is asking for this. Apple and Google didn't do this because they thought that they'd make less money. This is a private sector response to government overreach."

"Let me make another statement: That somehow these technology companies are not credible because they also collect private data. Well here's the difference. Apple and Google don't have coercive power. District Attorneys do, the FBI does, the NSA does. And to me it is very simple to draw a privacy balance when it comes to law enforcement and privacy. Just follow the damn constitution. And because the NSA didn't do that and other law enforcement agencies didn't do that, you are seeing a vast public reaction to this. Because the NSA, your colleagues have essentially violated the 4th amendment rights of every American citizen for years by seizing all of our phone records and by collecting our internet traffic, that now is spilling over to other aspects of law enforcement. And if you want to get this fixed i suggest that you write to the NSA or the FBI should tell the NSA to stop violating our rights. And then maybe you'd have the public much more on the side of something like what law enforcement is asking for."

"And let me just conclude by saying that I do agree with law enforcement that we live in a dangerous world. That's why our founders put in the constitution of the United States, that's why they put in the 4th amendment. Because they understand that an Orwellian overreaching federal government is one of the most dangerous things that this world can encounter."

"Thank you again."

Congressman Rod Blum (R) is then given an opportunity to speak for 5 minutes.

Republican Congressman Rod Blum of Iowa:

"... Ms Hess my question will probably be addressed to you. I just want to make sure i understand this. Law enforcement wants to force the private sector to build a backdoor if you will or backdoor key into cell phones, into software, and things such as that is that correct?"


Ms Hess:

"Sir I would actually phrase that such that we are simply asking for information we seek in response to a lawful order in a readable format. How that actually happens should be the decision made by the provider."

Congressman Blum:

"So you're not asking for a backdoor key to the encrypted software or cell phone?"

Ms Hess:

"If we don't have that key but yet the provider can get us the information by maintaining the key themselves. Then that would be obviously a legitimate way to respond to our lawful order."

Congressman Blum:

"Okay and what you're asking for would only be used if a warrant was issued? Is that correct?"

Ms Hess:

"Yes sir. Everything we're discussing today. Yes Sir."

Congressman Blum:

"And what we're discussing today would arguably make law enforcement's job quicker and easier to apprehend the bad guy? As we said is that correct?"

Ms Hess:

"Yes sir."

Congressman Blum:

"I'm a software developer myself and i'm also a home-builder so i'd like to give you an analogy as i understand this. Isn't this analogous to the government asking for or requiring home builders to put a video camera in every room of every new home that they build, with the guarantee or the promise that the government won't turn it on... unless we get a warrant. And that would make law enforcement's job easier, correct? And quicker if there's a crime in the home. Isn't this analogous to that, because you're saying 'trust us, we'll only do this if we need to do it'?"

Ms Hess:

"Sir I think the analogy may be better described as if we should need to know what's going on in that home, then as long as the company can respond quickly, now that might mean that they wire the home, but it certainly doesn't mean that they have to have the cameras installed as long as they can do that quickly. On the other hand if they could come up with a different way to tell us what's going on inside that home and do it quickly and in a timely manner that's quickly available to us when we need it. Then however, whatever way they come up with would be acceptable."

Congressman Blum:

"What troubles me is tends to agree with and i'll paraphrase here, that there's a reasonable standard of privacy with our 4th amendment rights, and one of them is in their own home. I think most law enforcement would agree with that, but when it comes to our cell phone conversations our emails anything that's electronic and data it seems like this reasonable right to privacy isn't there. And the people in my district and I feel the same way. Could you address that please?"

Ms Hess:

"Yes sir, I'd like to. It is believe that's inaccurate. You certainly do have a reasonable expectation of privacy which is why with what we're discussing today requires a warrant. Whether that's real-time communications or the data is stored on that device it still would require a warrant and that is the threshold under the constitution."

Congressman Blum:

"And this next question is for anyone in the panel. Does law enforcement have other ways, other than what you're asking for (he motions to Ms Hess) to access the necessary data needed in let's say 99% of the criminal cases? Are there other ways of doing this? Because it seems like we are always given as citizens the dichotomy of liberty and giving up liberty and freedom for safety. And I believe in American exceptionalism. I believe we can have both. Are there other ways that law enforcement can do this?"

Ms Hess:

"Yes sir, I would also like to address that. i believe that we can balance liberty and security and public safety. I would say that there are certainly times when law enforcement is stymied by a particular obstacle in an investigation we will seek all other ways to get the information we need. But those other ways may delay us in getting that information. They may not be timely solutions. They may not be encompassing solutions to where we might be able to identify other victims, or other co-conspirators, or the vast nature of the crime, or the impact of the crime. And that's what concerns us, to be able to get that information quickly."

Congressman Will Hurd (R) is then given an opportunity to speak for 5 minutes.

Republican Congressman Will Hurd of Texas:

"I've got a question for everyone, so we'll start with you Dr Blaze. Can you tell us a little about your background? Quickly, your degrees, how long you've been involved in computer science and cryptography."

Dr Blaze:

"I'm a computer scientist, my specialty is in computer security and cryptography and the applications of cryptography to building large-scale systems. As a particular focus of my research area is focused on surveillance technologies and some of the issues at the intersection of technology and public policy. In this issue 20 years ago I discovered some flaws in the previous government proposal, the Clipper Chip."

Congressman Hurd:

"So, and you're at a university that their department is pretty well known worldwide when it comes to cryptology and communication science, is that correct?"

Dr Blaze:

"I'd like to think so."

Congressman Hurd:

"And I know you're a modest man so I don't mean to ask an indelicate question but you're considered an expert when it comes to cryptology and encryption."

Dr Blaze:

"I suppose so."

Congressman Hurd:

"So in your expert understanding is there any way to do a split-key approach to encryption?"

Dr Blaze:

"There's things we can do like splitting the key between multiple locations that can reduce some aspects of some of the risks in a system like this."

Congressman Hurd:

"But it does create additional vulnerabilities that has technical capability will be able to take advantage of." 

Dr Blaze:

"That's right. We can move the risks around from one system to another but there are still fundamental problems that we don't know how to solve."

Congressman Hurd:

"And this was ultimately part of the problem with the Clipper Chip from the 90's?"

Dr Blaze:

"That's right. There were a number of problems with the Clipper Chip proposal but that was one of them."

Congressman Hurd:

"Thank you. Mr Potter, as a politician i'm always told don't answer hypothetical questions but i'm gonna pose a hypothetical question to you. If there were a back door or front door put into applications or programs of US businesses. How do you think that would impact businesses in China, Russia, and Iran?"

Mr Potter:

"I'd have to anticipate that those governments would ask for their own backdoors."

Congressman Hurd:

"Thank you. Now Mr Bankston I wanted to save you for last. Mr Conley, a question. If you have a properly issued warrant to go into someone's house, and there's a safe in that house that's locked. What happens?"

Mr Conley:

"The safe would be taken out and it would be broken into."

Congressman Hurd:

"So in your testimony you mentioned that Google and i believe we can infer Apple stated that their new operating system would make its devices inaccessible to law enforcement officials, even with a warrant signed by a judge. Is that correct?"

Mr Conley:

"That is correct."

Congressman Hurd:

"So if you had a properly issued warrant, would you not be able to get that device?"

Mr Conley:

"We could get the device. We couldn't get the information off of the device if it's running iOS8."

Congressman Hurd:

"So iOS8 if it's... the default setting is a 5 digit pin, correct?"

Mr Conley:

"It's a passcode of some sort."

Congressman Hurd:

"Dr Blaze, i'm a little rusty when it comes to... so that's 5 factorial 5 right? So it would take what 13000 iterations of a potential 5-digit pin? Actually it's a 4 digit pin so..."

Dr Blaze:

"104 so about 10000."

Congressman Hurd:

"For a brute-force method with today's technology is that difficult?"

Dr Blaze:

"That's well within the range of a brute-force attack."

Congressman Hurd:

"How long would that take?"

Dr Blaze:

"On modern computing hardware essentially no time at all."

Congressman Hurd:

"Would you agree that that's the equivalent of taking a safe out of a home and using some safe-cracking skills... this would be the digital equivalent?"

Dr Blaze:

"No this would be much easier than that."

Congressman Hurd:

(laughs) "Because you're good. I think my colleagues from Texas A&M would be able to do it too. Now my next question is to you also Mr Conley. The upskirting example that you used. If you had surveillance on someone doing upskirting. The fact that they were putting a camera to try to take pictures of someone would that not be enough to arrest them?"

Mr Conley:

"No that would not be enough. In order to have committed the crime you have to have taken the photo and there'd be no way to prove that the actual photo was taken or what it was taken of. So we could not successfully prosecute that case without the photograph."

Congressman Hurd:

"I would like to yield to my colleague from California Mr Lieu."

Congressman Lieu:

"I do have some more questions on how easy it would be to defeat one of these pathways. So let's say we pass a law that says okay the Apple iPhone now has to have this pathway only for the good guys. What's to keep a terrorist, this is for Dr Blaze, from saying, even though i like their multi-colored Apple iPhones i'm gonna switch to Samsung phones. Is there anything stopping that from happening?"

Dr Blaze:

"No. Fundamentally the ease of loading application software and the wide variety of platforms that we have, make it very simple for someone who is determined to unbreakable encryption to do so. It might not be as easy or as inexpensive as we'd like it to be but there are no fundamental barriers to it."

Congressman Lieu:

"And currently right now, there is nothing preventing two people, anywhere in the world, from downloading an encryption program to encrypt end-to-end those two communications. That would make this pathway essentially meaningless is that correct?"

Dr Blaze:

"That's right. Now, you know there may be vulnerabilities on the computers that run that software and in fact there likely would be for the reasons that i discussed in my written testimony. But the encrypted messages themselves in transit would be effectively impossible in practice to decrypt."

Congressman Lieu:

"And is it to your understanding that terrorists sometimes resort to just writing something on a piece of paper so that they're off the grid."

Dr Blaze:

"Well i'm not an expert on terrorists but i'd imagine that paper and pencil technology is well within their reach."

Congressman Lieu:

"And we don't say that companies who make paper shredders are somehow protecting terrorists, correct?"

Dr Blaze:

"I've never heard that said."

Congressman Lieu:

"So let's talk a little bit about computer code. It's true isn't it that computer code is neutral, that is the code cannot tell if the person reading the code or accessing code is Asian, or the leader of Hamas, or the FBI director, or gay, or a woman or a man. As long as you've got the key to that encryption, you'd get in the system. Correct?"

Dr Blaze:

"That's right."

Congressman Lieu:

"The NSA, would you agree, has one of the most secure systems in the world."

Dr Blaze:

"I think they have enormous expertise."

Mr Lieu:

"Curious isn't it that we now know so many secrets about the NSA. Not because of technology, but because we have human beings, and so another aspect of all of this is you'd be asking the American public to be trusting all of the human beings in the federal government, who could be looking at private data. And it turns out that sometimes human beings do things that you don't want them to do. Such as this one person who has now disclosed all of these secrets of the NSA, even though that is one of the most secure systems in the world."

Dr Blaze:

"The operational aspects of maintaining this kind of large scale secure system are enormously daunting as I think the NSA discovered two years ago."

Congresswoman Robin Kelly (D) is then given an opportunity to speak for 5 minutes.

Congresswoman Kelly:

"Ms Hess and Mr Conley, when you're not doing your job you're citizens of our society so how do you reconcile the need for this data with people's privacy interests and their data because you're a person too and then you're in law enforcement. So how do you reconcile this?"

Ms Hess:

"I certainly obviously value my privacy. I want to make sure that my system is as secure as possible and I think goes back to the point that certainly the FBI is trying to make. Which is that we support encryption. We want secure networks. It's just this inability that, for example if I was committing criminal activity, that that information would be completely inaccessible. So in the safe example that we would never be able to access what's inside that safe. And that I think is more to the point of the question because certainly we do value privacy and certainly the safeguards of the constitution."

Mr Conley:

"I value my privacy as much as the next person. Just to give you an example recently my computer at home was infiltrated by somebody and so anytime I click onto a link I'd get bombarded with all sorts of merchandising messages and so forth. Somewhat innocuous but it's clear that my computer was infiltrated so I went out and bought some security software and loaded it onto my computer so I'm certainly very cognizant of the need to protect my privacy and do all of my banking and so forth on this. My position has always been very simple that we ought to not be able to completely hide valuable evidence of a crime that is being committed or has been committed to hold individuals accountable for their actions. And that's what I'm advocating for. Some sort of balancing of the interests here so that everyone's right to privacy is acknowledged and, glorified really but at the same time, law enforcement is not completely kept in the dark about these sorts of things."

Congresswoman Kelly:

"I appreciate all of your testimony and obviously encryption of data from what I'm hearing should be conducted in a way that is respectful of law enforcement and private consumers' interests."

Mr Conley:

"Mr Chairman, you had asked a question about the passcode and about brute force and far be it from me I suppose to challenge Dr Blaze on brute force but my iPhone is owned by the commonwealth of Massachusetts and it has 7 digits. The passcode is not 4 but 7 so I suppose the exponential issue there is considerably larger obviously with 7 digits. And I'm told that after 10 attempts to break in using my passcode, that's it, I'm blocked out by some erratum that goes on. I have, at least up to this point in this hearing, I believed that there is no brute-force technology available that would allow law enforcement to break into somebody's hand held device."

"And I also ask this question. Can this issue be bifurcated in some way so that big corporate computer networks and so forth can remain encrypted without any sort of golden key, but mobile devices, devices like this which are now the tools of terrorists and criminals can be accessed on probable cause after a magistrate issues a warrant?"

Congressman Hurd:

"Thank you Mr Conley and to answer that question. When I left the CIA I spent about five years helping build a cybersecurity company. We did penetration testing and technical vulnerability assessments. And I would always offer my clients, a lot of the time we worked for banks, and I'd offer my clients the option of, you pay our fee or we get to keep what we take. No one ever took us up on that last one because we never not got it. So the tools and the technical capabilities are out there. That's something that, having the conversation about 'how do we get the right tools and expertise to law enforcement?' may be a conversation or may be a positive thing that comes from this conversation."

"Mr Conley, last question for you sir. Or sets of questions. In the upskirting example. Are there upskirters in Boston that haven't been caught because they use encryption?"

Mr Conley:

"Well this encryption technology is really brand new, so I'm not aware of any cases yet. When we caught an upskirter in Massachusetts, we realized actually there was no statute that made it a crime. So the Massachusetts legislature quickly took up this issue and made it a crime. Meteoric!"

Congressman Hurd:

"As it should be..."

"Ms Hess question for you. What is the FBI asking for?"

Ms Hess:

"Certainly what we're asking for first and foremost is exactly what we're doing here today and just the opportunity for the American public to consider these issues and to weigh the risks because clearly we recognize that there is no absolute security again in either the physical or the digital world. Everything may present a vulnerability. There may already be vulnerabilities in place. But for law enforcement to not have the ability to accept or to receive the information that we might need in order to hold those accountable who conduct heinous crimes or who will conduct terrorist attacks, that's the question I think we need to balance in the American public. And despite having that conversation will help us I think to make better informed decisions."

Congressman Hurd:

"...Does the FBI have any information or data that suggests that the inherent vulnerabilities that have been discussed about encryption is that there's a way to do it?"

Ms Hess:

"We certainly believe and share Mr Conley's hope that there is some type of innovative solutions out there that we might be able to see government and industry work together to come up with. Certainly they won't be bulletproof as has been said earlier. But certainly more secure ways of being able to get law enforcement what it needs but at the same time provide layers and layers and layers of security so that the providers can provide the customer with what they need as well."

Congressman Hurd:

"Mr Bankston, in your written testimony, you talked about the President's review group. Can you characterize quickly for me what the President's review group is or was?"

Mr Bankston:

"The review group was a panel of experts picked by the President, five of them, to review the NSA's intelligence activities including a former CIA director and a former anti-terrorism czar. The White House concluded that it should be the policy of the United States to promote rather than undermine the use of strong encryption."

Congressman Hurd:

"And you highlighted recommendation 29 and I would like to read that. And I do appreciate all of you all's written testimony, but you had a lot of great information here. And recommendation 29 that President Obama's review group provided was that 'They recommend, regarding encryption that the US government should fully support and not undermine efforts to create encryption standards.' And number two 'not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software.' And number three 'increase the use of encryption and urge US companies to do so in order to better protect data in transit, at rest, in the cloud and other storage.' And I think that's a pretty good recommendation."

"And I'd like to close my remarks with a quote from Ms Hess's written testimony. 'Following the rule of law, and upholding civil liberties and civil rights are not burdens. They are what make all of us safer and stronger.' I couldn't agree more with that..."





