Paris revives battle over government access to encrypted data

The terrorist attacks in France are resurrecting a push, once thought dead, for legislation guaranteeing government access to encrypted data.

In recent days, government officials have said the Islamic State terrorists may have used encrypted communications channels to plan the deadly strikes in Paris that killed over 100 people and wounded hundreds more.

{mosads}Although largely unconfirmed, the reports have given purchase on Capitol Hill to what had become an unpopular argument: Government investigators need a way to crack anyone’s encryption during criminal investigations.

“It’s a wake-up call for America and for our global partners, that globally we need to begin the debate on what we do on encrypted networks because it makes us blind to the communications and to the actions of potential adversaries,” Senate Intelligence Committee Chairman Richard Burr (R-N.C.) said Tuesday after a committee briefing on the Paris attacks.

Some lawmakers have used the incident to resurrect a dormant call for legislation that could guarantee federal investigators access to locked data at major tech and Internet companies.

“In the Senate Armed Services we’re going to have hearings on it and we’re going to have legislation,” Sen. John McCain (R-Ariz.), who chairs the committee, told reporters Tuesday, calling the status quo “unacceptable.”

While tech companies and privacy experts say that strong encryption is necessary to protect consumer privacy — especially after the revelations about National Security Agency surveillance from Edward Snowden — law enforcement officials and some lawmakers say the secrecy is a risk to national security.

“The French clearly in this instance had no understanding that this was going to happen,” New York City police commissioner William Bratton said on CBS’s “Face the Nation” Sunday, blaming encryption. “And we’re seeing the ramifications of that.”

For months, privacy advocates had been steadily gaining ground in their fight for universal, unbreakable encryption. They repeatedly argued that any permanent entry point built into encryption exposes all locked data to hackers, weakening global online privacy.

After a year of this pressure from technologists, major Silicon Valley players and digital rights groups, the Obama administration in October publicly declared it would no longer seek a legislative solution that would require companies to decrypt data for law enforcement.

Even supporters of guaranteed access — both on Capitol Hill and in the administration — acknowledged earlier this year that the encryption debate had become too charged for legislation to pass.

“The legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail published by The Washington Post.

But, Litt noted, “It could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

Friday’s terrorist attacks in Paris may be that moment.

“It’s causing a lot more attention in Congress,” McCain said.

Momentum in the debate appears to have swung back toward law enforcement, with lawmakers on both sides of the aisle raising the alarm about encrypted technology on Tuesday.

Senate Minority Whip Dick Durbin (D-Ill.), the second ranking Democrat, told reporters, “I’m open” to law enforcement’s argument “that the new encryption standards make it more difficult for them to do their work.”

“I want to know what we can do to give them access,” added Durbin, who has sided with privacy advocates before on certain cybersecurity-related topics.

McCain was more direct when asked if he would require tech companies to build a portal into their encryption for government officials.

“Yeah, I would,” he said.

But exactly how McCain and his allies might accomplish this is unclear.

Despite the unexpected light the Paris attacks have shed on the encryption debate, many congressional leaders were unwilling to commit to any specific course of action.

Burr and Sen. Dianne Feinstein (D-Calif.), the Intelligence Committee’s ranking member, told reporters they were launching an investigation into the issue.

“The chairman and I will consult other members of our committee will consult and hopefully we will be able to come forward with some proposals that make some good sense,” said Feinstein, adding when pressed on what those proposals might look like, “I don’t think it makes sense to speculate.”

Senate Homeland Security Committee Chairman Ron Johnson (R-Wis.) struck a similar tone.

“I’m not sure there’s a legislative solution because if we do this with U.S.-based companies, there are going to be other companies around the world that do it,” he told The Hill. “Technology is just going to continue to move forward and it’s going to be a vexing problem.

The complexity of writing a congressional proposal has intensified the pressure on Silicon Valley to voluntarily work with the government on the issue.

“Let me just tell you something, there are things that are more important than the profitability of a private company,” Durbin said. “I think security of the United States is.”

Meanwhile, privacy advocates and their Capitol Hill allies have stood firm.

Encryption is simply a matter of life on the modern Internet, they maintain, and no government action is going to change that.

“It is impossible to use the Internet in 2015 and not use encryption,” tweeted Christopher Soghoian, principal technologist for the American Civil Liberties Union (ACLU). “Terrorists are using encryption = terrorists are using the Internet.”

It’s also far from clear the type of guaranteed access law enforcement is calling for would have allowed officials to actually intercept messages in the lead-up to the Paris attacks.

“It’s important to be careful about some of these knee-jerk approaches that don’t give you more security and put at risk your liberty,” Sen. Ron Wyden (D-Ore.), a leading digital privacy advocate on Capitol Hill, told reporters Tuesday. “Too often in the past the Congress… comes up with policies that do not do either and that make no sense.”

Security experts note that terrorist groups have long developed their own encryption tools that were outside the reach of government rules.

“Requiring companies to weaken their technology when terrorists can fairly easily obtain advanced encryption technology products around the world, doesn’t make much sense to me,” added Wyden, who has aggressively pressed law enforcement officials on the matter across a number of congressional hearings.

The contentious back-and-forth is creating uncertainty about how Congress will handle encryption standards.

“I wouldn’t dare even remotely let you believe that we’re on a legislative route,” Burr said. “We’re on an exploratory route trying to figure out what options we have.”

Jordain Carney and Julian Hattem contributed.