Export Compliance Daily is a Warren News publication.
‘Vital’ Evidence 

Senate Judiciary Members Demand Apple and Google Allow Access to Encrypted Data

Apple and Google need to voluntarily provide better device access, or Congress will force them to alter encryption standards and accommodate lawful police searches, Senate Judiciary Committee members from both parties said Tuesday. The panel and representatives from Apple and Facebook debated end-to-encryption during a Tuesday hearing, at which law enforcement slammed Apple’s decision in 2014 to engineer devices in a way that effectively blocks police access.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

Chairman Lindsey Graham, R-S.C., told us he understands that industry is trying to protect consumer privacy, and that if a company weakens its devices, users may gravitate toward foreign services. But, he said, “You’ve just got to find a way to accommodate a warrant.”

Citing the deadly 2015 San Bernardino mass shooting, in which police were denied lawful access to an Apple device that was evidence, ranking member Dianne Feinstein, D-Calif., said during the hearing that police require “vital access” to such evidence at the scene of a crime. She noted police are able to contract third parties to access information on an encrypted phone, but the cost, based on classified briefings, is “obnoxiously high.”

Hopefully there will be voluntary cooperation to give police better access, Sen. Richard Blumenthal, D-Conn., told us. A product designed to impair lawful access to data necessary for public safety is a real threat that must be countered, he said.

If providers don’t find a way to more consistently cooperate with law enforcement, “it’s probably going to be at their own peril in terms of legislative action,” Sen. Thom Tillis, R-N.C., told us. An industry agreement with law enforcement is a better scenario than Congress delivering a response that might not keep pace with technology, he said.

Sen. Josh Hawley, R-Mo., told reporters Congress shouldn’t rush to legislation. He wasn’t convinced back doors won’t make consumer data susceptible to a lot of other bad actors, and foreign entities like China, he said.

Until fall 2014, Apple and Google “routinely provided” police access to mobile phones when a court ordered a warrant for police investigation, testified New York County District Attorney Cyrus Vance. But encryption for new operating systems made the companies’ phones completely inaccessible, upending centuries of jurisprudence, he said. Google didn’t comment.

Apple doesn’t have a method for allowing the good guys to access encrypted data without also exposing that information to bad actors, said Apple User Privacy Manager Erik Neuenschwander. Encryption is the underlying technology for all IT security systems, and it will only grow in need as more devices are added to the internet, he said. Blumenthal told us the company has the expertise to deliver a solution for police, but it’s a question of willingness.

Facebook believes consumers, journalists and others should be able to communicate freely without the threat of bad actors or oppressive regimes accessing the information through back doors, said Messenger Product Management Director-Privacy and Integrity Jay Sullivan. If the U.S. rolls back existing privacy regimes in the U.S., foreign entities will fill the gaps from services formerly offered by U.S. companies like Facebook, he said.

Neuenschwander said before iOS 7 most data on Apple phones wasn’t encrypted, so the company freely turned that data over to law enforcement when investigations deemed it necessary. The company sealed that gap by encrypting all data to prevent access by harmful entities.

If Apple and Google haven’t provided a solution for police to access information that’s vital in police investigations “this time next year,” Congress will “impose its will on you,” Graham said. Feinstein asked if it’s accurate that police can't access the Apple data, even with a warrant. It’s not a question of a warrant because Apple doesn’t have the ability to access the encrypted data on a user’s phone, said Neuenschwander. Apple has evaluated techniques for changing that but hasn’t found a way to allow police access without weakening encryption for everyone, he said.

Apple doesn’t have access because it engineered its phones that way, said Vance. The company made that decision without any intervention from Congress or police, and it can reverse it, he said. Without the threat of legislation, the two sides won’t come to an agreement, he argued. Without external regulation on device encryption, there’s no incentive for big tech to engage in a debate, said University of Texas-Austin professor Matt Tait. If regulation threatened court-ordered access, companies would be competing to find the most secure way to deliver, said Tait. Without regulation, there’s no incentive to weaken yourself from a competitive standpoint

It’s clear encryption is a positive thing, but the issue is lawful U.S. government access to vital evidence “protecting our citizens from trafficking and sex abuse,” said Sen. Dick Durbin, D-Ill. A private company shouldn’t have the ability to unilaterally decide whether police can access evidence with a warrant, said Sen. John Cornyn, R-Texas: “Everybody needs to follow lawful court orders. ... This seems like a race to the bottom.” Sen. Sheldon Whitehouse, D-R.I., slammed Apple, saying if it continues down the road of unbreachable encryption, it must accept the consequences, such as loss of life resulting from law enforcement’s inability to access vital data.

Sen. Mike Lee, R-Utah, asked whether Apple can provide back-door access without the potential for personal data breaches. Apple’s experience is that the “bad guys” exploit any weaknesses in security systems, said Neuenschwander.

Big tech now enjoys nearly complete immunity from legal responsibility under Section 230 of the Communications Decency Act, said Blumenthal. That will end, because Americans are losing patience, he said. That immunity will be short-lived if big tech doesn’t better honor its responsibilities, he said.

The government should abandon efforts to get Facebook to forgo its plans of deploying end-to-end encryption across its messaging services, more than 100 civil society and industry groups wrote law enforcement in the U.S., U.K. and Australia Tuesday. The American Civil Liberties Union, the Electronic Frontier Foundation, Engine, the Internet Society, New America’s Open Technology Institute, ACT|The App Association and the Computer & Communications Industry Association signed.