The bipartisan Congressional Encryption Working Group just released an end of year report after spending much of the last year looking into the decades-long encryption debate – and have squarely refuted the idea that weakening encryption is necessary to protect people.
The working group was formed after several high-profile cases where law enforcement asked for additional access to consumer devices, citing howe “the widespread adoption of encryption poses a real challenge to the law enforcement community and strong encryption is essential to both individual privacy and national security.”
We’ve talked about how protecting cybersecurity is a shared responsibility and we see increased need for governments, tech companies and users to work together on topics like encryption, security vulnerabilities and surveillance – as Denelle notes in her blog post here.
The report refutes the idea that encryption backdoors are a necessary (or good) solution and argues against laws that would mandate weakening encryption – saying that “any measure that weakens encryption works against the national interest.” The report acknowledges the profound impact that encryption has on law enforcement investigations and the “going dark” phenomenon, but cautions that there is no “one-size-fits-all” solution to the encryption challenge.
Four key observations are highlighted for the next Congress as they work on encryption related matters:
- Any measure that weakens encryption works against the national interest.
- Encryption technology is a global technology that is widely and increasingly available around the world. (it’s free and often open source)
- The variety of stakeholders, technologies, and other factors create different and divergent challenges with respect to encryption and the “going dark” phenomenon, and therefore there is no “one-size-fits-all” solution to the encryption challenge.
- Congress should foster cooperation between the law enforcement community and technology companies.
The Encryption Working Group also called for additional inquiry into topics including lawful hacking and the Vulnerabilities Equities Process (VEP), two areas that Mozilla has been advocating for reform to add transparency and accountability measures. The report said “stakeholders expressed concern that a legal hacking regime creates the wrong incentives for government agencies that should be working with private companies to patch vulnerabilities and improve cybersecurity” and the report included questions about the existing Vulnerability Equities Process (VEP) and how Congress might formalize it.
While we are encouraged by the Encryption Working Group report, it has findings and recommendations that are not currently binding. So, we will continue to work with legislators, tech companies and internet users to bring more education, awareness and advocacy for the protection of encryption and cybersecurity. We look forward to working with the next administration, Congress and government law enforcement agencies on protecting cybersecurity and national security.