04.27.16

Op-ed: Encryption Without Tears

By Senators Richard Burr and Dianne Feinstein

In an increasingly digital world, strong encryption of devices is needed to prevent criminal misuse of data. But technological innovation must not mean placing individuals or companies above the law.

Over the past year the two of us have explored the challenges associated with criminal and terrorist use of encrypted communications. Two examples illustrate why the status quo is unacceptable.

The first is the Islamic State-inspired terrorist attack last year in Garland, Texas. FBI Director Jim Comey said the attackers “exchanged 109 messages with an overseas terrorist” the morning of the shooting, but the FBI cannot access those messages to determine the exact role of Islamic State in the shooting and how to help prevent future attacks.

Another case involves the murder of Brittney Mills, eight months pregnant when she was shot to death last year on her front porch in Baton Rouge, La. Her unborn son was delivered at the hospital but died a week later.

Even though police found Brittney’s smartphone next to her body, the murder remains unsolved and law enforcement cannot access any information on her encrypted phone, including an electronic diary Brittney kept.

These are two of the many cases where law enforcement is unable to fully investigate terrorism or criminal activities. In fact, today the FBI is unable to gain access to data on many of the mobile devices they obtain that are password protected.

In response to these cases, we are circulating a proposal in the Senate to ensure that technology does not undermine the justice system.

The draft proposal requires a person or a company—when served with a court order—to provide law enforcement with information (in readable form) or appropriate technical assistance that is responsive to the judicial request. This will enable law enforcement to conduct investigations using the communications involved in criminal and terrorist activities.

Our draft bill wouldn’t impose a one-size-fits-all solution on all covered entities, which include device manufacturers, software developers and electronic-communications services. The proposal doesn’t define the technological solutions or tell businesses how to solve the problem. It provides compensation for reasonable costs that businesses may incur when complying with a court order.

We want to provide businesses with full discretion to decide how best to design and build systems that maintain data security while at the same time complying with court orders.

Critics in the industry suggest that providing access to encrypted data will weaken their systems. But these same companies, for business purposes, already maintain and have access to vast amounts of encrypted personal information, such as credit-card numbers, bank-account information and purchase histories.

We are not asking companies to provide law enforcement with unfettered access to encrypted data. We aren’t even asking companies to tell the government how they gain access to this encrypted data. All we are doing is asking companies to find a way to keep their data secure while also cooperating with law enforcement in terrorism and criminal investigations.

President Obama said earlier this year, “You cannot take an absolutist view on this.” We agree—and believe that strong data security and compliance with the justice system don’t have to be mutually exclusive. American technology companies have done some amazing things that are the envy of the world. We think that finding a way to achieve both goals simultaneously is not beyond their capabilities.

Sen. Burr (R., N.C.) is the chairman, and Sen. Feinstein (D., Calif.) the vice chairman, of the Senate Select Committee on Intelligence.

This op-ed was published by the Wall Street Journal.