The letter, shared with The Washington Post, comes in the wake of testimony in April by FBI Assistant Director Amy Hess before the House Oversight and Government Reform Committee’s subpanel on information technology.
“As members on the committee with computer science degrees, we found the testimony both enlightening and troubling,” said the lawmakers. Hurd is the subcommittee’s chairman.
In an interview, Lieu said he found encouraging Hess’s testimony that the FBI supports the use of secure networks and sophisticated encryption to prevent cyber intrusions and protect data.
But, Lieu said, he found disturbing that no witness at the hearing, including Hess, could say they knew of a solution that could be guaranteed to work only for U.S. law enforcement. “That’s the rub,” he said. “You can’t have simultaneously good encryption and a back door to unlock the encryption.”
The issue for law enforcement has taken on new urgency in recent months as tech companies including Apple and Google have moved to offer strong encryption on their products and services. Comey has been vocal about the challenge that poses to the FBI. “Increasingly we are finding ourselves unable to read what we find or unable to open a device,” he said at a recent cyber conference at Georgetown University Law Center. “And that is a serious concern.”
The bureau and other government officials have been careful not to characterize what they are seeking as a “backdoor.” In fact, the FBI has been careful not to promote any one particular technical solution at all.
“We are simply asking for information that we seek in response to a lawful order in a readable format,” Hess said at the hearing. “How that actually happens should be the decision of the provider.”
Having a tech company hold a decryption key that could unlock encrypted communications for an investigator would be “obviously a legitimate way to respond to our lawful order,” Hess said. But that idea has been criticized by a number of cryptologists and lawmakers, such as Lieu and Hurd, as creating a vulnerability that could be exploited by hackers or foreign governments.
“What the FBI wants is a way to access that encrypted data [of a target] through a third party, whether it’s them or Apple or Google,” Lieu said. “By definition, that weakens encryption.”
“There is no such thing as absolute security — in either the physical or the digital world,” Hess said at the hearing.
“What we're asking for is not to lower those standards by developing some type of lawful intercept or lawful access capability. But rather, to come up with a way that we may be able to implement perhaps multiple keys or some other way to be able to securely access the information or …. be able to be provided with the information.”
Hurd and Lieu said that though they recognize there is a role for the private sector in cooperating with law enforcement to address security threats, “this is not the best or most effective way.”
Said the lawmakers: “We strongly urge the FBI to find alternative ways of addressing the challenges posed by new technologies.”
Lieu said they wrote the letter “to send a message” to the FBI that it should not attempt to force a new decryption mandate on companies either through legislation or existing authorities. “That’s not what Congress has ever authorized and it’s not what we want,” he said.
The bureau, for its part, has not drafted legislation to address the issue, officials said. The White House is still working on a report for President Obama that explores the possible options that would aid law enforcement as well as their ramifications for privacy, security and the companies’ global competitiveness. It is not clear when the report will be finished.