While there are obviously many issues that will divide Republicans and Democrats once the Trump administration takes office the one that most IT security professionals will be watching most closely will be the debate over encryption.
President-elect Donald Trump has already signaled his intention to side with law enforcement officials that contend encryption tools provided by the IT industry is being employed by terrorists and other criminals to hamper their investigations. At the same time, however, the IT industry is essentially arguing that increased usage of encryption is needed to protect data from all manner of cybercriminal activity.
This week a bi-partisan Encryption Working Group made up of Congressional representative sitting on the House Judiciary Committee and House Energy and Commerce Committees published a Year-End Report that says usage of encryption to protect the growth of the digital economy is in the national interest.
At the same time, however, the committee is not insensitive to the challenges facing law enforcement officials. The committee appears to be trying to balance the needs of law enforcement officials against a Fourth Amendment that limits the government’s ability to engage in unreasonable search and seizure processes and a Fifth Amendment that guarantees that individuals can’t be forced to incriminate themselves by being compelled to give up encryption keys and passwords.
The committee essentially recommends that rather than compromise the integrity of encryption by forcing the IT industry to create backdoors that might be exploited by cybercriminals, law enforcement officials should share intelligence with each other about ways to engage in “legal hacking.” Furthermore, the report notes that law enforcement officials should make greater use of unencrypted metadata to achieve their goals. In that context, the report makes a distinction between what laws apply to data at rest versus data moving across a network that would be subject to existing telecommunication regulations that law enforcement officials can use to gain permission to access data by invoking, for example, The Patriot Act.
It’s unlikely that any law enacted by Congress to weaken encryption is going to come down to a vote along party lines. Each representative and senator is likely to have a bias one way or the other that not necessarily result in them voting in one direction or another. There are many Democrats, for example, that will favor pleas from police departments for more access. There are also more than a few Republicans concerned about government overreach.
Any effort to weaken encryption is likely to be subject to legal proceedings that will ultimately wind their way to The Supreme Court. In fact, a court case concerning whether the U.S. can compel Microsoft to release data stored in servers in Ireland is only the first of many cases involving how data is stored that the court is likely to address in the years ahead.
In the meantime, IT security professionals should avail their expertise to both local courts and lawmakers. The more informed justices and politicians are about the state of IT security the more likely it is they will come up with reasonable course of action. Of course, not everyone in the IT security community necessarily agrees on what those actions should be. But the one thing that should be clear to all is that not participating in the debate in the first place will most definitely lead to an outcome no one is ultimately happy with.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot.Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.