Senator: Crime Victims Should Be Able to Sue Apple, Google for Encrypting Data
Sen. Sheldon Whitehouse says we'll all 'pay the price' of encryption, whether it's through a "terrorist attack" or "family-by-family" as criminals evade law enforcement.
Screengrab: US Senate
Employees of Sony Pictures are currently suing the company for not properly encrypting their personal information, putting them at risk when the company suffered a massive breach last fall. To demonstrate the tough position companies have now been placed in, a US Senator proposed Wednesday that Apple, Google, and others that offer encryption to their users should be held liable if that encryption allows a crime to be committed.
Sen. Sheldon Whitehouse (D-Rhode Island) said that the rise of encryption that keeps both companies and law enforcement from being able to access user data without permission from the user, has threatened Americans' safety. He said that the use of encryption by criminals and terrorists would have severe consequences someday and used a caricatured hypothetical situation that's become popular with law enforcement types, saying that companies must be able to decrypt information for police officers in case "someone with a white van kidnaps a young girl."
"We're the people who are going to pay the price [of encryption], whether it's all of us by a terrorist attack one day or whether it's just family-by-family as law enforcement is crippled," he said. "There's a real price to be paid."
Wednesday was encryption day on the hill, as FBI director James Comey and deputy Attorney General Sally Yates were called to testify in front of the Senate Judiciary Committee. As is the case with most political discussions of encryption, few privacy advocates were called to testify and few lawmakers seemed to have even a basic grasp of the technological issues at hand.
Comey, Yates, and a handful of Senators repeatedly mentioned that groups such as ISIS are using encryption to evade law enforcement, with only brief mentions of the fact that encryption protects millions of Americans from cyber crime and from unwanted government surveillance.
Comey and Yates were there to pitch Congress on the idea that "going dark," or losing the ability to wiretap or grab evidence after the fact due to encryption, is a severe national security risk. They asked the Senate to push companies to build in ways of breaking encryption, something that the world's computer scientists have said is impossible without building in vulnerabilities that could threaten encryption altogether.
The hearing was little more than political theatre (and little has changed in the discussion over the last six months), and Whitehouse was this performance's most dramatic actor. He said that families should be allowed to sue companies such as Apple and Google if their encrypted products are used to commit crimes, even as he admitted that default encryption is a feature that "provides great value" to the companies because their customers are demanding it.
"When we see companies privatizing value and socializing the cost, we remedy that through the civil courts. If you're a polluter poisoning a river, someone downstream can bring an action and can get damages for the harm that they've sustained," he said. "I'd be interested in whether the Department of Justice has done any analysis as to what role the civil liability system might be playing now to support these companies in drawing the correct balance, or if they've immunized themselves from the cost entirely and are enjoying the benefits."
Yates said that the Department of Justice had not done such an analysis, but that it would as a result of Whitehouse's line of questioning.
Whitehouse wasn't quite done, however. He also asked Comey for a list of companies that had, in the past, refused to comply with law enforcement requests for information (unrelated to encryption): "You mentioned that some folks could comply with requests but they choose not to? Could you let me know if there's a record of those companies and if that's something we could have access to on the committee?"
Comey said he was unsure on whether there was a list, but that he would get back to him on that request, as well.
While not directly related to encryption, Whitehouse seemed to be painting tech companies as feeling as though they're above the law. There was no mention of the fact that, often, law enforcement asks for too much data or asks for information without a warrant.
In the absence of Comey's list, here's a sampling of just how often law enforcement asks for user info: According to Google's public transparency report, between July and December, 2014, US law enforcement asked for user data 9,981 times; Google complied 78 percent of the time. Facebook says that during the same period, it received 14,274 requests from American law enforcement and complied in 79.14 percent of cases. Twitter says it received 1,622 requests for information and complied in 80 percent of cases.
Whitehouse and others are correct when they say that balancing privacy with law enforcement needs is a complex problem, but suing America's tech companies for giving consumers what they want, for keeping their data safe, isn't the way to solve it.