Skip to main content

tv   US Senate  CSPAN  April 22, 2016 12:00pm-2:01pm EDT

12:00 pm
terrorists have the same access to secure means of fumigation and they would use it as their own mission control center. that is the crux of the recent debate. access to secret technologies beyond the reach of law enforcement no longer requires coordination or sophistication. it is available to anyone and everyone. at the same time as more of our lives become dependent on the internet and information technology, the availability of widespread encryption is critical for personal, economic and national security. while many of the arguments and could abatement act with those of decades past, the circumstances have changed and so must the discussion. we can no longer be a battle between two sides come a choice between black and white. if we take that approach the only outcome is that we all lose. this is a core issue of public safety and ethics and it requires a very thoughtful approach. that is why we here today to begin moving the conversation from apple versus the fbi were
12:01 pm
right versus wrong to constructive dialogue the recognizes this is a complex issue that affects everyone and, therefore, we are all in this together. we have two very strong panels and expect each will make strong arguments about the benefits of strong encryption and the challenges it presents for law enforcement. i encourage my colleagues to embrace this opportunity to learn from these experts to better understand the multiple perspectives, layers and complexities to this issue. it's time to begin a new chapter, one which all can bring some resolution to war. this process will not be easy but if it does not happen now, we may reach a time when it is too late and success becomes impossible. so fragile and called on congress to address this issue, who we are. i can only hope moving forward you will be willing to join us at the table. i now recognize the ranking member from colorado for five
12:02 pm
minutes. >> thank you, mr. chairman and thank you for only this important hearing. issues surrounding encryption and particularly the disagreements between law enforcement and the tech community gain significant public attention in the san bernardino case, but i'm not take interested in relitigating that dispute today. as you said, mr. chairman, the conversation needs to be broader than just that one case. let me state unequivocally that i like you and the rest of us are today recognize and
12:03 pm
appreciate the benefits of strong encryption in today's digital world. it keeps our communications secure, our critical infrastructure safe at our bank accounts from being drained. it provides each one of us with significant privacy protections. but also like you, i see the flipside of the coin. while encryption does provide these invaluable protections -- it makes systems that are impenetrable or war to prove, how do we stop criminals and terrorists? if he can't crack the system president obama said that everybody is walking around with a swiss bank account in their pocket. i for the tech communities concerned some of the policies being proposed by creating a backdoor for law enforcement will undermine the encryption that everybody needs to keep us safe. as they remind us, a backdoor for good guys ultimately becomes a front door for criminals. the tech community has been particularly vocal about the negative consequences of proposals to address the encryption challenge. i think many of these arguments
12:04 pm
are valid by the vulnerable we should not do, not what we should do collectively to address this challenge. i think the discussion needs to include dialogue about how to move forward. i can't believe this problem is intractable. the same things seem to be true from where i sit for law enforcement which raises legitimate concerns but doesn't seem to be focused on workable solutions. i don't promote forcing industry to build back doors or other circumvention is that experts will tell us when a device security or privacy for all of us. at the same time i'm not comfortable with impenetrable waterproof spaces where -- were to prove spaces where terrorists can operate without any for that law enforcement could discover the plot. what i want to hear today is from both law enforcement and industry about possible solutions going forward. for example, if we conclude that
12:05 pm
expensive were to prove spaces are not acceptable, then what are the policy options? what happens if encryption is the reason law enforcement can't solve or prevent a crime? if the holder or transmitter of the data or device can't or will not help law enforcement, what are suitable options? last week the "washington post" reported the government relied on great hackers to circumvent the san bernardino iphone. well, thank goodness? i don't think so. i don't think relying on a third party is a good model. this recent san bernardino case suggest that when the government needs to enhance its capabilities when it comes to explore ways to work around the challenges posed by encryption. i intend to ask both panels what additional resources and capabilities of the government needs to keep pace with technology. while providing government with
12:06 pm
more tools or capability require additional discussions regarding due process, and the protection of civil liberties. enhancing the government's tactical capability is one potential solution that does not mandate backdoors. finally, the public, the tech community and the government are all in this together. in that spirit i really do want to thank our witnesses for coming today. i'm happy that we have people from law enforcement, academia and industry. and an industry. and a happy that applicant to testify today. your voice is particularly important because other players like facebook and whatsapp declined our invitation to be a part of this panel. the tech community has told congress we need to solve this problem. and we agree but i've got to tell you, it's hard to solve a problem when the key players will not show up for the discussion. and i'm here to also tell you as a longtime member of the subcommittee, relying on
12:07 pm
congress to come on its own, passed legislation in a very complex situation like this is a blunt instrument at best. i think would be in everybody's best interest to come to the table and help us work on a solution. thanks again for holding this hearing. i know we won't tribalized these concerns. i look forward to working with everybody to come up with every single solution. i get about. >> i recognize that chair of the full committee mr. upton. >> for months we witnessed an intense and important debate between law enforcement and the technology committee about encryption. while much of this reasoned debate is focused on the fbi and apple, this issue is much bigger than any one entity device application or piece of technology. at its very core this is a debate about what we as a society are willing to accept. if you paid any attention it might appear to be a black and white choice to either we side
12:08 pm
with law enforcement and grants them access to a cryptic technologies thus weakening the security and privacy of our digital infrastructure, or we can side with the technology community and prevent law enforcement from access and cryptic technologies thus creating a warrantless safe haven for terrorists, pedophiles and other evil and terrible actors. it's important that we move beyond the us versus them mentality that has encompassed this discussion for far too long. this debate is not about picking sides. it is about evaluating options. it begins by acknowledging the equities on both sides. from the technology perspective there is no doubt that strong encryption is a benefit to our society. as more of our daily lives and integrate with the digital universe, encryption is critical to the security and privacy of our personal and corporate secrets. as evidenced by the breaches the past year, data theft can have a devastating effect on our
12:09 pm
personal privacy, economic strength and national security. in addition encryption doesn't just enable terrorists and wrongdoers to do terrible things. it provides a safe haven for dissidents, victims of domestic violence and others who wish to remain hidden for noble purposes. have to look to the future and see that more and more aspects of our lives will become connected to the internet, including such things as our cars, medical devices and the electric grid, encryption will play an important role in minimizing the risk of physical harm or life -- loss of life if these become compromised. from the law enforcement perspective, while encryption to protect information, it prevents issues risk to public safety. a strong and accessible encryption becomes the norm, law enforcement loses access to valuable tools and evidence necessary to stop that actors are doing terrible things. as we were here today this cannot always be offset by alternative means such as
12:10 pm
metadata or other investigative tools. there are certain situations such as identifying the victims of child exploitation, not just the perpetrators, or access to content is critical. these are but a few of the boundaries of both sides of this debate which leads us to the question, what's the answer? sitting here today i don't have answered no to expected provided through history. this is accomplished issue and it will require a lot of difficult conversations but that is not an excuse to put her head in the sand or resort to default position. we need to confront head on because they will not go away and it will only get more difficult as time continues to tick. identifying a solution to this problem will involve trade-offs and cover much of both sides but ultimately it comes down to what society accepts as the appropriate balance between government access to encryption and security of encrypted technologies. for that reason and others, many have called us, us, this
12:11 pm
committee, to confront the issues. that's why we are holding history and that's why chairman goodlatte and along with the ranking member stabs a bipartisan joint committee working group to examine this issue. in order for congress to successfully confront the issue it will require patience, creativity, courage and more importantly, cooperation. it's easy to call on congress to take on an issue but you better be prepared to answer the call when we do. this is too important to have key players sitting on the sidelines and, therefore, i hope all of you are prepared to participate as we take to heart what we hear today and be part of the solution moving forward. and i yield back. >> gentleman yields back. now recognize mr. pallone for five minutes. >> thank you, mr. chairman. i welcome the opportunity to hear today from both law enforcement and the tech community as a seed to understand and develop solutions to this encryption debate the encryption enabled the privacy
12:12 pm
and security that we value but also creates challenges to those seeking to protect us. law enforcement has a difficult job in keeping our nation safe e and they're finding some devices and programs are hampering their efforts to conduct thorough investigation. even with a obtain a warrant to find itself unable to access information protected by into and encryption. this raises questions about comfortable we are as a nation with these dark areas. at the same time the tech community helps protect some of our most valuable information in the most secure way to do that is by using into and encryption many the device or up manufacture does not hold the key to that information. with the tech committee tells providing backdoors make their job that much more difficult, we should heed that warning and work towards a solution that will not solve one problem on creating many more. it's clear both sides in this discussion have compelling arguments. simply repeating those arguments is not a sufficient response.
12:13 pm
we need to work together to move forward and help today's hearing is just the beginning of that conversation. in the last several months and years we've seen major players look to congress for solutions. in 2014, fbi director comey said, i'm happy to work with congress come with our partners in the private sector in with my law enforcement and national security counterparts and with the people we certified the right answer, defined the balance we need. in an e-mail to apple employees earlier this your, tim cook wrote about his support for congress to bring together experts on intelligence technologies and civil liberties to discuss the implications for law enforcement, national security privacy and personal freedoms. and he wrote that apple would gladly participate in such an effort. if we have any hope of moving forward we need all parties to come to the table. the participation of our witnesses today should serve as a model to others have been reluctant to participate in this discussion. we can't move forward if each
12:14 pm
party remains in its corner i'm willing to compromise to both sides need to recognize this as an effort to strike a balance between security and privacy of personal data and public safety. the public needs to feel confident their information is secure but at the same time we need to assure them that law enforcement has all the tools it needs. mr. chairman, i would like to yield the remaining time to the gentleman from new york. >> i thank ranking member pallone for dealing. first let me welcome chief thomas galati who is the chief of intelligence from my hometown of new york city. and many refer to in your city police department is new york's finest but i'd like to think of them as the world's finest. welcome, chief. at its core our constitution is about the balance of power. it's about balancing power among the federal government, state government and the rights of
12:15 pm
individuals or through the years getting that balance just right has been challenging at times tension filled. but we have done. we have prevented the encryption versus privacy rights issue is simply another opportunity for us to again we calibrate and fine-tune. the balance in our democracy. and as the old cliché states, marcus is not a spectator sport. it's time for all of us to participate. it's time to roll up our sleeves and work together to resolve this issue as an imperative, because it's not going away. i'm glad we are having to send today because i do believe that working together we can find a way to balance our concerns, and to address this issue of physical security with our rights to private security. security. i look forward to hearing the perspective of our witnesses, the perspective of our witnesses today and i yield back the remained of the time. thank you, mr. chairman. >> thank you.
12:16 pm
i would just ask unanimous consent that the members written open status be introduced into the record. without objection the documents will be entered into the record. now i'd like to introduce the witnesses of our first panel for today's hearing. offers what is on the panel is ms. amy hess. ms. hess is executive assistant director for science and technology of the federal bureau of investigation's in this role. she's responsible for the executive oversight of the criminal justice information services laboratory and operational technology divisions. ms. hesse has logged time in the field as an fbi special agent as well as the bureau's headquarters in washington, d.c., and we thank her for preparing for testimony and look forward to hearing your insights. we also want to welcome chief thomas galati from the new york city police department. chief galati is a 32 year old -- a 32 year veteran of the new york city police department and serves as chief of intelligence.
12:17 pm
as chief of intelligence he is responsible for the activities of the intelligence bureau, the western hemisphere's largest invisible law enforcement intelligence operation. thank you for your test was today and we look forward to your comment. finally, for the first that we welcome captain charles cohen come indiana state police, currently the command of the office of intelligence and investigative technologies where he is responsible for the cybercrime electronic surveillance and internet crimes against children. we appreciate his time today and once again thank all the witnesses for being here. sheriff ron hickman of the harris county sheriff's office unfortunately will not be joining us today due to the tragic flooding yesterday in the houston area. our prayers and thoughts do with the folks of houston. there have been several tragedies of there. we all wish he could be with us but we understand. i would ask unanimous consent his testimony be written into the record. without objection.
12:18 pm
naturally painless as you are where the committee is holding investigative hearing in when doing so has the practice of taking testimony under oath. do any of you had any objections? they all say no. the chair advises you under the rules of the house and other committee you are entitled to be advised by counsel. giving you advice -- -- also knows what the advocates would you please rise, raise your right and i will swear you can. [witnesses were sworn in] >> you are now under oath and subject to the penalties set forth in title 18 section 1001 of the united states code. you may not give a five minute summary of your opening statement. this has come to our recognized for five minutes. >> good morning chairman murphy, ranking member degette and -- >> just make sure your microphone is pulled up close. >> thank you for the opportunity to appear before you today advocate in this important
12:19 pm
discussion. in recent years we've seen new technologies transform our society come most notably by enabling digital communications the facilitating e-commerce. it is essential to protect these to promote free expression, secure commerce and trade and safeguard sensitive information. we support strong encryption. we've seen a criminals including terrorists are using advances in technology to their advantage. encryption is not the only challenge we face in today's landscape. we face in the obstacles and lawfully tracking suspects because they can seamlessly communities while changing from a known wi-fi servers to a cellular connection to wi-fi hotspot. they can move from one communication application to another enter the same conversation or multiple conversations simultaneously. communication coverage of standard data retention policies and without historical data it's difficult to put pieces of investigative puzzle together. some for fumigation fires of millions of users in the united states but no point of presence
12:20 pm
or make it difficult if not impossible to execute a lawful court order we encounter powerful surrender suspects virtually anonymous on the internet and if we cannot attribute communications and actions for specific individual critical recent evidence may be lost. the problem is exponential increase when we face one or more on top of another. we've had a reasonable expectation of privacy. this means only with problem calls and a court order to law enforcement listen to individuals private conversation or into their private space. but when changes in technology hinder or prohibit our ability as authorized investigative tools and follow critical leaves we may not be able to root out child predators hiding in the shadows or criminals targeting our neighbors. we may not able to identify and stop terrorists are using today's fumigation platforms to plan and execute attacks in our country. we are in this quandary, kind of ask my security as an entry world where increasing information is beyond the reach
12:21 pm
of judicial authority and china maximize privacy in this era of rapid ecological investment. finding the balance is a complex endeavor and it should not be left solely to corporations or to the fbi to solve. it must be publicly debated and deliberative. the american people should decide how we want to govern ourselves in today's world. it's la law enforcement's responsible to inform the american people that the investigative tools with successfully used in the past are increasingly become less effective the discussion has been highly charged at times because people are passionate about privacy and security. this is an essential discussion which must include a productive needful in rational dialogue on how encryption pose a significant barriers to law enforcement the building to do its job. as this continues we are fully committed to working with industry, academia and other parties to develop the right solution. we have an obligation to ensure everyone understands the public
12:22 pm
safety and national security risks that result from use of new technology by malicious actors. to be clear we are not asking to expand government surveillance authority but rather to ensure we can continue to obtain electronic information and evidence pursuant to legal authority that congress has provided us to keep america safe. there is not and will not be a one size fits all solution to address the challenges we face. the fbi is pursuing multiple avenues to overcome these challenges but we realize we cannot overcome them on her own. mr. chairman, we believe the issues posed by this growing problem our grave and complex. we must continue the public discourse on the best to ensure that privacy and security can coexist and reinforce each other, and this hearing is a vital part of that process. thank you for your time and your attention to this important matter. >> that recognize chief galati for five minutes. >> thank you. on behalf of mayor de blasio and police commissioner brad and
12:23 pm
myself, thanks to the committee for the opportunity to speak with you this morning. years ago criminals and our compass is stored of their information and closets, drawers, say single boxes. there was and continues to be an expectation of privacy but a high burden imposed by the fourth amendment which requires lawful search be warranted and authorized by a neutral judge has been deemed sufficient and protection against unreasonable government search and seizure for the past 224 years. now it seems that legal authority t is struggling to cah up with the times. because today and everyone lives their lives on a smartphone, including criminals, so evidence that once would be stored in a file cabinet or in a book at the archived in an e-mail or a text message. the same information that would solve a murder, catch a rapist or prevent a mass shooting is now stored on that device. but where law enforcement has legal access to the file cabinet, it is shut out of the phone. not because of constraints built into the law but rather limits imposed by technology.
12:24 pm
when law enforcement is enabled access evidence necessary to the investigation, prosecutor prevention of a crime despite the lawful right to do so, we call this going to work. every day we deal with this dilemma into fronts. first it's what we know as data at rest because when the actual device, the computer, tablet or the phone is a law-enforcement possession but the information stored within it is inaccessible. in just a six-month period from october 2015 through march of this year new york city, we have been locked out of 67 apple devices lawfully seized pursuant to the investigation of 44 violent crimes. there are 35 non-apple devices. of these apple devices these incidents include 23 felonies, 10 homicides, two rapes and two police officers shot in the line of duty they include robberies, criminal weapons possession, criminal sex acts and felony assault. in every case we have the file
12:25 pm
cabinet, so it's become and the legal authority to open it but will lack the technical ability to do so because of encryption to protect its content. in every case these crimes deserve our protection, also. the second type of going dark is an incident known as data in motion to in these cases law enforcement is legally permitted to a wart or other judicial process to intercept and access suspects can occasions by the encryption built into the applications such as whatsapp, telegram and others block this type of service. we may know a criminal group is communicating. were unable, but we are unable to understand why. in the past a phone or a wiretap against legal obtained from a judge would alert the police officer to drop off locations and hideouts and target locations. now we are illiterate in the dark, and criminals know what. we heard a defendant in a felony case make a call from riker's island where he exalt the apple
12:26 pm
iowa state and its encryption software as a gift from god. this leads the. >> leads for people were sworn to protect africa's position at what he did more alarm is the position is not dictated by our elected officials or judiciary system or our laws. instead it is created and controlled by corporations like apple and google not take it upon themselves to decide who can access critical information and criminal investigations. as a bureau chief emanations largest municipal waste department, an agency that's charged with protecting a .5 million residents, i'm confident that corporate ceos do not hold themselves to the same public safety standards as our elected officials and law enforcement professionals. so how do we keep people safe? the answer cannot be warrantproof encryption outside the reach of search warrant or subpoena and outside legal authority to establish over centuries of jurisprudence.
12:27 pm
at sf not always been apples and. into mikey months ago they held the key that could overwrite protection of untold overwrite protection of untold. apple use this master key to comply with court orders in kidnappings, murders and terrorism cases. there was no docketed accident or a code getting out to hackers or the government. they were able to comply constitutionally legally court orders, then why not now? ramifications to this fight extends far be on san bernardino, california, and the 14 people murdered to get it is important recognize that more than 90% of criminals from of all criminal prosecutions are handled at the state or local level. these cases involve real people. families, your friends, your loved ones. they deserve police departments that are able to do everything within the law to bring them to justice and they deserve corporations to appreciate the ethical responsibility i applaud you for holding the string today. it is critical we worked together and across silos to fight crime because criminals are not bound by jurisdictional boundaries or industry
12:28 pm
standards. but increasingly they are aware of the safety net that the warrantproof encryption provides them and we must take responsibility for what that means. for the new york city police department in means investing more in people's lives and then in quarterly earnings reports and putting public safety back and enhance of the brave men and women who is sworn to defend. thank you. >> captain colin, you're recognized for five minutes. >> thank you for allowing me to testify. i'm a catholic indiana state police. i served as the indian internet crimes against children task force against children task force committed against children task force committed i would not be today if it were not for and counts as public associate with encryption that did not easy technological fixes. we need your help and it is apparent that help must be legislated as far as i'm of the attack is not exaggerating or trying to mislead anyone when they say there's currently no way to recover data from newer iphones. apple has designed an open system and device combination that acts as a locked container without a key. the sensitivity of information
12:29 pm
people keep stored should be compared with the sensitivity of information that people keep them safe deposit boxes and bedrooms. criminal investigators with lawful authorization have the technical needs to access both deposit boxes and bedrooms but we lack the means to access new cellular phones. we are often asked how encryption hundred law enforcement ability to conduct criminacriminal investigations. there are numerous encrypted phones sitting indiana state police evidence room with you for a solution, legal or technical come to the problem. some blogger murder victims and child sex confidence. and mother and son were shot to death inside home in indiana. both victims had newer iphones. i'm confident if they were able both would give consent for us to examine their phones to help us find her killer or killers. unfortunately, being deceased they are unable to give consent and, unfortunately, for investigators they chose to buy phones running encrypted operating systems by default.
12:30 pm
i need to emphasize were talking not just about suspects phones but also victims those. not just about incriminating evidence that the scope of terry evidence that cannot be recovered it is difficult to know what evidence has not been recovered. the child victims that are not being rescued as a child sex offenders that are not being arrested as result of encryption but the investigation, prosecution a federal conviction of randall flagellates to shed light on the type of evidence is being concealed by encryption. ..
12:31 pm
because of our encryption on the usb storage device, crimes committed by fletcher could not be investigated or prosecuted. that means additional victims cannot be provided that in services or access to the justice they richly deserve. congress takes the time to truly understand what is going phenomenon and what problems could be created. there's a cross associated with an encryption screen that allows access to some theoretically chance of lost data but there is a greater and real human cost we already see across the country because investigations that failed due to default hard
12:32 pm
encryption. my daily work, i feel the impact of law enforcement going dark. to me it is a strong feeling of frustration because it makes the detectives and examiners from whom i am responsible less effective but the crimes and victims of the family is altogether different. it is infuriating, unfair, and incomprehensible why such critical information for solving crimes should be allowed to be completely out of reach. i have heard some say that law enforcement can solve problems using metadata alone. that is simply not true. that is like asking a detective to process a crime scene by only looking at the street address on the outside of the house where a crime was committed. i strongly encourage committee members to contact your state investigative agency or local police department and ask about the challenge. i appreciate your invitation to share my perspective and i am happy to answer questions today or at any point in the future. thank you mister chairman and members of the committee i think the panel , i don't nice i have five minutes for questioning. i think sometimes the fbi's
12:33 pm
concerns about encryption are broadly characterized as being against encryption. considering the fbi's work on investigations like the sony data breach or the attacks on hospitals, why have a tough time believing your organization is against the technology that's so instrumental to protecting digital information so to clarify, does the fbi agree that strong encryption is important to the privateers of our our citizens and to strengthen national security yes, sir and also, can you elaborate on that? yes and you are correct as i stated in my opening statements, we do support strong encryption because it does all the things you just said. we also recognize that we have a continuing struggle, and increasing struggle to access readable information, to access content of communications caused by that encryption that is now in place by default >> so it brings this question up. are you witnessing an increase in individuals intentionally or even unintentionally evading
12:34 pm
the law through availability of default encryption? >> i think it's difficult to discern whether or not they are intentionally doing it. however i am we are significantly seeing increases in the use and deployment of decryption because it is a default setting now on most devices. >> related to that, chief galati would you say he default application of encryption can create laws for law enforcement, is that the issue that mrs. hess is saying, if the default one? he encryption, a lot of the apps being used today even with legal process or coverage on the phone, you cannot intercept those conversations. often we hear criminals both in criminal and terrorism cases, people encouraging people to go to apps liketelegram, what's up and so on . >> captain cohen, your
12:35 pm
testimony was moving about those cases you described involving murder and with victimizing children. you know, this debate is oftentimes about picking sides the most notable being apple versus the fbi so either you support law enforcement or you support the tech community. that feels like a losing proposition. i understand people want to have encrypted technology but based upon the responses captain, that you heard from mrs. hess and the chief, do you think thisis an us versus them debate or are there answers we could be going for here? what do you think because you are on the front lines dealing with these terrible cases . is this an us them, is there an answer question mark. >> i do not think it's an us versus them. what we do seeis a challenge with people encryption . it functionally cannot be turned off. there's not even the option to disable the encryption. the example that i gave you was that after two prior
12:36 pm
convictions, the landlord needed to do something to protect himself from criminal investigation and went out in search of we assume and gretchen and ways to do that the difference is now what we are seeing increasingly , to your question mrs. hess as well, what we are seeing is a wide variety of criminals and i see it daily discussion among those that store children, trade and child pornography discussing the best possible systems to buy, the best accommodation of cell phone and operating system divide to prevent encryption. make no mistake that criminals listed in this testimony are learning from it. they armor learning which messaging app to use to protect themselves against encryption. they are learning which app is located out the united states, has no brick-and-mortar location in the united states. ones are located in countries which we with which we have a treaty and which ones we don't. criminals are using it as an education to make themselves more effective in the terminal
12:37 pm
tradecraft. >> mrs. hess, what answer do we have for those cases with whether it's a terrorist planning a plot or they have already killed some people and we are trying to find out what thenext move is or it is a child predator . will there be an answer for this? >> yes sir and to clarify, my earlier statement also, we do see individuals, criminals and terrorists encouraging others to move to encrypted the platforms and we seen it for some time. the solution to that for us is, no investigator, no agent will take that as an answer to say they should stop investigating. they will try to find whatever workaround they can but those solutions may be time intensive. they may not eventually be effective. they may require an additional amount of resources or an additional amount of skill in order to get to those solutions but primarily we are in usually a race against the clock and that's the key component of how we are finding additional
12:38 pm
solutions around this problem. >> i know this is a frightening aspect for americans. we understand privacy but if there is some child predator hiding in the bushes by the playground, watching you snatch a victim, we can find them but now this has given them this cloak of invisibility. it's pretty frightening. we got to find an answer. my time is up, i now recognize as to get for five minutes. >> follow up on the germans questioning. the problem really is not to solve encryption because if you are eliminating default encryption, criminals could still get encryption and they do. is not correct mrs. hess question mark. >> that's correct . >> of the problem is that criminals and have easy access to encryption. and i think we can stipulate that encryption is really great for people like me who have bank accounts who don't want them to be hacked but it's a really horrible challenge for all of us as a society, not
12:39 pm
just law enforcement when you have a child sex predator was trying to encrypt or just as bad, a terrorist. what i want to know is what are we going to do about it? and the industry says that if congress forces them to develop tools so that law enforcement with probable cause and a warrant can get access to that data, that then will just open the door. do you believe that's true, mrs. hess? >> i believe there certainly will be always no such thing as 100 percent security. however, industry leaders today have built systems that enable us to be able to get or receive readable content. >> and chief galati, what's your view on that?
12:40 pm
>> i believe that in order to provide, and i don't want to call it a tactical but rather a frontal, i think if the companies can provide law enforcement, i don't believe it would be abused. >> why not? >> we have the khalil law from 1984 and that was in use so i don't see how by making law. >> what they are saying isthe technology , once they develop that technology than anybody could get access to it and they could break the encryption. >> i believe that if we look at apple, they had the technology going back to about 18, 19 months where they were doing it for law enforcement and i am not aware of any cases of abuse that came out when asked apple actually did have capability so i can see if this bill had the key today. >> i will ask them because it's coming up. captain cohen it will be
12:41 pm
helpful to look for real-world analogies. if you think of an android iphone or phone as a safety deposit box. the key the bank holds, that's the private key to the encryption. the key to a cold, that's the key to the of the bank does is build firewalls around that. there's a difference between encryption and firewalls. >> you think that technology exist? >> the technology does exist. >> i don't have a lot of time but i'm going to ask them the same question. there's something else that can be done and forced the industry to comply or like in the san bernardino case, the fbi hired a third-party to help them break the code in that phone and that was what we call gray hacks, people who are in this murky market. what do you think about that suggestion mrs. hess? >> yes ma'am. that certainly is one potential solution but that takes me back to up my prior answer which is that these solutions are very case-by-case specific.
12:42 pm
they may not work in all instances. they are dependent on the fragility of the systems and also they are very time intensive and resource intensive which may not be scalable to enable us to be successful in our investigations. >> you think there's any ethical issue with using these third-party hackers to do this? >> i think certainly there are vulnerabilities we should review to make sure we identify the risks and benefits of being able to exploit those vulnerabilities in a greater setting. >> i understand you are doing it because you have to in certain cases. do you think it's a good policy to follow? >> i do not think that should be the solution. >> and one more question is, if third-party individuals can develop these techniques, to get into these encrypted devices or programs, why can't we bring more capabilities to the government to be able to do that? >> certainly these types of
12:43 pm
solutions and as i said, this should not be the only solution but these type of solutions that we do employ and can employ, they require a lot of highly skilled specialized resources that we may not have immediately available to us. >> can we develop those with the right resources? >> no man, i don't see that possible. i think we really do need the cooperation of industry, we need cooperation of academia. weneed the cooperation of the private sector in order to come up with solutions. >> banking . >> we now recognize the gentleman from indiana, ms. brooks for five minutes. >> thank you mister chairman. in 2001, after i was appointed us attorney for the southern district of indiana i began work with you indiana crimes against children taskforce which was led primarily us attorney steve the road up working hand-in-hand with you , captain cohen.
12:44 pm
i want to thank you for being here because prior to that time i would say i was certainly not aware about what really went into and what horrific crimes really were being perpetrated against children at that time in 2001, 2002. when we talk about child exploitation against children, we need to realize this involves babies up to teenagers. this is not all about willing teenagers doing these type of, being involved in these type of acts. these are people praying on children of all ages and i want to walk you through captain cohen, what some of the impediments are. a bit more about how this works, how we are being ported in your investigations and i also want to wrap up and make sure we have time for you to explain your thoughts about the firewalls. first of all, if you could please walk-through with us, offenders, and i'm talking about older children: kids who have access to social media.
12:45 pm
their perpetrators are making connections through social media platforms correct? >> yes ma'am. >> and others typically unencrypted or a printed question mark. >> two years ago i'd have said unencrypted, now encrypted. >> i left my sources us attorney, i think things have changed dramatically. in the second step, the conversation moves to encrypted discussions, would that be correct? they encourage particularly young people to go to app's like kick and others. >> they will go trolling for potential victim on it unencrypted app. once they have a victim they can perpetrate against, they will move to anencrypted communication app .>> would be fair to say that through the relationship that's been developed, they typically encourage them to send an imag . >> correct. they want the victim to do on compromising act that they can then exploit. >> and that image is sent from
12:46 pm
one smartphone to another or from one smartphone to a computer? >> generally from one smartphone to another. involving an android phone or iphone. >> but this doesn't just happen in our country, correct? x correct. i've heard from someone evenin another country to victimize a child in the us .>> we have out of country perpetrators as well as in country perpetrators focusing on even out of country victims as well, is that right? x correct ma'am, yes. >> are those typically encrypted, the transmission of those photos are typically encrypted. >> that's one of our challenges. the transmission is encrypted as well as when the data sits at rest on the phone, it's encrypted there as well . >> and you are presenting that image to a jury if an individual is caught and is prosecuted, it is imperative is it not for you to present the actual image to a jury. >> yes ma'am. the metadata alone, who was talking with whom doesn't
12:47 pm
matter. the content of that communication. if the images that were sent and received. >> so if you can't get these encrypted images, and the encrypted discussion, what you had in court #ácustomá we have nothing in court. we can't complete the investigation. >> how do you find the victims? >> oftentimes we don't have a way to identify the victims, they go on served. >> and can you please talk to us a bit more about why, what it is you actually do to find the victims? >> we do everything we can. we tried legal solutions meaning trying to get records and source providers from the technology companies, trying to identify them through that. the challenge we encounter there many times as mrs. hess mentioned is because of retention periods, the records no longer exist. and then we tried to get the communication to show who was talking with room and often times we are unable to do that
12:48 pm
because of encryption. >> is a common that one when you find these phones or perpetrator there are usually thousands of images involving multiple victims . >> thousands of thousands and also in encrypted cloud sites like dropbox and google drive. >> could you please expand a little bit on what you previously started to answer as potential solutions with respect to firewalls question mark. >> potential solutions is to create a better firewall. think of the safety deposit box, think about is a bank. while you think of the actual locks on these safe-deposit boxes as the encryption, you build firewalls around that. those firewalls can be legal process we opened up and you can go inside but just like a safe-deposit box, if we go to the bank with a search warrant, the back uses their feet. we get the drill and we drill the customers lock and we see what's inside that box. i've done it dozens of times in the course of my career. the differences with encryption, my drill doesn't
12:49 pm
break the law. >> thank you, i yield back. >> we now recognize mister clark for five minutes. >> i thank you mister chairman and i thankranking member . in october 2014, fbi director comey gave these remarks on encryption before the brookings institute. we in the fbi will continue to throw every lawful tool we had this problem but it is costly. it's inefficient and it takes time. we need to fix this problem. it is long past time. we need assistance and cooperation from companies to comply with lawful court orders so criminals around the world cannot seek safe haven for lawless conduct. we need to find common ground and we care about the same things. so mrs. hess, i'd like to ask this question of you. other than tech companies creating back doors or law enforcement, what do you believe are some possible solutions to address the impact between law enforcement need to lawfully gain access to
12:50 pm
critical information and the cyber security benefits of strong encryption? >> yes ma'am and as previously stated, i really believe that certain industry leaders have created secure systems that they are still yet able to comply with lawful orders. they are able to access the contents to either of those communications to either provide some sort of protection for their customers against malicious software or some other type of article. in addition to that, they are able to do it perhaps for business purposes or for banking regulations for example. in addition to those solutions we certainly don't stop there. we look at any possible tools we may have in our toolbox and that might include the things we previously discussed here today, whether that be individual solutions, metadata, whether it could be an increase in physical surveillance but each of those things comes with a cost and all those things are
12:51 pm
not as responsive as being abl to get that information directly from the provider. >> you believe there is some common ground? i do . >> so the other panelists, are there solutions you can see that mike's solve this impasse? >> the solution we had in place previously in which apple as an example did hold a key and as chief galati mentioned, that was never compromised so they could comply with the proper process. essentially what happens is apple solve the problem that does not exist. >> i would say by apple orother industries holding the key , it reduces at least the law enforcement having to go outside of those companies to find people that can get a solution so as mentioned earlier about the gray hackers, they are going to be out there but if the companies are doing it, it reduces the risk i
12:52 pm
believe. >> very well. in the san bernardino case, counsel indicated the fbi has used the services of private sector third parties to work around the encryption of the iphone in question. this case raises important questions about whether we want law enforcement using nongovernmental third-party entities to circumvent security features developed by private companies. do you have questions about whether this is a good model or a better model exists? this is assuming press accounts are true and you procure the help of third-party to gain access to that iphone, why were you apparently not able to solve this problem on your own? >> for one thing, as previously discussed, technology is changing rapidly. we live in such an advanced age of technology development and to keep up with that we require the services of specialized skills we can only get through private industry and that partnership is critical to our success. >> this is the to the entire panel. do you believe the us
12:53 pm
government needs to enhance technological capabilities? >> i think it does. private industry provides a lot of opportunity so i think the best people that are out there are working for private companies and not working for the government. >> i agree with the chief. essentially we need the help of private industry, both the industry that makes the technology and others. we need industry practice good corporate citizens and help us because we can't do it alone. there are over 18,000 police agencies in the united states and while the fbi may have technical ability internally, those other agencies do not and as the chief mentioned, other 90 percent of the investigations are handled at the state and local level. we need industries help . >> very well. i will yield back to mister chairman. >> we now recognize mister griffin for five minutes. >> thank you all for being here to this important discussion we are having today.
12:54 pm
i will say we have to figure out what the balances, both from a security standpoint but also to make sure we are fulfilling our obligations under our constitution which was written with real life circumstances in mind. they said we don't want the government to be able to come in and get everything. they were aware of the situationwith general warrants, both london used against john wilkes . and the founding fathers were also aware of james otis and his fight in massachusetts which john adams said so the seeds of the revolution and the british government wanted to go from warehouse to warehouse looking for smuggled goods. so it's not an easy situation. i do have is question though. apparently some researchers recently published the results of a survey of over hundred encrypted products that are
12:55 pm
available online and basically they found that about two thirds of them are foreign products. the question would be, given that so many of the encrypted products could in fact be companies not headquartered within the united states of america, if we force the companies that we do have jurisdiction over to we can the security of their products, are we doing little more than hurting american industry and then sending the bad actors like mister fletcher who is the child pornographer just to a different format that we don't have control over? that one question i would ask all three of you. >> right now google and apple act as gatekeepers for most of those trend app's, meeting if it's not on the store, if it's not available on double play for an android or ios device the customer could not install it so while some of the encrypted app's like telegram
12:56 pm
are based outside the united states, us companies act as gatekeepers as to whether or not those app's are accessible in the united states to be use . >> g? >> i would agree. especially with what the captain said and you know, certain app's are not available on all the devices so if the companies outside the united states can't comply with the same rul and regulations of the ones that are in the united states than they should be available on the app source. you can't getevery app on a blackberry that you can on an android or google . >> yes sir. what you stated is correct and i think certainly we need to examine how other countries are viewing those same problems because they have the same challenges as we are having similar to the liberation test whether their law enforcement maybe and access to these communications as well so as we move toward that, question for us is what makes consumers want to buy american products. is it because they are more
12:57 pm
secure, is it because they actually cover the type of services that consumers desire? is it because of personal preference? at the same time we need to make sure that we balance that security as well as the privacy that consumers have come to expect. >> i appreciate that. captain cohen, i am curious. you talk about the fletcher case and indicated the judge ordered that give the password to the computer but then you didn't get access to the thumb drive. was the judge asked to force them to do that as well smart text that instance the judge compelled him to provide it. he said the thumb drive is not encrypted. his defense disagreed and said it was encrypted. he then provided a password failed to stipulated polygraph as whether he knew the password
12:58 pm
or failed to disclose it so every indication is he intentionally chose not togive the second password for that device. >> and was he held in contempt for that question mark i do not believe he was . >> look, obviously if eating the images you have a better chance of finding the victim but that proves even before encryption there was difficulty in finding victims even if you found a store of graphs in a filing cabinet. it's sometimes hard to track down the victims, is not correct? >> it is very difficult to find child victims. >> it's a shame. i like the concept, the visual you are able to drill into the safety deposit box but you can't get into the computer or telephone. is there a product out there that would be that limited because of the problems i know apple has had as they don't want to have a backdoor to every single phone that other folks could get a hold of and the government could use that will, particularly governments not as conscious of civil liberties as the united states.
12:59 pm
do you know of any such product that would give you that kind of specificity. >> be similar to what we had prior to apple aging where the encryption key is kept, meaning the legal process served on apple as an example and apple is the one to use the drill, not law enforcement. that helps provide another layer of protection against abuses by governments other than ours meaning while that have that capability because they are inside the firewall, those outside the vault would have no ability to get access. >> i appreciate it and i yield back mister chairman x i recognize mister wells for five minutes. >> thank you very much. first of all i want to thank each of you for the work you and your departments do. in these astonishing times when the kind of crimes that all america is exposed to are happening and the expectation on thepart of the public is some way you are going to make it right and make it safe . so i think all of us really appreciate your work. this issue as you have
1:00 pm
acknowledged is very difficult. i think if any of us were in your position what we want is access to any information fourth amendment allowed us to get in order for us to do our jobs. but there's three issues that are really difficult. one is the law enforcement issue you have very clearly enunciated.youb the cost go through the process of getting a warrant, you're entitled to the information yet because of technology we have these impediments to you getting what you are legally authorized to get. all of us want you to get the information you rightfully can obtain. but the second issue that makes it unique almost is that in order for you to get the information, you have to get the active participation of an innocent third-party who had nothing to do with the events but who potentially can get the information for you. that's the whole application but it's very, gated situation
1:01 pm
because it's not as though if you came with a warrant to my house i need to turn over information i had. it's one thing if i go in my drawer and get it to you. it's another thing if it's very deep in the backyard and the order is i've got to buy a backhoe or rent a backhoe and go out there and start digging around until i find it. normally that would be the burden on the law enforcement agency. so that's the second issue, how much can the government require a third-party, a company or individual to actually use their own resources to assist in getting access to the information. and then third issue that's really tough that mister griffith was just acknowledging, we get a backdoor key, we trust you but we have a governments and companies we are doing business with and they get pressure to provide that same backdoor key. the key is lost and then things happen with respect to privacy and security that you don't want to happen and we don't want to happen.
1:02 pm
so this is a genuinely tough situation where frankly i'm not sure there's an easy balance on this. so just a couple of questions, what would you see as the answer here? i know you want the information but if the getting of the information requires me to hire a few people to work in the yard with a backhoe or apple to really deploy high-class engineers to come up with a entry key, are you saying that that's what should be required now? >> yes sir, i think the best solution is for us to work cooperatively with technology, with industry and with academia to try to come up with the best puzzles possible solution but at that i would say no investigative agency should forgo that for all other solutions.they should
1:03 pm
continue to drive forward with all solutions available x and chief, i will ask you. you are on the front lines in new york all the time and is a view that the right policy now would be for you when you have probable cause to protect us and we are all in the same page there. to force a technology company at significant effort and expense to assist in getting access to the information with mark. >> sir, i would say up to a couple years ago most of the technology companies and they still do have law enforcement liaisons that we work closely with. for example, if it's facebook or google, even after where we have the ability to go to them with legal process and they are providing us with the search warrant. >> my understanding from talking to those folks is that if it's information stored in the cloud, this is the
1:04 pm
situation in san bernardino. there's a lot of stuff that was relatively easy to retrieve and they do provide that. they do cooperate as long as you have a warrant. they do everything they can to accommodate those lawful requests from law enforcement, is that your experience? >> yes. the cloud does have some issues because things can be deleted from the cloud and never recovered. if the phone is not uploaded to the cloud, things are lost. >> would you just acknowledge there's a significant distinction between a company turning over information that's easily retrievable in the cloud comparable to me going into my house and opening a drawer and giving you the information you requested versus the company that has to have engineers try to somehow crack the code so that they are very energetically involved in the process of decryption.
1:05 pm
that's the difference, you agree? >> it is a difference and i believe when they create the operating system, that's where they have to make that key available so they don't have to spend the resources to crack the code but rather have a new operating system. >> thanks. one last thing. i just want to say, i thought what representative park said, the research is for you to let you use some of this work on your own really makes an awful lot of sense. there's none of these conflicts are going to be, we want to say they are resolvable, there tough to resolve. >> i now recognize mister mullen for five minutes. >> as you can see, i think both sides on this up here on this in this committee, you see we want to get to the real problem. we want to be helpful, not a hindrance. all of us want to be safe but we also want to make sure we operate within the constitution
1:06 pm
and the technology is changing at such a pace that i know law enforcement has to do their job and staying with it because criminals are always doing their job to, like it or not and if it changes, the crimes change, we have to change the way we operate.the concern is privacy, obviously and getting into that, some have argued the expansion of connected devices to the internet of things provides law enforcement with new surveillance tools and capabilities. recently the government center at harvard university argued the internet of things could potentially offset the government's inability to access encrypted technology for providing new paths for surveillance and monitoring. my question is, what's your reaction to the idea that the internet of things resents a potential alternative to accessing encrypted devices. >> mark. >> i do think the internet things and associated metadata presents us with an additional
1:07 pm
opportunity to collect information and evidence that will be helpful to muslim investigation. however those merely provide us with leads or clues whereas the real content of the communications is what we really seek in order to prove beyond a reasonable doubt in court in order to get a convention. >> could you expand on content within the device? or the conversation between the devices? >> what people are saying to each other as opposed to just who is communicating or at what location they were communicating. it's critically important to law enforcement to know what they said in order to prove intent. >> is there something we in this panel, or this committee should be looking at to help you to gain access to that or since it's connected, doesn't even take any extra step for you to access that information? >> yes and exactly to the point of the discussion today is that
1:08 pm
we need to work with industry and with academia in order to come up with solutions so we can access that content or so they can access in and provided to us.>> the fbi has foreign options unassuming. >> yes, sir. >> are there challenges or concerns used in the growth of connected devices that you can see coming down the road, obviously with the technology changing rapidly today, what are some of the challenges you are facing? >> as more and more things in today's world become connected, there is also an increasing demand for encrypting those services, those devices and capabilities. that's warranted and well merited but again it presents a challenge for us as metadata is increasingly encrypted. at present a challenge as well. we need to be able to access the information but more importantly the content. in other words if a suspect toaster is connected to their
1:09 pm
car so they know it's going to come on at a certain time, that's helpful but it doesn't help us to know the content of the communication when it comes to their developing watch. >> is there a difference between say the fbi and the way you have to operate? >> there's not much of a difference because we work very well together. but the additional challenges, in february apple announced plans to tie the same encryption to iphone accounts. the content currently in the cloud system, apple announced publicly they plan to make that encrypted and inaccessible with the service of legal process so that's one of the challenges you ask about that we are going to lose that area of content as well.>> i just assume that everything i do online for some intent in purposes is out there and people are going to be able to retrieve it. i don't assume any privacy really when it's on the internet. is that analogy, could that analogy hold up true or should we be expecting a sense of
1:10 pm
privacy when it's on the internet? i mean, we put it out there. >> sir, i believe we should all expect a sense of privacy on theinternet . when we talk on the restaurant, a telephone, landline or cellular but that privacy cannot be completely absolute. we do need to have when we serve proper legal process a search warrant as an example, have the ability for reasonable search and seizures, not all search and seizures so we have private companies without checks and balances protecting everyone against all searches. >> g, do you have an opinion on that? >> i agree also. on the internet, you have a right to privacy and most of these app's and programs give you privacy settings so nobody can get at it. when you get into the criminal world or the malicious criminal intent, that's when law enforcement has to have the ability to go in and see what you have . >> mister polonius is recognized for nine minutes. >> thank you mister chairman.
1:11 pm
i've never seem to be amazed at how complex an issue this is. the required balance in various competing values yet much of the public debate is focused on simplified versions of the situation, they painted in black and white and there seems to be some misunderstanding we have to have either cyber security or no protection online at all. we've heard the limitations encryption places on law enforcementaccess puts us in danger of going dark . by contrast we hear that law enforcement now has access to more information than ever, so-called golden age of surveillance. at harvard at the berkeley center there was a report titled making progress on the going dark debate that concludes and i quote, indications of the future will need to be eclipsed into darkness or illuminated without shadow. and i think that's a useful framework to view the issue, not as a binary choice between total darkness or complete
1:12 pm
illumination but rather a spectrum i think it's fair to say there have been and always will be areas of darkness where criminals are able to conceal information and no matter what law enforcement has a tough job but the question is how much darkness is too much? i wanted to ask you all and this is for any of you, about some key questions on this spectrum issue. where are we on the spectrum? currently, where should we be on the spectrum. if we are not in the right place, how do we get there? let's start with mrs. hess and whoever else wants to say something. >> yes sir. as far as the amount of information we can receive today, i think it is true, do receive more information today than in the past but i would draw the analogy to the fact that the haystack has gotten bigger but we are still looking for the same needle and the challenge for us is to figure out what's important and relevant to the investigation. where presented with this volume of information and the
1:13 pm
problem additionally with that is that what we are collecting, what we are able to see is for example who's communicating with who or potentially what ip addresses are comedic and with each other, location, time, perhaps the duration but not the content of what they were actually saying. >> g, did you want to add to that? >> i agree that the internet has provided a lot more information to police, that we could go out and find public records, we could find records within police departments through the country so the internet has made things easier. however the encryption is taking all those games away and i think the more we go towards encryption the harder it's going to be to really investigate and conduct long-term cases. we do a lot of cases in new york about gangs, we call them cruise and it's very vital all the information we get from
1:14 pm
people on the internet that sometimes are very public out there but now they are switching to encrypted and it's making those long-term cases or those i guess you would call them rico cases very difficult to puttogether because we are in the wind . >> i see we have a lack of information that i have not seen before in my 20 years of investigation . not solely by encryption but also as it relates to retention of information and the lack of legislation related to data retention similar to what there is for the banking industry as well as our inability to serve legal process on companies either out-of-state or to distort data outside the united states. i see it as all interrelated issues which together conspire to make it more difficult than before for me to gather the information i need to functionally conduct criminal investigations on the spectrum you asked about, i see we are
1:15 pm
losing the ability to access information we need to rescue victims and solve crimes. >> thank you. i think my second question, to some extent you already answered but if anybody wants to add to it, my second question is where do you see the trend moving? are we comfortable with where we are headed or are the technological trends such as increased encryption leaving us with too much darkness. you can answer that unless anybody wants to add to it. yes, mrs. hess question mark. >> yes sir. i do see that would be increasing technology platforms continue to change and they continue to present challenges for us that i provided in my opening statement. in addition to that, we tried to figure out how we might be able to use what is available to us and we are constantly challenged by that as well. for example, some companies may not know what exactly or how to provide the information we are seeking and it's not just a matter of needing that
1:16 pm
information to enable us to see the content or enable us to see what people are saying to each other. it's also a matter of being able to figure out who we should be focusing on more quickly so that if we could get that information, we are able to target our investigations more appropriately and be able to exonerate the innocence as well as identify the guilty. >> thank you. i'm going to and with that but i wanted to add obviously that you continue to engage with us to help us answer these questions. not just with what we you are saying today but a constant dialogue is what we need. if you mister chairman. >> i now recognize doctor burgess for five minutes. >> thank you and thank you all for being here. i knowledge there is another hearing going on upstairs so some seem to be on going back and forth, that's what's happening. let me just ask you a couple questions if i could. there is another subcommittee of the energy and commerce committee call the manufacturing and trade subcommittee. we are working very closely
1:17 pm
with the federal trade commission which is under our jurisdiction. that subcommittee on the area of data breach notification and security. a component of that effort has been pushed for companies to strengthen data security. one of those paper has to be through encryption and the fcc will look at a company security protocols for handling data when it reviews whether or not the company is fulfilling its obligations for protecting its customers so as the fbi had any discussions with federal trade commission over whether or not the back doors are access which might compromise the security data. >> we have engaged in a number of conversations among the inter-agency, with other agencies, with industry, with academia. i can get back to you as far as whether we specifically met with the truck federal trade commission. >> that would be helpful
1:18 pm
because again, we are actually trying to work through concepts of more in the retail space for data security. data security is data security regardless of who is harmed in the process and purity is national security with writ large so that would be enormously helpful. let me ask you a question, it's a little off-topic but i can't help myself. one of the dark side of encryption is if someone comes in and encrypts your stuff and you didn't want to encrypted and then they won't give it back to you unless you fork over several thousand dollars in bitcoins to them in some dark apartment so what is it the committee needs to understand about that ran somewhere concept that's going on currently? >> as for ransom where is an increasing problem that we are seeing an investigating on a regular basis now. and i think certainly to exercise good cyber security hygiene is important. to be able to backup systems that have the capability to access that information is important. to be able to talk to each other about what pollutions
1:19 pm
might be available to be able to fall back to some other type of backup solutions so that you are beholden to any particular ransom demands. >> and of course that's critically important. some of the ransom where has of course inverted hospitals and medical facilities and i'll just offer an editorial comment for what it's worth. i cannot imagine going into an icu some morning and asking to see the data on my patient and being told it's encrypted by an outside source and you can't have it. when you catch those people, i think the appropriate punishment is to be shot at sunrise and i wouldn't put a whole lot of appeals between the action and the reaction. i will yield back. >> i recognize mister garment for five minutes. >> thanks to the witnesses for your testimony. i find it hard to come up with any question that has is going
1:20 pm
to elicit any new answers from you and i think your testimony and the discussion we had today is an indication of how difficult this situation is. it sounds to me like there's a great business opportunity here somewhere but probably you don't have the budgets to pay a business what they would need to be paid to get the information you are after so that maybe not such a good business opportunity after all. i want to ask one question about you, mrs. hess. in your budget request for the fiscal year 17, you request more than $38 million to deal with the growing dark issue. and your request also says it's not in personnel. it seems to me personnel has to be a huge part of this effort so could you elaborate on what your budget request involved in what you plan to do with that. >> yes sir.
1:21 pm
it's at a higher level, essentially we are looking for any possible solutions, any possible tools we might be able to throw at the problem. all the different challenges we encounter and whether that's giving us the ability to be better password guessers or whether that's the ability to try to develop solutions where we might be able to perhaps exploit some type of vulnerability or maybe that's perhaps a tool where we might be to make better use of metadata. all those things go into that request so we can try to come up with solutions to get around the problem we are currently discussing. >> i don't know enough to ask anything else so if anyone is interested in my time i will yield back. >> thank you mister chairman. >> thank thank you, i recognize mister mckinley for five minutes. >> thank you mister chairman. i've been here in congress for over five years now and we've been talking about this for all
1:22 pm
five and half years and i don't see much progress being made with and i hear the frustration in some of your voices but i was hoping we were going to hear today more specifics. if you could paint us a magic wand what would it be? what's the solution? you hint towards it but we didn't get close enough. so one of the things i'd like to try to understand is how we differentiate between privacy and national security. i don't feel we really come to grips with that. i don't know how many people on both sides of the aisle, i don't care. i'm concerned about national security as it relates to encryption. you had this past weekend, there was a very provocative tv show with 60 minutes came out about backing into cell phones. we had about a year ago, we all were briefed, it wasn't
1:23 pm
classified where russia hacked in and shut down the electric reading ukraine. the impact that could have a foreign government could have access to it. this past week in town hall meetings in the district,twice people raise the issue about hacking . and to shutting down the electric grid . it reminded me of some testimony that had been given to us about a year ago on that very subject when one of the presenters like yourself said that within four days a group of engineers in america, kids could shut down the grid from boston down through where was it question mark from boston to new york, just four days. very concerned about that. where we are going with this whole issue of encryption and protection so mister galati, if i can ask you the question, how
1:24 pm
confident are you that the adequacy of the fiction is protecting our infrastructure in your jurisdiction? >> sir, cyber security and infrastructure is very complicated and we have another whole section in the police department and the city that monitors us very closely with all the agencies such as con ed, det and so on. we also work closely with the fbi and their joint cyber task force to monitor cyber attacks. >> but the question really is how you feel because everyone who comes in here, when it runs in our companies, i don't need to list their names but all of them said we think we've got it. but yet during that discussion on 60 minutes, the hacker that was there isa professional hacker, he said i can break into any system . my question again back to you is how confident are you that
1:25 pm
the system is going to work, that is going to be protected? >> i think with all the agencies involved in trying to protect critical infrastructure and i think there is a big emphasis in new york, i'll speak about new york working with multiple agencies were looking at vulnerabilities to the system. i do think that is an encryption issue but i think what i was speaking about more when it came to encryption is about communication and investigating crimes or terrorism -related offenses. >> how about you in indiana? >> what are you talking about? all systems been compromised. we are talking about firewalls not encryption. were talking about the ability for someone to get inside the system, to have the password or something like that, to get the firewall so encryption of data in motion as an example would not protect us from the type of
1:26 pm
things you are talking about, being able to shut down the power grid. it's noteworthy that i saw that 60 minutes piece and what that particular hacker was able to exploit would not have been encryption. that is a separate system related to how the cellular, how the cell system or to centrally and it's separate and unrelated from the question of encryption so having more robust encryption would not fix those problems.and i like the background to be able to tell you specifically do i feel confident about how those firewalls areright now in those systems you have to . >> so my question back to you, how would you respond to this question mark. >> yes sir. i think first off there's no such thing as 100 percent secure. as a purely secure solution. with that said i think it is incumbent on all of us to build the most secure systems
1:27 pm
possible but at the same time we are presenting to you today the challenge that law enforcement has to be able to get for access or be provided with the information we seek pursuant to a lawful order. warrant that has been signed by a judge to be able to get the information we see in order to prove or have evidence that a crime has occurred. >> ideal back my time. >> mister tomko for five minutes. >> thank you mister chair and thank you to our witnesses. i'd encourage that here today we are developing dialogue which i think is critical for us to best understand the issu from a policy perspective . and there's no denying that we are at risk with more and more threats to our national security including cyber threats but there is also a strong desire to maintain individual rights and opportunities to store information and understand and believe that is protected and sometimes those two are very difficult. there's a tender balance that needs to be struck. so i think first question, to
1:28 pm
any of the three of you is is there a better outcome in terms of training?do you believe there's better dialogue, better communication, formalized training that would help the law enforcement community if they network with these companies that develop the technology? i'm concerned that we don't always have all the information we require to do our end of the responsibility thing here. mrs. hess? >> yes sir, i think that's certainly in today's world we do need people who have those specialized skills, who havethe training , who have the tools and resources available to them to be able to better address this challenge but with that said, there is still no one-size-fits-all solution . >> anything chief or captain
1:29 pm
you like to add? >> i would just say that we do work very closely with a lot of these companies like google and we do share information and also at times work on training amongst the two agencies and the companies so we do have cooperation there and i think you could always get better. >> and mrs. hess, in this encryption debate, what specifically would you suggest the fbi is asking or asking of the tech community? >> that when we present an order signed by an independent neutral judge that they are able to comply with that order and provide us with the information we are seeking in readable form. >> okay. and also to mrs. hess, if is the fbi asking apple and other companies to create a backdoor that would then potentially weaken encryption?
1:30 pm
>> i don't believe the fbi or law enforcement in general should be in the position of dictating to companies what the solution is. they have built those systems. they know their devices and their systems that are certainly than we do and how they might be able to build some type of the most secure systems available or the most secure devices yet still be able to comply with orders. >>
1:31 pm
the message that they are sending to other nations. other countries ask for such tools as well. right now apple and other technology companies give a legitimate argument that they do not have it. requiring tech companies to help subvert establishes precedents that could endanger people around the world who rely on protected communications to shield them from despotic regimes. >> yes, sir. in the international community, and we have had a number of conversations that this is a common problem among law enforcement throughout the world. obviously there are international implications to any solutions that might be developed, but in addition what we seek is through a lawful order with
1:32 pm
the system we set up for the american judicial system to be able to go to a magistrate or judge and get a warrant and say we have probable cause to believe that someone or some entity is committing a crime. i believe that other countries had such a way of doing business that would be a good thing for all of us. >> and do you have anything to add? >> in preparing for the testimony, i saw some of the stories that said apple provided source code for ios i don't know whether the story is true or not. i also tried to find an example and could not. apple said it did not provide a map board to china, but we are not talking source code. the source code would be the 1st thing needed to hack into an iphone, as an example.
1:33 pm
>> thank you. my time is exhausted. >> thank you. your recognized for five minutes. >> the chairman will thank the panel for being here today. as more and more of our lives, everything from communications to medical records, the need for strong security is becoming more important. at the same time, a mess increase in our digital footprint, does this present an opportunity to explore new creative ways to conduct investigations? we talked about metadata, but knew forms of surveillance or other options, maybe we have not discussed the net. >> yes, sir. i believe we should make every use of the tools we have been authorized by congress and the american
1:34 pm
people to use. if that pertains to metadata or other types of information about building differently technologies, then certainly we should take advantage of that. at the same time, clearly these things present challenges for us as well. >> of you and others in the community engage with the technology community or others to explore these types of opportunities for look at potential ways to do this? >> yes,yes, sir. we are in daily contact with industry and academia to try to come up with solutions, ways that we might be able to get evidence in our investigation. >> what have you learned? >> clearly technology changes on a very, very rapid pace. sometimes the providers were people who built those technologies may not have built-in were thought to build and a law enforcement solution so that they could
1:35 pm
readily provide us with information, even if they want to. in other cases, this is the way that they do business. they just may not be set up to do that because of resources or the proprietary way that their systems are created. >> the other members of the panel, do you have an opinion on this? >> as technology advances however, as we start using those tools we need to check with encryption especially blocking things that we recently were able to obtain. >> okay. to all of you, i recently read about the com sab technology company in the detroit news article the said there was a way for government to access data
1:36 pm
stored without building a backdoor to encryption. a two-part encryption system where there is a unique encryption key that only when both keys as well as a device in hand could you access encrypted data on the device. i'm not an expert on encryption. is such a solution achievable? secondly, have the vendor discussions regarding a proposal like this or something similar that would allow safe access to data without giving a key,a key, so to speak, to wanted to do. >> to answer your question, that paradigm could work. it is similar to the paradigm of a safety deposit box in a bank were you have two different keys. but that would require the cooperation of industry. >> what i was going to say. >> we will get a chance to hear from industry our next
1:37 pm
panel. i was trying to explain this to want my staffers. deep be eight and r2-d2. i get it now. anyway, i think that it is important that law enforcement technology work together. i want to thank the chairman for giving us this opportunity to do that and thank you all for being here. >> the gentleman yields back. >> thank you, mr. chairman. thank you to the witnesses. i am so appreciative of your time. and i am appreciative of the work product that our committee has put into this. with some of the members that are on the dance comeau we have served on privacy and data security task force for the community looking at how we construct legislation
1:38 pm
and looking at what we ought to do when it comes to the issue of privacy and data security and going back to the law and the intent of the law. congress authorizes wiretaps and has since 1934. and 6070 come along and there is the language. you have cats versus the us where citizens have a reasonable expectation of privacy. and we know that for you and law enforcement, you come up upon that with this new technology that sometimes, it seems, there is a fight between technology and law enforcement, and the balance that is necessary between that reasonable expectation and looking at the ability of your ability to do your
1:39 pm
job, which is to keep citizens safe. so, i thank you for the work that you are doing in this room, and considering all of that, i would like to hear from each of you. then we will start with you and work out to the panel. do you think that at this point there is an adversarial relationship between the private sector and law enforcement? and if you advise us all what should be our framework and what should be the penalties put in place that will help you to get these criminals out of the virtual space? and help our citizens now that they are virtual view, their presence online is going to be protected, but that you are going to have the ability to help keep them safe. kind of a loaded question. the event two minutes and 36
1:40 pm
seconds. it is yours, and we will move right down the line. 's. >> as far as whether there is an adversarial relationship, my responses, i hope not. we want to work with industry, academia. we have the same values, share the same values in this country that we want our citizens to be protected. we also very much value privacy. i think, as you noted, for over 200 years this country has balanced privacy and security, and these are not binary things. they should not be one of the other. how do we do that? i don't think that is for the fbi to decide, nor do i thinki think it is protect companies to decide unilaterally. >> we need your advice. >> it is not an adversarial relationship either. there are things we have to work with.
1:41 pm
they are very cooperative. this is a new area we're going into. right now it is not adversarial. >> the other two, as you mentioned, some of these that authorize wired, they have not been updated recently at an exponential pace, some of the statutes have not evolved to keep up with them, and relax the technical ability at this point to properly execute. >> and we would appreciate hearing from you as we look at these updates. statutes of their, but we need the application to the virtual space, and this is where it will be helpful to hear from you. what is the framework, what
1:42 pm
are the penalties, what enables you the best in force. and so if you could just submit to us -- i am running out of time, but submit your thoughts on that it would be helpful and we would appreciate it. i yield back. >> now recognize mr. cramer for five minutes. >> thank you, mr. chairman. it is refreshing to participate in the hearing for the peoplethe people asking the questions don't know the answer until you give it to us. i want to talk specifically on the issue of breaking modern encryption by brute force, as we call it. the ability to apply multiple passcodes until you can break it. that is sort of the trickier. the iphone specifically there is an issue of the data destruction future.
1:43 pm
removing the data destruction feature, at least a partial solution to your side. in other words, we are moving one of the tools. i am open-minded to it and looking for your thoughts on that issue. >> if i may. certainly, that is one potential solution that we do use, and we should continue to use. being able to guess the right password is something that we employ in a wide variety, number of investigations. the problem and challenges sometimes those pascoe links get longer and longer, involve alphanumeric characters and present special challenges that it would take years, if ever, to actually solve the problem regardless of what type of resources we might apply.
1:44 pm
to that point we ask our investigators to help us be better guessers in order to help us make a better guess. >> if i might, with the ten tries and you are out data destruction feature, that makes your job all the more difficult, expanding that i am not looking for magic numbers, but there has to be some way to at least increase your chances. >> and that is one of the things. usually it takes is more than ten guesses before we get the right answer. 's the time delay between guesses. >> sure.
1:45 pm
>> i do not think personally that the brute force solution would provide a substantive solution to the problem. as has been mentioned, is iowa went from a four digit pin to a six digit pin. so if you were to legislate, it would not like an over at the data is to have to write in that passcodes are only have a certain complexity and link and that would be great security. we want security and heart encryption but need a way to quickly be able to access data is often times am running against the clock. be able to brute force.
1:46 pm
>> thank you for your testimony and all you do. i yield back. it's. >> if they want to ask questions. >> i think the chairman for his courtesy of the witnesses. he stated in your opening testimony that congress is the correct form to make decisions on data security command i agree with that. encryption related issues are technical. therefore it's it is appropriate to review the issues. legislation does exactly that. >> ii believe that we need to work with industry and academia and all relevant
1:47 pm
parties. >> you agree that is the right approach? cyber security and privacy and so on. >> there are varying aspects. the premise i agree with. >> i really cannot comment. i do agree that you need to work together. 's's i do agree with the principle. >> whenever paradigm help members of congress will mfortable. civil liberties and security , whatever paradigm serves that purpose.
1:48 pm
>> thank you. you have eliminated some information that has been available and i thank you for doing that. what have we not heard about information that is now available that wasn't in the past's. >> am having problems. >> i would only say, been in
1:49 pm
the police department for 32 years. 's i do think there are a lot of things we are able to obtain today that we couldn't ten or 20 years ago. the encryption issue is definitely eliminating a lot of those gains. >> this would drive customers to overseas suppliers it's an absolute gain nothing. >> i disagree for the sense that many countries having the same conversation is, the same discussion currently. this will continue to be a larger issue's. while it may drive certain
1:50 pm
people who may decide it's too much of a risk to be able to do business in this country i don't think that is the majority. 's the majority of consumers want good products. >> thank you for calling out the quality of american products. my neighbor here and i's represent the area where those products are developed. there will be countries were products are available that supersede whatever requirements we make. also would lead potential bad actors that their weaknesses designed and the system. do you agree with that? >> i think there will always be people trying to find and
1:51 pm
exploit. >> they will be looking for those. they are designed weaknesses. i'll see how that could further security. i guess my time is expired. >> the chair recognized's the congressman for five minutes thank you for participating. it's we are certainly of the opinion that it is imperative. using strong, and in the encryption.
1:52 pm
what will hearing like this look like a year from now, two years from now,now, what do you perceive as the next evolutionary step in the debate and is processes become faster is with the ability to encrypt increasing. >> my reaction is that things don't change we would be sitting here giving you examples' of how we are unable to solve cases for fun predators are rescue victims. that would be the challenge for us, how we can keep that from happening and how we might be able to come up with solutions working properly together. >> again, next question is for the entire panel. what have been some successful collaboration
1:53 pm
lessons between law enforcement and software or hardware manufacturers doing the encryption, and are there any building blocks that we can build upon, or have the recent advancements made any previous success obsolete? for the entire panel. who would like to go 1st? >> i apologize, but can ii ask you -- i am not 100 percent clear on that question. >> let me repeat it. there have been some successful collaboration lessons between law enforcement software and hardware manufacturers dealing with encryption. other any building blocks are success stories we can build upon or have the recent advancements and strong encryption made any previous success obsolete? >> certainly we deal with industry on a daily basis to
1:54 pm
try to come up with the most secure ways of being able to provide that information. still be responsive to our request and daughters. clearly there are certain companies that fell under its scalia. the providers have bill ways to be able to respond to appropriate orders which has provided us with the path so that we know what we are looking for and how we receive that information. 's. >> i really can't comment on that. >> they provide a legal solution such that we can access data.
1:55 pm
and building upon those collaborations, following that path's. >> next question for the panel, what percentage of cases are jeopardized? whether it is cell phone, laptop, desktop what about the other cases? >> we are increasingly seeing the issue currently's in the 1st six months of this fiscal year we are seeing the number of cell phones hearing countering
1:56 pm
passwords. 's missing numbers and continue to increase. >> i give you some numbers. 's hundred and two devices, and these are 67. if i dislike at the apple devices, ten related to homicide, 22 rapes, and two of them are related to members of the police department that were shot. as we are seeing an increase one thing i will say is does not always prevent us from making an arrest. >> and to expand its we ask
1:57 pm
a series of questions. sixty-four bit operating system. it is encrypted. there is no technical solution. the problem is we never know what we don't know. we don't know whether is evidence is missing. the victim is not capable. >> the gentle lady from california. 's. >> thank you very much. be here to join in on this hearing.
1:58 pm
because i'm not a member of the subcommittee. 's i appreciate your courtesy. i 1st want to go to captain:. i think i heard you say that apple had disclosed its source code to the chinese government. that is a huge allegation for the nypd. can you confirm this? >> i'm state police, not nypd. 's the phone several stories. >> i did not here all of your presentation around that allegation. 's's that takes my breath
1:59 pm
away. thank you. ms. hess, san bernardino is really illustrative for many reasons. one of the more striking aspects to me is the way in which the fbi approach the issue of gaining access to that now infamous iphone. we know that the fbi went to court to force a private company to create a system solely for the purpose of the federal government. and i think that is quite breathtaking. it takes my breath away just to digest that. 's and then to use that whenever and however. some disagree. some agree.
2:00 pm
i think this is a worthy an important discussion. this came about after the government missed the key opportunity to backup and potentially recover information from the device by resetting the iphone password the days following the shooting. the congress has appropriated just shy of $9 billion for the fbi. 's now, of that 9 billion, how those dollars are spread across the agency, how is it that the fbi did not know what to do? how can that be? >> if i may, in the aftermath of san bernardino we are looking for any way to identify. >> did you ask apple? would you call apple right away and say


info Stream Only

Uploaded by TV Archive on