[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
THE ENCRYPTION TIGHTROPE: BALANCING AMERICANS' SECURITY AND PRIVACY
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
MARCH 1, 2016
__________
Serial No. 114-78
__________
Printed for the use of the Committee on the Judiciary
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://judiciary.house.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
98-899 PDF WASHINGTON : 2016
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON THE JUDICIARY
BOB GOODLATTE, Virginia, Chairman
F. JAMES SENSENBRENNER, Jr., JOHN CONYERS, Jr., Michigan
Wisconsin JERROLD NADLER, New York
LAMAR S. SMITH, Texas ZOE LOFGREN, California
STEVE CHABOT, Ohio SHEILA JACKSON LEE, Texas
DARRELL E. ISSA, California STEVE COHEN, Tennessee
J. RANDY FORBES, Virginia HENRY C. ``HANK'' JOHNSON, Jr.,
STEVE KING, Iowa Georgia
TRENT FRANKS, Arizona PEDRO R. PIERLUISI, Puerto Rico
LOUIE GOHMERT, Texas JUDY CHU, California
JIM JORDAN, Ohio TED DEUTCH, Florida
TED POE, Texas LUIS V. GUTIERREZ, Illinois
JASON CHAFFETZ, Utah KAREN BASS, California
TOM MARINO, Pennsylvania CEDRIC RICHMOND, Louisiana
TREY GOWDY, South Carolina SUZAN DelBENE, Washington
RAUL LABRADOR, Idaho HAKEEM JEFFRIES, New York
BLAKE FARENTHOLD, Texas DAVID N. CICILLINE, Rhode Island
DOUG COLLINS, Georgia SCOTT PETERS, California
RON DeSANTIS, Florida
MIMI WALTERS, California
KEN BUCK, Colorado
JOHN RATCLIFFE, Texas
DAVE TROTT, Michigan
MIKE BISHOP, Michigan
Shelley Husband, Chief of Staff & General Counsel
Perry Apelbaum, Minority Staff Director & Chief Counsel
C O N T E N T S
----------
MARCH 1, 2016
Page
OPENING STATEMENTS
The Honorable Bob Goodlatte, a Representative in Congress from
the State of Virginia, and Chairman, Committee on the Judiciary 1
The Honorable John Conyers, Jr., a Representative in Congress
from the State of Michigan, and Ranking Member, Committee on
the Judiciary.................................................. 4
WITNESSES
Honorable James B. Comey, Director, Federal Bureau of
Investigation
Oral Testimony................................................. 6
Prepared Statement............................................. 9
Bruce Sewell, Senior Vice President and General Counsel, Apple,
Inc.
Oral Testimony................................................. 98
Prepared Statement............................................. 101
Susan Landau, Ph.D., Professor of Cybersecurity Policy, Worcester
Polytechnic Institute
Oral Testimony................................................. 104
Prepared Statement............................................. 106
Cyrus R. Vance, Jr., District Attorney, New York County
Oral Testimony................................................. 131
Prepared Statement............................................. 133
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
Material submitted by the Honorable Steve Chabot, a
Representative in Congress from the State of Ohio, and Member,
Committee on the Judiciary..................................... 18
Material submitted by the Honorable Darrell E. Issa, a
Representative in Congress from the State of California, and
Member, Committee on the Judiciary............................. 31
Material submitted by the Honorable Zoe Lofgren, a Representative
in Congress from the State of California, and Member, Committee
on the Judiciary............................................... 43
Material submitted by the Honorable Cedric Richmond, a
Representative in Congress from the State of Louisiana, and
Member, Committee on the Judiciary............................. 68
Material submitted by the Honorable Bob Goodlatte, a
Representative in Congress from the State of Virginia, and
Chairman, Committee on the Judiciary........................... 87
APPENDIX
Material Submitted for the Hearing Record
Material submitted by the Honorable Bob Goodlatte, a
Representative in Congress from the State of Virginia, and
Chairman, Committee on the Judiciary........................... 180
Material submitted by the Honorable Doug Collins, a
Representative in Congress from the State of Georgia, and
Member, Committee on the Judiciary............................. 183
Questions for the Record submitted to the Honorable James B.
Comey, Director, Federal Bureau of Investigation............... 186
Response to Questions for the Record from Bruce Sewell, Senior
Vice President and General Counsel, Apple, Inc................. 189
Response to Questions for the Record from Susan Landau, Ph.D.,
Professor of Cybersecurity Policy, Worcester Polytechnic
Institute...................................................... 201
Response to Questions for the Record from Cyrus R. Vance, Jr.,
District Attorney, New York County.......................209
deg.OFFICIAL HEARING RECORD
Unprinted Material Submitted for the Hearing Record
Material submitted by the Honorable Zoe Lofgren, a Representative in
Congress from the State of California, and Member, Committee on the
Judiciary. This submission is available at the Committee and can
also be accessed at:
http://docs.house.gov/Committee/Calendar/
ByEvent.aspx?EventID=104573
Material submitted by Bruce Sewell, Senior Vice President and General
Counsel, Apple, Inc. This submission is available at the Committee
and can also be accessed at:
http://docs.house.gov/Committee/Calendar/
ByEvent.aspx?EventID=104573
THE ENCRYPTION TIGHTROPE: BALANCING AMERICANS' SECURITY AND PRIVACY
----------
TUESDAY, MARCH 1, 2016
House of Representatives
Committee on the Judiciary
Washington, DC.
The Committee met, pursuant to call, at 1:05 p.m., in room
2141, Rayburn House Office Building, the Honorable Bob
Goodlatte (Chairman of the Committee) presiding.
Present: Representatives Goodlatte, Sensenbrenner, Chabot,
Issa, King, Jordan, Poe, Chaffetz, Marino, Gowdy, Labrador,
Collins, DeSantis, Walters, Buck, Conyers, Nadler, Lofgren,
Cohen, Johnson, Chu, Deutch, Gutierrez, Bass, Richmond,
DelBene, Jeffries, Cicilline, and Peters.
Staff Present: (Majority) Shelley Husband, Chief of Staff &
General Counsel; Branden Ritchie, Deputy Chief of Staff & Chief
Counsel; Zachary Somers, Parliamentarian & General Counsel;
Kelsey Williams, Clerk; Caroline Lynch, Chief Counsel,
Subcommittee on Crime, Terrorism, Homeland Security, and
Investigations; Ryan Breitenbach, Counsel, Subcommittee on
Crime, Terrorism, Homeland Security, and Investigations;
(Minority) Perry Apelbaum, Staff Director & Chief Counsel;
Danielle Brown, Parliamentarian & Chief Legislative Counsel;
Aaron Hiller, Chief Oversight Counsel; Joe Graupensperger,
Chief Counsel, Subcommittee on Crime, Terrorism, Homeland
Security, and Investigations; James Park, Chief Counsel,
Subcommittee on the Constitution; David Greengrass, Counsel;
Eric Williams, Crime Detailee; and Veronica Eligan,
Professional Staff Member.
Mr. Goodlatte. We'd ask all the members of the media that
are taking thousands of pictures here, I'm sure they got some
excellent ones of the Director, but we ask you to please clear
aside so we can begin the hearing.
The Judiciary Committee will come to order. And without
objection, the Chair is authorized to declare recesses of the
Committee at any time. We welcome everyone to this afternoon's
hearing on The Encryption Tightrope: Balancing Americans'
Security and Privacy. And I will begin by recognizing myself
for an opening statement.
We welcome everyone today to this timely and important
hearing on encryption. Encryption is a good thing. It prevents
crime, it prevents terrorist attacks, it keeps our most
valuable information safe, yet it is not used as effectively
today as is necessary to protect against the ever-increasing
sophistication of foreign governments, criminal enterprises,
and just plain hackers.
We see this manifest almost every week in the reports of
losses of massive amounts of our most valuable information from
government agencies, retailers, financial institutions, and
average Americans. From identity theft, to the compromising of
our infrastructure, to our economic and military security,
encryption must play an ever-increasing role, and the companies
that develop it must be encouraged to increase its
effectiveness.
Encryption is a topic that may sound arcane, or only the
province of techies, but, in fact, it is a subject whose
solutions will have far-reaching and lasting consequences. The
Judiciary Committee is a particularly appropriate forum for
this congressional debate to occur. As the Committee of
exclusive jurisdiction over the United States Constitution, the
Bill of Rights, and the Federal Criminal Laws and Procedures,
we are well-versed in the perennial struggle between protecting
Americans' privacy and enabling robust public safety.
This Committee is accustomed to addressing many of the
significant legal questions arising from laws that govern
surveillance and government access to communications,
particularly the Wiretap Act, the Electronic Communications
Privacy Act, the Foreign Intelligence Surveillance Act, and the
Communications Assistance to Law Enforcement Act, otherwise
known as CALEA.
Today's hearing is a continuation of the Committee's work
on encryption, work that Congress is best suited to resolve. As
the hearing title indicates, society has been walking a
tightrope for generations in attempting to balance the security
and privacy of Americans' communications with the needs of our
law enforcement and intelligence agencies. In fact, the entire
world now faces a similar predicament, particularly as our
commerce and communications bleed over international boundaries
on a daily basis.
Encryption in securing data in motion, and in storage, is a
valuable technological tool that enhances Americans' privacy,
protects our personal safety and national security, and ensures
the free flow of our Nation's commerce. Nevertheless, as
encryption has increasingly become a ubiquitous technique to
secure communications among consumers, industry, and
governments, a national debate has arisen concerning the
positive and negative implications for public safety and
national security.
This growing use of encryption presents new challenges for
law enforcement seeking to obtain information during the course
of its investigations, and, even more foundationally, test the
basic framework that our Nation has historically used to ensure
a fair and impartial evaluation of legal process used to obtain
evidence of a crime.
We must answer this question: How do we deploy ever
stronger, more effective encryption without unduly preventing
lawful access to communications of criminals and terrorists
intent on doing us harm? This now seems like a perennial
question that has challenged us for years. In fact, over 15
years ago, I led congressional efforts to ensure strong
encryption technologies, and to ensure that the government
could not automatically demand a backdoor key to encryption
technologies. This enabled the U.S. encryption market to thrive
and produce effective encryption technologies for legitimate
actors rather than see the market head completely overseas to
companies that do not have to comply with basic protections.
However, it is also true that this technology has been a
devious tool of malefactors.
Here is where our concern lies: Adoption of new
communications technologies by those intending harm to the
American people is outpacing law enforcement's technological
capability to access those communications in legitimate
criminal and national security investigations.
Following the December 15 terrorist attack in San
Bernardino, California, investigators recovered a cell phone
owned by the County government, but used by one of the
terrorists responsible for the attack. After the FBI was unable
to unlock the phone and recover its contents, a Federal judge
ordered Apple to provide reasonable technical assistance to
assist law enforcement agents in obtaining access to the data
on the device, citing the All Writs Act as its authority to
compel.
Apple has challenged the court order, arguing that its
encryption technology is necessary to protect its customers'
communications, security, and privacy, and raising both
constitutional and statutory objections to the Magistrate's
order.
This particular case has some very unique factors involved,
and, as such, may not be an ideal case upon which to set
precedent. And it is not the only case in which this issue is
being litigated. Just yesterday, a magistrate judge in the
Eastern District of New York ruled that the government cannot
compel Apple to unlock an iPhone pursuant to the All Writs Act.
It is clear that these cases illustrate the competing
interests at play in this dynamic policy question, a question
that is too complex to be left to the courts and must be
answered by Congress. Americans surely expect that their
private communications are protected. Similarly, law
enforcement's sworn duty is to ensure that public safety and
national security are not jeopardized if possible solutions
exist within their control.
This body, as well, holds its own constitutional
prerogatives and duties. Congress has a central role to ensure
that technology advances so as to protect our privacy, help
keep us safe, and prevent crime and terrorist attacks. Congress
must also continue to find new ways to bring to justice
criminals and terrorists. We must find a way for physical
security not to be at odds with information security. Law
enforcement must be able to fight crime and keep us safe, and
this country's innovative companies must, at the same time,
have the opportunity to offer secure services to keep their
customers safe.
The question for Americans and lawmakers is not whether or
not encryption is essential, it is; but instead, whether law
enforcement should be granted access to encrypted
communications when enforcing the law and pursuing their
objectives to keep our citizens safe.
I look forward to hearing from our distinguished witnesses
today as the Committee continues its oversight of this real-
life dilemma facing real people all over the globe.
It's now my pleasure to recognize the Ranking Member of the
Committee, the gentleman from Michigan, Mr. Conyers, for his
opening statement.
Mr. Conyers. Thank you, Chairman Goodlatte. Members of the
Committee and our first and distinguished guest, I want to
associate myself with your comments about our jurisdiction. It
is not an accident that the House Judiciary Committee is the
Committee of primary jurisdiction with respect to the legal
architecture of government surveillance.
In times of heightened tension, some of our colleagues will
rush to do something, anything, to get out in front of an
issue. We welcome their voices in the debate, but it is here,
in this Committee room, that the House begins to make decisions
about the tools and methods available to law enforcement.
I believe that it is important to say up front, before we
get into the details of the Apple case, that strong encryption
keeps us safe, even as it protects our privacy. Former National
Security Agency Director, Michael Hayden, said only last week
that America is more secure with unbreakable end-to-end
encryption. In this room, just last Thursday, former Secretary
of Homeland Security, Michael Chertoff, testified that in his
experience, strong encryption laws help law enforcement more
than it hinders any agency in any given case.
The National Security Council has concluded that the
benefits to privacy, civil liberties, and cybersecurity gained
from encryption outweigh the broader risks created by weakening
encryption. And Director Comey himself has put it very plainly:
universal, strong encryption will protect all of us, our
innovation, our private thoughts, and so many other things of
value, from thieves of all kinds. We will all have lock boxes
in our lives that only we can open, and in which we can store
all that is valuable to us. There are lots of good things about
this.
Now for years, despite what we know about the benefits of
encryption, the Department of Justice and the Federal Bureau of
Investigation have urged this Committee to give them the
authority to mandate that companies create backdoors into their
secure products.
I have been reluctant to support this idea for a number of
reasons. The technical experts have warned us that it is
impossible to intentionally introduce flaws into secure
products, often called backdoors, that only law enforcement can
exploit to the exclusion of terrorists and cyber criminals. The
tech companies have warned us that it would cost millions of
dollars to implement and replace them at a competitive
disadvantage around the world. The national security experts
have warned us that terrorists and other criminals will simply
resort to other tools entirely outside the reach of our law
enforcement and intelligence agencies.
And I accept that reasonable people can disagree with me on
each of these points, but what concerns me, Mr. Chairman, is
that in the middle of an ongoing congressional debate on this
subject, the Federal Bureau of Investigation would ask a
Federal magistrate to give them the special access to secure
products that this Committee, this Congress, and the
Administration have so far refused to provide.
Why has the government taken this step and forced this
issue? I suspect that part of the answer lies in an email
obtained by The Washington Post and reported to the public last
September. In it, a senior lawyer in the intelligence community
writes that although the legislative environment toward
encryption is very hostile today, it could turn in the event of
a terrorist attack or a criminal event where strong encryption
can be shown to have hindered law enforcement. He concluded
that there is value in keeping our options open for such a
situation.
I'm deeply concerned by this cynical mind-set, and I would
be deeply disappointed if it turns out that the government is
found to be exploiting a national tragedy to pursue a change in
the law.
I also have doubts about the wisdom of applying the All
Writs Act, enacted in 1789, codified in 1911, and last applied
to a communications provider by the Supreme Court in 1977, to a
profound question about privacy and modern computing in 2016. I
fear that pursuing this serious and complex issue through the
awkward use of an inept statute was not, and is not, the best
course of action, and I'm not alone in this view.
Yesterday, in the Eastern District of New York, a Federal
judge denied a motion to order Apple to unlock an iPhone under
circumstances similar to those in San Bernardino. The court
found that the All Writs Act, as construed by the government,
would confer on the courts an overbroad authority to override
individual autonomy. However, nothing in the government's
argument suggests any principal limit on how far a court may go
in requiring a person, or company, to violate the most deeply
rooted values.
We could say the same about the FBI's request in
California. The government's assertion of power is without
limiting principle, and likely to have sweeping consequences,
whether or not we pretend that the request is limited to just
this device or just this one case.
This Committee, and not the courts, is the appropriate
place to consider those consequences, even if the dialogue does
not yield the results desired by some in the law enforcement
community. I'm grateful that we are having this conversation
today back in the forum in which it belongs, the House
Judiciary Committee. And so I thank the Chairman very much. And
I yield back.
Mr. Goodlatte. Thank you, Mr. Conyers.
And without objection, all other Members' opening
statements will be made a part of the record.
We welcome our distinguished witness of today's first
panel. And if you would please rise, I'll begin by swearing you
in.
Do you swear that the testimony that you are about to give
shall be the truth, the whole truth, and nothing but the truth,
so help you God?
Mr. Comey. I do.
Mr. Goodlatte. Thank you very much. Please be seated.
I'll now begin by introducing our first distinguished
witness today, Director James Comey of the Federal Bureau of
Investigation. Director Comey began his career as an Assistant
United States Attorney for both the Southern District of New
York and the Eastern District of Virginia. After the 9/11
terrorist attacks, Director Comey returned to New York to
become the United States Attorney for the Southern District of
New York. In 2003, he was appointed deputy attorney general
under the United States Attorney General, John Ashcroft.
Director Comey is a graduate of the College of William &
Mary and the University of Chicago Law School.
Director, welcome. Your entire written statement will be
made a part of the record. And I ask that you summarize your
testimony in 5 minutes. And we have the timing light that
you're well familiar with on the table. Again, welcome. We're
pleased that you are here, and you may begin your testimony.
TESTIMONY OF HONORABLE JAMES B. COMEY, DIRECTOR, FEDERAL BUREAU
OF INVESTIGATION
Mr. Comey. Thank you so much, Mr. Chairman, Mr. Conyers.
Thank you for hosting this conversation, and for helping us all
talk about an issue that I believe is the hardest issue I've
confronted in government, which is how to balance the privacy
we so treasure, that comes to us through the technology that we
love, and also achieve public safety, which we also all very
much treasure.
I worry a little bit that we've been talking past each
other, both folks in the government and folks in the private
sector, when it comes to this question of encryption, which we
in the government call ``going dark.'' What I'd like to do is
just take 3 or 4 minutes and try to frame how I think about it,
in a way I hope is fair, fair-minded, and if it's not, I hope
you'll poke at me and tell me where you think it's not, but
these are the things I believe to be true:
First, that the logic of encryption will bring us, in the
not-too-distant future, to a place where all of our
conversations and all of our papers and effects are entirely
private; that is, where no one can listen to our conversations,
read our texts, read our emails unless we say so, and no one
can look at our stuff, read our documents, read things we file
away without our agreement. That's the first thing I believe,
that the logic of encryption is taking us there.
The second thing I believe is, as both you and Mr. Conyers
said, there's a lot of good about this, a lot of benefits to
this. All of us will be able to keep private and keep protected
from thieves of all kinds, the things that matter most to us,
our ideas, our innovation, our secret thoughts, our hopes, our
dreams. There is a lot to love about this. We will all be able
to have storage spaces in our life that nobody else can get
into.
The third thing I believe is that there are many costs to
this. For the last two centuries, public safety in this country
has depended, in large measure, on the ability of law
enforcement agents going to courts and obtaining warrants to
look in storage areas or apartments, or to listen with
appropriate predication oversight to conversations. That is the
way in which law enforcement brings us public safety. It is
very, very important, and it's been part of the balance in
ordered liberty, that sometimes the people's stuff can be
looked at, but only with predication and only with oversight
and approval by an independent judiciary.
The fourth thing I believe is that these two things are in
tension in many contexts, increasingly in our national security
work, and in law enforcement work, generally across the
country. We see it obviously in ISIL's efforts to reach into
this country, and using mobile messaging apps that are end-to-
end encrypted, task people to kill innocent people in the
United States. That is a huge feature of our national security
work and a major impediment to our counterterrorism work,
because even with a court order, what we get is unreadable; to
use a technical term, it's gobbledygook. Right? We cannot
decrypt that that which is covered by strong encryption.
We also see it in criminal work across the country. We see
very tragically last year in Baton Rouge where a pregnant woman
8 months pregnant was killed by somebody she opened the door
to. And her mom says she kept a diary, but it's on her phone,
which is locked, and so the case remains unsolved.
And most recently and most prominently, as both Mr. Conyers
and the Chairman mentioned, we see it in San Bernardino, a case
where two terrorists, in the name of ISIL, killed 14 people and
wounded 22 others at an office gathering and left behind three
phones, two of which, the cheaper models, they smashed beyond
use, and the third was left locked.
In any investigation that is done competently, the FBI
would try to get access to that phone. It's important that it's
a live, ongoing terrorism investigation, but in any criminal
investigation, a competent investigator would try and use all
lawful tools to get access to that device, and that's what you
see happening in San Bernardino.
The San Bernardino case is about that case. It obviously
highlights the broader issue and, of course, it will we looked
upon by other judges and other litigants, but it is about the
case and trying to do a competent job of understanding, is
there somebody else? And are there clues to what else might
have gone on here? That is our job.
The fifth thing I believe is that democracies resolve these
kind of really hard questions through robust debate. I think
the FBI's job is very, very limited. We have two jobs. The
first is to investigate cases like San Bernardino, and to use
tools that are lawful and appropriate. The second thing, it's
our job to tell the American people, the tools you are counting
on us to use to keep you safe are becoming less and less
effective.
It is not our job to tell the American people how to
resolve that problem. The FBI is not some alien force imposed
upon America from Mars. We are owned by the American people, we
only use the tools that are given to us under the law. And so
our job is simply to tell people there is a problem. Everybody
should care about it, everybody should want to understand if
there are warrant-proof spaces in American life. What does that
mean? And what are the costs of that and how do we think about
that?
I don't know what the answer is. It may be the American
people, through Congress and the courts, decide it's too hard
to solve, or law enforcement can do its job well enough with
strong encryption covering our communications and our papers
and effects, or that it's something that we have to find a way
to fix to achieve a better balance. I don't know. My job is to
try to offer thoughtful explanations about the tools the FBI
has, and to bring them to the attention of the American people,
and then answer questions about that.
So I'm very, very grateful for this forum, very, very
grateful for this conversation. There are no demons in this
debate. The companies are not evil, the government's not evil.
You have a whole lot of good people who see the world through
different lenses, who care about things, all care about the
same things, in my view. The companies care about public
safety, the FBI cares about innovation and privacy. We devote
our lives to try to stop people from stealing our innovation,
our secrets, and hacking into our devices. We care about the
same things, which should make this in a way an easier
conversation, which I very much look forward to. Thank you.
[The prepared statement of Mr. Comey follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Goodlatte. Thank you, Director Comey. We'll now proceed
under the 5-minute rule with questions for the witness, and
I'll begin by recognizing myself.
Director, there has been quite a bit of debate on the
government's reliance on the All Writs Act, which most people
had never heard of until the last week or so. That is being
used in this case to try to compel Apple to bypass the auto
erase functions on the phone. It has been characterized as an
antiquated statute dating back to 1789, that was never intended
to empower the courts to require a third party to develop new
technology.
How do you respond to that characterization? Has the FBI
relied on the Act in the past to gain access to iPhones or
other similar devices, and is the Act limited to the
circumstances in which Congress has already imposed a statutory
duty on a third party to provide assistance?
Mr. Comey. Thank you, Mr. Chairman. I smile a little bit
when I hear that, because old doesn't mean bad, at least I hope
it doesn't, because I'm rapidly approaching that point. The
Constitution is as old or older than the All Writs Act, and I
think that's still a pretty useful document.
It's a tool that I use. I think there's some Members of the
Committee who are former Federal prosecutors. Every assistant
U.S. Attorney knows it. I used it when I started as an AUSA in
1987. It is an Act that Congress passed when the Constitution
was a baby, so there was a vehicle for judges to get their
orders complied with. And it's been used many, many, many
times, and interpreted by the courts many times, including by
the Supreme Court.
The cases at hand are simply about, as I understand it,
what is the reach of the All Writs Act. It's still good law,
but how far does it extend, especially given how technology has
changed. And I think the courts are going to sort that out.
There was a decision yesterday in New York, there will be
decisions in California. There will probably be lots of others,
because this is a problem law enforcement is seeing all over
the country.
Mr. Goodlatte. Let me ask you about that decision in New
York, because in its brief in the California case, Apple argues
that a provision of CALEA, another Federal statute, actually
prohibits the magistrate from ordering it to design a means to
override the auto erase functions on the phone. Just yesterday,
a magistrate in New York upheld that argument. Can you comment
on that?
Mr. Comey. Not in an intelligent way, because I haven't
read the decision out of New York. I understand the basic
contours of the argument. I don't fully get it, honestly,
because CALEA is about data in motion, and this is about data
at rest, but I also think this is the kind of thing judges do.
They take acts of Congress and try to understand, so what does
it mean, especially given changing circumstances. So I expect
it'll be bumpy, there will be lots of lawyers paid for lots of
hours of work, but we will get to a place where we have the
courts with an understanding of its reach.
Mr. Goodlatte. Now, if the FBI is successful in requiring
Apple to unlock this phone, that won't really be a one-time
request, correct?
Mr. Comey. Well, the issue of locked phones certainly not,
because it's become a----
Mr. Goodlatte. It will set a precedent for other requests
from the Federal Bureau of Investigation and any other law
enforcement agency to seek the same assistance in many, many,
many other cases?
Mr. Comey. Sure, potentially, because any decision of a
court about a matter is potentially useful to other courts,
which is what a precedent is. I happen to think, having talked
to experts, there are technical limitations to how useful this
particular San Bernardino technique will be, given how the
phones have changed, but sure, other courts, other prosecutors,
other lawyers for companies will look to that for guidance or
to try and distinguish it.
Mr. Goodlatte. So that technology once developed, which I
presume they could destroy again, but then will have to
recreate hundreds of times, how confident are you--whichever
procedure Apple decided to pursue, how confident are you that
what you are requesting, which is the creation effectively of a
key, a code, how confident are you that will remain secure and
allow all the other customers of Apple, and when this is
applied to other companies' technology as well, how confident
are you that it will not fall into the wrong hands and make
everyone's communication devices less secure, not more secure?
Mr. Comey. First, I've got to quibble a little bit with the
premise of your question. I hear people talk about keys or
backdoors. I actually don't see that this way. I mean, there
are issues about backdoors. This is about--there's already a
door on that iPhone. Essentially we're asking Apple, take the
vicious guard dog away; let us try and pick the lock. The later
phones, as I understand the 6 and after, there aren't doors, so
there isn't going to be, can you take the guard dog away and
let us pick the lock.
But, look, I have a lot of faith, and maybe I don't know
them well enough, in the company's ability to secure their
information. The iCloud, for example, is not encrypted, right,
but I don't lie awake at night worrying about whether they're
able to protect the contents of the iCloud. They are very, very
good at protecting their information and their innovation. So
no thing is for certain, but I think these folks are pros.
Mr. Goodlatte. Thank you very much. The Chair recognizes
the Ranking Member, Mr. Conyers, for his questions.
Mr. Conyers. Thank you, Chairman Goodlatte. And welcome,
again, to our forum here, a very regular visitor to the
Judiciary Committee.
Director Comey, it's been suggested that Apple has no
interest in helping law enforcement in any criminal case and
that the company cares more about marketing than about
investigating a terrorist attack. In your view, are companies
like Apple generally cooperative when the FBI asks for
assistance accompanied by appropriate legal process? Did Apple
assist with this particular investigation?
Mr. Comey. I think, in general, all American companies, and
I can't think of an exception sitting here, want to be helpful,
especially when it comes to public safety, because they have
families and children just as we do, so that's the attitude
we're met with.
And in this particular case, as in many others, Apple was
helpful to us. We had lots of good conversations about what we
might be able to do to get this device open, and we got to
place where they said, for reasons that I don't question their
motive, we're not willing to go further, and the government
made a decision, we still have an avenue to pursue with the
judge. We'll go to the judge. But I don't question their
motives.
Mr. Conyers. All right. Thank you. I sense that you're
still reluctant to speak about how your success in this case
might set a precedent for future actions. You indicated last
week that this litigation may guide how other courts handle
similar requests. Could you elaborate on that, please?
Mr. Comey. Sure. There's no--first of all, let me say this.
I've been trying to explain to people, this case in San
Bernardino is about this case. And the reason I've tried to say
that so much publicly is, I worry very much about the pain,
frankly, to the victims in this case when they see this matter
that's so important to them becoming a vehicle for a broader
conversation. So I want to make sure that everybody, especially
the FBI, remains grounded in the fact this is about that case.
My wife has a great expression she uses to help me be a better
person, which is, ``It's not about you, Dear.''
This case in San Bernardino is not about the FBI, it's not
about Apple, it not about Congress, it's not about anything
other than trying to do a competent investigation in an
ongoing, active case. That said, of course, any decision by a
judge in any forum is going to be potentially precedential in
some other forum; not binding, but guidance, either positive or
against. The government lost the case yesterday in Brooklyn. We
could lose the case in San Bernardino, and it will be used as
precedent against the government. That's just the way the law
works, which I happen to think is a good thing.
Mr. Conyers. Thank you. If you succeed in this case, will
the FBI return to the courts in future cases to demand that
Apple and other private companies assist you in unlocking
secure devices?
Mr. Comey. Potentially, yes. If the All Writs Act is
available to us and the relief under the All Writs Act as
explained by the courts fits the powers of the statute, of
course.
Mr. Conyers. And, finally, I think we can acknowledge,
then, that this case will set some precedent, and if you
succeed, you will have won the authority to access encrypted
devices, at least for now. Given that you've asked us to
provide you with that authority since taking your position at
the Bureau, and given that Congress has explicitly denied you
that authority so far, can you appreciate our frustration that
this case appears to be little more than an end run around this
Committee?
Mr. Comey. I really can't, Mr. Conyers. First of all, I
don't recall a time when I've asked for a particular
legislative fix. In fact, the Administration's position has
been they're not seeking legislation at this time. But I also--
we're investigating a horrific terrorist attack at San
Bernardino. There's a phone that's unlocked that belonged to
one of the killers. The All Writs Act that we've used since I
was a boy, we think is a reasonable argument to have the court
use the All Writs Act to direct the company to open that phone.
That's what this is about. If I didn't do that, I ought to be
fired, honestly.
I can also understand your frustration at the broader
conversation, because it goes way beyond this case. This case
will be resolved by the courts. It does not solve the problem
we're all here wrestling with.
Mr. Conyers. I thank the Director, and I yield back any
unused time. Thank you, Mr. Chairman.
Mr. Goodlatte. Thank you. And the Chair recognizes the
gentleman from Ohio, Mr. Chabot, for 5 minutes.
Mr. Chabot. Thank you, Mr. Chairman. I have a statement
from the Application Developers Alliance here that I'd like to
have included in the record.
Mr. Goodlatte. Without objection, it will be made a part of
the record.
[The information referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Chabot. Thank you, Mr. Chairman.
And, Director Comey, like yourself, I happen to be a
graduate of the College of William & Mary, so I'm going to
start off with a tough question. Anything nice you'd like to
say about the College of William & Mary?
Mr. Comey. I could tell there with glow coming from your
seat. That's explained by your being a member of the Tribe.
Best thing ever happened to me besides--I actually met my wife
there. That's the best thing that ever happened to me. Second
best is that I was there.
Mr. Chabot. Excellent. Yes, it's a great place to go. There
are two members currently. Ms. Titus of Nevada is also a
graduate.
Now, this hearing is about electronic data security, or as
you describe it----
Mr. Goodlatte. The Chair is happy to extend additional time
to the gentleman for recognizing an important Virginia
educational institution.
Mr. Chabot. I appreciate the Chairman.
And as is already indicated, this is about electronic data
security or, as you described it, keeping our stuff online
private. So I'd like to ask you this, and it may seem a little
off topic, but I don't think it is.
A few weeks back, the FBI's general counsel, James Baker,
acknowledged that the FBI is ``working on matters related to
former Secretary of State Hillary Clinton's use of a private
email server.'' And then the White House press secretary, Josh
Earnest, stated that ``some officials over there,'' referring
to the FBI, ``had said that Hillary Clinton is not a target of
this investigation, and that it's not trending in that
direction.'' And the President then weighed in, even though he
apparently had never been briefed on the matter, commenting
that he didn't see any national security implications in
Hillary's emails, and obviously, this is a matter of
considerable import.
Is there anything that you can tell us as to when this
matter might be wrapped up one way or the other?
Mr. Comey. I can't, Congressman. As you know, we don't talk
about our investigations. What I can assure you is that I am
very close personally to that investigation to ensure that we
have the resources we need, including people and technology,
and that it's done the way the FBI tries to do all of its work:
independently, competently, and promptly. That's our goal, and
I'm confident it's being done that way, but I can't give you
any more details beyond that.
Mr. Chabot. I certainly understand, and I appreciate that.
I thought you might say that, but you can't blame me for
trying. Let me move on.
If Apple chose to comply with the government's demand,
maybe it does have the technical expertise and time and
finances to create such a vulnerability so we can get in and
get that information. But let me ask you, what about a small
business? I happen to be the Chairman of the House Small
Business Committee. Wouldn't such a mandate to, say, a small
company, a startup, say, with, you know, four or five, six
employees, wouldn't that be a huge burden on a small business
to have to comply with this sort of thing?
Mr. Comey. I think it might be, and that's one of the
factors that I understand the courts consider in passing on an
All Writs Act request, the burden to the private actor, how
much it would cost them, how much time and effort? And I think
Apple's argument in this case is, it would take us a ton of
effort, time, and money to do it, and so that's one of the
reasons we shouldn't be compelled to do it. So it's a
consideration built into the judicial interpretations of the
Act.
Mr. Chabot. Thank you. As the Chair of the Committee, we'd
ask you certainly to consider how this could affect--you know,
seven out of 10 new jobs created in the economy are small
business folks; half of the people employed in this country in
the private sector are small businesses, and I think we should
always consider them. Let me move on to something else.
In his testimony from our December 2015 hearing about H.R.
699, the Email Privacy Act, Richard Littlehale, the Assistant
Special Agent in charge of Criminal Investigation Division of
the Tennessee Bureau of Investigations, voiced a frustration
with the increasing technological capabilities of both
criminals and noncriminals.
Rather than trying to arguably infringe on the Fourth
Amendment rights of all Americans, would it be possible to
better train our law enforcement officers and equip them to
keep up with this changing world that we're discussing today?
Mr. Comey. Well, there's no doubt that we have to continue
to invest in training so that all of our folks are digitally
literate and able to investigate in that way. The problem we
face here is all of our lives are on these devices, which is
why it's so important that they be private, but that also means
all of criminals' and pedophiles' and terrorists' lives are on
these devices, and if they can't--if they're warrant-proof,
even a judge can't order access to a device, that is a big
problem. I don't care how good the cop is, I don't care how
good the agent is, that is a big problem. So that, we can't
quite train our way around.
Mr. Chabot. Thank you very much. I'm always almost out of
time so let me concludes with, go Tribe. Thank you.
Mr. Goodlatte. The Chair thanks the gentleman and
recognizes the gentleman from New York, Mr. Nadler, for----
Mr. Nadler. Thank you. Since we've gone a little far afield
here, let me do so again very briefly to point out that, among
others, Thomas Jefferson, who, among his minor accomplishments,
was the Founder of the Democratic Party, was also a graduate of
William & Mary.
Mr. Chabot. True.
Mr. Nadler. Mr. Comey, Director Comey, the attack--well,
we're all certainly very condemning of the terrorist attack in
San Bernardino, and we all--our hearts go out to the families
and victims of that. I commend the FBI for everything you've
done to investigate this matter. Now, the two terrorists are
dead and another coconspirator, the neighbor, is in jail. You
have used the USA Freedom Act to track their phone calls and
invest--which this Committee wrote last year--to track their
phone calls and investigate everyone they ever spoke to on that
phone. The FBI has done a great job already. Now, let me ask a
few questions.
It's my understanding that the--that we have found that the
attack in San Bernardino was not, in any way, planned or
coordinated by ISIS. Is that correct? It may have been inspired
by, but not directed or planned by.
Mr. Comey. Right. So far as we know, correct.
Mr. Nadler. And have you eliminated any connection between
the two suspects and any overseas terrorist organization?
Mr. Comey. Eliminated any? We have not----
Mr. Nadler. Have you seen any evidence of any, is a better
way of putting it?
Mr. Comey. We have not seen any evidence of that.
Mr. Nadler. Okay. Now, given those facts--so there's no
evidence of any coordination with anybody else, that's the two
homegrown, self-motivated, perhaps inspired-by-ISIS terrorists.
Now, the investigators seized the iPhone in question on
December 3; the FBI reached out to Apple for assistance on
December 5. Apple started providing the FBI with information,
with account information, I gather, the same day, but then the
next day, on December 6, at the instruction of the FBI, San
Bernardino County changed the password to the iCloud account
associated with that device. They did so without consulting
Apple, at the instruction or suggestion of the FBI. And
changing that password foreclosed the possibility of an
automatic backup that would allowed Apple to provide you with
this information without bypassing its own security, and thus
necessitating, in the first place, the application to the court
that you made and that we're discussing today. In other words,
if the FBI hadn't instructed San Bernardino County to change
the password to the iCloud account, all of this would have been
unnecessary, and you would have had that information. So my
question is, why did the FBI do that?
Mr. Comey. I have to--first of all, I want to choose my
words very, very carefully. I said there is no evidence of
direction from overseas terrorist organizations. This is a live
investigation. I can't say much more beyond that. This
investigation is not over, and I worry that embedded in your
question was--and that you understood me to be saying that.
Second, I do think, as I understand it from the experts,
there was a mistake made in that 24 hours after the attack
where the County, at the FBI's request, took steps that made it
hard--impossible later to cause the phone to back up again to
the iCloud. The experts have told me I'd still be sitting here,
I was going to say unfortunately, not unfortunately,
fortunately, I'm glad I'm here, but we would still be in
litigation, because, the experts tell me, there's no way we
would have gotten everything off the phone from a backup. I
have to take them at their word. But that part of your premise
of your question is accurate.
Mr. Nadler. Okay. So the second part of my question is, it
wasn't until almost 50 days later on January 22 when you served
the warrant. Given the allegedly critical nature of this
information, why did it take the FBI 50 days to go to court?
Mr. Comey. I think there were a whole lot of conversations
going on in that interim with companies, with other parts of
the government, with other resources to figure out if there was
a way to do it short of having to go to court.
Mr. Nadler. Okay. Thank you. Now, can you offer a specific
case, because I do think we all understand that it's not just a
specific case, it will have widespread implications in law, and
however the courts resolve this, which is essentially a
statutory interpretation case, the buck is going to stop here
at some point, we're going to be asked to change the law.
So encryption software is free, open source, and widely
available. If Congress were to pass a law forcing U.S.
companies to provide law enforcement with access to encrypted
systems, would that law stop bad actors from using their own
encryption?
Mr. Comey. It would not.
Mr. Nadler. It would not. So the bad actors would just get
around it?
Mr. Comey. Sure. Encryption's always been available to bad
actors, nation states----
Mr. Nadler. So if we were to pass a law saying that Apple
and whoever else had to put backdoors, or whatever you want to
call them, into their systems, the bad actors that were--and
with all the appropriate--with all the--not appropriate, all
the concomitant surrenders of privacy, et cetera, et cetera,
the bad actors could easily get around that by making their own
encryption systems?
Mr. Comey. The reason I'm hesitating is I think we're
mixing together two things: data in motion and data at rest.
The bad guys couldn't make their own phones, but the bad guys
could always try and find a device that was strongly encrypted.
The big change here happened in the fall of 2014 when the
company split from available encryption to default, and
that's----
Mr. Nadler. Yeah. But couldn't----
Mr. Comey [continuing]. That's the shadow of going dark
and----
Mr. Nadler. But couldn't foreign companies and bad actors
generally do that, whatever we said?
Mr. Comey. Sure. Potentially people could say, I love this
American device, but because I worry about a judge ordering
access to it, I'm going to buy this phone from a Nordic country
that's different in some way. That could happen. I have a hard
time seeing it happen a lot, but it could happen.
Mr. Nadler. My time has expired. Thank you.B1
first Issa submission deg.
Mr. Issa. Mr. Chairman, I'd like to ask unanimous consent
some documents be placed in the record at this time. I'd like
to ask unanimous consent that Patent Number 0240732, patent----
Mr. Goodlatte. Without objection.B2, B3, B4, B5
Issa submissions deg.
Mr. Issa. Thank you. Additionally, B2 deg.27353,
another patent; additionally, a B3 deg.copy of the USA
Today entitled, ``Ex-NSA Chief Backs Apple On iPhone;''
additionally, from B4 deg.Science and Technology, an
article that says, ``Department of Homeland Security awards
$2.2 million to Malibu, California, company for mobile security
research and, in other words, an encryption-proof, unbreakable
phone;'' additionally and lastly, the B5 deg.article
in Politico today on the New York judge's ruling in favor of
Apple.
Mr. Goodlatte. Without objection, they will all be made a
part of the record.
[The information referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Issa. Thank you, Mr. Chairman. Am I recognized?
Mr. Goodlatte. The gentleman is recognized for 5 minutes.
Mr. Issa. Thank you, Mr. Chairman.
Justice Scalia said, it's best--said best what I'm going to
quote almost 30 years ago in Arizona v. Hicks in which he said,
``There is nothing new in the realization that the Constitution
sometimes insulates the criminality of a few in order to
protect the privacy of all of us.''
I think that stands as a viewpoint that I have to balance
when asking you questions. As I understand the case, and
there's a lot of very brilliant lawyers and experienced people
that know about All Writs Act, but what I understand is that
you, in the case of Apple in California, are demanding, through
a court order, that Apple invent something, fair to say, that
they have to create something.
And if that's true, then my first question to you is the
FBI is the premier law enforcement organization with
laboratories that are second to none in the world. Are you
testifying today that you and/or contractors that you employ
could not achieve this without demanding an unwilling partner
do it?
Mr. Comey. Correct.
Mr. Issa. And you do so because you have researched this
extensively?
Mr. Comey. Yes. We've worked very, very hard on this. We're
never going to give up, but we've worked----
Mr. Issa. Did you receive the source code from Apple? Did
you demand the source code?
Mr. Comey. Did we ask Apple for their source code? I
don't--not that I'm aware of.
Mr. Issa. Okay. So you couldn't actually hand a software
person the source code and say, can you modify this to do what
we want, if you didn't have the source code. So who did you go
to, if you can tell us, that you consider an expert on writing
source code changes that you want Apple to do for you? You want
them to invent it, but who did you go to?
Mr. Comey. I'm not sure I'm following the question.
Mr. Issa. Well, you know, I'm going to assume that the
burden of Apple is X, but before you get to the burden of Apple
doing something it doesn't want to do, because it's not in its
economic best interests, and they've said that they have real
ethical beliefs that you're asking them to do something wrong,
sort of their moral fiber, but you are asking them to do
something, and there's a burden, no question at all, there's a
burden, they have to invent it. And I'm asking you, have you
fully viewed the burden to the government? We have--we spend
$4.2 trillion every year. You have a multi-billion dollar
budget. Is the burden so high on you that you could not defeat
this product, either through getting the source code and
changing it or some other means? Are you testifying to that?
Mr. Comey. I see. We wouldn't be litigating if we could. We
have engaged all parts of the U.S. Government to see does
anybody that has a way, short of asking Apple to do it, with a
5C running IOS 9 to do this, and we do not.
Mr. Issa. Okay. Well, let's go through the 5C running IOS
9. Does the 5C have a nonvolatile memory in which all of the
encrypted data and the selection switches for the phone
settings are all located in that encrypted data?
Mr. Comey. I don't know.
Mr. Issa. Well, it does.
Mr. Comey. Okay.
Mr. Issa. And take my word for it for now. So that means
that you can, in fact, remove from the phone all of its memory,
all of its nonvolatile memory, its disk drive, if you will, and
set it over here and have a true copy of it that you could
conduct infinite number of attacks on. Let's assume that you
can make an infinite number of copies once you make one copy,
right?
Mr. Comey. I have no idea.
Mr. Issa. Well, let's go through what you asked. And I'm
doing this, because I came out of the security business, and
this befuddles me that you haven't looked at the source code,
and you don't really understand the disk drive, at least to
answer my rather, you know, dumb questions, if you will.
If there's only a memory, and that memory, that nonvolatile
memory sits here and there's a chip, and the chip does have an
encryption code that was burned into it, and you can make
10,000 copies of this chip, this nonvolatile memory hard drive,
then you can perform as many attacks as you want on it.
Now, you've asked specifically Apple to defeat the finger
code so you can attack it automatically, so you don't have to
punch in codes. You've asked them to eliminate the ten and
destroy, but you haven't, as far as I know, asked them, okay,
if we make 1,000 copies, or 2,000 copies of this, and we put it
with the chip, and we run five tries, 00 through 04, and then
throw that image away and put another one in and do that 2,000
times, won't we have tried, with a nonchanging chip and an
encryption code that is duplicated 2,000 times, won't we have
tried all 10,000 possible combinations in a matter of hours?
If you haven't asked that question, the question is, how
can you come before this Committee and before a Federal judge,
and demand that somebody else invent something, if you can't
answer the questions that your people have tried this?
Mr. Comey. First thing, I'm the Director of the FBI. If I
could answer that question, there would be something
dysfunctional in my leadership.
Mr. Issa. No. I only asked if your people had done these
things. I didn't ask you if that would work. I don't know if
that work. I asked you, who did you go to, did you get the
source code? Have you asked these questions, because you're
expecting somebody to obey an order to do something they don't
want to do, and you haven't even figured out whether you could
do it yourself. You just told us, well, we can't do it, but you
didn't ask for the source code, and you didn't ask the
questions I asked here today, and I'm just a--I'm just a guy
that----
Mr. Goodlatte. The time of the gentleman has expired, and
the Director is permitted to answer the question.
Mr. Issa. Thank you, Mr. Chairman.
Mr. Comey. I did not ask the questions you're asking me
here today, and I'm not sure I fully even understand the
questions. I have reasonable confidence, in fact, I have high
confidence that all elements of the U.S. Government have
focused on this problem and have had great conversations with
Apple. Apple has never suggested to us that there's another way
to do it other than what they've been asked to do in the All
Writs Act. It could be when the Apple representative testifies,
you'll ask him and we'll have some great breakthrough, but I
don't think so. But I'm totally open to suggestions. Lots of
people have emailed ideas. I've heard about mirroring, and
maybe this is what you're talking about. We haven't figured it
out, but I'm hoping my folks are watching this, and if you've
said something that makes good sense to them, we'll jump on it
and we'll let you know.
Mr. Issa. Thank you.
Mr. Goodlatte. The Chair recognizes the gentlewoman from
California, Ms. Lofgren, for 5 minutes.
Ms. Lofgren. Thank you, Mr. Chairman. And thank you,
Director Comey, for your service to our country and your
efforts to keep us safe. It is appreciated by every member of
this Committee. And along with your entire agency, we do value
your service and appreciate it.
I remember in law school the phrase ``bad cases make bad
law.'' I'm sure we all heard that, and I think this might be a
prime example of that rule. We can't think of anything worse
than what happened in San Bernardino, two terrorists murdering
innocent people. It's outrageous. It sickens us, and it sickens
the country. But the question really has to be, what is the
rule of law here? Where are we going with this?
And as I was hearing your opening statement talking about a
world where everything is private, it may be that the
alternative is a world where nothing is private, because once
you have holes in encryption, the rule is, it's not a question
of if, but when those holes will be exploited and everything
that you thought was protected will be revealed.
Now, the United States law often tends to set international
norms, especially when it comes to technology policy. And, in
fact, China removed provisions that required backdoors in its
counterterrorism law passed in December because of the strong
international norm against creating cyber weaknesses, but last
night, I heard a report that the ambassadors from America, the
United States, Canada, Germany, and Japan, sent a joint letter
to China, because they're now thinking about putting a hole in
encryption in their new policy.
Did you think about the implication for foreign policy,
what China might do, when you filed the motion in San
Bernardino, or was that not part of the equation?
Mr. Comey. Yeah. I don't think--I don't remember thinking
about it in the context of this particular investigation, but I
think about it a whole lot broadly, which is one of the things
that makes it so hard. There are undoubtedly international
implications, actually, I think less to the device encryption
question and more to the data in motion question, but, yeah, I
have no doubt that there's international implications. I don't
have good visibility into what the Chinese require from people
who sell devices in their country. I know it's an important
topic.
Ms. Lofgren. Before I forget, Mr. Chairman, I'd like to ask
unanimous consent to put in the record an op-ed that was
printed in The Los Angeles Times today authored by myself and
my colleague, Mr. Issa, on this subject.
Mr. Goodlatte. How could anyone object to that being a part
of the record?
[The information referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Ms. Lofgren. I just note that in terms of the--you
mentioned that the code at Apple, that they've done a pretty
good job of protecting their code and you didn't remember
anything getting out loose, but I do think, you know, if you
take a look, for example, at the situation with Juniper
Networks, where they had--their job is cybersecurity, really,
and they felt that they had strong encryption, and yet, there
was a vulnerability, and they were hacked and it put
everybody's data, including the data of the U.S., I mean, of
the FBI and the State Department and the Department of Justice
at risk, and we still don't know what was taken by our enemies.
Did you think about the Juniper Networks issue when you
filed the All Writs Act report, you know, remedy in San
Bernardino?
Mr. Comey. No. But I think about that and a lot of similar
intrusions and hacks all day long, because it's the FBI's job
to investigate those and stop those.
Ms. Lofgren. I was struck by your comment that Apple hadn't
been hacked, but, in fact, iCloud accounts have been hacked in
the past. I think we all remember in 2014, the female celebrity
accounts that were hacked from the cloud, from iCloud, and CNBC
had a report that China likely attacked iCloud accounts. And
then in 2015, last year, Apple had to release a patch in
response to concerns that there had been brute force attacks at
iCloud accounts.
So I am anticipating, we'll see, that Apple will take
further steps to encrypt and protect not only its operating
system that it has today, but also the protection as well as
the iCloud accounts.
And I'll just close with this. I have on my iPhone all
kinds of messaging apps that are fully encrypted, some better
than others. Some were designed in the United States, a bunch
of them were designed in other countries. And I'm not--I
wouldn't do anything wrong on my iPhone, but if I were a
terrorist, I could use any one of those apps and communicate
securely, and there wouldn't be anything that the U.S.
Government, not the FBI, not the Congress, or the President
could do to prevent that from occurring. So I see this as, you
know, the question of whether my security is going to be
protected, but the terrorists' will continue abate.
And I thank you, Mr. Comey, for being here. I yield back,
Mr. Chairman.
Mr. Goodlatte. The Chair thanks the gentlewoman.
And the Chair recognizes the gentleman from Texas, Mr. Poe,
for 5 minutes.
Mr. Poe. Thank you, Director. I appreciate you being here.
Start with a little--some basics. The Fourth Amendment
protects citizens from government. Citizens have rights;
government has power. There is nowhere I see in the Fourth
Amendment that there is an except-for-terrorists-cases
exception or fear cases, that the Fourth Amendment should be
waived. I signed lots of warrants in 22 years from everybody,
including the FBI. Four corners of the warrant, what is to be
searched, and law enforcement typically would fulfill the duty
or ability in that warrant as far as they could, which is a
good thing, and return the warrant.
Now we have a situation where the issue is not lawful
possession. FBI is in lawful possession of the San Bernardino
phone; lawful possession of the phone in New York. Do you agree
with me on that?
Mr. Comey. Yes.
Mr. Poe. So we're not talking about whether the phones are
in lawful possession. The issue is whether--the specific issue
is whether government can force Apple, in this case, to give
them the golden key to unlock the safe because they can't
develop the key. I know that's kind of simplistic, but is that
a fair statement or not?
Mr. Comey. No.
Mr. Poe. Not? Let me ask you this--okay, you say it is not.
Apple develops the software and gives it to--and unlocks the
phone, but this is not the only phone in question. Is that
correct? There are other phones that FBI has in lawful
possession that you can't get into.
Mr. Comey. Sure. Law enforcement increasingly encounters
phones, investigations all over the place that can't be
unlocked. I would mention the Baton Rouge case too.
Mr. Poe. All right. There's several. How many cases do you
have in lawful possession that you want to get into the phone
but you can't get into it because you don't have the software
to break into it or to get into it?
Mr. Comey. I don't know the number. A lot.
Mr. Poe. A lot.
Mr. Comey. And they are all different, which is what makes
it hard to talk about any one case without being specific about
what kind of phone it is.
Mr. Poe. But you are in lawful possession of all these
phones. This is not the issue of whether FBI lawfully possesses
them. You have these phones. You can't get into them. Here is a
specific phone. You want iPhone--Apple to develop software to
get into this phone.
My question is, what would prevent the FBI from then taking
that software and going into all those other phones you have
and future phones you seize?
Mr. Comey. I see. This seems like a small difference, but I
think it's actually kind of a big difference. The ask, the
direction from the judge is not to have Apple get us into the
phones; it's to have Apple turn off by developing software that
will tell the phone to turn off the auto erase and the delay
features so that we can try and guess the password.
And so, in theory, if you had another 5C running iOS 9,
which is what makes this relief possible--I mean it when I say
it's obsolete, because I understand the 6s--there is no door
for us to even try and pick the lock on, so it wouldn't work.
But if there were phones in the same circumstances, sure, you
could ask for the same relief from a court to try and make
effective the search warrant.
Mr. Poe. So, rather than giving you the key, it's really
you want Apple to turn the security system off so they can get
into the phone or you can get into the phone?
Mr. Comey. Yeah. My homely metaphor was: take away the
drooling watchdog that is going to attack us if we try and open
it. Give us time to pick the lock.
Mr. Poe. Or like the Viper system that Mr. Issa developed.
Turn off the Viper system so you can get into the phone.
And it boils down to the fact of whether or not government
has the ability to demand that occur. We have two court
rulings. They are different. I have read the opinions. They are
different, a little different cases. Would you agree or not,
Congress has to resolve this problem? We shouldn't leave it up
to the judiciary to make this decision. Congress should resolve
the problem and determine exactly what the expectation of
privacy is in these particular situations of encryption or no
encryption; key, no key? Do you agree or not?
Mr. Comey. I think that the courts are competent--and this
is what we've done for 230 years--to resolve the narrow
question about the scope of the All Writs Act. But the broader
question we're talking about here goes far beyond phones or far
beyond any case. This collision between public safety and
privacy, the courts cannot resolve that.
Mr. Poe. And only--the Congress should then resolve, what
is the expectation of privacy in this high-tech atmosphere of
all this information stored in many different places on the
cloud, on the phone, wherever it's stored, and--would you agree
or not? I am just asking, should Congress resolve this issue of
expectation of privacy of the American citizens?
Mr. Comey. I think Congress certainly has a critical role
to play. Like I said, since the founding of this country, the
courts have interpreted the Fourth Amendment and the Fifth
Amendment, so they are competent. That's an independent branch
of government. But I think it is a huge role for Congress to
play, and we're playing it today, I hope.
Mr. Poe. I agree with you. I think it's Congress'
responsibility to determine the expectation of privacy in this
high-tech world.
And I yield back, Mr. Chairman.
Mr. Goodlatte. The time of the gentleman has expired.
The gentleman from Tennessee is recognized for 5 minutes.
There's 9 minutes and 45 seconds remaining in this vote. I will
take a chance if the gentleman from Tennessee will.
Mr. Cohen. If you want to go, I will go, or I will come
back.
Mr. Goodlatte. I am trying to move it along and not keep
the Director any longer than we have to, so go ahead.
Mr. Cohen. Thank you.
Director Comey, are there limitations that you could see in
permitting the FBI or government in a court to look into
certain records, certain type of cases, certain type of
circumstances that you could foresee, or do you want it open
for any case where there could be evidentiary value?
Mr. Comey. I am not sure I am following you. I like the way
we have to do our work, which is go to a judge in each specific
case and show lawful authority and a factual basis for access
to anybody's stuff.
Mr. Cohen. But if we decided to pass a statute and we
thought it should be limited in some way, maybe to terrorism or
maybe to something where it's a reasonable expectation that a
person's life is in jeopardy or that you could apprehend
somebody who has taken somebody's life, have you thought about
any limits?
Because, you know, under what you are saying, you go to a
court, I mean, you could go to a court for cases that are not
capital cases, and that's--I don't think anybody here--what the
public is fascinated or riveted on is the fact that what
happened in San Bernardino was so awful, and if we can find
some communication or some list that was in the cloud that
these people contacted, you know, Osama bin Laden's cousin and
that they get--and find out that he has something to do with
it, then that's important. But if you are talking about getting
into somebody's information to find out who they sold, you
know, 2 kilos or two bags or whatever is a whole different
issue.
Where would you limit it if you were coming up with a
statute that could satisfy both your interest in the most
extreme, important cases and yet satisfy privacy concerns?
Mr. Comey. Yeah, I see. I am sorry. I misunderstood the
question.
I don't know and haven't thought about it well enough. And,
frankly, I don't think that ought to be the FBI making that--
offering those parameters to you. There is precedent for that
kind of thing. We can only seek wire taps, for example, on
certain enumerated offenses in the United States, so it has to
be really serious stuff before a judge can even be asked to
allow us to listen to someone's communications in the United
States. It can't just be any offense. So there's precedent for
that kind of thing, but I haven't thought about it well enough.
Mr. Cohen. Thank you. Because I am slow in getting up there
to vote and the Republicans hit the--real quickly, I am going
to yield back the balance of my time and start to walk fast.
Mr. Goodlatte. The Chair thanks the gentleman.
The Committee will stand in recess. We have two votes on
the floor, with 7 minutes remaining in the first vote.
Mr. Director, we appreciate your appearance. We will come
back soon.
[Recess.]
Mr. Goodlatte. The Committee will reconvene and continue
with questions for Director Comey.
And the Chair recognizes the gentleman from Utah, Mr.
Chaffetz, for 5 minutes.
Mr. Chaffetz. Thank you, Mr. Chairman.
And to the Director, thank you so much for being here.
As I have mentioned before, my grandfather was a career FBI
agent, so I have great affinity for the agency and what you do
and how you do it. They almost always make us proud.
But the big question for our country is, you know, how much
privacy are we going to give up in the name of security? And as
you said, there is no easy answer to that.
But when, historically, with all the resources and assets
of the Federal Government, all the expertise, all the billions
of dollars, when has it been the function of government to
compel or force a private citizen or a company to act as an
agent of the government to do what the government couldn't do?
Mr. Comey. That's a legal question. In lots of different
circumstances, private entities have been compelled by court
order to assist, again through the All Writs Act. New York
Telephone is the Supreme Court case, the seminal case on the
topic.
Mr. Chaffetz. So let's talk for a moment about what you can
see and what you can do. With all due respect to the FBI, they
did--they didn't do what Apple had suggested they do in order
to retrieve the data, correct? I mean, when they went to change
the password, that kind of screwed things up. Did it not?
Mr. Comey. Yeah, I don't know that that's accurate
actually. I wasn't there. I don't have complete visibility. But
I agreed with the questioner earlier: there was an issue
created by the effort by the county at the FBI's request to try
and reset it to get into it quickly.
Mr. Chaffetz. And if they didn't reset it, then they could
have gone to a WiFi, local WiFi, a known WiFi access, and
performed that backup so they could go to the cloud and look at
that data, correct?
Mr. Comey. Right. You could get in the cloud through that
mechanism anything that was backup-able--to make up a word--to
the cloud, but that does not solve your full problem. I think I
would still be sitting here talking about it otherwise.
Mr. Chaffetz. But let's talk about what the government can
see on using a phone, and it's not just an iPhone. But you can
look at metadata, correct?
Mr. Comey. Yes.
Mr. Chaffetz. The metadata is not encrypted, correct? If I
called someone else or that phone had called other people, all
of that information is available to the FBI, correct?
Mr. Comey. In most circumstances, right. Metadata----
Mr. Chaffetz. In this case--let's talk about this case. You
want to talk about this case. You can see the metadata,
correct?
Mr. Comey. My understanding is we can see most of the
metadata.
Mr. Chaffetz. How would you define metadata?
Mr. Comey. I was just going to say that. Metadata, as I
understand it, is records of time of contact, numbers assigned
to the particular caller or texter. It's everything except
content. You can't see what somebody said, but you can see that
I texted to you in theory.
My understanding is with text in particular, that's tricky.
Particularly texting using iMessage, there's limitations on our
ability to see the metadata around that. Again, I am not an
expert, but that's my understanding.
Mr. Chaffetz. And do you believe that geolocation, if you
are tracking somebody's actual--where they are, is that content
or is that metadata?
Mr. Comey. My understanding is it depends upon whether you
are talking historical or real time when it comes to
geolocation data, but it can very much implicate the warrant
requirement and does in the FBI's work a lot.
Mr. Chaffetz. So that's what we're trying to--what's
frustrating to me, being on Judiciary, being the Chairman of
the Oversight Committee, there is nobody on the this panel as
in a republic and representative of the people that have been
able to see what the guidance is post-Jones in understanding
how you interpret and what you are actually doing or not doing
with somebody's geolocation.
Mr. Comey. You have asked that of the FBI and not been able
to get it?
Mr. Chaffetz. Department of Justice, they have been asking
for this for years. What's frustrating is the Department of
Justice is asking for more tools, more compulsion, and we can't
even see what you are already doing. We can't even see to the
degree you are using stingrays and how they work. I mean, I
think I understand how they work, but what sort of requirements
are there? Is it articulable suspicion? Is there a probable
cause warrant that's being used or needed?
And it's not just the FBI. I mean, you have got the IRS and
Social Security and others using stingrays, again, other tools
that I would argue are actually content into somebody's life
and not just the metadata that you are able to see.
So how do we get exposure? How do we help you if we can't--
if you routinely refuse--and I say ``you,'' meaning the
Department of Justice--access in explaining to us what tools
you already do have and what you can access? How do we solve
that?
Mr. Comey. Yeah, I don't have a great answer sitting here.
I will find out what's been asked for and what's been given. I
like the idea of giving as much transparency as possible. I
think people find it reassuring, at least with respect to the
FBI. To take cell phone tower simulators, we always use search
warrants. And so that shouldn't be that hard to get you that
information.
Mr. Chaffetz. What I worry about, you may be responsible,
but I don't know what the IRS is doing with them, and I have a
hard time figuring out when that is responsible.
Last comment, Mr. Chairman. To what degree are you able to
access and get into, either in this case or broadly, are you
able to search social media in general, and are you using that
as an effective tool to investigate and combat what you need to
do?
Mr. Goodlatte. The time of the gentleman has expired. The
witness can answer the question.
Mr. Comey. Social media is a feature of all of our lives,
and so it's a feature of a lot of our investigations. Sometimes
it gives us useful information; sometimes not. It's hard to
answer in the abstract, but it's a big part of our work.
Mr. Goodlatte. The Chair thanks the gentleman and
recognizes the gentleman from Georgia, Mr. Johnson, for 5
minutes.
Mr. Johnson. Thank you, Director Comey.
The Framers of our Constitution recognized a right to
privacy that Americans would enjoy. The Fourth Amendment pretty
much implies that right to privacy. Does it not?
Mr. Comey. I am not a constitutional scholar. I think a
scholar, if he were sitting here, might say it's not the Fourth
Amendment that's the source of the right to privacy; it's other
amendments of the Constitution. But that's a technical answer.
The Fourth Amendment is critically important because it's a
restriction on government power. You may not look at the
people's stuff, their houses, their effects without a warrant
and without an independent judiciary.
Mr. Johnson. But it also grants impliedly to the
government, the Fourth Amendment, the authority to search and
seize when the search or seizure is reasonable. Is that
correct?
Mr. Comey. Again, to be technical, I think the answer is
Congress has given the government that authority through
statute. The Fourth Amendment is a restriction on that
authority.
Mr. Johnson. The Fourth Amendment says that the right of
the people to be secure in their place, in their persons,
housings, papers, and effects against unreasonable searches and
seizures shall not be violated and no warrant shall issue but
upon probable cause, supported by oath or affirmation.
And what I am reading into the Fourth Amendment is that the
people do have a right to privacy, have a right to be secure in
their persons, housings, papers, and effects, but I am also
reading into it an implied responsibility of the government to,
on occasion, search and seize. Would that be your reading of it
also?
Mr. Comey. Yes.
Mr. Johnson. And, of course, upon probable cause. But there
are some circumstances where, in a hot pursuit or at the time
of an arrest, there's some exceptions that have been carved out
to where a warrant is not always required to search and seize.
Is that correct?
Mr. Comey. Yes. You mentioned one, the so-called exigent
circumstances doctrine, where if you are in the middle of an
emergency and you are looking for a gun that a bad guy might
have hid, you know, in a car or something, you don't
necessarily have to go get the warrant. If you have the factual
basis, you can do the search and then have the judge look at it
and validate it.
Mr. Johnson. Now, even in a situation where exigent
circumstances exist, technology has now brought us to the point
where law enforcement or the government is preempted from being
able to search and seize. Is that correct? Technology has
produced this result.
Mr. Comey. Yeah, I think technology has allowed us to
create zones of complete privacy, which sounds like an awesome
thing until you really think about it. But those zones prohibit
any government action under the Fourth Amendment or under our
search authority.
Mr. Johnson. Well, it's actually a zone of impunity, would
it not be, a zone where bad things can happen and the security
of Americans can be placed at risk?
Mr. Comey. Potentially, yes, sir.
Mr. Johnson. And that is the situation that we have with
end-to-end encryption. Is that not correct?
Mr. Comey. I think that's a fair description, where we have
communications where, even with the judge's order, can't be
intercepted.
Mr. Johnson. Now, you said that you were not a
constitutional scholar, and neither am I, but does it seem
reasonable that the Framers of the Constitution meant to exempt
any domain from its authority to be able to search and seize if
it's based on probable cause or some exigent circumstance
allows for a search and seizure with less than a warrant and a
showing of probable cause?
Mr. Comey. Yeah, I doubt that they--obviously, I doubt that
they imagined the devices we have today and the ways of
communicating. But I also doubt that they imagined there would
be any place in American life where law enforcement with lawful
authority could not go. And the reason I say that is, the First
Amendment talks about the people's homes. Is there a more
important place to any of us than our homes?
So from the founding of this country, it was contemplated
that law enforcement could go into your house with appropriate
predication and oversight. So, to me, the logic of that tells
me they wouldn't have imagined any box or storage area or
device that could never be entered.
Mr. Johnson. So, from that standpoint, to be a strict
constructionist about the Constitution and the Fourth
Amendment, it's ridiculous that anyone would think that we
would not be able to take our present circumstances and shape
current law to appreciate the niceties of today's practical
realities. I know I am rambling a little bit. But did you
understand what I just said?
Mr. Comey. I understand what you said, sir.
Mr. Johnson. Would you agree or disagree with me?
Mr. Goodlatte. The time of the gentleman has expired. The
Director may answer the question.
Mr. Comey. I think it's the kind of question that
democracies were built to wrestle with and that the Congress of
the United States is fully capable of wrestling with in a good
way.
Mr. Johnson. Well, in prior times, we have been.
Mr. Goodlatte. The time of the gentleman has expired.
Mr. Johnson. Thank you.
Mr. Goodlatte. The Chair recognizes the gentleman from
Pennsylvania, Mr. Marino, for 5 minutes.
Mr. Marino. Thank you, Mr. Chairman.
Mr. Director, it's always a pleasure.
Mr. Comey. Same, sir.
Mr. Marino. I am going to expand a little bit on one of
Judge Poe's questions. Is the Bureau asking Apple to simply
turn over the penetration code for the Bureau to get into or
that you want the penetration code at your disposal? Do you
understand what I am saying?
Mr. Comey. As I understand the judge's order, the way it
could work out here is that the maker of the phone would write
the code, keep the phone and the code entirely in their office
space, and the FBI would send the guesses electronically. So we
wouldn't have the phone. We wouldn't have the code. That's my
understanding of it.
Mr. Marino. That's good point to clarify, because there's
some--there's a lot of rumors out there.
I am going to switch to the courts a little bit here. Do
you see the Federal court resolving the warrant issue that the
Bureau is presently faced with, whatever way that decision
eventually comes down, or should Congress legislate the issue
now, if at all?
Mr. Comey. I don't--I appreciate the question. I don't
think that's for me to say. I do think the courts--because some
people have said so in the middle of this terrorism
investigation, why didn't you come to Congress? Well, because
we're in the middle of a terrorism investigation. And so I
think the courts will sort that out faster than any legislative
body could, but only that particular case.
The broader question, as I said earlier, I don't see how
the courts can resolve this tension between privacy and public
safety that we're all feeling.
Mr. Marino. Another good point.
Given that most of our social, professional, and very
personal information is on our desktop computers, on our
laptops, on our pads, and now more than ever on these things,
what is your position on notching up the level at which members
of the Federal judiciary can approve a warrant to access
critically valuable evidence to solve a horrific felony,
particularly when fighting terrorism?
Mr. Comey. Do you mean making the threshold something above
probable cause?
Mr. Marino. No, no, not the threshold, the Federal judicial
individuals making this decision. Right now, I understand it's
a magistrate. When I was at the State level, we could do some
things at sort of the magistrate level or the district court,
but then we had to go to the superior court, and working in the
Federal system with you, we had to go to one or two different
levels. What's your position on that?
Mr. Comey. I see what you are saying. So, instead of having
magistrate judges decide these questions, the district court
might?
Mr. Marino. Yeah. And no disrespect to magistrate courts. I
am very good friends with a lot of those brilliant people who
will eventually, I know, go to the bench. But from a
perspective of the public that a more narrowly defined, limited
number of people making that decision concerning the
electronics that we have.
Mr. Comey. Honestly, Congressman, I haven't thought about
that. I agree with you. I have a number of friends who are
magistrate judges, and they are awesome. And they think well,
and they rule well. I think they are fully capable of handling
these issues, but I haven't thought about it well enough to
react, other than that.
Mr. Marino. Okay. And just for the record, I have managed a
couple of prosecution offices, and I have never gone to the
experts, whether it's in DNA or whether it's in these
electronics, and ask them, did you complete everything that you
should have completed?
Mr. Comey. Thank you, Mr. Marino.
Mr. Goodlatte. The Chair recognizes the gentlewoman from
California, Ms. Chu, for 5 minutes.
Ms. Chu. Director Comey, my district is next to San
Bernardino. After the terror attack, we mourned the loss of 14
lives and empathized with the 22 wounded, and there is indeed
fear and anxiety amongst my constituents. So our discussion
here today is particularly important to the people back home.
There are many in our area that want answers, but there are
also many that feel conflicted about putting their own privacy
at risk.
So my first question to you is: Under Federal law, we do
not require technology companies to maintain a key to unlock
encrypted information in the devices they sell to customers.
Some of the witnesses we will hear from today argue that if
such a key or software was developed to help the FBI access the
device used by Syed Farook, it would make the millions of other
devices in use today vulnerable. How can we ensure that we're
not creating legal or technical backdoors to U.S. technology
that will empower other foreign governments in taking advantage
of this loophole?
Mr. Comey. It's a great question. I think what you have to
do is just talk to people on all sides of it who are true
experts, which I am not, but I have also talked to a lot of
experts. And I am an optimist. I actually don't think we've
given this the shot that it deserves. I don't think the most
creative and innovative people in our country have had an
incentive to try and solve this problem.
But when I look at particular phones, in the fall of 2014,
the makers of these phones could open them. And I don't
remember people saying the world was ending at that point and
that we're all exposed. And so I do think judgments have been
made that are not irreversible. But I think the best way to get
at it is talk to people about, so why do you make the phone
this way, and what is the possibility?
The world I imagine is a world where people comply with
warrants. How they do it is entirely up to them. Lots of phone
makers and providers of email and text today provide secure
services to their customers, and they comply with warrants.
That's just the way they have structured their business. And so
it gives me a sense of optimism that this is not an impossible
problem to solve. Really, really hard, and it will involve you
all talking to the people who really know this work.
Ms. Chu. Well, I would like to ask about law enforcement
finding technical solutions. I understand that there may be
other methods or solutions for law enforcement when it comes to
recovering data on a smartphone. Professor Landau argues in her
testimony later today that solutions to accessing the data
already exist within the forensic analysis community, solutions
which may include jail breaking the phone, amongst others. Or
she says other entities within the Federal Government may have
the expertise to crack the code.
Has the FBI pursued those other methods or tried to get
help from within the Federal Government, such as from agencies
like the NSA?
Mr. Comey. Yes is the answer. We've talked to anybody who
will talk with us about it, and I welcome additional
suggestions. Again, you have to be very specific: 5C running
iOS 9, what are the capabilities against that phone. There are
versions of different phone manufacturers and combinations of
model and operating system that it is possible to break a phone
without having to ask the manufacturer to do it. We have not
found a way to break the 5C running iOS 9.
And, as I said, in a way, this is kind of yesterday's
problem because the 5C, although I am sure it's a great phone,
has been overtaken by the 6 and will be overtaken by others
that are different in ways that make this relief yesterday.
Ms. Chu. So let me ask you this: Like smart phones, safes
can be another form of storage of personal information.
Similarly to how technology companies are not required to
maintain a key to unlock encryption, safe manufacturers are not
required to maintain keys or combinations to locks.
Given this, law enforcement has been able to find a way to
get into safes under certain circumstances or obtain critical
information through other avenues. So how does this differ from
unlocking a smartphone? It's clear that technology is outpacing
law enforcement's ability to get information from devices like
the iPhone, even with a proper warrant, but isn't it the FBI or
the law enforcement agency who bears the responsibility to
figure out the solution to unlock the code?
Mr. Comey. I will take the last part first. Sure, if we can
figure it out. The problem with the safe comparison is there's
no safe in the world that can't be opened. And if our experts
can't crack it, we will blow it up. We will blow the door off.
And so this is different. The awesome, wonderful power of
encryption changes that and makes that comparison, frankly,
inept.
And so, sure, where law enforcement can appropriately
lawfully figure out how to do it, we will and should. But there
will be occasions, and it's going to sweep across--again with
the updating of phones and the changing of apps where we
communicate end-to-end encrypted--it's going to sweep across
all of our work and outstrip our ability to do it on our own.
Ms. Chu. Thank you. I yield back.
Mr. Goodlatte. The Chair thanks the gentlewoman.
The gentleman from South Carolina, Mr. Gowdy, is recognized
for 5 minutes.
Mr. Gowdy. Thank you, Mr. Chairman.
Director, thank you for your service to the country.
And I do appreciate your acknowledgment and that of my
colleagues of the difficulty in reconciling competing binary
constitutional principles like public safety, national
security, and privacy. And I confess upfront: my bias is toward
public safety.
Because of this loosely held conviction I have that the
right to counsel, the right to free speech, the right to a jury
trial just isn't of much use if you are dead, so I reconcile
those competing principles in favor of public safety.
And my concern as I hear you testify is that I have
colleagues and others who are advocating for these evidence-
free zones. They are just going to be compartments of life
where you are precluded from going to find evidence of
anything.
And I am trying to determine whether or not we as a society
are going to accept that, that there are certain--no matter how
compelling the government's interest is in accessing that
evidence, we are declaring right now this is an evidence-free
zone; you can't go here no matter whether it's a terrorist
plot--and I am not talking about the Feng case. That's a drug
case. The case the magistrate decided yesterday in New York is
a drug case. Those are a dime a dozen.
National security, there's nothing that the government has
a more compelling interest in than that, and we're going to
create evidence-free zones? Am I missing something? Is that how
you see it? You just can't go in these categories unless
somebody consents?
Mr. Comey. That's my worry, and why I think it's so
important we have this conversation. Because even I on the
surface think it sounds great when people say: Hey, you buy
this device; no one will ever be able to look at your stuff.
But there are times when law enforcement saves our lives,
rescues our children, and rescues our neighborhoods by going to
a judge and getting permission by looking at our stuff.
And so, again, I come to the case of a Baton Rouge 8-month
pregnant woman, shot when she opens her door. Her mom says she
keeps a diary on her phone. We can't look at the diary to
figure out what might have been going on in her life. Who was
she texting with? That's a problem. I love privacy. But all of
us also love public safety, and it's so easy to talk about. Buy
this amazing device; you will be private. But you have to take
the time to think: Okay. There's that, and what are the costs
of that? And that's where this collision is coming in.
Mr. Gowdy. Well, I love privacy too, but I want my fellow
citizens to understand that most of us also, in varying
degrees, also love our bodies and the physical integrity of our
body. But since Schmerber, the government has been able to
access orders for either blood against the will of the
defendant or, in some instances, surgical procedures against
the will of the defendant.
So when I hear my colleagues say, have you ever asked a
nongovernment actor to participate in the securing of evidence,
absolutely. That's what the surgeon does. If you have a bullet
from an officer who was shot in a defendant, you can go to a
judge and ask the judge to force a nurse or surgeon to
anesthetize and remove that bullet. So if you can penetrate the
integrity of the human body in certain categories of cases, how
in the hell you can't access a phone, I just find baffling.
But let me ask you this: If Apple were here--and they are
going to be here--how would they tell you to do it? If there
were a plot on an iPhone to commit an act of violence against,
say, hypothetically, an Apple facility, and they expected you
to prevent it, how would they tell you to access the material
on this phone?
Mr. Comey. I think they would say what they have said,
which I believe is in good faith, that we have designed this in
response to what we believe to be the demands of our customers
to be immune to any government warrant or our, the
manufacturer's, efforts to get into that phone. We think that's
what people want.
And that may be so, except I would hope folks will look at
this conversation and say, ``Really, do I want that?'' and take
a step back and understand that this entire country of ours is
based on a balance. It's a hard one to strike, but it's so
seductive to talk about privacy as the ultimate value. In a
society where we aspire to be safe and have our families safe
and our children safe, that can't be true. We have to find a
way to accommodate both.
Mr. Gowdy. So Apple, on the one hand, wants us to kind of
weigh and balance privacy, except they have done it for us.
They have said at least as it relates to this phone, we've
already done that weighing and balancing, and there is no
governmental interest compelling enough for us to allow you to
try to guess the password of a dead person's phone that is
owned by a city government. There's no balancing to be done.
They have already done it for us.
I would just--I will just tell you, Director, in
conclusion: We ask the Bureau and others to do a lot of things,
investigate crime after it's taken place, anticipate crime,
stop it before it happens. And all you are asking is to be able
to guess the password and not have the phone self-destruct. And
you can go into people's bodies and remove bullets, but you
can't go into a dead person's iPhone and remove data. I just
find it baffling.
But I am out of time.
Mr. Goodlatte. The gentleman's time has expired.
The Chair recognizes the gentleman from Florida, Mr.
Deutch, for 5 minutes.
Mr. Deutch. Thank you, Mr. Chairman.
Director Comey, thank you for being here. Thank you for
your service and that of the men and women who work for you.
We're all grateful for what they do.
And I just wanted to take a moment before I ask you a
couple questions here to let you know that Bob Levinson, who
was an agent for over 20 years, 28 years, at the Justice
Department, continues to be missing. I want to thank you for
what you have done. I want to thank you for the Facebook page
in Farsi that you have put up. I would love a report on the
effectiveness and what you have heard from that.
And I want to, more than anything else, on behalf of Bob's
family, I want to thank you for never forgetting this former
agent, and I am grateful for that.
Mr. Comey. Thank you, sir. He'll never be forgotten.
Mr. Deutch. Now, I want to agree with Mr. Gowdy that if
this were as easy as public safety or privacy, I think most of
us, probably all of us, if we had to make the choice, we're
going to opt for public safety for the very reason that Mr.
Gowdy spoke of.
I have some questions. What I am confused about is this:
The tool that you would need to take away the dogs, take away
the vicious guard dogs, it's a tool that would disable the
auto-erase. There's some confusion as to whether there's an
additional tool that you are seeking that would allow you to
rapidly test possible passcodes. Is there a second tool as
well?
Mr. Comey. Yeah. I think there's actually three elements to
it. And I have spoken to experts. I hope I get this right. The
first is what you said, which is to disable the self-destruct,
auto-erase type feature. The second is to disable the feature
that, between successive guesses--as I understand iOS 9, it
spreads out the time, so even if we got the ability to guess,
it would take years and years to guess. So do away with that
function. And the third thing, which is smaller, is set it up
so that we can send you electronic guesses so we don't have to
have an FBI agent sit there and punch in 1-2-3-4, like that.
Mr. Deutch. And once they created that, would you expect
them, after this case, would you expect them to preserve that
or destroy it?
Mr. Comey. I don't know. It would depend on what the
judge's order said. I think that's for the judge to sort out.
That's my recollection.
Mr. Deutch. So here is the issue: I think that vicious
guard dog that you want to take away so you can pick the lock
is one thing. But in a world where we do--I mean, it's true:
there are awful people, terrorists, child predators, molesters
who do everything on here. But so do so many of the rest of us,
and we would like a pack of vicious guard dogs to protect our
information to keep us safe, because there's a public safety
part of that equation as well.
And the example of surgical procedures, the reason that
that I don't think applies here is because, in that case, we
know the only one doing the surgical procedure is the doctor
operating on behalf of law enforcement. But when this tool is
created, the fear, obviously, is that it might be used by
others, that there are many who will try to get their hands on
it and will then put at risk our information on our devices.
And how do you balance it? This is a really hard one for
me. This isn't an either/or. I don't see it as a binary option.
So how do you do that?
Mr. Comey. I think it's a reasonable question. I also think
it's something the judge will sort out. Apple's contention,
which, again, I believe is made in good faith, is that there
would be substantial risk around creating this software. On the
government side, count us skeptical, although we could be
wrong, because I think the government's argument is that's your
business to protect your software, your innovation. This would
be usable in one phone. But, again, that's something the judge
is going to have to sort out. It's not an easy question.
Mr. Deutch. If it's the case, though, that it's usable in
more than one phone and that it applies beyond there, then the
public safety concerns that we may have, that a lot of us have
about what would happen if the bad guys got access to our
phones and our children's phones, in that case, those are
really valid. Aren't they?
Mr. Comey. Sure. The question that I think we're going to
have litigation about is how reasonable is that concern. And,
you know, slippery-slope arguments are always attractive, but I
mean, I suppose you could say, well, Apple's engineers have
this in their head. What if they are kidnapped and forced to
write software? That's why the judge has to sort this out
between good lawyers on both sides making all reasonable
arguments.
Mr. Deutch. And, finally, Mr. Chairman, I just worry, when
we talk about the precedential value, the discussion is taking
place wholly within a domestic context. There are countries
around the world where we know very well that the governments
do their best to monitor what happens in their country and,
through people's cell phones, are able to squash dissent, are
able to take action to throw people in jail and to torture
people.
And I think that precedential value is something else that
we have to bear in mind as we engage in this really important
and really difficult debate.
And I yield back, Mr. Chairman.
Mr. Goodlatte. The Chair thanks the gentleman and
recognizes the gentleman from Florida, Mr. DeSantis for 5
minutes.
Mr. DeSantis. Good afternoon, Director Comey. When you are
looking at a case like the Apple case, and you want to be able
to, as you said, remove the guard dogs and the FBI go in, are
you concerned about preserving the evidentiary value that can
then be used, or are you more interested in just getting the
information for intel purposes so that you can use that for
counterterrorism?
Mr. Comey. Our hope is to do both, but if we have to
choose, we want the information first, and then we would like
it, obviously, to be in a form that could be used if there was
a court proceeding against somebody someday.
Mr. DeSantis. I guess, are there instances in which maybe a
company would provide the data but would provide it to you in a
way that you would not necessarily be able to authenticate that
in court?
Mr. Comey. Sure. That happens all the time.
Mr. DeSantis. And that's something that the FBI, if that's
what you get, then you are fine with that?
Mr. Comey. Depends upon the case, but in general, that's a
tool that we use, private cooperation where we may not be able
to use the information in court.
Mr. DeSantis. And in terms of the guy in San Bernardino, it
wasn't even his phone, and then the owner of the phone has
consented for the FBI to have the information. Is that correct?
Mr. Comey. Right. We have a search warrant for the phone.
The guy who was possessing it is obviously dead. And the owner
of the phone has consented.
Mr. DeSantis. What's the best analogous case to what you
are trying to do here? Because people will look at it and say:
Well, you are basically commandeering a company to have to do
these things. That's typically not the way it works. So what
would you say is--outside of the technology context, what would
be an analogous case?
Mr. Comey. Well, everyone in the United States, to some
degree, has an obligation to cooperate with appropriate
authority. The question that the court has to resolve under the
All Writs Act is, what are the limits of that? Apple's argument
is that might be okay if it requires us to hand you something
we've already made to open a phone, but if we're going to make
something new, that's beyond the scope of the law.
As you know, that's something the courts do every day in
the United States, trying to understand the law and interpret
its scope based on a particular set of facts. So that's what
will be done in San Bernardino in a different context. It's
being done in Brooklyn, in the drug case in Brooklyn. I think
it's being done in different stages all over the country,
because in investigation after investigation, law enforcement
is encountering these kinds of devices.
Mr. DeSantis. In your cases, have you gotten an order under
the All Writs Act to just have a defendant, if you have a
search warrant, produce the code?
Mr. Comey. I don't know of a--I don't know of a similar
case.
Mr. DeSantis. In terms of, I know some of the technology
companies are concerned about if they are creating ways to, I
guess, penetrate their systems, that's creating like a back
door. And I guess my concern is terrorists, obviously, when
operating in a variety of spheres, one of the ways that they
get a lot of bang for their buck is cyber attacks.
And so if companies were creating more access for law
enforcement in some of these situations, would that create more
vulnerability for people and be more likely that they were
subjected to a potential cyber attack?
Mr. Comey. Potentially, sure. If there were access tools
that got loose in the wild or that could be easily stolen or
available to bad people, it's a concern. As I said, a huge part
of the Bureau's work is protecting privacy by fighting against
those cybercriminals. So it's something we worry about every
day.
Mr. DeSantis. Well, how would you then provide a
assurances, if you are requesting a company to work with you,
that this doesn't get out into the wild, so to speak?
Mr. Comey. I think in the particular case, we have
confidence--and I think it is justified--that Apple is highly
professional at protecting its own innovation, its own
information. So the idea here is: You keep it. You figure out
how to store it. You figure--you even take the phone and
protect it. I think that's something they do pretty well, but,
again, that is something the judge will sort out.
Apple's argument, I think, will be that's not reasonable
because there are risks around that. Even though we're good at
this, it could still get away from us. And the judge will have
to figure that out, what's reasonable in that circumstance.
Mr. DeSantis. Thank you.
I yield back the balance of my time.
Mr. Goodlatte. The Chair thanks the gentleman and
recognizes the gentleman from Illinois, Mr. Gutierrez.
Mr. Gutierrez. Thank you, Mr. Chairman.
And thank you, Director Comey, for coming and being with us
here this afternoon. I won't take my 5 minutes, so I will make
a couple of comments and beginning by saying that I hope that
all of the Members of the Committee would take note that the
Director is actually answering our questions, and that is
obviously very refreshing in that we get a lot of witnesses
here. And if they bring them, we might not like them; if we
bring them, they don't seem to like them. And it's good to get
information without passing judgment.
And I think that's what you have done very well here today.
You are not passing judgment on Apple and their motivation. And
I think in not questioning people's motivation, it's easier to
get a solution, because once you do that, everybody kind of
says: ``Okay, let's get all our defenses up.'' And, really,
what we need to be doing is defending the American people, not
Apple or any company or the FBI for that matter, but defending
the American people. So I want to thank you for that.
And I just want to suggest that we continue these
conversations. I buy a house. I have no reasonable expectation
that if you get a warrant, you are going to go into my--any
drawer in my bedroom. When I buy the house, I don't have any
expectation of privacy once you get a warrant to come. I do
expect you to get one.
I come from a time when I wasn't quite sure the Chicago
Police and law enforcement was actually getting warrants in the
city of Chicago in the 1960's to get that, so we want to be a
little careful and make sure. I am trusting of you. If you were
the FBI agent, I would say, no problem, Director Comey, come on
in.
But, unfortunately, there are human beings at all the
different levels of government, and I just want to say that I
am happy you came because I don't have that expectation in my
car. I don't have that expectation--I don't use the computer a
lot to--I still write. I don't have any expectation.
But the difference is--and I think you have made and I
think this Committee should take it into consideration--we do
put a lot of information in these contraptions, and the reason
we put them there is because we don't want to put them on a
notebook; we want to keep them private. But I really don't have
any expectation that once I put this, if you have a lawful
warrant, that you should be able to get it, even from my
computer. I think that's where you are going.
Could you--is that where you think--have I heard you right?
Mr. Comey. I do. I agree with you, except I think the case
for privacy is even stronger than you said. You do have a
reasonable expectation to privacy in your home, in your car,
and in your devices. The government, under our Constitution, is
required to overcome that by going to an independent judge,
making a showing of probable cause, and getting a warrant.
What we need to talk about as a country is we're moving to
a place where there are warrant-proof places in our life, and
yes, these devices are spectacular, because they do hold our
whole lives. They are different than a briefcase. They are
different than a drawer. So it is a source with--a place with a
tremendous reasonable expectation of privacy.
But if we're going to move to a place where that is not
possible to overcome that, that's a world we've never lived in
before in the United States. That has profound consequences for
public safety. And all I am saying is we shouldn't drift there,
right? Companies that sell stuff shouldn't tell us how to be.
The FBI shouldn't tell us how to be. The American people should
say: ``The world is different. How do we want to be?'' And
figure that out.
Mr. Gutierrez. Yeah, I think we're in the same place then,
because I do have a reasonable expectation of privacy in my
home. But if you go to court, you convince the judge, and you
overcome it, I have never had any expectation that a court
order, because I bought something, I am going to be able to
overcome a court order. So I think we're in the same place.
So thank you so much, Director, for coming and sharing
time. I hope to share more time with you so we can talk some
more. Thank you.
Mr. Goodlatte. The Chair recognizes the gentleman from
Iowa, Mr. King, for 5 minutes.
Mr. King. Thank you, Mr. Chairman.
Director, thanks for your testimony here and your
leadership with the FBI.
I am curious about this from a perspective that has to do
with our global war against radical Islamic terrorists. And I
have laid out a strategy to defeat that ideology. I would take
it back to our ability some years past to be able to identify
their cell phones and get into their cell phones in such a way
that we also got into their heads, which drove them into the
caves and really diminished a lot of their otherwise robust
activity that Al Qaeda might have carried out against us. I
think that was a successful effort.
Now we have global cyber operations going on with, I think
by your numbers from a previous report I read, well over
100,000 ISIS activities on Twitter and other cyber activity in
a single day. And so I am interested in how the parameters that
have been examined thoroughly by a lot of the lawyers on this
panel might apply to an all-out cyber warfare against ISIS and
any of their affiliates or subordinates that I think is
necessary if we're going to defeat that ideology.
And so I am thinking in terms of if this Congress might
diminish, slow down, or shut down access to this phone, that
also means access to any other phone that they might be using;
they would have a high degree of confidence that they could
operate with a level of impunity in the cyber world out there.
Do you have any comments you would like to make on the
implications that being locked out of an opportunity to unlock
this phone might mean to the global war on terror that could be
prosecuted in the next Administration aggressively across the
fields of cyber warfare? And I would just add to that for the
sake of enumerating them: financial warfare, educational
warfare, and human intelligence, and the network that would be
necessary, not just the kinetic activity, to defeat radical
Islamic terrorism.
Mr. Comey. Thank you, Mr. King.
This conversation we're having today and that I hope will
continue is really important for domestic law enforcement, but
it has profound implications for, among other things, our
counterterrorism work. Because since Mr. Snowden's revelations,
terrorist tradecraft changed, and they moved immediately to
encrypted apps for their communication in trying to find
devices that were encrypted, wrap their lives in encryption,
because they understand the power of encryption.
And so there's no place we see this collision between our
love for privacy and the security of encryption and public
safety than in fighting terrorism, especially ISIL. Because for
the FBI's responsibility, which is here in the United States,
every day we're looking for needles in a hay stack. And,
increasingly, the most dangerous needles go invisible to us,
because that's when ISIL moves them to an encrypted app that's
end-to-end encrypted and a judge's order is irrelevant there.
That's why this is such an urgent feature of our work. It
has huge implications for law enforcement overwhelmingly, but
it has profound implications in the fight against terrorism.
Mr. King. Do you get any signals that the American public
or the United States Congress is contemplating some of the
things that you discussed here to the depth that it would be a
component in the decisionmaking?
Mr. Comey. I don't know. I know everybody's interested in
this and everybody, all thoughtful people see both sides of
this and are trying to figure out how to resolve it, how to
resolve it practically, how to resolve it technically. And the
other challenge is--not to make it harder--there is no it.
There isn't a single it. There's all different kinds of
manifestations of this problem we call going dark.
So what I see is people of good will who care about privacy
and safety wrestling with this. Court cases are important, but
they are not going to solve this problem for us.
Mr. King. Let me suggest that--I will just say: I think
it's a known and a given that ISIS or ISIL is seeking a nuclear
device and has pretty much said that publicly. If we had a high
degree of confidence that they had--that they were on the cusp
of achieving such capability and perhaps capability of
delivering it, if that became part of the American
consciousness, do you think that would change this debate that
we're having here today?
Mr. Comey. I do worry that it's hard to have nuanced,
complicated conversations like this in an emergency and in the
wake of a disaster, which is why I think it's so important we
have this conversation now, because in the wake of something
awful happening, it will be hard to talk about this in a
thoughtful, nuanced way. And so I think that's why I so welcome
the Chairman having this hearing, and having further
conversations about it.
Mr. King. Thank you, Director. And I will just state that
my view is that I want to protect the constitutional rights of
the American people, and I would like to be able to have this
framed in law that reflects our constitutional rights. But I
would like to have us consider how we might keep a nation safe
in the face of this and how we might prosecute a global war
against radical Islam, even in the aftermath of a decision that
might be made by either a judge or the United States Congress.
I thank you, Mr. Chairman, and I yield back the balance of
my time.
Mr. Goodlatte. The Chair thanks the gentleman.
The gentlewoman from California, Ms. Bass, is recognized
for 5 minutes.
Ms. Bass. Thank you, Mr. Chair.
And thank you, Director Comey, for your time and your
patience with us today.
I had a townhall meeting in my district on Sunday, and
actually a couple hundred people showed up, and it was a
general townhall meeting talking about issues that Congress is
dealing with, and much to my surprise, this was a burning
issue. And many of my constituents came to ask me questions,
and I told them that they could suggest some questions and I
would ask you. So maybe you could speak to some of my
constituents today so I can send them a clip of your testimony.
Basically, in general, they had a hard time believing--I
mean, they were not supportive. They don't want, you know,
Apple to comply. But they had a hard time believing that the
FBI couldn't already do this. And so a couple of the questions
were: How have so many others cracked iPhones and shared their
findings with videos and how-to articles?
And given that you described it, not as a back door but
getting the dogs, you know, away so that you can pick the lock,
their question was: What other intelligence community agencies
has the FBI worked with, considering there's at least 12 in the
government? Between all of these agencies, how is it that you
haven't been able to call the dogs off and pick the lock?
Mr. Comey. There are actually 16 other members of the U.S.
intelligence community. It pains me to say this, because I--in
a way we benefit from the myth that is the product of maybe too
much television. The only thing that's true on television is we
remain very attractive people, but we don't have the
capabilities that people sometimes on TV imagine us to have. If
we could have done this quietly and privately, we would have
done it.
Ms. Bass. Right.
Mr. Comey. This litigation is difficult. It's especially
difficult, as I said, for the people who were victimized in San
Bernardino, and so we really can't. As I said, there may be
other models, other permutations and combinations where we have
different capabilities, but I'm here to tell you here--and,
again, maybe tonight someone will call us and say: I've thought
of something. Apple is very good at what it does. It's a
wonderful company. It makes wonderful products, right? They
have set out to design a phone that can't be opened, and
they're darn near succeeding. I think with the 6 and beyond,
they will have succeeded. That doesn't make them bad people,
that just poses a challenge for us that we're not yet up to
meeting without intervention from courts.
Ms. Bass. Since you can clone iPhone contents to compatible
hardware and test passwords on the clones without putting the
original at risk, can't you use so-called brute force methods
to guess the passcode?
Mr. Comey. Not with the--I think this is what Mr. Issa was
asking about. I think a lot of tech experts ask, why can't you
mirror the phone in some way and then play with the mirror? For
reasons I don't fully understand, not possible in this
circumstance. So we do want to try and brute force the phone;
that is the multiple guesses. But we need first--we'll do that
ourselves, but we need removed the auto-erase function and the
delay-between-guesses function, which would make us take 10
years to guess it. If we have those removed, we can guess this
phone's password with our computing power in 26 minutes, is
what we're told, because we have enormous computing power in
the U.S. Government, but we need to be able to bring it to bear
without the phone killing itself.
Ms. Bass. Thank you. I yield back the balance of my time.
Mr. Goodlatte. The Chair recognizes the gentleman from
Idaho, Mr. Labrador, for 5 minutes.
Mr. Labrador. Thank you, Mr. Chairman.
And thank you, Director, for being here. Thank you for what
you're doing. I know you have a very difficult job as you're
trying to balance both security and privacy.
I do have a few questions. As you're looking at the laws
that are in place, like CALEA and FISA, or the other different
avenues that we're talking about, something that concerns me is
that this is very different than some of the examples that have
been given here. For example, when you have--when you're going
into a home, if you're asking for a key, if you go to the
landlord, that key's already made, and you can go to the
landlord and you can say, ``I have a warrant here,'' and that
key is made, ``Can you please give me a key for that,'' where
the method of creating that key, even if the key does not
exist, is already--does already exist. This is very different
than that. Would you agree?
Mr. Comey. Yes. You're exactly right. There's a difference
between, ``Hey, landlord, you have this spare key; the judge
directs you to give it to us,'' and, ``Hey, landlord, we need
you to make a key for this lock.''
Mr. Labrador. Yeah.
Mr. Comey. And that's a legal question as to whether the
particular statutory authority we're using here, the All Writs
Act, extends to that.
Mr. Labrador. Correct.
Mr. Comey. We think in the government there's a reasonable
argument to be made it does and should, and on the other side,
lawyers for Apple argue it doesn't, and that's what the judge
will sort out.
Mr. Labrador. But this goes even one step further. In this
scenario, the landlord can create the key, has the ability to
create the key, and the technology to create the key already
exists. In the Apple case, that's not the case. They have never
created the key that you're asking for. Isn't that correct?
Mr. Comey. I don't know whether that's correct or not.
Mr. Labrador. Well, as far as we know, as far as they're
letting us know, there's no way for them, as they're telling
us--because if not, I think they would be violating the judge's
order. If they have an ability to do this, I do agree with you
that they would be violating the judge's order, but what
they're telling us is that ability does not exist. Isn't that
correct?
Mr. Comey. I think that's right. I think, obviously, their
general counsels are very smart guys here; he can talk about
this. But I think what they're saying is: We can do it, but it
would require us to sit at a keyboard and write new code that
doesn't currently exist.
Mr. Labrador. Correct.
Mr. Comey. Whether there's a meaningful distinction between
that, and someone who already has a key legally is something a
judge will have to sort out.
Mr. Labrador. So what concerns me is the old legal maxim
that, you know, bad cases make bad law. This is clearly a bad
case. We all want you to get access to this phone through legal
means, because maybe it would uncover some of the problems that
we have in the Middle East; maybe there's some evidence in
there that could really lead us to take some terrorists down. I
think we are all there, but the problem is that this is a bad
case. This is a person who, obviously, is dead, who has never
given his code to somebody else.
And I'm concerned that, as we're looking down this road,
what we're doing is we're opening the door for other things
that could actually be detrimental to our safety and security.
For example, I think you've testified many times that we're
getting hacked all the time. Isn't that correct?
Mr. Comey. Yes.
Mr. Labrador. So maybe one of the reasons that Apple is
refusing to do this or is hesitant to do something like this,
because they know that even they get hacked, and when you
open--when you create that key that doesn't exist at all right
now, you're actually opening up every other phone that's out
there. Do you see how that could be a concern?
Mr. Comey. I see the argument. The question the judge will
have to decide is, is that a reasonable argument?
Mr. Labrador. Because you----
Mr. Comey. Sorry.
Mr. Labrador. No. I'm sorry.
Mr. Comey. Go ahead.
Mr. Labrador. You said that Apple is highly--they are
highly professional in keeping secrets. Would you say that the
Federal Government also has very good people that are highly
professional in keeping secrets?
Mr. Comey. Parts of it.
Mr. Labrador. Me too.
Recently, we've learned that there's been a hacking
incident at the IRS. Are you familiar with that?
Mr. Comey. Yes.
Mr. Labrador. So that's what I'm concerned about. The
moment that you open up that door, the moment that you open up
that key that doesn't currently exist, you're actually allowing
all these hackers that are out there--and some of them are our
enemies that are trying to do us harm, whether it's economic
harm or whether it's actual terrorism. They're out there
looking for ways to actually get into your iPhone, into my
iPhone, into everybody else's iPhone, and at some point--that's
why you have such a difficult job--is we have to balance that
safety and security.
Do you think that this capability that you're asking for
can only be used pursuant to a warrant?
Mr. Comey. The capability that the judge has directed Apple
to provide?
Mr. Labrador. Correct.
Mr. Comey. I think that's the way it's--that's the
procedural posture of it. There's a warrant and the judge has
issued an order.
Mr. Labrador. That's how it is issued right now, but do you
think that that can only be obtained through a warrant? Are you
seeking to obtain it later through other means other than
warrants?
Mr. Comey. I don't know how we would if it's in Apple's
possession. Unless they voluntarily gave it to someone, there
would have to be a judicial process----
Mr. Labrador. Okay.
Mr. Comey [continuing]. If they maintained it afterwards.
Mr. Labrador. Thank you very much. I've run out of time.
Thank you.
Mr. Goodlatte. The Chair thanks the gentleman and
recognizes the gentleman from Louisiana, Mr. Richmond, for 5
minutes.
Mr. Richmond. Thank you, Mr. Chairman.
Before I start, I'd like to enter into the record two
articles. One is from the Toronto Star, titled
D1 deg.``Encrypted Evidence Is Increasingly Hampering
Criminal Investigations, Police Say.'' And another one is from
the Baton Rouge Advocate, which says, D2 deg.``The
Brittney Mills Murder Case Has Put Baton Rouge in the Middle of
the National Cell Phone Encryption Debate.''
Mr. Goodlatte. Without objection, they will be made part of
the record.
[The information referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Richmond. Thank you, Mr. Chairman.
And let me just say, and Director Comey, you have mentioned
the Brittney Mills case a number of times, and I just want to
paint the scenario for everyone in the room and put a face with
it. This is Brittney Mills, and this is Brittney Mills almost 8
months pregnant with her daughter. In May of last year,
Brittney was murdered in my district. She was a mother. She was
8 months pregnant with her second child at the time. Someone
came to her door and killed her, and a couple days later, her
unborn child--or born child also died. And according to her
family and her friends, she kept a very detailed diary in her
phone. And her family, who are here today, Ms. Mills, Ms.
Barbara Mills, will you please stand, and Tia and Roger, her
family would like the phone opened so that our district
attorney, who is also here today--thank you for standing--our
district attorney, who is also here today, Hillar Moore, can
use that to attempt to find the murderer who committed this
crime.
And I guess my question is, we balance privacy, public
safety, and criminal justice, but are we in danger of creating
an underground criminal sanctuary for some very disturbed
people, and how do we balance that?
Mr. Comey. We are in danger of that. Until these awesome
devices--and that's what makes it so painful. They're
wonderful. Until this, there was no closet in America, no safe
in America, no garage in America, no basement in America that
could not be entered with a judge's order. We now live in a
different world, and that's the point we're trying to make
here. Before we drift to a place where a whole lot of other
families in incredible pain look at other district attorneys
and say, ``What do you mean you can't; you have a court
order,'' before we drift to that place, we've got to talk about
it, because privacy is awesome, but stopping this kind of
savagery and murder and pedophilia and all the other things
that hide in the dark spaces in American life is also
incredibly important to us.
That's why this conversation matters so much, but it's also
why we have to talk to each other. There are no demons in this
conversation; we care about the same things. But it is urgent,
and there's no more painful circumstance to demonstrate it than
in the death of that beautiful woman and her baby.
Mr. Richmond. Well, and I do appreciate your saying we have
to talk to each other, because just in the small time that I
was able to put the representatives of Apple and the district
attorney in the room, I think we made some progress and maybe
some alternatives, and maybe we'll get somewhere. But it is a
very difficult balancing act, and I think the people from Apple
are very well intentioned and have some real concerns.
But let me ask you this. I took a congressional delegation
trip over to the Ukraine. And when we landed our plane, we were
on the runway, and our security advisors came on to the back
and said, if you don't want your phone hacked and people to
have access to your text messages, your pictures, your emails,
and everything else, we advise you to power your phone off and
leave it on the plane. And no one is in close enough proximity
right now to do it, so if you need to make a call, make a call,
but when we get closer to the terminal, you need to power that
phone down.
So does Ukraine have better technology--well, they were
really worried about Russian hackers. But does Russia have that
much of a technology advantage over us that they can get into
my phone while I'm on it and it's in my possession, and we
can't get into a phone that we have in our possession?
Mr. Comey. The difference--and I'm going to be careful what
I say in an open setting--is that some countries have different
control over their infrastructure and require providers in
their country to make accommodations that we do not require
here to give them greater surveillance capabilities than we
would ever imagine in the United States. That's the first
thing.
The second thing is we are a rule of law country. The FBI
is not cracking into your phone or listening to your
communications except under the rule of law and going to a
judge. Those are the two big differences.
But countries have capabilities and, in part, based on
accommodations that device makers and providers have made in
those countries that are different than in this country.
Mr. Richmond. Thank you, Mr. Chairman. I see my time has
expired.
Mr. Goodlatte. The Chair recognizes the gentlewoman from
Washington State, Ms. DelBene, for 5 minutes.
Ms. DelBene. Thank you, Mr. Chairman.
And thank you, Director Comey, for being with us and for
all of your time.
I've worked my career in technology on email and mobile
communications and constantly heard from customers, both
consumers and businesses and even the government, to make sure
that information was protected and that devices were secure.
And in your testimony, you state that you're simply asking to
ensure that you can continue to obtain electronic information
and evidence, and you seem to be asking technology companies to
freeze in place or revert back to systems that might have been
easier to access, but don't you think in general that that's
much--an oversimplification of this issue, because we all know
that bad actors want to exploit vulnerabilities to break in to
any number of things, from a phone, a personal device, to our
power grid? These things aren't static. They're changing
constantly, and they're getting smarter every day. The bad
actors are getting smarter every day, and we need to be smarter
every day in terms of protecting information.
So, in that type of environment, how would you expect the
technology company not to continue to evolve their security
measures to keep up with new threats that we see?
Mr. Comey. First of all, I would expect security companies
and technology companies to continue to try and improve their
security. That's why it's important that all of us talk about
this, because it's not the company's job to worry about public
safety, right? It's the FBI's job, Congress's job, and a lot of
other folks in the government, so I don't put that on the
companies. But the other thing that concerns me a little bit is
this sense that if we have a world where people comply with
government warrants, it must be insecure. And I don't buy that,
because there are lots of providers today of email service, of
tech service who have highly secure systems who, because of
their business models, visualize the information in plain text
on their servers so they comply with court orders. I have not
heard people say their systems are insecure. They simply have
chosen a different business model.
So I actually don't think it's--again, a lot of people may
disagree with me. I actually don't think in the main it's a
technological problem. It's a business model problem. That
doesn't solve it, but that gets us away from this it's
impossible nonsense.
Ms. DelBene. But we know more and more, in fact, we're
seeing--we're talking about phones today, but we are talking
about the growth in the Internet of things of more and more
personal devices where security will be even more critical, and
so it's hard to say--you're talking about a world where it's
confined to the way the world works today. I think that
absolutely is not the situation that we're facing. We're seeing
evolution every day, and these are devices that are connected
to networks, and information is flowing, and that information
might be someone's financial information or personal
information that if it is exploited would create a security
issue itself.
Mr. Comey. I agree.
Ms. DelBene. So don't you believe that encryption has an
important role to play in protecting security?
Mr. Comey. Vital.
Ms. DelBene. So, now, when we've talked about what role
Congress plays versus what role the courts would play, and
you've kind of talked about both in different scenarios. You've
talked about privacy versus security and that Congress should
play a role there but that the courts should decide whether or
not there's a security breach if there's a piece of technology
that breaks into a device and whether or not there's a concern
that that will be widely available. Yet the tension isn't
really between just privacy and security. It's between security
and security and protecting people's information. So how do
you--where do you think Congress plays a role versus the courts
when you've talked about both of them in your testimony today?
Mr. Comey. I think the courts have a job to, in particular
cases, interpret the laws that Congress has passed throughout
the history of this country to try and decide: The government
is seeking this relief; does that fit within the statute?
That's the courts' job, and they're very, very good at it.
The larger societal problem we have is this collision--that
I think you've said well--between privacy and security; very
difficult to solve it case by case by case. We have to ask
ourselves, how do we want to govern ourselves? If you are a
manufacturer of devices in the United States or you provide
communication services in the United States, what are our, as a
country, what are our expectations of you and demands of you?
It's hard for me to see that being worked out on a common law
basis, honestly, but it's going to be, because the issue is
joined every single day in our law enforcement work. If nobody
else gets involved, the courts will have to figure it out.
Ms. DelBene. This isn't just an issue of U.S. companies
alone, because clearly there's access to technology that could
be developed in other countries that we'll not have access to
and that's widely available today and people can use. But,
also, then it is important, we have laws that are centuries and
decades old that have not kept up with the way the world works
today, and so it is very important that Congress plays a role,
because if courts are going to be interpreting those laws and
those laws were written with no awareness of what's happening
today, then Congress needs to play a role of making sure we
have laws that are up-to-date and setting that standard so that
courts can then follow.
Thank you. I yield back, Mr. Chair.
Mr. Goodlatte. The Chair thanks the gentlewoman and
recognizes the gentleman from New York, Mr. Jeffries.
Mr. Jeffries. Thank you, Mr. Chairman.
And thank you, Mr. Comey, for your presence here today. And
as one of my colleagues mentioned, your candor and open
dialogue and communication is much appreciated, and it's not
always the case with high-level government witnesses and
others.
You testified today that you don't question Apple's motives
in connection with the San Bernardino case. Is that correct?
Mr. Comey. Correct.
Mr. Jeffries. And you also testified that there are no
demons in this conversation, true?
Mr. Comey. Correct. I hope not.
Mr. Jeffries. But the Department of Justice has questioned
the company's motives in defending the privacy of the American
people. Isn't that right?
Mr. Comey. I don't know that they've questioned their
motives, in the sense that attributed sort of that they're
acting with evil intent or something. I think they've--I
remember a filing the department said where they think a lot of
Apple's position has to do with its market power, which I,
frankly, is not an illegitimate motive.
Mr. Jeffries. In fact, in the motion to compel that you
referred to, I believe the prosecutor said that: ``Apple's
current refusal to comply with the court's order, despite the
technical feasibility of doing so, appears to be based on its
concern for its business model and public brand marketing
strategy.''
Is that the statement that you're referring to, sir?
Mr. Comey. Yeah. And I think that's--that's fair. I bet
that's accurate. Apple has a legal obligation--because I used
to be the general counsel of a public company--to maximize
shareholder value. They're a business, and so I would hope
that's part of their motivation. And it's not a bad thing if
it's entirely their motivation. Their job is not to worry about
public safety. That is our job, all of us in this room who work
for the government.
Mr. Jeffries. William Bratton is the police commissioner of
the New York City Police Department. Is that right?
Mr. Comey. Yes.
Mr. Jeffries. That's the largest department in the country?
Mr. Comey. Yes.
Mr. Jeffries. And he's one of the most respected law
enforcement professionals in the country. Would you agree with
that?
Mr. Comey. I agree with that very, very much.
Mr. Jeffries. Now, at a February 18 press conference in New
York City, publicly accused Apple of corporate
irresponsibility. Are you familiar with that remark, sir?
Mr. Comey. I'm not.
Mr. Jeffries. Okay. Do you agree with that strident
statement, that Apple is engaging in corporate
irresponsibility----
Mr. Comey. I'm----
Mr. Jeffries [continuing]. By vindicating its----
Mr. Comey. I don't know that Bill said that, but I'm not
going to characterize it that way. I don't think they're acting
irresponsibly. I think they're acting as a corporation in their
self-interest, which is the way--which is the engine of
innovation and enterprise in this country.
Mr. Jeffries. Fundamentally, as it relates to the position
of those of us who are on the Judiciary Committee, as well as
Members in the House and in the Senate, guardians of the
Constitution, this is not about marketing or corporate
irresponsibility, correct, this debate?
Mr. Comey. I hope not. I mean, I hope part of it is, and
that's a voice to listen to, but they sell phones. They don't
sell civil liberties. They don't sell public safety. That's our
business to worry about.
Mr. Jeffries. Right. But in terms of our perspective, this
is really about fundamental issues of importance as it relates
to who we are as a country, the Fourth Amendment of the United
States Constitution, the reasonableness of government
intrusion, the rule of law, the legitimate centuries-old
concern as it relates to government overreach and the damage
that that can do. This is fundamentally a big picture debate
about some things that are very important to who we are as a
country, correct?
Mr. Comey. I agree completely.
Mr. Jeffries. Okay. Now, in terms of the technology that's
available today, Americans seem to have the opportunity to
choose between privacy or unfettered access to data which can
reveal the far reaches of their life to a third party, to a
government, to a bad actor. Would you agree that there's an
opportunity that the technology is providing for Americans to
choose privacy?
Mr. Comey. I don't agree with that framing, because it
sounds like you're framing it as we either have privacy or we
have unfettered access by bad actors. I don't accept that
premise.
Mr. Jeffries. Okay. So let me ask a few questions. One of
the obstacles to unfettered access is the passcode, correct?
The passcode.
Mr. Comey. Yeah.
Mr. Jeffries. A four-number or a six-number passcode.
Mr. Comey. I naturally quibble because I'm a lawyer, but
I'm just stuck on ``unfettered''----
Mr. Jeffries. Okay.
Mr. Comey [continuing]. But one of the obstacles to access
to a device----
Mr. Jeffries. Let me drop ``unfettered.''
Mr. Comey. Okay.
Mr. Jeffries. The passcode is an obstacle, correct?
Mr. Comey. Correct. Correct.
Mr. Jeffries. Now, you can choose a passcode or choose not
to activate a passcode, correct?
Mr. Comey. I think that's right.
Mr. Jeffries. Okay. Now, whether you back up your system or
not is an issue as it relates to access, correct? In other
words, if you don't back up your system, you don't have access,
correct, to the cloud?
Mr. Comey. Yeah. I think if you don't back up your system
to the cloud, there's nothing in the cloud that could be
obtained by a warrant.
Mr. Jeffries. Right. Now, with respect to auto erase, that
is a choice that's being made. In other words, you have to
actually affirmatively choose auto erase. If you didn't choose
it, in this particular case or in any other case, eventually
your computer is powerful enough to get access to the data,
correct?
Mr. Comey. I think that's right for the 5C. I think that's
right. And folks from Apple could tell you better. I think for
the later models, it's not a choice, but I think it's a--I'm
reasonably confident it's a choice for the 5C.
Mr. Jeffries. My time has expired, but I think it's
important as we frame this debate to understand that it is
actually the American citizen that is choosing on at least
three different occasions in three different ways the value of
privacy, and that's something that we should respect as
Congress attempts to craft a solution.
Mr. Comey. Okay.
Mr. Goodlatte. The Chair thanks the gentleman and
recognizes the gentleman from Rhode Island, Mr. Cicilline, for
5 minutes.
Mr. Cicilline. Thank you, Mr. Chairman.
Thank you, Director Comey, for your service to our country.
Thank you for being here today and for the outstanding work of
the men and women at the FBI.
We all, of course, acknowledge the incredible horrors of
the San Bernardino attack, but I think, in many ways, what
we're struggling with, as Ms. DelBene said, not necessarily
security versus privacy, but security versus security. And the
real argument that the danger that exists for the misuse of
this new technology by foreign agents, by terrorists, by bad
actors, by criminals will actually make us less safe in the
long term. And while it might achieve your objective in the
short term in this particular case, that the implications in
terms of our own national security and personal security pose
greater dangers. I think that's what at least I'm struggling
with.
I appreciate you said this is the hardest question you've
confronted, because I think it is a hard one. But the first
thing I want to ask is, this is different, would you agree,
than all the examples that have been used about producing items
in your custody. This is a different kind of one, because it's
actually compelling a third party to produce and create
intellectual property which doesn't exist today.
Mr. Comey. I understand that to be Apple's argument. I
don't know enough about the other possible comparisons to give
you a thoughtful response, but, yes, I understand that.
Mr. Cicilline. But don't you think it's hard to even
imagine how a court ultimately enforces that, because you have
to sort of get into the head of the engineers to figure out did
they actually comply with what the government order is
directing them to create.
I mean, I'm not saying it's not something you're not
allowed to ask for, but it is different, it seems to me, than
simply asking people to produce that which they are in
possession of, custodians of.
Mr. Comey. I see that. I mean, I heard someone earlier say
there's a difference between a landlord who has a key in his
pocket and you say, ``You got to give us the key,'' and, ``You
don't have one. Go make one for that door.''
Mr. Cicilline. Well, this will be more than----
Mr. Comey. And the question for the judge is what's----
Mr. Cicilline. Not just go make one, because that knowing
how to make keys exists, but to develop a whole new technology
and intellectual property. So I just want--I raise that because
I think we have to acknowledge it's different and then decide
what to do with it.
Mr. Comey. Yeah.
Mr. Cicilline. But in addition to that, you said repeatedly
that the government doesn't have the ability to do this
already. And, as you know, there was a decision yesterday by
Magistrate Judge Orenstein--I'd ask unanimous consent that that
memorandum and order be made part of the record--in which he
actually----
Mr. Goodlatte. It already is part of the record.
Mr. Cicilline. Okay. Which he--and he goes through and says
the All Writs Act doesn't apply. CALEA prohibits this by
omission, and I think in a very clear way. But in addition to
that, he goes on to say that the government argued in an
unrelated case that the government actually has the ability to
do this, the Department of Homeland Security Investigations,
that they are in possession of technology that would allow its
forensic technicians to override the passcode security feature
on the subject iPhone and obtain the data.
So I think this is a very important question for me. If, in
fact--is it in fact the case that the government doesn't have
the ability, including the Department of Homeland Security
Investigations, and all of the other intelligence agencies to
do what it is that you claim is necessary to access this
information?
Mr. Comey. Yes.
Mr. Cicilline. Because it is very--the answer's yes?
Mr. Comey. That is correct. And I don't know. I think--I
could be wrong, but I think the phone in the case from Brooklyn
is different, maybe both the model and the IOS, the operating
system is different, but for this--I can tell you, and, again,
people know the sound of my voice--if you've got an idea, let
us know, but 5C IOS 9, we do not have that capability----
Mr. Cicilline. Okay.
Mr. Comey [continuing]. Again, to disable. The problem is
we can get into that phone with our computing power if they
take off the auto-erase and the delay-between-guesses function.
We will get into that phone.
Mr. Cicilline. So do you agree, Director Comey, that if
there is authority to be given to do what you're asking, that
that authority has to come from Congress?
Mr. Comey. No, I don't agree with that.
Mr. Cicilline. So where do you think the authority comes
from?
Mr. Comey. Well, the government's already asked the court
and made the argument under the court that the All Writs Act
vests in the judiciary the ability to order this relief. That's
what the court case is going to be about.
Mr. Cicilline. So if the ruling made yesterday remains,
which rejects the notion that the All Writs Act applies and
that CALEA, in fact, is congressional intention on this, and
the fact that we didn't act on it means you have authorization
has not been provided, then would you agree that Congress is
the only place that can authorize this, and if so, what would
you recommend we do? What would that look like as we grapple
with this question? Because I can tell you, for me, having read
that, I think CALEA is clear; it doesn't authorize it. It's
clear the All Writs Act doesn't. So if there is to be
authority, assuming we decide that there should be, it seems it
must come from Congress. As the Director of the FBI, what do
you think that would--what would your recommendation be that
would respond to what you see as your needs but also the
national security interests of our country?
Mr. Comey. Yeah. I'm not prepared to make a recommendation,
but I think I get your question now. If the judges are right
you that can't use the All Writs Act for this relief, what
should Congress do to grant the relief? And I'm not prepared to
tell you specifically what to do. I do think it's something
that Congress is going to have to wrestle with.
Mr. Cicilline. Thank you. I yield back. Thank you, Mr.
Chairman.
Thank you, Director.
Mr. Goodlatte. The Chair would ask unanimous consent that
letters from the E1 deg.Computer Communications
Industry Association, dated February 29; a
E2 deg.statement for the record from Reynaldo Tariche,
President of the FBI Agents Association; and a
E3 deg.letter, dated February 29, from the American
Civil Liberties Union all be made a part of the record.
[The information referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Goodlatte. Director Comey, you've given us 3 hour--oh,
I'm sorry. I'm jumping the gun here.
The gentleman from California, Mr. Peters, is recognized
for 5 minutes.
Mr. Peters. Director Comey--I want to, first of all, thank
you, Mr. Chairman. I want to thank you for being here. I wanted
to just conclude by saying that I did hear very--did listen
carefully to your opening statement. I thought it was very
constructive. I think you appreciate the two objectives we have
here, which is to both preserve privacy and to deal with San
Bernardino. You've heard the comment: hard cases make bad law.
They're still hard cases, and the problem we see in terrorism
now is the onesies and the twosies. And the notion that we
would have invulnerable communications, I think, is something
that we should all be concerned about.
I hope that you and the panel to follow you will all be
part of a constructive discussion to figure out a way to serve
both objectives and that the lines won't be too hard drawn on
either side so we can do that.
And I appreciate, Mr. Chairman, the chance to thank
Director Comey for being here, and look forward to the next
panel.
Mr. Comey. Thank you.
Mr. Peters. Yield back.
Mr. Goodlatte. The Chair thanks the gentleman.
Director, you've donated 3 hours of your time to our
efforts today, or more, I'm sure, in getting ready, so we thank
you very much for your participation and for answering a
multitude of questions. And we are looking for answers, so if
you have more to add to the record later, we would welcome that
as well. Thank you very much.
Mr. Comey. Thank you, sir.
Mr. Issa. Mr. Chairman, would you entertain a unanimous
consent while we're changing panels?
Mr. Goodlatte. I would.
Mr. Issa. Then I would ask unanimous consent that a letter
I received late yesterday from a constituent in the technology
business concerning this case be placed in the record. This is
Emily Hirsch.
Mr. Goodlatte. Without objection, that will be made a part
of the record.*
---------------------------------------------------------------------------
*Note: The material referred to was not available at the time this
hearing record was finalized and submitted for printing on August 5,
2016.
---------------------------------------------------------------------------
Mr. Issa. Thank you.
Mr. Goodlatte. We ask the witnesses on the second panel to
please come forward and be seated.
And now that Mr. Sewell has been afforded similar attention
to the attention previously accorded to Director Comey, I'd ask
that the press move back so we can begin the second panel.
Ms. Lofgren. Mr. Chairman, I would not assume it was not
directed to Ms. Landau, this photography.
Mr. Goodlatte. Thank you.
We welcome our distinguished witnesses for today's second
panel. And if you would all please rise, I'll begin by swearing
you in.
Do you and each of you swear that the testimony that you
are about to give shall be the truth, the whole truth, and
nothing but the truth, so help you God?
Thank you very much. Let the record reflect that all of the
witnesses responded in the affirmative. And I will now
introduce the witnesses.
Bruce Sewell is senior vice president and general counsel
of Apple. Mr. Sewell serves on Apple's legal team and oversees
all legal matters, including global security and privacy. Prior
to joining Apple, Mr. Sewell was deputy general counsel and
vice president of Intel Corporation. He received his bachelor's
degree from the University of Lancaster, and a J.D. From George
Washington University.
Dr. Susan Landau is professor of cybersecurity policy at
Worcester Polytechnic Institute. Originally trained as a
theoretical computer scientist, Dr. Landau is an expert in
cryptographic applications. Within cybersecurity policy, her
work focuses specifically on communications surveillance
issues. Dr. Landau earned a bachelor's degree from Princeton
University, a master's from Cornell University, and a Ph.D.
From the Massachusetts Institute of Technology.
Our final witness, Mr. Cyrus Vance, Jr., is the district
attorney of New York County. Mr. Vance is currently serving his
second term as district attorney after being reelected in 2013.
He also serves as co-chair of the New York State Permanent
Commission on Sentencing. Previously, Mr. Vance worked in
private practice and taught at Seattle University School of
Law. He's a graduate of Yale University and the Georgetown
University Law Center.
All of your written statements will be entered into the
record in their entirety. And we ask that each of you summarize
your testimony in 5 minutes or less. To help you stay within
that time, there's a timing light on the table. When the light
switches from green to yellow, you have 1 minute to conclude
your testimony. When the light turns red, that's it; your time
is up.
And we'll begin with you, Mr. Sewell. Welcome.
TESTIMONY OF BRUCE SEWELL, SENIOR VICE PRESIDENT AND GENERAL
COUNSEL, APPLE, INC.
Mr. Sewell. Thank you very much, Mr. Chairman. Thank you
Members of the Committee and Ranking Member.
Mr. Goodlatte. Make sure that microphone is on and pulled
close.
Mr. Sewell. Thank you for that technology hint.
Thank you, Mr. Chairman. It's my pleasure to appear before
you and the Committee today on behalf of Apple. We appreciate
your invitation and the opportunity to be part of the
discussion of this important issue, which centers on the civil
liberties that are at the foundation of our country.
I want to repeat something that we've said since the
beginning, that the victims and the families of the San
Bernardino attacks have our deepest sympathies. We strongly
agree that justice should be served. And Apple has no sympathy
for terrorists.
We have the utmost respect for law enforcement and share
their goal of creating a safer world. We have a team of
dedicated professionals that are on call 24 hours a day, 7 days
a week, 365 days a year, to assist law enforcement.
When the FBI came to us in the immediate aftermath of the
San Bernardino attacks, we gave them all the information we had
related to their investigation. And we went beyond that by
making Apple engineers available to advise the FBI on a number
of investigative alternatives, but now we find ourselves at the
center of a very extraordinary circumstance.
The FBI has asked the court to order us to give them
something that we don't have, to create an operating system
that does not exist. The reason it doesn't exist is because it
would be too dangerous. They are asking for a backdoor into the
iPhone: specifically, to build a software tool that can break
the encryption system which protects personal information on
every iPhone.
As we have told them and as we have told the American
public, building that software tool would not affect just one
iPhone. It would weaken the security for all of them. In fact,
just last week, Director Comey agreed, and I think we heard the
same here today, that the FBI would likely use this as
precedent for other cases involving other phones. We've heard
from District Attorney Vance, who's also said that he
absolutely plans to use this tool on over 175 phones that he
has in his possession. We can all agree this is not about
access to one iPhone.
The FBI is asking Apple to weaken the security of our
products. Hackers and cybercriminals could use this to wreak
havoc on our privacy and personal safety. It would set a
dangerous precedent for government intrusion into the privacy
and safety of its citizens.
Hundreds of millions of law-abiding citizens trust Apple's
products with the most intimate details of their daily lives:
photos, private conversations, health data, financial accounts,
and information about a user's location, and the location of
that user's family and friends.
Some of you may have an iPhone in your pocket right now.
And if you think about it, there's probably more information
stored on that device than a thief could steal by breaking into
your house. The only way we know to protect that data is
through strong encryption.
Every day, over a trillion transactions occur safely over
the Internet as the result of encrypted communications. These
range from online banking and credit card transactions to the
exchange of healthcare records, ideas that will change the
world for the better, and communications between loved ones.
The U.S. Government has spent tens of millions of dollars
through the Open Technology Fund and other U.S. Government
programs to fund strong encryption. The Review Group on
Intelligence and Communications Technology, convened by
President Obama, urged the U.S. Government to fully support and
not in any way subvert, weaken, or make vulnerable generally
available commercial software.
Encryption is a good thing. We need it to keep people safe.
We have been using it in our products for over a decade. As
attacks on our customers' data become more sophisticated, the
tools we need to use to defend against them need to get
stronger too. Weakening encryption would only hurt consumers
and well-meaning users who rely on companies like Apple to
protect their personal information.
Today's hearing is entitled ``Balancing America's Security
and Privacy.'' We believe we can and we must have both.
Protecting our data with encryption and other methods preserves
our privacy and keeps people safe.
The American people deserve an honest conversation around
the important questions stemming from the FBI's current demand.
Do we want to put a limit on the technology that protects our
data and, therefore, our privacy and safety in the face of
increasingly sophisticated cyber attacks? Should the FBI be
allowed to stop Apple or any company from offering the American
people the safest and most secure products it can make? Should
the FBI have the right to compel a company to produce a product
it doesn't already make to the FBI's exact specifications and
for the FBI's use?
We believe that each of these questions deserves a healthy
discussion, and any decision should only be made after a
thoughtful and honest consideration of the facts. Most
importantly, the decision should be made by you and your
colleagues as Representatives of the people rather than through
warrant requests based on a 220-year-old statute. As Judge
Orenstein concluded yesterday, granting the FBI's request would
thoroughly undermine fundamental principles of the
Constitution.
At Apple, we are ready to have this conversation. The
feedback and support we're hearing indicate to us that the
American people are too. We feel strongly that our customers,
their families, their friends, and their neighbors will be
better protected from thieves and terrorists if we can offer
the best protections for their data; at the same time, our
freedoms and liberties we all cherish will be more secure.
Thank you for your time, and I look forward to your
questions.
[The prepared statement of Mr. Sewell follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Goodlatte. Thank you, Mr. Sewell.
Ms. Landau, welcome.
TESTIMONY OF SUSAN LANDAU, Ph.D., PROFESSOR OF CYBERSECURITY
POLICY, WORCESTER
Ms. Landau. Thank you. Mr. Chairman and Members of the
Committee, thank you very much for the opportunity to testify
today.
The FBI has pitched this battle as one of security versus
privacy, but as a number of the Members have already observed,
it's really about security versus security. We have a national
security threat going on, and we haven't solved the problem at
all. What have smartphones got to do with it? Absolutely
everything. Smartphones hold our photos and music, our notes
and calendars, much of that information sensitive, especially
the photos.
Smartphones are increasingly wallets, and they give us
access to all sorts of accounts, bank accounts, Dropbox, and so
on. Many people store proprietary business information on their
smartphones--their personal smartphones--even though they know
they shouldn't.
Now, NSA will tell you that stealing login credentials is
the most effective way into a system. In fact, Rob Joyce of the
Tailored Access Operation said so in a public talk a month ago.
Here's where smartphones are extremely important. They are
poised to become authenticators to a wide variety of systems--
services. In fact, they're already being used that way,
including at some high-placed government agencies.
Now, District Attorney Vance will tell you that law--has
said that large scale data breaches have nothing to do with
smartphone encryption, but that's not true. Look at today's New
York Times, where there's a story about the attack on the
Ukrainian power grid. How did it start? It started by the theft
of login credentials of system operators. We've got to solve
the login authentication problem, and smartphones are actually
our best way forward to do it, but not if it's easy to get into
the data of the smartphones.
Now, the Committee has already observed that there are many
phones that will go through the process of being unlocked, not
just the one in San Bernardino. And what that means for Apple
is that it's going to have to develop a routine to do so.
Now, what happens when you have--when you sign a piece of
code to update a phone and you're signing a piece of code
that's an operating system or firm where you do it once--you do
it occasionally. It's a whole ritual, and there are very senior
people involved. But if you're dealing with phones that are
daily being updated in order to solve law enforcement cases,
then what happens is you develop a routine. You get a Web page,
you get a low level employee to supervise it, and then it
becomes a process that's easy to subvert. I have lots of
respect for Apple's security, but not when it becomes a routine
process to build an update for a phone. And what will happen is
organized crime or a nation-state will do so using an update to
then hack into a phone, maybe the phone of the Secretary or the
chief of the Federal Reserve, maybe a phone of an HVAC employee
who's going to go service a powerplant. What we're going to do
is decrease our security. That's the security risk that's
coming from the requests.
Now, I get that law enforcement wants data protection that
allows them access under legal authorization, but an NSA
colleague once remarked to me that, while his agency had the
right to break into certain systems, no one ever guaranteed
that that right would be easy to do so.
The problem is when you build a way in for someone who
isn't the owner to get at the data, well, you've built a way in
for somebody else to get in as well.
Let me go to CALEA for a moment. CALEA is a security
nightmare. I know that Congress didn't intend it that way, but
that's what it is. If you ask the signals intelligence people,
they will tell you: there are many ways for nefarious sorts to
take advantage of the opening offered by law enforcement.
Instead of embracing the communications and device security
we so badly need, law enforcement has been pressing to preserve
20th century investigative techniques; meanwhile, our enemies
are using 21st century technologies against us.
The FBI needs to take a page from the NSA. You may recall
that, in the late 1990's, the NSA was complaining it was going
deaf from encrypted calls. Well, they've obviously improved
their technology a great deal. According to Mike McConnell,
from that time until now, NSA has had better SIGINT than any
time in history.
What we need is law enforcement to develop 21st century
capabilities for conducting electronic surveillance. Now, the
FBI already has some excellent people and expertise, but FBI
investment and capacity is not at the scale and level
necessary. Rather than asking industry to weaken protections,
law enforcement must instead development the capability for
conducting sophisticated investigations themselves. Congress
can help. The FBI needs an investigative center with agents
with deep technical understanding of modern telecommunications
technology and also, because all phones are computers, modern
computer--deep expertise in computer science. There will need
to be teams of researchers who understand various types of
fielded devices. They'll need to know where technology is and
where it will be in 6 months and where it will be in 2 to 5
years, communications technology in 2 to 5 years, so that they
can develop the surveillance technologies themselves.
Expertise need not be in-house. The FBI could pursue a
solution where they develop some of their own expertise and
closely managed contractors to do some of the work, but however
the Bureau pursues a solution, it must develop modern, state-
of-the-art capabilities. It must do rather than trying to get
industry to weaken security.
Your job is to help the FBI build such capabilities,
determine the most efficient and effective way that such
capabilities could be utilized by State and local law
enforcement, for they don't have the resources to develop that
themselves and to also fund that capabilities. That's the way
forward that does not put our national security at risk. It
enables law enforcement investigations while encouraging
industry to do all it can do to develop better, more effective
technologies for securing data and devices. That is a win-win
and where we should be going. Thank you.
[The prepared statement of Ms. Landau follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Goodlatte. Thank you, Ms. Landau.
Mr. Vance, welcome.
TESTIMONY OF CYRUS R. VANCE, JR., DISTRICT ATTORNEY, NEW YORK
COUNTY
Mr. Vance. Thank you. Good afternoon, Chairman Goodlatte,
Ranking Member Conyers, and Members of the House Judiciary
Committee. Thank you so much for allowing me to participate
today. I'm testifying as a district attorney but on behalf of
the National District Attorneys Association. And I'm very
grateful for you giving us the opportunity to be here, because
much of the discussion in the prior panel and in the comments
by the other speakers here has been about the Federal
Government and about the issue of security and cybercrime in
the Federal context. But it's important, I think, for all of us
to recognize that State and local law enforcement agencies
handle 95 percent of the criminal cases each year around the
country. So we have a very deep interest in the subject matter
of this hearing today, and thank you for letting us
participate.
Apple and Google's decision to engineer their mobile
devices to, in essence, be warrant-proof has had a real effect
on the traditional balance of public safety versus privacy
under our Fourth Amendment jurisprudence. And I agree with the
comments. I think of everyone here, including the many Members
of the House, that we really need Congress to help solve this
problem for us, and it's why it's so important that you're
undertaking this effort. But I think in looking at this issue,
there are some basic facts from the State law perspective that
really are very important in this debate but are not in
dispute.
And, number one, as Tim Cook said in his open letter to his
customers of Apple of February 16 of this year: Smartphones,
led by iPhone, have become an essential part of our lives.
Nothing could be more true. We are all using our cell phones
for every aspect of our lives.
Number two, is that smartphones are also essential to
criminals. Our office investigates and prosecutes a huge
variety of cases, from homicide to sex crimes, from
international financial crime, and including terrorism cases,
and criminals in each of those cases use smartphones to share
information, to plan and to commit crimes, whether it's through
text messages, photographs, or videos.
Number three, criminals know that the iOS 8 operating
system is warrant-proof. Criminals understand that this new
operating system provides them with the cloak of secrecy, and
they are, ladies and gentlemen, quite literally laughing at us.
And they are astounded that they have a means of communication
totally secure from government reach. And I don't ask you to
take my word for it. In one lawfully recorded phone
conversation from Rikers Island in New York, an inmate, talking
about the iOS 8 default device encryption, called it, and I'm
quoting, ``a gift from God.''
Number four, the encryption Apple provided on its mobile
devices prior to iOS 8, that is before October 2014, was
represented to be both secure for its customers and,
importantly, was amenable to court-authorized searches. We know
this because Apple told us this. Apple characterized its iOS 7
operating system as the ultimate in privacy. It touted its
proven encryption methods and assured its users that iOS 7
could be used with confidence in any personal or corporate
environment. During the time when iOS 7 was the operating
system, Apple also acknowledged, and I think importantly, its
responsibility to help, again in Apple's own words, ``police
investigating robberies and other crimes, searching for missing
children, trying to locate a patient with Alzheimer's disease,
or hoping to prevent a suicide.'' So Apple's experience, I
believe, with iOS 7 demonstrated that strong encryption and
compliance with court orders are not mutually exclusive.
A default device encryption has had a profound impact on my
office and others like it. In November of 2015, my office
published a white paper on public safety and encryption, and at
that time, there were 111 iPhones from which we were locked
out, having obtained search warrants for those devices. Now,
2\1/2\ months later, when we submitted our written testimony
for this Committee, the number was 175. Today, it is 205, which
represents more than one out of four of the approximately 700
Apple devices that have been analyzed by our office's own cyber
lab since the introduction of iOS 8.
And, of course, that problem isn't just in Manhattan.
Prosecutors in Houston have been locked out of more than 100
iPhones last year, 46 in Connecticut, 36 in Chicago since
January, and those are just a few of the thousands of phones
taken into evidence each year around the country.
So centuries of jurisprudence that have been talked about
today have held that no item, not a home, a file cabinet, a
safe, or even a smartphone, is beyond the reach of a court-
ordered search warrant. But the warrant-proof encryption today
gives two very large companies, we believe, functional control
over the path to justice for victims of crime, including who
could be prosecuted and, importantly, who may be exonerated.
So our point, Mr. Chairman, is that we believe this line
being drawn between public safety and privacy is extremely
important. It's affecting our lives. It's affecting our
constituents' lives. And we believe that you should be drawing
it, and we ask you to address this problem quickly. Time is not
a luxury for State and local law enforcement, crime victims, or
communities can afford. Our laws require speedy trials.
Criminals have to be held accountable. And victims are, as we
speak and we know in this audience, asking for justice.
[The prepared statement of Mr. Vance follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Goodlatte. Thank you, Mr. Vance.
We'll now proceed with questioning of the witnesses under
the 5-minute rule, and I'll begin by recognizing myself.
Mr. Sewell, Director Comey created a dichotomy between this
being a technology problem or a business model problem, and
said that Apple was addressing this as a business model
problem. Is that a fair contrast, or is this something else?
Mr. Sewell. It's by no means a fair contrast, Mr. Chairman.
I've heard this raised before. It was raised in New York. It's
been raised in San Bernardino, and every time I hear this, my
blood boils.
This is not a marketing issue. That's a way of demeaning
the other side of the argument. We don't put up billboards that
talk about our security. We don't take out ads that market our
encryption.
We're doing this because we think that protecting the
security and the privacy of hundreds of millions of iPhone
users is the right thing to do. That's the reason that we're
doing this. And to say that it's a marketing ploy or that it's
somehow about PR really, really diminishes what should be a
very serious conversation involving this Congress, the
stakeholders, the American people.
Just with respect to the New York case, Judge Orenstein
last night took on this issue head-on, and he said, in footnote
14 on page 40, he said: I reject the government's claim. I find
Apple's activities and the position that they are taking
conscientious and not with respect to PR or marketing.
Mr. Goodlatte. Director Comey and Mr. Vance seem to suggest
that the security provided by encryption on prior devices is
fine, but advancing encryption technology is a problem. What do
you think about that?
Mr. Sewell. So it's important to understand that we haven't
started on a path of changing our technology. We haven't
suddenly come to the notion that encryption security and
privacy are important.
At Apple, this began back in 2009 with our encryption of
FaceTime and iMessage. We've been on a path from generation to
generation as the software and the hardware allow us to provide
greater security and greater safety and privacy to our
customers.
What happened between iOS 7 and iOS 8 was that we were able
to transform the encryption algorithm that is used within the
software and the hardware of the phone to provide a more secure
solution.
Mr. Goodlatte. We are moving to end-to-end encryption on
many devices and apps, not just Apple iPhones. Why is that
happening?
Mr. Sewell. I think it's a combination of things. From our
perspective at Apple, it's because we see ourselves as being in
an arms race, in an arms race with criminals, cyberterrorists,
hackers. We're trying to provide a safe and secure place for
the users of our devices to be assured that their information
cannot be accessed, cannot be hacked or stolen. So, from our
perspective, end-to-end encryption move is an effort to improve
the safety and security of our phones. From the terrorist's
perspective, I think it's an effort to communicate in ways that
cannot be detected, but the terrorists are doing this
independently of the issues that we're discussing here today.
Mr. Goodlatte. Now, if the FBI succeeds in getting the
order that is in dispute that Apple has appealed to a final
resolution, however long that takes, and they then get Apple to
develop this device that will allow the 10 times and your--by
the way, all of us here, we can't turn that off, so----
Mr. Sewell. Well, we could show you how to do that.
Mr. Goodlatte. Well, but inside our firewall here, we can't
do that. So we understand the reason, but that creates a
separate vulnerability, does it not, for people whose device
falls in someone else's hands, they could willfully try 10
times and erase what hasn't been backed up on the device.
But be that as it may, if they were to get you to develop
that code and to apply it and then to crack the four-digit code
to get into the device, once they get in there, they could find
all kinds of other restrictions that Apple has no control over,
right, with regard to apps that are on the phone, with regard
to various other communications features that the consumer may
have chosen to put on there? Is that correct?
Mr. Sewell. That's absolutely right, Mr. Chairman. One of
the most pernicious apps that we see in the terrorist space is
something called Telegraph. Telegraph is an app that can reside
on any phone. It has nothing to do with Apple. It can be loaded
either over the Internet or it could be loaded outside of the
country. And this is a method of providing absolutely
uncrackable communications.
If what happens here is that Apple is forced to write a new
operating system, to degrade the safety and security in phones
belonging to tens or hundreds of millions of innocent people,
it will weaken our safety and security, but it will not affect
the terrorists in the least.
Mr. Goodlatte. Thank you very much.
My time has expired.
The gentleman from Michigan, Mr. Conyers, is recognized for
5 minutes.
Mr. Conyers. Thank you, Mr. Chairman.
And welcome to the witnesses.
Let me start off with Professor Landau. Director Comey has
just testified that until the invention of the smartphone,
there was no closet, no room, or basement in America that the
FBI couldn't enter. Did encryption exist before the invention
of the iPhone?
Ms. Landau. Encryption has existed--for centuries. And, in
particular, there have been fights over encryption and the use
of encryption in the 1970's about publication; in the 1980's
about whether NIST or the NSA would control the development of
encryption for nonnational security agencies; in the 1990's
about whether there would be export controls on devices with
strong encryption. The White House changed those rules in 2000.
We expected to see widespread use of strong encryption on
devices and on applications, and the technologists' response to
Apple is: What took you guys so long? How, in the face of all
the cybersecurity problems that we've had, did it take industry
so very long to do this?
Well, as our technical expert, let me ask you this: Is
there any functional difference between asking Apple to break
its own encryption, and what the FBI has demanded in
California?
Ms. Landau. I'm sorry. Asking Apple to break--I don't quite
understand the question.
Mr. Conyers. All right.
Ms. Landau. What Apple is being asked to do is to subvert
the security controls and go around. So it's not breaking the
encryption, but it's subverting its own security controls.
Mr. Conyers. Right.
Ms. Landau. And is there any functional difference between
that and----
Mr. Conyers. And what the FBI has demanded in California.
Ms. Landau. What it's demanded in California is that Apple
subvert its own security controls.
Mr. Conyers. Uh-huh. Let me ask Mr. Bruce Sewell the same
question: What is the functional difference between ordering
Apple to break its encryption, and ordering Apple to bypass its
security so the FBI can break the encryption?
Mr. Sewell. Thank you, Ranking Member.
Functionally, there is no difference. What we're talking
about is an operating system in which the passcode is an
inherent and integrated part of the encryption algorithm. If
you can get access to the passcode, it will affect the
decryption process itself.
What we're being asked to do in California is to develop a
tool, a tool which does not exist at this time, that would
facilitate and enable the FBI, in a very simple process, to
obtain access to the passcode. That passcode is the
cryptographic key. So essentially, we are throwing open the
doors, and we are allowing the very act of decryption to take
place.
Mr. Conyers. I was hoping you'd go in that direction. Let
me ask you this: There has been a suggestion that Apple is
working against law enforcement, and that you no longer respond
to legal process when investigators need your assistance. Is
that accurate?
Mr. Sewell. It's absolutely false. As I said in my opening
statement, we care deeply about the same motivations that
motivate law enforcement. The relationship with law enforcement
falls within my shop at Apple. The people that we have who
assist law enforcement every day are part of my team, and I'm
incredibly proud of the work they do.
We have dedicated individuals who are available around the
clock to participate instantly when we get a call. As we've
discussed a little bit earlier in Director Comey's testimony--
--
Mr. Conyers. I want to squeeze in one more question before
my time runs out.
Mr. Sewell. All right. I'll try to be very quick. We do
everything we can to assist law enforcement, and we have a
dedicated team of people who are available 24/7 to do that.
Mr. Conyers. Why is Apple taking this stand? What exactly
is at stake in the San Bernardino case?
Mr. Sewell. This is not about the San Bernardino case. This
is about the safety and security of every iPhone that is in use
today.
And I'd like to address one thing that Director Comey
raised. This is--there's no distinction between a 5C and a 6 in
this context. The tool that we're being asked to create will
work on any iPhone that is in use today. It is extensible; it
is common; the principles are the same. So the notion that this
is somehow only about opening one lock or that there's some
category of locks that can't be opened with the tool that they
are asking us to create is a misnomer. It's something that we
needed to clarify.
Mr. Conyers. Thank you for your responses.
Mr. Goodlatte. The Chair recognizes the gentleman from
Wisconsin, Mr. Sensenbrenner, for 5 minutes.
Mr. Sensenbrenner. Thank you very much.
Mr. Sewell, I think you know that I have been one of the
privacy hawks on this Committee. And the whole debate over the
USA FREEDOM Act was whether the NSA should go to court and get
some type of an order or a warrant specifically naming the
person or persons whose data is requested. And here, the FBI,
you know, has done that.
Now, in your prepared testimony, you said the questions
about encryption should be decided by Congress rather than
through a warrant based on a 220-year-old statute. I point out
that the Bill of Rights is about the same age. Now, the FBI's
attempting to enforce a lawful court order. Apple has every
right to challenge that order, as you have done. But why is
Congress and not the courts the best venue to decide this
issue?
Mr. Sewell. Congressman, I think that, ultimately, Congress
must decide this issue. So I'm completely in support of the
position that you're articulating.
I think we find ourselves in an odd situation in a court in
California, because the FBI chose to pursue, in an ex parte
fashion, a warrant that would compel Apple to do something. We
view that not as an extension of the debate, not as a way to
resolve this issue; we view that as a way to cut off the
debate. If the court were to grant the relief that the FBI is
seeking, we would be forced to do the very thing which we think
is at issue and should be decided by the American people. We'd
be forced to create the tool.
Mr. Sensenbrenner. Okay. Now, what's your proposed
legislative response? Do you have a bill for us to consider?
Mr. Sewell. I do not have a bill for you to consider.
Mr. Sensenbrenner. Okay. Thank you. That answers that.
Now, the FBI has provided some fairly specific policy
proposals to ensure that law enforcement can access encrypted
data with a warrant. What policy proposal would Apple support?
You don't like what the FBI said. What's your specific
response?
Mr. Sewell. What we're asking for, Congressman, is a debate
on this. I don't have a proposal. I don't have a solution for
it. But what I think we need to do is to give this an
appropriate and fair hearing at this body, which exists to
convene and deliberate and decide issues of legislative
importance.
We think that the problem here is we need to get the right
stakeholders in the room. This is not a security-versus-privacy
issue. This is a security-versus-security issue, and that
balance should be struck, we think, by the Congress.
Mr. Sensenbrenner. Well, you know, let me make this
observation, you know, having dealt with the fallout of the
Snowden revelations and the drafting and garnering support of
USA FREEDOM Act. I can tell you, I don't think you're going to
like what comes out of Congress.
Mr. Sewell. Congress, we will follow the law that comes out
of this process. We certainly understand.
Mr. Sensenbrenner. Okay. Well, the thing is, I don't
understand. You don't like what's being done with the lawfully-
issued warrant. And most warrants are issued on an ex parte
basis, where law enforcement submits an affidavit before a
magistrate or a judge, and the judge determines whether the
allegations of the affidavit are sufficient for the warrant to
issue.
Now, you're operating in a vacuum. You've told us what you
don't like. You said that Congress ought to debate and pass
legislation. You haven't told us one thing about what you do
like. What are we going to hear what you do like so that Apple
has a positive solution to what you are complaining about? You
said it's Congress' job to do it. Now, we won't shirk from
that. This hearing, you know, is a part of this debate. The FBI
has provided some policy suggestions on that. You haven't said
what Apple will support. So all you've been doing is saying,
no, no, no, no.
Now, our job in Congress, honestly, you know, as we did
with the FREEDOM Act, and as we are doing with the Electronic
Communications Privacy Act update, is to balance our belief
that there should be privacy for people who are not guilty or
suspected of terrorist activity, and that there should be
judicial process, which there has been, in this case.
And, you know, I guess that while your position is because
you don't have anything positive, you know, is to simply leave
us to our own devices. Well, we'll be very happy to do that,
but I can guarantee you, you aren't going to like the result.
I yield back.
Mr. Sewell. Congressman, I do think we have said what we
stand for and what we believe is the positive place.
Mr. Sensenbrenner. No. You know, the thing is you've asked
Congress to do something, and I asked you what Congress should
do. You said we have nothing. Then I said the FBI has provided
specific policy proposals to ensure law enforcement is able to
get this information.
Now, here we're talking about the iPhone of a dead
terrorist that was not owned by the terrorist, but was owned by
San Bernardino County. Now, you know, the thing is is that I
don't have a government iPhone. I have my own iPhone, which I
use extensively. But the terrorist had, you know, a government
iPhone which belonged to the government. I think the
government, San Bernardino County specifically, would like to
get to the bottom of this, and you're resisting it.
I said my peace.
Mr. Goodlatte. Time of the gentleman has expired.
The gentleman from New York, Mr. Nadler, is recognized for
5 minutes.
Mr. Nadler. Thank you, Mr. Chairman.
Let me begin by welcoming my constituent and the great
district attorney of New York County, Cy Vance, by saying that
I appreciate his enlightenment of the district attorney's views
of this dilemma that we all face.
Let me also suggest, in answer to Mr. Sensenbrenner's
questions, that I assume that Apple may have legislative
suggestions for us after the courts come out with their
determinations, and Apple decides they like the determinations
or they don't like the determinations, at which point Apple,
and a lot of other people in institutions, I assume, will
decide on specific legislative proposals. And it may very well
be that this Congress will wait to see what the courts do, but
we will see.
Let me begin my questions. District Attorney Vance,
Director Comey suggested earlier today that the relief sought
by the FBI is limited to this one device, running this
particular operating software in this one case. Now, I gather
that you've mentioned you have over 200 phones faced with a
similar problem----
Mr. Vance. Yes.
Mr. Nadler [continuing]. That you don't really think that
this case will be limited to the one device; that, obviously,
it's going to set a precedent, maybe not the only precedent,
for a large class of devices, including the ones that you're
interested in.
Mr. Vance. There may well be an overlap between action in
Federal court where the FBI is in litigation and in State
court. I do believe that what we should be seeking,
collectively, is not a phone-by-phone-by-phone solution to
accessing devices and the contents when there's probable cause;
we should be creating a framework in which there are standards
that are required to--for a court to authorize access to a
device and that it's not based upon litigation as to whether
you can get into a West Coast phone or an East Coast phone.
Mr. Nadler. Well, I assume that, eventually, either the
courts will set one standard, or Congress will have to consider
it.
Mr. Vance. Right. Yes.
Mr. Nadler. Professor Landau, several of your colleagues
recently published the results of a survey of over--and this is
similar to a question I asked Director Comey. Several of your
colleagues recently published results of a survey of over 600
encryption products that are available online. More than 400 of
these products are open sourced and made or owned by foreign
entities.
If Congress would have passed a law, or for that matter, if
the courts were to impose a requirement, that forcing U.S.
companies to provide--forcing U.S. companies to provide law
enforcement with access to encrypted systems, would that law
stop bad actors from using encryption from open sources or
foreign sources?
Ms. Landau. Absolutely not. Absolutely not. And what
Apple's product does is it makes encryption easy by default.
And so it means, as I said, the secretary to the Chair of the
Federal Reserve, the HVAC employee, the chief of staff in your
office--of course, your office should be protected anyway, but
the regular person using a phone has the phone secured.
If Congress were to pass a law prohibiting use of
encryption on Apple phones or however--you know, you wouldn't
say it just for Apple, what it would do is it would weaken us,
but not change it for the bad guys.
Mr. Nadler. And if someone purchased a phone from a foreign
company, it could have the encryption that we prohibited an
American company from creating?
Ms. Landau. That's--if someone purchased a foreign phone,
somebody can just download the app from abroad. They don't have
to buy a foreign phone. They can just download the app from
anywhere.
Mr. Nadler. And let's assume that Congress decided to
prohibit purchase of foreign encryption systems. Is there any
practical way we can enforce that?
Ms. Landau. No. I mean, you would have to start inspecting
so much as it comes over the Internet that it becomes an
intrusive----
Mr. Nadler. So what you're saying is that we are really
debating something that's undoable?
Ms. Landau. That's right. And we were there 20 years ago,
which the open-source issue was part of the reason for the U.S.
Government's change in export controls, which is part of what
enabled----
Mr. Nadler. Okay. Let me ask two very quick questions
before my time runs outs.
Mr. Sewell, the Eastern District Court yesterday, in its
ruling that has been referred to, cited no limiting principle
to the legal theory behind the FBI's request as a reason to
deny the order. Is there a limiting principle in the San
Bernardino case?
Mr. Sewell. Absolutely none, Congressman.
Mr. Nadler. None. So it can be expanded indefinitely.
And finally, Mr. Sewell, your brief, Apple's brief to the
court lays out several constitutional concerns. There's
computer code speech as protected under the First Amendment.
What are the First and Fifth Amendment--well, let me just ask,
what are the First and Fifth Amendment questions does this case
raise? We've been talking about statute, but let's ask about
First and Fifth Amendment questions.
Mr. Sewell. Right. Good question, Congressman. And bear in
mind that what we're being asked to do is write a brand new
computer code, write a new operating system. The law, with
respect to the applicability of computer code to speech, I
think, is well established. So this is a compelled speech by
the government for the purpose of the government.
Mr. Nadler. Which is a First Amendment problem.
Mr. Sewell. Which is absolutely a First Amendment problem.
And bear in mind, this is a speech which Apple does not want to
make. This is our position.
On the Fifth Amendment, the issue is conscription. The
issue is forced activity, forced labor.
Mr. Nadler. Does anybody else on the panel want to comment
on that question?
If not, thank you. My time is expired, Mr. Chairman.
Mr. Goodlatte. The gentleman from California, Mr. Issa, is
recognized for 5 minutes.
Mr. Issa. Thank you, Mr. Chairman.
And I'll pick up where you left off on forced labor. Do you
know of any place in our history in which, except in time of
war, when things are commandeered and people are told to do
that, or when police are in hot pursuit, do you know a time in
which people were forced to apply their inventive genius
against their will?
Mr. Sewell. Congressman, I'm not aware of it. The steel
cases during the war were the ones that were most applicable.
Mr. Issa. Sure. And I certainly understand a different time
and a different set of circumstances.
Now, I want to do two things: So Ms. Landau, I'm going to
come to you first. Your expertise is encryption. You were
probably very young, but you remember 20 years ago the
argument. Wasn't it the FBI and then the late Mike Oxley and
others that were championing that if we allowed more than 256-
bit encryption, then the FBI couldn't easily decode it, and
that would be the ruin of their investigations?
Ms. Landau. Right. And what you get instead is over the
last 20 years, the NSA has increasingly supported the secure
technologies for private sector communications infrastructure,
including the 256-bit algorithm.
Mr. Issa. Okay. I'm going to ask a quick question, and it's
old technology, because I'm very good with analog world. But
this happens to be a January 29, 2015, patent that's already in
the record, and it's a patent on basically self-destructing the
contents inside if someone tries to forcibly open it.
Now, the funny thing is, I was looking for the old patents
going back decades and decades, because the military and others
have used these. They've had acids and even more punitive, if
you will, responses inside when we wanted to secure it. It's
not a new technology, but there's a new twist on it.
Aren't we, in a sense, the equivalent of saying, well, you
can make something that destroys the documents but then you
have to tell us how to defeat it?
Ms. Landau. That's exactly right.
Mr. Issa. Okay. And I'm looking and saying, there's no
history in that, but we've had plain safes for a very, very
long time. This isn't new. Do you know of any shredder company
that has been told that they have to show you how to reassemble
what they've shredded?
Ms. Landau. I don't study shredding companies, but I'd be
very surprised if there were.
Mr. Issa. Mr. Vance, have you ever ordered a shredding
company to put the paper back together, use their inventive
genius----
Mr. Vance. Of course I haven't, Congressman, but--but----
Mr. Issa. So you're asking, in this case, for somebody to
create a product for your service. And I want to focus on that
and I'll get to you, I promise.
But Mr. Sewell, I'm going to look at you as the
representative of the one of the great technology companies in
our country. Apple gets its great technology people, I assume,
from Stanford and MIT and other great universities, right?
Mr. Sewell. We do, yes, indeed.
Mr. Issa. And you don't get all the graduates, right?
Mr. Sewell. No, we don't. We wish we did.
Mr. Issa. So when I was talking to the Director, and
saying, well, if you take--and it's a hypothetical. My level of
knowledge is way less than any of your folks, and probably any
of the FBI's. But if you take this hard drive, solid-state hard
drive, you pull it apart--and he even used the word
``mirroring.'' Obviously, he had some discussion at some
point--and you make as many images as you want, then you have a
true original; but even if the self-destruct occurs, that
original, you throw it away you take another one.
So that part of what he's asking you to do, they can do
themselves by pulling the chip out and having it imaged, if you
will, in all likelihood. We're not saying for sure. But he
hadn't checked it. So that's a possibility. Is that right?
Mr. Sewell. I believe so. We don't know what the condition
of the phone is and we don't know what the condition of the RAM
is, but yes.
Mr. Issa. Sure. And of course, we're not really talking
about one phone. We know that. We're talking about thousands of
phones.
And as I understand the technology used in your chip is you
have burnable traces in your chip. So randomly, or in some way,
when you're producing each chip, you burn traces which create
the encryption algorithm, and it's internal. So the chip has
its algorithm separate from the software.
But that chip, when interfacing with an image, if you keep
giving it new images, that's the part that changes. So isn't it
at least conceivable that as to that phone, and perhaps the 175
in New York and others, that the FBI, or the NSA could, in
fact, come up with an elegant brute force attack that would
work on your phones and also would work on hundreds of other
types of phones around the world; and that that technology
with, if you will, those brilliant young minds from Stanford,
MIT, and Kent State, my alma mater, you know, could, in fact,
produce something that would not be available to the public;
they would have control over, and they would be able to make it
more universal than just trying to go through your source code,
which, I understand--is it correct--they've never asked for. Is
that right?
Mr. Sewell. We've never been asked for our source code.
Mr. Issa. Okay. Mr. Chairman, if anyone else wants to opine
on it, I would appreciate they be able to.
Mr. Goodlatte. Chair thanks the gentleman and recognizes
the gentlewoman from California, Ms. Lofgren, for 5 minutes.
Ms. Lofgren. Well, thank you very much. I think this
hearing is very helpful.
And just to get it on the record, Mr. Sewell, I mean,
you're not objecting--let me step back. If you have something,
and you are served with a warrant, you give that something up.
Is that correct?
Mr. Sewell. That's absolutely correct, yes, Congresswoman.
Ms. Lofgren. So the issue here is you don't have it, you've
got no way to get it, and, therefore, you can't give it, right?
Mr. Sewell. That's correct.
Ms. Lofgren. Now, if it were possible to do something that
would get just this one thing without opening the door to
everybody else's stuff, would you have a problem with that?
Mr. Sewell. Let me----
Ms. Lofgren. Let me rephrase that, because you're in court.
Mr. Sewell. Sure.
Ms. Lofgren. That would be a different issue than breaking
encryption generally, wouldn't it be?
Mr. Sewell. The best analogy that I can come up with, and
I've been struggling with how do we create the right kind of
analogy for this situation. If Apple had a box somewhere that
we could guarantee, we could assure 100 percent certainty, that
anything that was put in that box was not susceptible to
thievery, to attack, to corruption; if we had such a place in
the world, we wouldn't be here today----
Ms. Lofgren. Right.
Mr. Sewell [continuing]. Because what we would have done is
gone to our customers and we would have said, give us your
passwords. We can absolutely 100 percent protect them. And then
if you lose your phone, if you need our help, we can just give
you the passcode.
Ms. Lofgren. But you didn't do that because you can't
guarantee that, which is why you encrypted this phone.
Mr. Sewell. Exactly right. And now the bizarre situation is
that essentially, the FBI is saying, We all realize it's silly
that everybody would give you your password, but instead, we
want you to build a tool that will get those passwords, and
we're telling you, you can put that tool in this box that
doesn't exist.
Ms. Lofgren. So let me ask you this: Is it possible,
theoretically, to create code that would preclude you from
creating a system that would allow you to defeat the 10-try
erase function?
Mr. Sewell. We could write a program that would suppress
that protective measure.
Ms. Lofgren. So that you couldn't do what it is you're
being asked to do?
Mr. Sewell. Right. We're being asked to do three things,
but it is capable--we are capable of doing those three things.
The issue is what's the consequence of doing those?
Ms. Lofgren. Right. But the question is also, I mean, this
hearing caused me to go in and turn on the 10-erase function
which I neglected to do before the hearing, thank you very
much. But, you know, as you go forward, people are insecure
about what's safe.
Mr. Sewell. Absolutely.
Ms. Lofgren. And, you know, for example, you don't have--
and I think for good reason--what's in iCloud is not encrypted.
Is it possible to encrypt the data in iCloud?
Mr. Sewell. Yes, actually, in the iOS 8 and 9 generation,
we have encrypted the iCloud data. It's encrypted in a
different way than it was before and we think in a more secure
way.
Ms. Lofgren. Right. But you can still provide access to
that?
Mr. Sewell. It is encrypted in a different way----
Ms. Lofgren. But you could change that if you wished?
Mr. Sewell. Yes.
Ms. Lofgren. Now, let me ask you this, Dr. Landau: Now, you
were involved with that paper that was published, I think, last
year.
Ms. Landau. Keys under Doormats.
Ms. Lofgren. Thank you. That was an excellent paper. And I
think for anybody who has--it's dense. I had to read some pages
two and three times to understand it. But for anybody--and
actually, I've asked unanimous consent, Mr. Chairman, to put
that paper in the record from the cryptographers.**
---------------------------------------------------------------------------
**Note: The material referred to is not printed in this hearing
record but is on file with the Committee. Also, see Lofgren Submission
at:
http://docs.house.gov/Committee/Calendar/
ByEvent.aspx?EventID=104573
Mr. Goodlatte. Without objection, it will be made a part of
the record.
Ms. Lofgren. If you just go to the questions at the end,
you see that this is a fool's errand. We'll never be able to do
what is being asked of us by the FBI. It's a practical matter;
it's just not achievable.
But I'm interested in your take on, you know, Director
Comey said, you know, they don't want the master key. They just
want this one bypass on security. Isn't that exactly the same?
Ms. Landau. It's wrong, and it's just, as Mr. Sewell said,
once they've built that software, that software works for other
phones. Of course, it has to have the serial number of the
particular phone, so Apple has to sign--you know, has to take
the software, put in a new serial number, sign it so the new
phone accepts it. And that's where all the security risks comes
in, because it becomes a routine process, and as I mentioned
during my remarks, routine processes get subverted.
Ms. Lofgren. I'll ask the final question. Mr. Sewell, it
was asked earlier by my colleague, Mr. Richmond, about whether
these other countries have better security than we do. If I
take my phone, my iPhone with the current operating system to
Russia or China, can they break into it?
Mr. Sewell. With respect to the phone itself, we believe
the encryption we provided in iOS 8 makes that effectively
impossible. With respect to the things that are going on at the
Internet level, there are very sophisticated techniques that
can be used by malicious actors who have access to the Internet
itself. There are ways to fool the Internet into thinking that
something is what it isn't. And so I think there is a
vulnerability still in that regard. But on the phone, what
we've tried to do is to remove that possibility with iOS 8 and
9.
Ms. Lofgren. Thank you very much, all of you, for your
testimony.
Mr. Goodlatte. The Chair thanks the gentlewoman and
recognizes the gentleman from Texas, Mr. Poe, for 5 minutes.
Mr. Poe. Thank the Chairman.
Thank you all for being here. Fascinating, important
discussion on this issue of, as you say, security/insecurity.
As you know, I'm a former prosecutor and former judge, and
dealt with warrants for 30 years, either requesting them or
signing them. And this particular case, I think we're really
talking about two cases now. We're talking not just about the
San Bernardino case, but the New York case as well. Different
facts, different issues.
Fourth Amendment, we have discussed--Fourth Amendment
doesn't really apply too much to this situation, because the
possession of the item is lawful in the possession of
government. I do think it's ironic, however, we're talking
about privacy, United States is supposed to lead on the issue,
I think, on the issue of privacy. We're the only one that has a
Fourth Amendment. But we see that other countries seem to have
more concern about privacy in their technology than maybe we
do. I find that somewhat ironic.
Let me ask you a couple questions. You discuss the idea of
constitutional right, right of privacy. But in one of your
testimonies, and I think it was Mr. Nadler from New York, he
and I have a language barrier problem, so I'm not sure I
understood his question. You mentioned the First Amendment and
the Fifth Amendment. Is that correct?
Mr. Sewell. I did, that's correct.
Mr. Poe. Briefly explain how you see this as a First
Amendment issue as well as a Fifth Amendment issue. We don't
need to talk about the Fourth Amendment. We've discussed that.
Mr. Sewell. The Fifth Amendment issue derives from the fact
that we're being asked to write code, and code is speech, and
Supreme Court has held that that speech is protectable. So
we're being asked to speak by the government. That speech is
not speech that we want to make. And the First Amendment
provides us with protections against being compelled to speak
by the government. So that would be the First Amendment
argument in a nutshell.
The Fifth Amendment provides us with protection from
conscription, protection from being forced into labor at the
government's will, except under the most extraordinary of
circumstances, which I discussed with Congressman Issa. But
that's the Fifth Amendment issue.
Mr. Poe. All right. Thank you.
What this request, the results of the request, how would
that affect Apple worldwide in other countries?
Mr. Sewell. Well, there are a number of parts of that
question, Congressman, so thank you. The way that this would
affect Apple is that it would affect our customers. It would
affect everyone who owns an iPhone, and it would create a risk
for everyone who owns a phone that their data could be
compromised, that their security could be compromised.
With respect to the international question, I agree with
you. I think America should be leading on this issue. And I
think that the world is watching what happens right now in our
government and what happens, even today, with respect to this
particular debate.
Our ability to maintain a consistent position around the
world, our ability to say that we will not compromise the
safety and security of any of our users anywhere in the world
is substantially weakened if we are forced to make that
compromise here in our own country. So I urge this Congress,
and I urge the government generally to understand that to take
a leadership role, give us the strong support that we need to
resist any effort by other governments to weaken security and
privacy.
Mr. Poe. One of the questions that was asked was talking
about what is your solution, and I actually agree with Mr.
Nadler. I know this is going to bother him a little bit, that
there may be, after all this litigation, and there may be a
solution that we haven't thought of yet, but would not one
option be Congress taking the position that prohibits the
backdoor key security system, the Viper system, as I call it,
from----
Mr. Issa. Thank you, Mr. Poe.
Mr. Poe. I said that earlier but you stepped out. The Viper
system from being imposed, required, prohibit that from
government requiring that type of system in specific technology
like an iPhone?
Mr. Sewell. I think that is certainly one possibility, yes,
sir.
Mr. Poe. Prohibit the key.
Let me ask you something else. If courts rule that you're
required to develop the technology, develop the software, would
that software be able to be used on all those other hundreds of
phones that are out there that the government lawfully has in
their possession but they can't get into?
Mr. Sewell. Absolutely. There's nothing that would preclude
it from being used on any iPhone that is in use today.
Mr. Poe. And my last question, would other countries then,
if U.S. takes the position thou shalt give government the key,
what will other countries, like China, require or request or
demand of Apple?
Mr. Sewell. So to date, we have not had demands like that
from any other country. The only place that we're having this
debate is in our own country. But as I said before, I think if
we are ordered to do this, it will be a hot minute before we
get those requests from other places.
Mr. Poe. All right. Thank you, Mr. Chairman. I yield back.
Mr. Goodlatte. The Chair thanks the gentleman and
recognizes the gentleman from Georgia, Mr. Johnson, for 5
minutes.
Mr. Johnson. Thank you, and thank the witnesses for being
here.
Mr. Vance, what's the difference between a company being
ordered to use its best efforts--I think the language is--let's
see--reasonable--an order--a court order requiring reasonable
technical assistance. What's the difference between a court
order requiring reasonable technical assistance to accomplish
the bypassing or disabling of the auto-erase function versus a
civil subpoena, or a court order pursuant to a subpoena, a
motion to compel the delivery of information under that
person's custody and control? Is there a difference?
Mr. Vance. I'm not sure, Congressman, there is a
difference. They're both court orders that are directing an end
result. One may be in a civil context; one in a criminal
context.
But I would say that in this discussion, it's very much a
part of our history in America that when companies produce
items or objects, or commerce becomes ubiquitous in a
particular area, that the company has to have the realization
that part of a group of people who are using its products are
using it to commit criminal purposes.
Take a look at the banking system, currency transaction
reports. So once it became obvious that criminals were moving
cash through the banks, the response was you have to create and
file transaction reports when cash is moved.
When two companies like these two hugely successful and
important companies own 96.7 percent of the world's smartphone
market, and we know that criminals--we know that criminals are
using the devices to commit crimes--we've heard some of those
stories--I don't think that it is new in American history, or
in the context of business ethics or oversight for companies to
have to adapt to the realities of the product they've created.
Mr. Johnson. Because they are the only ones that can--a
bank that received the cash would be the only entity in a
position to submit a currency transaction with the court?
Mr. Vance. It would be the only one required to. If someone
else had information about it, they could submit it, but it
would be the only one who had firsthand knowledge.
Mr. Johnson. Okay. Now, Ms. Landau, is it your opinion that
the government should not have the ability to compel Apple to
use its best efforts to accomplish a technical feat? Is that
your opinion?
Ms. Landau. So there are two answers to that. If you're
asking me a lawyer question, then I'm not a lawyer and I'll
dodge; but if you're asking me as a technologist, then I would
say that it is a security mistake. It's a security mistake
because that code----
Mr. Johnson. Because what Apple would do would inherently
cause an insecurity in their system?
Ms. Landau. That's right. And it will be the target of
organized crime and nation states, because it will be very
valuable for somebody who puts a phone down as they go through
Customs, for somebody who goes to a business meeting, and
they're not allowed to bring their phone in because it's a
meeting under nondisclosure, and the phone is sitting outside
for a few hours. All sorts of situations. The phone will become
very interesting. And if there's code that can actually get
into the phone and get the data, that code is going to be the
target of nation states----
Mr. Johnson. So once Apple creates the code, then it makes
it susceptible to being stolen and misused?
Ms. Landau. That's right.
Mr. Johnson. So, therefore, Apple should not be required to
comply with the court order?
Ms. Landau. I'm not answering the legal question. I'm
answering the security question. The security question, it
makes a real mistake.
Mr. Johnson. Yeah. Okay. And, Mr. Sewell, you would agree
with that?
Mr. Sewell. I would agree that if we're forced to create
this tool, that it reduces the safety and security not within
our systems, Congressman, but with our users.
Mr. Johnson. Let me ask you a question. What about the
security and the safety of those whose liberty can be taken and
lives can be taken due to an ongoing security situation which
the FBI is seeking to get access to information about? Is there
an interest in the public security that we're talking about
here?
Mr. Sewell. Congressman, that's what----
Mr. Goodlatte. The time of the gentleman has expired, but
Mr. Sewell may answer the question.
Mr. Sewell. That's what makes this such a hard issue,
because we're balancing two different but very similar issues:
private security, the security of people who use iPhones, the
location of your children, the ability to prevent your children
from being kidnapped or harmed, versus the security that's
inherent in being able to solve crimes.
So it's about how do we balance these security needs, how
do we develop the best security for the United States. If you
read the statements by General--any of the encryption
specialists today, we'll say that de-featuring or debilitating
encryption makes our society less safe overall. And so that's
what we're balancing. Is it the right thing to make our society
overall less safe in order to solve crime? That's the issue
that we're wrestling with.
Mr. Johnson. Thank you.
I yield back.
Mr. Goodlatte. The Chair recognizes the gentleman from
South Carolina, Mr. Gowdy, for 5 minutes.
Mr. Gowdy. Thank you, Mr. Chairman.
Now, Mr. Sewell, you just mentioned a balancing. Can you
give me a fact pattern where Apple would consent to the
magistrate judge's order in California?
Mr. Sewell. Congressman, we will follow the law. If we're
ordered to do this----
Mr. Gowdy. No, I'm asking for a fact pattern. You mentioned
balancing. I want you to imagine a fact pattern where you
balance the interest in favor of what the Bureau is asking you
to do as opposed to your current position. Give me a fact
pattern.
Mr. Sewell. Congressman, what I said was we have to balance
what is the best security for the country. Not balance when we
should give law enforcement what they're asking, but balance
what's the best security for the country.
Mr. Gowdy. I thought that's what we were balancing is
public safety versus privacy. You also mentioned the First and
Fifth Amendment. Can you give me a fact pattern where Apple
would consent to the order of the magistrate judge?
Mr. Sewell. Congressman, what I said was privacy, security,
personal safety.
Mr. Gowdy. Perhaps I'm being ambiguous in my asking of the
question. Can you give me a fact pattern where you would agree
to do what the Bureau is asking you to do in California,
whether it be nuclear weaponry, whether it be a terrorist plot?
Can you imagine a fact pattern where you would do what the
Bureau is asking?
Mr. Sewell. Where we would create a tool that doesn't
exist----
Mr. Gowdy. Yes.
Mr. Sewell [continuing]. In order to reduce the security
and safety of our users?
Mr. Gowdy. Yes.
Mr. Sewell. I'm not aware of such a fact pattern.
Mr. Gowdy. So there is no balancing to be done. You have
already concluded that you're not going to do it.
Mr. Sewell. No, I've said that we will follow the law. If a
balance that is struck, if there is an order for us to comply
with, we----
Mr. Gowdy. There is an order.
Mr. Sewell. That order is being challenged at the moment as
we speak. There's an order in New York that says----
Mr. Gowdy. I'm glad you mentioned the order in New York.
That's a drug case. You would agree with me the analysis in
drug cases is very different from the analysis in national
security cases. And even if you didn't agree with that, you
would agree that in footnote 41, the magistrate judge in New
York invited this conversation about a legislative remedy,
which brings me back to Chairman Sensenbrenner's question:
Where is your proposed legislative remedy?
Mr. Sewell. We don't have legislation to propose today,
Congressman. What we've suggested----
Mr. Gowdy. Well, then how will we know whether or not you
think it strikes the right balance if you don't tell us what
you think?
Mr. Sewell. Congressman, where we get to the point where
it's appropriate for us to propose legislation, not just Apple,
but the other stakeholders that are engaged in this process,
I'm sure there will be legislation for Congress to consider.
Mr. Gowdy. Well, let the record reflect I'm asking you for
it now. I would like you to tell us what legislative remedy you
could agree with?
Mr. Sewell. I don't have an answer for you today. No one's
had an answer for you today.
Mr. Gowdy. Can you give me one? I don't know whether Apple
has a lobbyist. I suspect that you may have a government
relations department, possibly. Can you submit legislation to
Chairman Sensenbrenner's question that you could wholeheartedly
support and lobby for that resolves this conundrum between you
and the Bureau?
Mr. Sewell. It is my firm belief that such legislation can
be drafted. I do not have language for you today.
Mr. Gowdy. Well, but, see, Mr. Sewell, we draft it and then
your army of government relations folks opposes it. So I'm just
trying to save us time. The judge in New York talked about a
lengthy conversation. Sometimes circumstances are exigent where
we don't have time for a lengthy conversation. So why don't we
just save the lobbying and the opposing of whatever, Cedric
Richmond or Hakeem or Luis and I come up with. Why don't you
propose it? Tell us what you could agree to?
Mr. Sewell. Congressman, we're willing to and we've offered
to engage in that process.
Mr. Gowdy. The legislative process or the debate process?
Mr. Sewell. Both, of course.
Mr. Gowdy. Will you submit legislation to us that you could
live with and agree with?
Mr. Sewell. If, after we have the debate to determine what
the right balance is, then I think that's a natural outcome.
Mr. Gowdy. Well, how long is the debate going to last?
Mr. Sewell. I can't anticipate that, Congressman.
Mr. Gowdy. Well, let me ask you this: You mentioned the
First Amendment, which I found interesting. Are you familiar
with voice exemplars?
Mr. Sewell. I'm sorry. Is that a case, Congressman?
Mr. Gowdy. No. Voice exemplars are ordered by courts and
judges for witnesses or defendants to actually have to speak,
So a witness can see whether or not that was the voice that
they heard during a robbery, for instance. Because you
mentioned you have a First Amendment right to not speak. What
about those who have been immunized and still refuse to
cooperate with a grand jury, and they are held in contempt and
imprisoned? So there are lines of cases where you can be forced
to speak.
Mr. Sewell. Congressman, we've made an argument, a
constitutional argument. If the courts determine that that
argument isn't firm, then we will lose the argument.
Mr. Gowdy. I'm just asking you whether or not you agree
that there are exceptions?
Mr. Sewell. You've given me two examples that I've not
heard of before.
Mr. Gowdy. All right. How about back to the Fifth
Amendment, because I'm out of time. Really quickly, the Fifth
Amendment, you say you're being conscripted to do something.
But there's also a line of cases where folks are conscripted to
perform surgical procedures, or cavity searches or other things
I won't go into in mixed company, where they are looking for
contraband. So that's a nurse or a doctor or an
anesthesiologist that is conscripted by the government, you
would agree?
Mr. Sewell. I'm not familiar with these cases. But this is
what the court will decide.
Mr. Gowdy. Here's what I'll do. I'm out of time. I'll get
you the cases I'm relying on, if you'll help me with the
legislative remedy. Deal?
Mr. Sewell. I look forward to the cases.
Mr. Gowdy. Deal. Thank you.
Mr. Goodlatte. Time of the gentleman has expired.
The Chair recognizes the gentleman from Florida, Mr.
Deutch, for 5 minutes.
Mr. Deutch. Thank you, Mr. Chairman.
I would start by saying this is really hard. I'm not
looking to Apple to write the legislation to balance these very
difficult issues between privacy and public safety. I don't
expect you to do it. I expect us to grapple with it. And that's
what we're trying to do here today.
And I had raised the point earlier, but it's a perfect
lead-in to the questions I want to ask, that this focus on
surgical procedures that we can force--that the government can
force a surgical procedure to be done, sounds like it's somehow
equivalent. Certainly if we can do that, then we can require
that a company create a way into its phone.
Except, as I said earlier with Director Comey, that
surgical procedure is going to be done by the person that the
government says should do it. And there is no one from around
the world who, from their remote location, is going to be able
to figure out how to conduct surgery on that individual.
Yet, in this case, and this is why this is so hard for me,
in this case, there are people all over America and around the
world who would be trying to figure out how to utilize whatever
it is that's created here, if this is where this goes, to
access the phone.
And Director Comey earlier--Mr. Sewell, Director Comey said
it's a three step--he believes it's a three-step process that
they're asking. Can you just speak to that process?
Mr. Sewell. I absolutely can. Thank you, Congressman.
First, I agree with you that this is not a problem which--
there are people that are trying to break into these systems.
There are people who are trying to steal this information, if
it existed. And their capabilities are increasing every day. So
this is not a threat which is static. This is a threat which is
increasing.
The three parts that we're being asked to develop are,
first, a method to suppress the data deletion after 10 failed
attempts. The second thing that we're being asked to suppress
is the time delay between successive attempts. Both of these
are specifically tailored to deal with the situation where your
phone is stolen, or some bad person is trying to break into it,
and it's specifically designed to defeat the brute force
attack.
The third piece is interesting, because the third piece is
the government asking for us to rewrite the code that controls
the touch screen, and allow them to put a probe into the phone
and to bypass the need to enter numeric digits through the
touch screen. The only reason that that makes sense,
Congressman, is if you anticipate that this is going to be
technology used on other phones, and other phones that likely
have more complicated passcodes.
Mr. Deutch. Right. So that's the question, and Mr. Sewell,
it's a question for you, and Mr. Vance, it's a question for
you. This is one where if I believed--if I understand that
what's being asked of you is to create this weigh-in to this
one phone, then I want you to do it. I do. And I can get past a
lot of these privacy issues, if I believe that it's, once in,
and then this can then be disposed of, destroyed, and that will
be the end of it.
The question is, is that the case? And when you create it
for this one, is it something that can be used on other phones?
Director Comey, I don't think, was clear about that, so I'd ask
you that question, and Mr. Vance, I'd ask you the same
question.
Mr. Vance. If I can refer to actually the Doctor's own
paper. You need the phone physically at Cupertino to open it.
And I refer you to her----
Mr. Deutch. I don't have much time. I'm not sure that I
understand what that means. I just want to know--cutting to the
chase, I just want to understand, if this is created, is it
something that not just could be used by you in the pursuit of
justice, but by the criminal cyber terrorist, hackers, and
really dangerous people who are looking to do bad things every
day of the year going forward?
Mr. Vance. Congressman, my point is simply that if this
code is created, and you are looking at the risk to other
devices, other Apple phones in the world, those phones are
going to have to come to Cupertino to be opened. This is----
Mr. Deutch. Well, let me ask Mr. Sewell, then. I only have
a couple seconds left.
Mr. Sewell. That is incorrect.
Mr. Deutch. Well, the question is, even if that's correct,
I'd like you to speak to it. Is it true that the hackers of the
world, that there will be those who try to find a way to get
around having to take the phone to Cupertino in order to
conduct whatever operation is necessary to break in?
Mr. Sewell. Unquestionably, Congressman, and that's exactly
the risk and the danger that we foresee.
With respect to the comment that Mr. Vance just made, in
fact, the request that we got from the government in this case
was that we should take this tool and piece--put it on a hard
drive, and send the hard drive to the FBI. The FBI would then
load that hard drive into a computer, hook the phone up to the
computer, and they would perform the entire operation. So that
this whole tool is transportable on a hard drive. So this is a
very real possibility.
Mr. Deutch. So should we be concerned, Mr. Vance? I mean,
look, I want to get into this phone, but shouldn't we be
concerned, if that's accurate, that there's something that's
being created that's transported on a hard drive that winds up
on another computer, that there is at least the risk that that
gets stolen and then--and suddenly, there is--that not just a
bad person and these terrorists that we desperately want to get
and get this information, but suddenly, all the rest of us who
are trying to protect ourselves from the bad people and are
trying to protect our kids from these bad people are
potentially at risk, too?
Mr. Vance. Congressman, I respectfully disagree with the
colleague from Apple, but I will confess that his knowledge of
the company is great. Apple has created a technology which is
default disk encryption. It didn't exist before. It exists now.
Apple is now claiming a right of privacy about a technology
that it just created. That right of privacy didn't exist before
Apple created the technology, number one.
Number two, I can't answer how likely it is that if the
Federal Government is given a source code to get through the
front door of the phone, that is at risk of going viral. I
think it may be overstated to suggest that.
But I can tell you this: If there's an incremental risk
that providing the source code creates a vulnerability, what is
that risk? Don't tell us just millions of phones might be
affected; tell us--I think they can do better than just giving
us broad generalizations without specifics.
But I can tell you this: The consequence, the other side of
the weight, the consequence is in cases all over the country
right now, in my jurisdiction, your jurisdiction, everywhere,
families like the Mills family are not getting justice.
And the direct consequence of this disk encryption is that
innocent victims all over the country are not getting their
cases solved, prosecutors are not doing the job that they have
been elected and sworn to do, and there is a significant
consequence to default disk encryption that I think needs to be
balanced against a speculative claim of increased insecurity.
Ms. Landau. I'd like to just add a couple of comments. This
is not about a new right of privacy; it's about a new form of
security. And if we think about how the phones are used and
increasingly how the phones are used, I certainly have two-
factor authentication I use through my phone, but there are
ways of using the phones as the original authentication device.
And if you make the phone itself insecure, which is what is
being asked for by law enforcement, you preclude that, and that
is the best way to prevent stealing of log-in credentials, the
use of the phone as authenticator.
In terms of the risk of the disk and so on, it's not the
risk of the disk going out because the disk is tied to a
particular phone. The risk is that somebody will come into
Apple and provide a rogue certificate that, you know, they're
from law enforcement or wherever and will get the ability to
decrypt a phone that should not be decrypted, whether it's the
Chinese Government, or an organized crime group or whatever.
That's the risk we're facing.
Mr. Vance. May I, Congressman, with the Chairman's
permission?
Mr. Deutch. My time is up. The Chairman has been very
generous.
Mr. Goodlatte. Well beyond the time, but briefly.
Mr. Vance. The professor has not answered what about the
people, the residents, the citizens, the victims whose cases
are being put on the side, and not addressed why we have an
academic discussion, an important one----
Mr. Goodlatte. Well, it's an important academic discussion
because before these phones existed, the evidence that you're
talking about didn't exist in the form that you have had access
to. Now the technology is moving to a new generation, and we're
going to have to figure out a different way to help law
enforcement. But I don't think we say we're not going to ignore
these vulnerabilities that exist in order to not change the
fact that law enforcement is going to have to change the way it
investigates and gathers evidence.
The time of the gentleman has expired.
The Chair recognizes the gentleman from Illinois, Mr.
Gutierrez.
Mr. Gutierrez. Thank you, Mr. Chairman.
First of all, I'd like to ask through the Chair if
Congressman Lofgren has a need for any time, I'd like to yield
to her first.
Ms. Lofgren. Well, I thank you very much.
You know, I don't know you, Mr. Vance. I'm sure you're a
great prosecutor. I do know Mr. Sewell. He's a great general
counsel.
But the person who really knows technology on the panel is
Dr. Landau. And I'm interested in your comments about the
vulnerabilities that would be created by complying with the
magistrate's order. And some have suggested that it's
speculative and, you know, academic and the like, but is that
what your take on this is?
Ms. Landau. Absolutely not.
Ms. Lofgren. The theory--I mean, we're moving to a world
where everything is going to be digital, and you could keep
track of, you know, my--when I'm walking around the house I'm
in, my temperature, opening the refrigerator, driving my car.
And if that all is open to a legitimate warrant--I'm not
downplaying the problem the prosecutors have, but this is
evidence you currently don't have access to--how vulnerable is
our country going to be? That's the question for you.
Ms. Landau. Extremely vulnerable. David Sanger's article in
today's New York Times about the Ukraine power grid says that
they got in, as I mentioned earlier, through the log-in
credentials. It's based on a DHS memorandum that talks about
locking down various systems.
I served for a number of years on NIST Information Security
and Advisory--Security and Privacy Advisory Board, and we used
to talk to people from the power grid and they would say, oh,
it's okay. We're not--our systems aren't connected to the
Internet. Well, they were fully connected.
We are--whether you're talking about the power grid, the
water supply, whatever--we're connected in all sorts of the
disastrously unsafe ways. And as I mentioned earlier, the best
way to get at those systems is through log-in credentials.
Phones are going to provide the best way to secure
ourselves. And so this is not just about personal safety of the
data that all of you have on your phone, and it's not just
about the location of where your family is, and it's not just
about the business credentials, but it's really about the, as
you say, Congressman Lofgren, it's really about the way we are
going to secure ourselves in the future.
And what law enforcement is asking for is going to preclude
those strong security solutions. It also is very much a 20th
century way of looking at a 21st century problem. And I didn't
get a chance to answer Congressman Gowdy, but the FBI, although
it has excellent people, it hasn't put in the investment.
So Director Comey said--we talked to everyone who will talk
to us, but I was at a meeting--I briefed at FCC a couple of
years ago, and some senior people from DOJ were there. And I
said, well, you know, NSA has scale X and scale Y, and DOJ said
they won't share it with the FBI, except in exceptional
circumstances, they keep it for themselves.
We're in this situation where I think law enforcement needs
to really develop those skills up by themselves. And you ask
about what it is this Committee can do, it's thinking about the
right way for law enforcement to develop those capabilities,
the right level of funding. The funding is well below what it
should be, but they also don't have the skills.
Mr. Gutierrez. Thank you.
So, I'm happy I yielded the time to you. I always know it's
one of the smartest things I do is work with Congressman
Lofgren in this Committee.
But I just want to share with you, look, I understand the
competing interests here. But I think, Mr. Sewell, you should
understand that I love your products. You know, I used to
think, you know, house, then a car, now I think technology.
Between what they charge me for the Internet, all the stuff I
buy just to get information every day, it's--but don't worry, I
can afford it. I'm not going into the poorhouse because of it.
So I'm excited about all of the new things that I get to
and how it improves my life. And so I'm thankful to men and
women in technology for doing that. But a lot of times in this
place, there's adversarial positions taken, and I would hope,
simply, that we would look for a way in which we put the safety
interests of the American people.
I understand that you think that if we find a back door,
that that causes all kinds of insecurity. But in this
Committee, I'm going to work with Congressman Lofgren, but I'm
also going to work with Trey Gowdy. We're going to work--a lot
of times bipartisanship in this place is many times promoted,
but very rarely rewarded in this place, because everybody says,
oh, you should take one position or another.
I'm going to take a position for the American people. While
you might dispute, I kind of look at apple as an American
company. I look at Toyota as a Japanese company, BMW as a
German. I look at you as an American company, and so that's the
way I see you. You can dispute that, you may look at yourself
as an international entity, but I always looked at you as the
pride. When I take this phone as a member of the Intelligence
Committee, and I take this phone to China, the Intelligence
Community of the United States of America, the first thing
before I get off that plane, they take it away from me. So
there are bad actors out there already intervening with your
products, or I don't think the fine people of the Intelligence
Community would take away one of the things that I need the
most in my life.
So having said that, I hope we might find a way so that we
could balance the security needs and the safety needs of the
people of the United States and their rights to privacy. I
think it's essential and important. And I want to thank you
guys for coming and talking to us, and let's try to figure it
out all together. Thanks.
Mr. Sewell. Thank you, Congressman. And I absolutely--I
agree with what you said. And I think that--I am proud to work
for Apple. And I think Apple embodies so many of the most
valuable characteristics that make up America, make America a
great place. We stand for innovation, we stand for
entrepreneurship, we stand for empathy, we stand for all boats
rise. And so I am very proud. And we are an American company,
and we're very, very proud of that.
The point about security outside the United States is
exactly the point that drives us. We are on the path to try to
create the very best, most secure, and most private phones that
we can. That's a path that will probably never end, because the
people that we're competing with, the bad guys, not just in the
United States, but all over the world, are on an equally
aggressive path to defeat everything that we've put into the
phone. So we will continue from generation to generation to
improve the technology, to provide our users with a safer
experience.
Mr. Gutierrez. Thank you, Mr. Sewell.
Thank you, Mr. Chairman.
Mr. Goodlatte. The gentleman from Louisiana, Mr. Richmond,
is recognized for 5 minutes.
Mr. Richmond. And I'm happy to follow Luis, because I guess
we're going to start--I'll start where he left off. And I think
about a 9-year-old girl who asked, you know, why can't they
open the phone so we can see who killed my mother, because I
was there and heard it happen.
So let me start with this: If the FBI developed the ability
to brute force open a phone, would you have a position on that?
Mr. Sewell. Without involving Apple, without having Apple--
--
Mr. Richmond. Yes.
Mr. Sewell. - complicit in that. I don't think we have a
position to object or not object to that. I think if the FBI
has a method to brute force a phone, we have no ability to stop
them.
Mr. Richmond. But are you okay with it?
Mr. Sewell. Well, I think that privacy and security are
vitally important national interests. I think that if you
weaken the encryption on the phone, then you compromise those
vitally important interests.
Mr. Richmond. Well, I'm not asking you about the
encryption. If they could brute force open a phone, do you have
a problem with that? I think that's just an easy question.
Mr. Sewell. Then I'm sorry. Perhaps I'm misunderstanding.
If the FBI had the ability to brute force a phone, I would
suggest that that's a security vulnerability in the phone. So I
would have a problem with it, yes.
Mr. Richmond. Let me ask you another question, because I
see you're a lawyer, I'm a lawyer, and I would feel awful if I
didn't ask this. Brittney Mills----
Ms. Landau. I--can I just say something for a second?
Mr. Richmond. In a second. Let me get through this
question.
Brittney Mills had a 5S phone operating on an 8.2 iOS. Does
Apple, any employee, subcontractor, subsidiary, or anyone that
you know of possess the knowledge or the ability to open that
phone? Or unlock that phone?
Mr. Sewell. We don't. And I'm glad that you asked about the
Mills case, because I think it's instructive about the way that
we do work together cooperatively. I know that we met with
members of your staff----
Mr. Richmond. Look, and I'm not suggesting that you all
don't, but I just want to--I want to know, does anybody have
the ability to unlock the phone first? And if you tell me no,
then I get a no in public on the record and I feel a lot better
about what I'm doing.
Mr. Sewell. Congressman, let me be clear. We have not said
that we cannot create the tool that the FBI has asked us to
create.
Mr. Richmond. Right. And I'm not asking about creating
anything. I'm saying does it exist now? Do you know anybody--or
does anyone have the ability to do it right now?
Mr. Sewell. Short of creating something new, no.
Mr. Richmond. Now--and I--oh, I'm sorry. Ms. Landau. I
promised to let you answer.
Ms. Landau. I just wanted to add that in security, we have
an arms race. People build good products, somebody finds a
vulnerability. It could be the FBI, it could be--now, the FBI
may not tell anybody about the vulnerability, but we have this
arms race where as soon as somebody finds a problem, the next
role of technology comes out, and that's the way we do things.
Mr. Richmond. So what would be your feeling if the FBI
developed a technology that they can plug something into the
iPhone----
Ms. Landau. I think that the FBI should be developing the
skills and capabilities to do those kinds of investigations. I
think it's absolutely crucial. And I think that they have some
expertise, but it's not at the level that they ought to have.
And I think we're having this conversation exactly because they
are--they are really using techniques from--they're using a
mind-set from long ago, from 20 years ago, rather than the
present.
Mr. Richmond. So they're antiquated?
Mr. Goodlatte. Would the gentleman yield?
Mr. Richmond. Sure.
Mr. Goodlatte. I just want to clarify. Both Mr. Sewell and
Ms. Landau did not say subject to an authorized court-ordered
warrant.
Ms. Landau. Well, I certainly----
Mr. Goodlatte. And you're not suggesting they develop this
technology and then do what they think is best. They've got to
do it subject to a warrant.
Ms. Landau. Of course. Thank you.
Mr. Richmond. And I'm glad you cleared that up, because I
want to make sure that everybody understands what I'm saying. I
don't think any of this should happen without a court order.
Now, you know, maybe I watch too many movies, and maybe I
listen to Trey Gowdy too much. Some people would suggest if I
listen to him at all, that's too much. But in the instance that
there's a terrorist that has put the location of a nuclear bomb
on the phone, and he dies, how long would it take Apple to
develop the technology to tell us where that nuclear bomb was,
or would Apple not be able to develop that technology to tell
us in a short period of time?
Mr. Sewell. The first thing we would do is to try to look
at all of the data that surrounds that phone. There is an
enormous change in the landscape over the last 25 years with
respect to what law enforcement has access to. So when we have
an emergency situation like that, whether it be a lost child or
the airplane--when the Malaysia airline went down, within 1
hour of that plane being declared missing, we had Apple
operators cooperating with telephone providers all over the
world, with the airlines, and with local law--well, the FBI, to
try to find a ping, to try to find some way that we could
locate where that plane was. So the very first thing that we
would do in the situation is to bring to bear all of the
emergency procedures that we have available at Apple to try to
find them.
Mr. Richmond. Thank you.
Mr. Chairman, can I just clarify, because I don't want
anyone to leave out of here thinking that Apple has not been
cooperative with our district attorney in the effort to access
the data, and, in fact, they came up with new suggestions, but
my questions are just about the government's ability to just
brute open a phone at any point with a court order. So I don't
want to suggest that Apple has not been working diligently with
my DA, who's also been working diligently. So thank you, Mr.
Chairman. I yield back.
Mr. Sewell. I appreciate that, Mr. Congressman.
Mr. Goodlatte. The Chair thanks the gentleman and
recognizes the gentlewoman from Washington State, Ms. DelBene.
Ms. DelBene. Thank you for being here and enduring this for
a while. It's very, very important.
In the earlier part of the hearing, Director Comey said
that it is not a company's job to worry about public safety,
and I think that that is--would be very concerning for a
company to send that message, given that we have technologies
that impact people's everyday lives in so many ways. And I
assume you agree with that, Mr. Sewell.
Mr. Sewell. I absolutely do. I do not subscribe to the
position articulated by Director Comey.
Ms. Landau. I've worked for two Silicon Valley companies,
Sun Microsystems and Google, and that's certainly not what I
saw at either one of them.
Ms. DelBene. In the Brooklyn case decided yesterday, Judge
Orenstein stated, in his opinion, that the world of the
Internet of things, all of the connected devices and sensors
that we see coming forward, the government's arguments would
lead quickly to a world of virtually limitless surveillance and
intrusions on personal privacy.
So I'd like to explore the issue of encryption and securing
the Internet of things a little bit. We often talk about
security by design when it comes to the Internet of things. And
I'm sure we can all imagine the horror stories of insecure
Internet of things, types of devices, like appliances being
hacked that could cause a fire, or spying through baby
monitors, hacking into a car, or tampering with a home security
system.
So I'm wondering--Dr. Landau, I'm wondering if you could
comment on what this means in the encryption context and
whether directives we've heard from the FTC, for example, to
adopt security by design in the interests of protecting
consumers from malicious actors is inherently incompatible with
what you might call insecurity by design should that be
mandated by the courts.
Ms. Landau. Well, here you're in a situation where the
companies often want to collect the data. So, for example, if
you're using smart meters, the company wants the data, the
electric company wants the data to be able to tell your
dishwasher, no, don't turn on at 4 in the afternoon when air
conditioning requirements are high in Silicon Valley right now,
turn it on at 8 at night or 2 a.m. And so, in fact, it actually
wants the individualized data. And if it has the individualized
data, then it can certainly share it with law enforcement under
court order.
The security by design is often in the Internet of things
securing data on the device and securing the transmission of
the data elsewhere.
The issue in the Apple phone is that the data stays on the
device, and that's the conflict that we're having. For the
Internet of things, it's most useful if the data goes off the
device to somewhere else where it can be used in a certain way.
Ms. DelBene. And, Mr. Sewell, could companies open
themselves up to liability if vulnerabilities through law
enforcement end up being exploited by a bad actor?
Mr. Sewell. I think that's absolutely true. Somewhat
ironically, I suppose, we have the FTC at this point actively
policing the way in which technology companies deal with these
issues, and we can be liable under the--Section 5 or under the
authority of the FTC if we fail to close a known vulnerability.
Ms. DelBene. And, Ms. Landau, you talked about the issue of
security versus security, and that this really is a debate
about security versus security. Could you explain a little bit
more why? And are national security and cybersecurity
incompatible, in your opinion?
Ms. Landau. So what we really have here over the last 20
years, as I mentioned earlier, is you see the NSA, and Snowden
revelations aside, we don't have time for me to describe all of
the subtle points there, but you really see the NSA working to
secure private sector telecommunications infrastructure, many,
many examples.
We have moved to a world of electronic devices, you talk
about the Internet of things, that leak all sorts of data. And
in order to protect ourselves, whether ourselves, our health
data, our bank data, the locations of our children and so on,
we need encryption and so on. But if you think more broadly
about the risks that our nation faces and the risks of people
coming in and attacking the power grid, people coming in and
stealing data from whatever company, and stealing patented
information and so on, you see a massive national security
risk. And you've been hearing it from General Keith Alexander,
we've been hearing it from Hayden, we've been hearing it from
Mike McConnell, we've been hearing it from Chertoff, all the
people who have been involved on the DHS and NSA side.
The only thing that can secure that is security everywhere,
and the move that Apple makes to secure the phones is one of
the many steps we need in that direction.
Ms. DelBene. Thank you. My time's expired. I yield back,
Mr. Chair.
Mr. Marino [presiding]. Thank you. I now am going to
recognize myself for some questions. So welcome to everyone.
We'd like to start with Mr. Sewell.
I'm sorry. Mr. Sewell, pronouncing that name correctly?
Mr. Sewell. You are.
Mr. Marino. All right. I have some questions for you
concerning China. In 2014, you moved your--what's referred to
as your Chinese cloud to China. Is that correct?
Mr. Sewell. That is correct.
Mr. Marino. Okay. And can you tell me whose data is stored
in that Chinese cloud? Is it just people in China? Is my data
stored in that cloud as well?
Mr. Sewell. Your data is not stored in that cloud.
Mr. Marino. Is it strictly limited to Chinese people?
Mr. Sewell. There are a number of things that are in the
cloud, so I should probably be clear about what's there.
Mr. Marino. Okay.
Mr. Sewell. With respect to personal data, no personal data
is there unless the individual's data--the individual himself
has registered as having a Chinese address and having a Chinese
access point. In addition, we have other data, which has to do
with film content, movies, books, iTunes music. The reason we
do that is because of something called latency. If you're
streaming across the Internet, and you have to bring the data
from the United States to China, there's a lag time, there's a
latency piece, whereas if we move that data closer to China,
either Hong Kong or mainland China, then we can provide a much
better service to our customers.
Mr. Marino. Okay. Can you tell me, what was the cost, in a
ballpark figure, in the time to make the move to--for the
United States to move Chinese information over to China in
their cloud?
Mr. Sewell. Sorry. Did you say in time?
Mr. Marino. Yeah. Cost and time.
Mr. Sewell. So the time--the cost is building the
facilities. I don't have a number for that. It's certainly not
something that I am aware of, although, of course, the company
has that information. In terms of the time, once--once the
server exists, once there is a receptacle for the data, in
theory, it's instantaneous.
Mr. Marino. Okay. You may or may not know, but I was a
prosecutor for a while, both at the State and Federal level.
And we prosecutors are focused on a case and the crime
concerned, and we want going to get our hands on anything we
can to see that justice is served, but on the other side of
this too, we're talking about privacy issues. And I'm very
concerned about to what extent, if, for some reason, you were
to change your mind about working with the FBI, or the court
ordered that, what does that mean to our privacy?
Mr. Sewell. I think it means that we have put our privacy
at risk. The tool that we're being asked to prepare is
something which could be used to defeat both the safety and the
privacy aspects of----
Mr. Marino. Let me get this clear, because there are many
rumors flying around. And you've probably answered this a
couple times, and I apologize. I've had to run and do something
else.
Are you saying that there is no method that exists now that
you could unlock that phone and let the FBI know what is in
there?
Mr. Sewell. Short of creating the tool that they have asked
us----
Mr. Marino. Right.
Mr. Sewell [continuing]. We are not aware of such a method,
no.
Mr. Marino. Now, you talk about the cost is an unreasonable
burden and the time involved. That's why I asked you what did
it cost to move the cloud, what was the time. And you're the
expert, I'm not.
Mr. Sewell. Congressman, to be fair, we haven't claimed
that the time that it would take to create the tool is the
undue burden. Our claim is that the undue burden is to
compromise the safety and security of all of our customers.
Mr. Marino. So it's your position that if you do what the
FBI wants to one phone, could you elaborate on that in the 33
seconds I have left as to why that would be an undue burden,
keeping in mind that I'm very critical about our privacy?
Mr. Sewell. Congressman, the answer is very simple. We
don't believe this is a one-phone issue. We don't believe that
it can be contained to one phone or that it would be contained
to one phone.
Mr. Marino. Okay. I see that my time has just about run
out, so I'm going to yield back.
And who's next? Mr. Jeffries, Congressman Jeffries is next.
Mr. Jeffries. I thank my good friend from Pennsylvania for
yielding. I want to thank all of the witnesses for your
presence here today. It's been a very informative discussion.
In particular, I want to thank DA Vance for your presence, and
certainly for the many progressive and innovative programs that
you have in Manhattan, proving that you can be both tough and
fair as a prosecutor, and that has not gone unnoticed.
Let me start with Mr. Sewell. There's an extensive record
of cooperation that Apple has with law enforcement in the San
Bernardino case. Isn't that fair to say?
Mr. Sewell. That's correct. For over 75 days, we've been
working with the FBI to try to get to more information to try
to help solve this crime.
Mr. Jeffries. I think it's useful to put some of this on
the record. On December 5, the Apple emergency 24/7 call center
received a call concerning the San Bernardino shooting. Is that
right?
Mr. Sewell. That's right. In fact, the call came in to us
at 2:47 a.m. On a Saturday morning. We have a hotline that
exists; we have people who are manning that hotline.
Mr. Jeffries. And you responded with two document
productions that day, correct?
Mr. Sewell. By 2:48 that morning, we were working on the
case, and we responded by giving the FBI all of the information
that we could immediately pull from our sources, and then we
continued to respond to subpoenas and to work directly with the
FBI on a daily basis.
Mr. Jeffries. Right. In fact, the next day, I think, Apple
received a search warrant for information relating to at least
three email accounts. Is that right?
Mr. Sewell. That's correct.
Mr. Jeffries. You complied with that request?
Mr. Sewell. We did comply with that and subsequent
requests.
Mr. Jeffries. And so I think also on January 22, you
received another search warrant for iCloud information related
to the iPhone that was in possession of the male terrorist. Is
that right?
Mr. Sewell. That's right. And it's important that in the
intervening stage, we had actually sent engineers to work
directly with FBI technicians in Washington, D.C., and in
Cupertino, and we provided a set of alternatives, or options
that we thought should be tried by the FBI to see if there
might be some possibility that we could get into this phone
without having to do the tool that we're now being asked to
create.
Mr. Jeffries. So the issue here is not really about
cooperation, as I understand it. Apple has clearly cooperated
in an extensive fashion as it relates to all of the information
that you possess.
The question, I think, that we all, on the Judiciary
Committee and beyond, have to consider is the notion of you
being asked, as a private company, to create anti-encryption
technology that currently does not exist and could jeopardize
the privacy and security of presumably hundreds of millions of
iPhone users throughout the country and the world. Is that
right?
Mr. Sewell. We're being asked to create a method to hack
our own phones.
Mr. Jeffries. Now, Mr. Vance, are you familiar with the
Arizona v. Hicks Supreme Court case from the late 1980's?
Mr. Vance. If you give me the facts, I'm sure I have read
it.
Mr. Jeffries. Okay. The Supreme Court held that police
conducted an unconstitutional search of evidence that was not
in plain view. It was a decision that was written by Justice
Antonin Scalia. And the most important point that I want you to
reflect upon is, he stated, in authoring the majority opinion,
that ``There is nothing new about the realization that the
Constitution sometimes insulates the criminality of the few in
order to protect the privacy of us all.''
Do you agree that embedded in the fabric of our
Constitution, the Fourth Amendment, and beyond, is the notion
that we value the privacy rights of Americans so deeply, that,
at times, it is something that will trump law enforcement
convenience?
Mr. Vance. Congressman, I do sincerely believe that. What
concerns me about the picture we are seeing from the
State perspective is that Apple has decided that it's going
to strike that balance now with no access by law enforcement
for full disk-encrypted devices even with a warrant. So they
have created their own balance. They now have decided what the
rules are, and that changes radically the balance that existed
previously, and it was done unilaterally. So this Committee----
Mr. Jeffries. Well, I think--if I can----
Mr. Vance. Yeah.
Mr. Jeffries [continuing]. Just interject. I mean, I think
that that is a balance that ultimately the Congress is going to
have to work out, and also the Article III court systems,
certainly beyond an individual magistrate, who is not even
appointed for lifetime tenure, is going to have to work itself
through the court system, a district court judge, maybe the
Ninth Circuit, ultimately the Supreme Court, and so the company
exercising its right in an adversarial system to have all facts
being aired on both sides of the debate is very consistent, in
my view, with American democracy and jurisprudence.
There is just one last question that I wanted to ask as my
time is expiring, because you raised an interesting point
earlier in your testimony about an individual who is a
suspected criminal who claimed that the encryption technology
was a gift from God. But I also noted, I think, in your
testimony that this individual communicated that in an
intercepted phone conversation that presumably your office or
others were wiretapping. Is that right?
Mr. Vance. No, it's not right. All phone calls from prison,
out of Rikers----
Mr. Jeffries. Right.
Mr. Vance [continuing]. Are recorded.
Mr. Jeffries. Right.
Mr. Vance. There's a sign, when you pick up the phone, if
you are in Rikers Island, that this is happening. So there's a
tape, and ultimately that tape was subpoenaed, and it's from
that tape that that conversation was transcribed.
Mr. Jeffries. And if I could just, in conclusion, I
appreciate the Chair's indulgence. I think that illustrates the
point, presumably, that it's fair to say that, in most
instances, bad actors will make a mistake, and at the same time
that he is heralding the availability of encryption technology
to shield his activity from law enforcement surveillance and
engagement, he is ignoring a plain-view sign that these
conversations are being recorded and subjecting himself to
unfettered government surveillance. And I think that I have
faith in your ability, in the FBI's ability ultimately to
outsmart the criminals and the bad actors without jeopardizing
the privacy and the security of the American people.
Mr. Vance. And in that case, our challenge is, because of
our inability to access the phone, our inability to investigate
further, any evidence of sex trafficking is not made available
to us.
So, yes, he did something that was not smart, but the
greater harm is the inability, in my opinion, of being able to
get to the true facts, which, in fact, are extremely important
as a matter of public safety to get access to.
Mr. Jeffries. My time is expired. I thank you.
Mr. Marino. I thank the gentleman from New York.
And the Chair recognizes now the gentleman from Rhode
Island, Congressman Cicilline.
Mr. Cicilline. Thank you, Mr. Chairman.
And thank you to our witnesses for your testimony and for
this very important discussion.
I think we all recognize there are few absolutes in the
law, and so balancing occurs all the time. There are risks in
developing this software that have been articulated very well
during this hearing, and indeed, there are risks associated
with an inability to access critical information. So I think we
are living in a world there are risks in both ways forward, and
I guess my first question is: Many people who agree that Apple
or any other company should not be required and there's no
authorization to require them to produce a product that doesn't
exist or to develop an intellectual property that doesn't
exist, many people who think that that's correct wonder whether
Apple has considered, in limited circumstances and maybe a
standard you would set internally, if it in fact is a situation
that would prevent immediate death or serious bodily injury,
coupled with a consent of the person or lack of objection--in
this case, the person is deceased--where there is no privacy
claim asserted, in some very narrow category, whether there is
a set of protocols you might voluntarily adopt to provide that
information or that software with then instruction that it be
immediately destroyed; it be done in a SCIF, in a secure safe.
I mean, is that practical, something like that? Should that be
part of this discussion that we keep hoping that the industry
and the Justice Department will have in trying to develop
something, or is that fraught with so many problems that it's--
--
Mr. Sewell. Thank you for the question, Congressman. We
have and spend a lot of time thinking about how we can assist
our customers in the event that they have a problem, if they
have lost a phone, if they have--they're in a situation where
they're trying to recover data. We have a number of mechanisms
to do that, and we will continue to improve those mechanisms as
we move forward.
It's very important to us that we try to think about the
consequences of the devices that we create. In this particular
case, the passcode unlock is not something that we think lends
itself to a small usage. The problem with this particular issue
is that once you take that step, once you create the mechanism
to unlock the phone, then you have created a back door, and we
cannot think of a way to create a back door that can only be
used beneficially and not be used by bad people.
Mr. Cicilline. So you have, in fact, sort of already
contemplated other ways in which you could make this
information available in this case that would not have those
sorts of broader implications?
Mr. Sewell. And we have provided information in this case.
We have provided logs. We have provided iCloud backup. We've
provided all the things that we have that are available at our
disposal.
Mr. Cicilline. Thank you.
Ms. Landau, you say in your written testimony, the--in your
written testimony, the point is that solutions to accessing the
data already exist with the forensic analysis community. We did
ask Director Comey, and we probably limited our question too
narrowly because we asked about the intelligence communities of
the United States. It sounds like you're suggesting that there
may be capabilities outside the United States Government that
the Justice Department or the FBI could contract with that are
capable of doing what it is they're asking a court to order
Apple to do.
Ms. Landau. That's right. So I noticed that when Director
Comey answered the question, he said: We talked to everyone who
will talk with us.
And I, as I mentioned earlier, I don't know if you were
here at that point, I had a conversation with some senior DOJ
people a few years ago about using NSA tools in law enforcement
cases, and they said: NSA is very loathe to share, because of
course, when you share a tool, it can get into a court case,
and then the tool is exposed.
And so I don't know in the ``we talked with everyone who
will talk with us'' how much NSA revealed about what they know
and what they can do, so that's the first place I would ask.
Now, I phrased that incorrectly. That's the first place that I
suspect has some tools for exactly this problem. But, yes,
there were discussions last week in Silicon Valley. There have
been discussions I've had with colleagues where people believe,
as Congressman Issa portrayed various potential solutions, that
there are ways to break into the phone.
There is, of course, a risk that the data might be
destroyed, but I have described both in my testimony--written
and verbal testimony, the FBI has not tried to develop this
level of expertise and they should.
Mr. Cicilline. So it seems as if, you know, we are
contemplating whether or not Congress should take some action
to either grant this authority and then figure out what is the
appropriate standard and test, et cetera. It sounds as if you
think that is problematic and that, in fact, the real answer is
a substantial increased investment in the intelligence
capability, the law enforcement capability to sort of keep pace
with the advances that companies like Apple are making, that
that's really the best protection in terms of both law
enforcement and the long-term security of the United States.
Ms. Landau. That's right. I don't think actually there
needs to be more authority, but there needs to be a completely
different view of how it's done. There probably needs to be
some authority in terms of how do you handle it for State and
local, because State and local will not have the resources, and
so there has to be some sort of sharing of tools. And that's a
jurisdictional issue and also just a--you know what, an issue
between bureaucracies that will have to be worked out, and that
will have to be worked out through law and policy.
But in terms of creating new authority, the FBI already has
that authority, but it uses it at a much lower level, and I'm
sure it's funded at a much lower level. They need to move from
the situation they're in to dealing with 21st century
technologies in the appropriate way.
Mr. Cicilline. Thank you.
I thank you, Mr. Chairman. I yield back.
Mr. Marino. You bet.
The Chair recognizes Ms. Lofgren from California.
Ms. Lofgren. Could I ask just one quick question, Mr.
Sewell, because I forgot when it was my turn? And we had asked
Mr. Comey, somebody asked Mr. Comey about the changing of the
password, apparently the county did it at the request of the
FBI. What did that do? Can you explain what happened?
Mr. Sewell. Certainly. One of the methods that we might
enable the phone in San Bernardino to do what's called an auto
backup. That is, the issue that the FBI is struggling with is
to find data between a certain timeframe, the time of the last
backup and the time of the horrific incident in San Bernardino.
If the phone would backup, that evidence, that information
would become available to the FBI. The way that we can back
these phones up in an automatic way is we connect them to a
known WiFi source, a source that the phone has already
connected to before and recognizes. If you plug the phone in
and you connect it to a known WiFi source, it will, in certain
circumstances, auto backup, and so the very information that
the FBI is seeking would have been available, and we could have
pulled it down from the cloud.
By changing the password--this is different than passcode--
but by changing the password, it was no longer possible for
that phone to auto backup.
Ms. Lofgren. Thank you, and thank you, Mr. Chairman, for
letting me get that information out.
Mr. Marino. Mr. Sewell, I have one more question for you.
Does China--does the Chinese Government have access to the
cloud, or is there any indication that they have tried to hack
the cloud in China to get information on the Chinese people?
Mr. Sewell. Let me be clear about the question. The
Chinese, undoubtedly, have the ability to access their own
cloud.
Mr. Marino. Yes.
Mr. Sewell. But with respect to the U.S. cloud, we believe
that--again, I'm struggling because of the words. The cloud is
a synonym for the Internet.
Mr. Marino. Yes.
Mr. Sewell. So, of course, Chinese people have access to
the Internet. Are we aware of a Chinese hack through Apple? No.
But beyond that, I can't say.
Mr. Marino. You answered my question. Thank you.
This concludes today's hearing. I want to thank the panel
very much for being here.
Without objection, all Members will have 5 legislative days
to submit additional written questions for the witnesses or
additional materials for the record. The hearing is adjourned.
[Whereupon, at 6 p.m., the Committee was adjourned.]
A P P E N D I X
----------
Material Submitted for the Hearing Record
Material submitted by the Honorable Bob Goodlatte, a Representative in
Congress from the State of Virginia, and Chairman, Committee on the
Judiciary
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Material submitted by the Honorable Doug Collins, a Representative in
Congress from the State of Georgia, and Member, Committee on the
Judiciary
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Questions for the Record submitted to the Honorable James B. Comey,
Director, Federal Bureau of Investigation
---------------------------------------------------------------------------
Note: The Committee did not receive a response to the questions
submitted to this witness at the time this hearing record was finalized
and submitted for printing on August 5, 2016.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Response to Questions for the Record from Bruce Sewell,
Senior Vice President and General Counsel, Apple, Inc.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Response to Questions for the Record from Susan Landau, Ph.D.,
Professor of Cybersecurity Policy, Worcester Polytechnic Institute
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Response to Questions for the Record from Cyrus R. Vance, Jr.,
District Attorney, New York County
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
[all]