Cotton Questions Legal and National Security Experts About Encryption During SASC Hearing

July 14, 2016

Contact: Caroline Rabbitt (202) 224-2353

Washington, D.C. -- Today, during a Senate Armed Services Committee hearing, Senator Tom Cotton (R-Arkansas) questioned the Honorable Kenneth Wainstein, Mr. Cyrus Vance, and Mr. John Inglis about encryption. A full transcript of their exchange can be found below.

Senator Cotton: Thank you all gentlemen for being here on this important topic. I speak today as a friend of encryption, someone who recognizes its vital role in protecting some of the most important data that we all have, whether it's our email, text messages, phone calls, health information, financial information. But also someone who wants to protect the American people, to protect them from mass casualty terrorist attacks, to prevent them from being shot in night clubs or in community centers, or blown up in malls. Something that is as important, if not more important than protecting that data. I also recognize the great contribution that companies like Apple, and Twitter, and Facebook have made to our society and the way that we live today. And I hope that there is some way that we can all find some compromise, or alignment as Mr. Inglis called us, to address all of these threats to the American people. Mr. Inglis, I want to touch on a point you just made: in this debate we often hear a lot about backdoors, but as you said many companies employ software update mechanisms that could be thought of as a backdoor because they change or update the functionality of a device periodically and sometimes without even notice. These require additional keys or pathways to enter a device. So could you elaborate a little bit on if a company can build a safeguard or additional key for updates and patches, why they could not do so for safeguards or keys for emergency purposes, like terrorism, like kidnappings, like child pornography and so forth?

Mr. Inglis: I think your point is well made, sir. I think they can. The question isn't whether that capability exists or not. It certainly does exist -- that you can upgrade software, that you can add other parties, legitimate parties, at the behest of the user to conversations, whether it's the retraction or to pull store data or whether it is a conversation in motion. The question is, is there a legitimate purpose that we understand and say that's sufficiently noble and we are going to engineer the solution? And do we have the controls on that, such that we are confident it will be used for that purpose and no other. It's the bookends, not the capability that then should be the focus of our conversation. So I think the technology does exist, the question is whether we can engineer that and have confidence in its efficacy.

Senator Cotton: Ok. So let's put this question in a bit of broader societal and legal context. Mr. Vance, we all have an expectation of privacy in our bank accounts, of course. However, you, I would assume, regularly obtain lawful subpoenas from a court to obtain the bank records of someone suspected in engaging in criminal activity. Is that correct?

Mr. Vance: Correct.

Senator Cotton: We also have reasonable expectation of privacy in our telephone conversations, the actual content of those conversations. However, I would assume that you often seek court-ordered wiretaps from telecom providers when there is a reasonable suspicion of criminal activity?

Mr. Vance: Correct.

Senator Cotton: Is there any reason why tech and data companies should be treated differently from banks or telephone companies in our society?

Mr. Vance: Senator, I believe there is no legitimate objective reason. I think what is interesting about the state of affairs we find ourselves in today is that, sticking with Apple for a second, they have re-engineered the phones so they can no longer be opened by the company. Now that was a conscious choice. But having done that, they have now argued that they have created a right to privacy that previously didn't exist because of their engineering decisions to block access by law enforcement. I think that is ironic, but that is where we are today. But I find no logical, reasonable reason why the technology companies should not be subject to the same sorts of rights and obligations that other industries have come to adapt and have worked through over the decades and I think that is something that is fair to look at going forward.

Senator Cotton: Mr. Wainstein, do you have any perspective on whether there should be some kind of special set of rules for technology and data companies as opposed to banks or telephone companies?

Mr. Wainstein: No, Senator Cotton. Look, I agree with Mr. Vance on this. As part of a compact with our government, we all -- individuals, industries, companies -- we have to submit to lawful court orders. And despite this encryption, as Mr. Vance said, they did not create a new zone of privacy, they can't do that. The privacy is as dictated in the Constitution and by the decisions of our courts. And they have an obligation to provide that information. They've tried to litigate it. At the end of the day I think they are going to lose on the fundamental issue, I'm quite confident they will. And I think that it is really up to Congress to make the point legislatively that if, unless you voluntarily accept the solution to this, it's of such paramount importance to the national security and to the enforcement of our laws that we are going to legislate it.

Senator Cotton: We all have certain rights to privacy under our Constitution, but we also have a duty to provide information when subjected to a lawful court order. And that would be a duty not to our government, but to our fellow citizens.