So I watched the Hearing...
All of it. Do not recommend.
There were a variety of questions, some repeated but reframed, but for the most part the theme was two brick walls talking at each other. The Senators had laser focus on "kiddie porn is still a thing, you aren't doing enough, why don't you have a (procedural) solution?", whereas the tech rep for Apple's position was "We can't see any (practical) solution to give law enforcement access without weakening encryption for all". The rep for Facebook didn't really have much to add on the subject of encryption at rest (the main focus of the hearing) as FB doesn't manufacture phones.
It boils down to competing priorities, and it's incredibly frustrating to listen to. Apple et alia don't think the cost to end user security is worth weakening encryption for law enforcement access (fair), and the Senators are framing it as an issue of principle, being protection of children (also fair, although a little dishonest in this context).
There were some interesting points raised though; Vance pointed out that most law enforcement agencies / departments don't have the funding to pay for 0-days and custom tools to break into these devices, which I think is probably something that the Senate and Congress can do something about. Namely, funding and resourcing as a start. As for the custom tools to get access, bulk expensive yes, but there are also a handful of TLA Agencies on that side of the pond who have teams of people dedicated to developing exploits (thank you Snowden et alia for bringing that stuff to light); are we expected to believe that it is impossible for law enforcement and the intel community to leverage their resources between them? Is that really less reasonable than expecting tech companies to compromise the security of their customers?
Beyond that, same shit different day; Senators and other non-tech types don't understand the subject matter (with the exception of Mr Lee for this hearing). Round and round and round and round and round and round....
Adjacent but related thoughts:
- A lawman who openly claims to not be a technologist but insists that claims there is no practical solution to accommodate law enforcement without weakening security for all are false (para 7 of the opening statement in his written testimony) should be viewed with skepticism
- Same lawman repeatedly asserting that Apple had keys to decrypt stuff before iOS 8, even after the Apple rep clarified 4 or more times that there was never any unlocking (data provided by Apple under warrant at that time was not encrypted) indicates lack of basic comprehension skills (yelled at my computer and called the dude a fucking neanderthal at one point)
- And again repeatedly framing the release of iOS 8 as an effort to undermine law enforcement / government at large.
- Prof. Matt Tait asserting that a legislative solution is possible without outlining what those solutions would be is irritating; I would love to hear what these possible solutions are, else how are we all going to look at them and see if they are genuinely useful??? Having said that, I think he's right on the subject of E2E encryption for data in transit (but again, how to implement).
- Senator Whitehouse (approx 1hr15m mark) inferring that companies like Apple introducing full disk encryption etc are somehow morally liable for the harm caused to victims of child abuse is fucking outrageous, and I am baffled that no-one at the hearing had anything to say about that - the parallels to vicarious liability in other industries like automotive, alcohol and firearms are pretty obvious, would have thought at least some of the R's in the room would have said something
- Hearing briefly diverting to "Facebook blah blah data blah blah" is annoying. The points raised are correct, but not relevant to the hearing; waste of time.
- Sen. Mike Lee was by far the voice of reason in the hearing. His first round of questioning was good, but he requested a second round and I think he really delivered there (2hr12m50s to the end of the hearing). Worth a watch if you have the time.
I think the only other point was made firstly by Sen. Graham, but by others too, and that's the "Find a solution off your own back, or we'll do it for you". With respect to the Senator, I think the Senate and Congress would have as much success doing that as legislating that the sun won't rise on Tuesdays. Unless they can legislate business priorities and consumer concerns under the same power, and guarantee that any process implemented will not be abused by the US government, or indeed any government / malicious actor (re: IG FISA report to see why that's bullshit), they are really toothless in this space.
Anyway, just my 2 cents.