Encryption Hinders Investigations: FBI Chief - InformationWeek
Mobile // Mobile Devices
06:06 PM
Connect Directly
Ransomware: Latest Developments & How to Defend Against Them
Nov 01, 2017
Ransomware is one of the fastest growing types of malware, and new breeds that escalate quickly ar ...Read More>>

Encryption Hinders Investigations: FBI Chief

The Senate Judiciary Committee heard a different story from technologists, who argue that surveillance has never been easier.

10 Great Websites For Learning Programming
10 Great Websites For Learning Programming
(Click image for larger view and slideshow.)

FBI Director James Comey appeared before the Senate Judiciary Committee on Wednesday to argue for legal support to weaken strong encryption, which he claims obstructs criminal investigations.

The title of the hearing, "Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy," borrows Comey's characterization of encryption as a way to conceal evidence of criminal acts.

"We are seeing more and more cases where we believe significant evidence resides on a phone, a tablet, or a laptop -- evidence that may be the difference between an offender being convicted or acquitted," said Comey and Sally Quillian Yates, US Deputy Attorney General, in joint prepared remarks. "If we cannot access this evidence, it will have ongoing, significant impacts on our ability to identify, stop, and prosecute these offenders."

The concerns of Comey and Yates were echoed by Cyrus Vance Jr., District Attorney for New York County, who, last fall, complained about the device encryption deployed by Apple and Google.

"Before September 2014, investigators could access a locked iPhone with a warrant," said Vance at the hearing. "Today, unless we have a passcode, we cannot ... Criminals are literally and figuratively laughing in the faces of law enforcement."

(Image: ISerg/iStockphoto)

(Image: ISerg/iStockphoto)

FBI officials have been using the term "going dark" at least since 2008. And worries about technologies that may inhibit surveillance go back further still. In 1994, the Communications for Law Enforcement Act was passed to address FBI concerns that the shift toward fiber optic cable would render traditional phone tapping obsolete.

Yet legal and technical experts at the Senate Judiciary hearing Thursday, as well as those weighing in through open letters, argued against any requirement that companies provide a way to bypass encryption.

Peter Swire, professor of law and ethics at Georgia Institute of Technology, challenged the premise of Comey's argument. "It is more accurate to say that we are in a 'Golden Age of Surveillance' than for law enforcement to assert that it is 'Going Dark,'" said Swire in a prepared statement.

Conceding that strong encryption on devices can render some data inaccessible to investigators, Swire stressed that any loss of access is more than made up for by the availability of location data, social network connections, and databases full of details about suspects' digital lives.

(Image: Chris Dag via Flickr)

(Image: Chris Dag via Flickr)

As Swire and co-author Kenesa Ahmad put it in a 2011 paper, "We live in a new age where most people carry a tracking device, a mobile phone."

In May, dozens of prominent technologists, civic organizations, and companies signed an open letter to President Obama urging him to preserve strong encryption in order to protect national security and US business interests. "Whether you call them 'front doors' or 'back doors,' introducing intentional vulnerabilities into secure products for the government's use will make those products less secure against other attackers," the letter argued, adding that any such requirement would harm the market for such products abroad.

Earlier this week, a group of cryptography experts published a similar letter warning that demands for exceptional access to encrypted data by law enforcement are fraught with problems. "We find that [granting law enforcement exceptional access] would pose far more grave security risks, imperil innovation, and raise thorny issues for human rights and international relations," the letter said.

As examples of the risk of compromised cryptography, the Electronic Frontier Foundation has cited past security flaws in Cisco's wiretapping architecture and the compromise of Google's legal compliance system in China.

In the 1990s, the technology and business community pushed back against export controls on encryption and a government effort to encourage mobile handset makers to use the Clipper Chip, a mobile phone chipset developed by the NSA that provided authorities with a backdoor.

The technology community prevailed in this so-called Crypto War, or so it seemed until 2013. Documents made available by Edward Snowden revealed that the NSA has developed a variety of tools and techniques to access electronic information. These techniques demonstrate that strong encryption cannot compensate for weak security practices elsewhere, and that some strong encryption may not be as strong as supposed.

More recently, the hacking of Italian surveillance software vendor Hacking Team offered a reminder that the NSA is not alone in practicing such techniques. Ironically, the incident also demonstrated the problem with exceptional access -- the Motherboard website reported that the company's surveillance software contains a previously undisclosed backdoor.

Law enforcement's war against math (cryptography) and speech (computer code) never ended. And it isn't likely to end soon. But it isn't a war that can be won by fiat. Mandating compromised encryption to protect society will only ensure universal vulnerability.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
7/9/2015 | 5:13:55 PM
Next hearing ...
Once again, law enforcement took the federal center stage on encryption and provided no instances when encryption has prevented them from doing their jobs. In addition, Yates couldn't give any indication on the number of times when she believed encryption was an obstacle or in use. I'm not expecting them to crack a case or give tips to Comey's "bad guys" on the public stage. But, if there is an expectation of a "compromise", as it was repeatedly described (and ignoring the technological issues with that phrase), there should be some offering on when and how crypto is blocking court orders or the current tools law enforcement has in play. Exposure of widespread surveillance and invasive communications dragnets can, you know, cause a chilling effect. And next hearing, maybe members of Congress could add a panelist or two from the tech/data companies that were faulted by Comey and Yates as being reluctant to hand out keys/access.
Thomas Claburn
Thomas Claburn,
User Rank: Author
7/9/2015 | 12:11:15 PM
Re: Wrong Problem?
>Article mentions that they used to be able to compel access with a warrant, but no longer can. That sounds like the root problem that should be fixed.

The problem is that when a third party like Apple doesn't have the encryption key, it cannot be compelled to decrypt the data. Math trumps a court order. Moreover, companies have discovered that it's not helpful to their businesses to be the go-to source for law enforcement. Many don't want the responsibility (or compliance cost) of betraying customers on-demand.

It's possible to make it a crime to withhold encryption keys when authorities ask the first party/suspect, but in the US that presents consitutional problems against self-incrimination. Authoritarian regimes can simply declare you must provide us access or we'll beat you, jail you, or seize your assets. But that doesn't make for an appealing business climate.
User Rank: Ninja
7/9/2015 | 11:43:44 AM
Wrong Problem?
Article mentions that they used to be able to compel access with a warrant, but no longer can. That sounds like the root problem that should be fixed.
User Rank: Ninja
7/9/2015 | 7:41:38 AM
They don't get it
This is the biggest problem facing politics and linked organisations: the people involved don't come from technological backrounds. This means that they don't really understand the ramifications of what they're saying. 

The fact that government databases like the White House Office of Personnel were stolen should show that encryption is one of the few ways to truly protect data. Messing with that would open the door to all sorts of problems.

Or more likely it would mean that people didn't use that encryption standard and instead used another. It's a bizarre idea to assume that terrorists or other groups would use something that they know is easily breakable by law enforcement. 
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll