Editor's note (11/16/15): Following the terrorist attacks in Paris on November 13 and the ensuing debate about counterterrorism efforts and encrypted communications, Scientific American is republishing the following article.
Yesterday, FBI Director James Comey told Congress that the federal government was increasingly concerned about the widespread use of data encryption in consumer technology, implying—although not explicitly demanding—that tech companies give law enforcement easier access to cryptographically scrambled customer data. Comey’s testimony came one day after some of the world’s top cybersecurity experts and computer scientists issued a report arguing that the government’s call for special access to encrypted information is technically infeasible and unworkably vague. Law enforcement officials need to get specific about what they want, the report’s authors argued, instead of simply waving their hands and hoping for a technological unicorn that gives them on-demand access to personal information while also protecting user privacy and securing data.
And this is where the debate gets complicated. Here’s what each side wants and what might happen next:
What is FBI director Comey asking for?
Comey called for a “front-door” approach to customer data access in an October 2014 speech, but he was vague about how it would work beyond a call for tech companies to build “intercept solutions” into their products. National Security Agency (NSA) Director Michael Rogers proposed something more concrete in April when he suggested that technology companies be required to create a digital key that could open any smartphone or other locked device, with that key divided into pieces held by different parties so that no single holder could use it unilaterally. The Center for Democracy & Technology quickly shot down the split-key proposal as impractical.
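Rogers did not say how the key would be divided. The standard way to do what he describes is a threshold secret-sharing scheme, and the following added example (not from the article, the NSA proposal or the CSAIL report) implements Shamir's construction in plain Python so the mechanics are concrete: the key is the constant term of a random polynomial over a prime field, each holder gets one point on the curve, and any quorum of k holders can interpolate the constant term while k-1 holders learn nothing. The field prime, the 3-of-5 split and the function names are this example's own choices.

```python
# Added illustration (not from the article or any government proposal): a
# threshold split of a master key so that no single holder can use it alone.
# Shamir secret sharing over GF(p), p = 2^521 - 1 (a Mersenne prime, large
# enough to hold a 256-bit key as a single field element).
import secrets

PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n, rng=secrets.randbelow):
    """Split `secret` into n shares such that any k of them reconstruct it.

    The secret is the constant term of a random polynomial of degree k-1;
    share i is the point (i, f(i)). Any k points fix the polynomial; with
    k-1 points every value of the constant term is equally consistent, so a
    minority of holders gains no information about the key.
    """
    if not (0 <= secret < PRIME and 1 <= k <= n):
        raise ValueError("secret out of field range or bad threshold")
    coeffs = [secret] + [rng(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over exactly the shares supplied.

    Called with k (or more) correct shares this returns the secret; called
    with k-1 shares it returns an unrelated field element, not a near miss.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den^(PRIME-2) is the modular inverse of den (Fermat), PRIME being prime.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo():
    """Constructed 256-bit master key split 3-of-5 (say: vendor, two agencies,
    a court, an auditor). Returns (quorum recovers key?, minority recovers key?)."""
    master_key = secrets.randbits(256)
    shares = split_secret(master_key, k=3, n=5)
    quorum_ok = recover_secret([shares[0], shares[2], shares[4]]) == master_key
    minority_ok = recover_secret(shares[:2]) == master_key
    return quorum_ok, minority_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The split itself is the easy part. The practical objection is what happens at reconstruction: `recover_secret` produces the whole master key in one place, in memory, on whatever machine the quorum convenes, and from then on that machine is the skeleton key the scheme was meant to avoid creating. Avoiding that requires threshold cryptography in which the shares are used without ever being recombined, which is a far larger engineering commitment than "divide the key into pieces" suggests.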
In his written statement before the Senate Judiciary Committee, Comey was careful to avoid asking companies to allow surreptitious “backdoor” access to customer data and communications. Documents leaked by former NSA contractor Edward Snowden in 2013 indicated that his former agency had done this, for example, by deliberately weakening encryption standards issued by the National Institute of Standards and Technology. The backlash against the government’s alleged tampering with encryption standards and government demands for customer data has created a growing rift between Silicon Valley companies and Washington, D.C.
Why does the government say it should have this capability?
Federal law enforcement officials are concerned that criminals and terrorists will go “dark” by hiding their communications in encrypted e-mails and smartphones. Newer versions of the Apple iOS and Google Android mobile operating systems have emphasized encryption, to the point where company executives have said they would be unable to unlock customer data for law enforcement even if ordered to do so. “With sophisticated encryption, there might be no solution [for law enforcement], leaving the government at a dead end—all in the name of privacy and network security,” Comey said in October. Others in law enforcement have taken even more extreme positions. “Apple will become the phone of choice for the pedophile,” John Escalante, chief of detectives for the Chicago Police Department, told The Washington Post in September.
Manhattan District Attorney Cyrus Vance, who likewise testified before the Judiciary Committee on Wednesday, was more specific in his objection to device encryption. In his written testimony, he stated that asking his office to investigate the more than 100,000 criminal cases it handles each year without smartphone data is to “fight crime with one hand tied behind our backs.” Following the hearing, Wired reported that Vance’s office had since September encountered 74 iPhones whose full-disk encryption locked investigators out. Vance also singled out Apple during his testimony for what he called a double standard in its encryption policy. On devices running iOS 8 the key that unlocks stored data is derived from the user’s passcode and a key fused into the device’s hardware, so Apple never holds it and cannot produce it for investigators. Data that customers back up to Apple’s iCloud service, by contrast, is encrypted with keys Apple does hold, and the company can decrypt it if ordered to do so.
The FBI does need to intercept communications from time to time. Doesn’t Comey have a point?
Security experts have criticized law enforcement officials for overstating the need for access. “It's all bluster,” security expert Bruce Schneier wrote on his blog in October. Schneier, one of 15 co-authors of the new report by Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Laboratory (CSAIL), added, “Of the 3,576 major offenses for which warrants were granted for communications interception in 2013, exactly one involved kidnapping. And, more importantly, there's no evidence that encryption hampers criminal investigations in any serious way. In 2013 encryption foiled the police nine times, up from four in 2012—and the investigations proceeded in some other way.”
What technical objections do security experts have to “special access”?
CSAIL issued its 34-page report, “Keys Under Doormats,” yesterday. It highlights several reasons why special access would create more problems than it would solve. The security researchers interpret Comey’s comments to mean that tech companies should create a cryptographic key escrow, in other words a stored digital skeleton key, that law enforcement could use to unlock encrypted information in criminal or terrorism investigations. But any such key would become a prime target for attackers, would be difficult to secure and would be incompatible with newer security practices such as “forward secrecy.” With forward secrecy, every session runs a fresh key exchange and the short-lived private keys are discarded once the session ends, so that a long-term key obtained later, whether stolen or escrowed, cannot be used to decrypt recorded traffic; an escrowed key that unlocks past communications after the fact is precisely what the design rules out. A small but growing number of sites—including Google, Twitter, the Wikimedia Foundation and Facebook—have over the past few years begun using forward secrecy to secure transactions and data.
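To make the conflict concrete, here is an added example (mine, not code from the article or the CSAIL report) that models the two designs side by side: a server that reuses a long-term Diffie-Hellman key for every session, of which a copy sits in escrow, against a server that generates a fresh ephemeral key per session and throws it away. A party holding the escrowed long-term key and a full recording of the traffic decrypts the first and gets nothing from the second. The group is the 768-bit MODP group 1 from RFC 2409, far too small for real use but short enough to embed; the "cipher" is a SHA-256 keystream; `Recording`, `escrow_agent_decrypt` and the sample plaintext are this example's own constructions.

```python
# Added example, not from the article or the CSAIL report: a toy model of why
# an escrowed long-term key and forward secrecy cannot coexist. Group: the
# 768-bit MODP group 1 of RFC 2409 (too small for real use; chosen for
# brevity). Cipher: SHA-256 keystream. All names are this example's own.
import hashlib
import secrets
from dataclasses import dataclass

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8


def gen_private() -> int:
    """Random exponent in [2, P-2]."""
    return secrets.randbelow(P - 3) + 2


def derive_key(shared: int) -> bytes:
    """Session key = SHA-256 of the fixed-width encoding of the DH shared secret."""
    return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || block counter). Its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Recording:
    """What a wiretap (and hence an escrow agent) has: public values and ciphertext."""
    client_pub: int
    server_pub: int
    ciphertext: bytes


def static_dh_session(server_priv: int, plaintext: bytes) -> Recording:
    """No forward secrecy: the server uses its long-term DH key in every session."""
    c = gen_private()
    client_pub, server_pub = pow(G, c, P), pow(G, server_priv, P)
    key = derive_key(pow(server_pub, c, P))                   # client's view
    assert key == derive_key(pow(client_pub, server_priv, P))  # server agrees
    return Recording(client_pub, server_pub, keystream_xor(key, plaintext))


def ephemeral_dh_session(plaintext: bytes) -> Recording:
    """Forward secrecy: fresh key pairs per session, private halves discarded.

    In a real DHE handshake the server's long-term key only signs server_pub;
    the signature is omitted here because it plays no part in the session key.
    """
    c, s = gen_private(), gen_private()
    client_pub, server_pub = pow(G, c, P), pow(G, s, P)
    key = derive_key(pow(server_pub, c, P))
    assert key == derive_key(pow(client_pub, s, P))
    rec = Recording(client_pub, server_pub, keystream_xor(key, plaintext))
    del c, s, key  # nothing that can recreate the session key survives the session
    return rec


def escrow_agent_decrypt(rec: Recording, escrowed_server_priv: int) -> bytes:
    """Best effort of a party holding the server's long-term private key plus a
    recording. For a static-DH session this recomputes the session key. For an
    ephemeral session the only remaining route is a discrete logarithm of
    client_pub or server_pub, which is what the group size exists to prevent."""
    shared = pow(rec.client_pub, escrowed_server_priv, P)
    return keystream_xor(derive_key(shared), rec.ciphertext)


def run_demo():
    """Returns (static session recovered?, ephemeral session recovered?)."""
    message = b"constructed sample plaintext: meet at noon"
    server_priv = gen_private()  # the long-term key; escrow holds a copy
    static_rec = static_dh_session(server_priv, message)
    eph_rec = ephemeral_dh_session(message)
    return (escrow_agent_decrypt(static_rec, server_priv) == message,
            escrow_agent_decrypt(eph_rec, server_priv) == message)


if __name__ == "__main__":
    print(run_demo())  # (True, False)
```

The point the report makes follows directly: to give an escrow agent the power to read the ephemeral session after the fact, the server would have to stop deleting `s`, or derive it from something the escrow agent holds, and either change turns the design back into the static one on the left, with every past session exposed the moment the escrowed key leaks.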
Is there any way to create special access that would make everyone happy?
The authors of the report argue that any effort to create front doors for law enforcement would also make software and devices much more complex, difficult to secure and expensive for tech companies to maintain.
What is the government’s track record for protecting sensitive data?
Not good. Last year alone the government reported successful hacks into unclassified White House, State and Defense department e-mail systems. The security researchers, led by Daniel Weitzner, director of M.I.T.’s Cybersecurity and Internet Policy Research Initiative and a former deputy chief technology officer at the White House, specifically cite the recent hack of the U.S. Office of Personnel Management (OPM) to illustrate the harm that can arise when many organizations entrust private information to a single institution for safekeeping. In the case of OPM, numerous federal agencies lost sensitive data because the office had insecure infrastructure.
Is there any precedent for what the government is asking to do?
The current debate must seem like déjà vu for many of the report’s authors, several of whom co-authored a 1997 report opposing Clinton administration proposals to require that information and communication products be engineered to guarantee law enforcement access to all data. The administration’s best-known attempt, the Clipper chip announced in 1993, had by then already been abandoned. Clipper was a hardware encryption chip intended for telephones and other devices; a copy of each chip’s key was to be split between escrow agents who would turn it over to law enforcement on proper legal authorization.
What was the case against Clipper?
The researchers at the time concluded that the escrow infrastructure Clipper required could not be built securely: a repository of keys able to unlock large numbers of encrypted communications would be a single point of catastrophic failure, and Matt Blaze, one of the current report’s authors, showed in 1994 that Clipper’s own escrow mechanism could be bypassed by the very users it was meant to cover. Nor was there any consensus over who could be trusted to hold the escrowed keys and hand them over only when the government secured a court order.
What happens next?
The FBI’s Comey insisted Wednesday he was not asking to expand the government’s surveillance authority; rather, his goal was to ensure that law enforcement can continue to gather electronic information and evidence from emerging technologies when needed. The security researchers say Comey and his colleagues should be as specific as possible about what they need and then engage cybersecurity experts and lawmakers to come up with an approach that takes into account both data security and user privacy. Now that both sides have spoken publicly, we will probably see some direct dialogue between them.