CHESTNUT HILL, Ma.—FBI director James B. Comey today revived the Going Dark discussion during a keynote address at the Boston Conference on Cyber Security, saying it’s time for an adult conversation on the prevalence of strong encryption and how it hinders criminal and national security investigations.

Comey, during his 45-minute address at Boston College, did not address the expansive leaks of CIA hacking tools yesterday by WikiLeaks or Russia’s alleged manipulation of the U.S. presidential election. He did not take questions from media in attendance, though he did answer a few from attendees.

Comey’s stance on strong encryption has remained largely unchanged in the past two years, running in parallel with the growth in mainstream adoption of secure messaging applications such as Signal, WhatsApp and others. The director contends that strong crypto not only impedes investigations, but cuts the legs out from judicial warrants that allow law enforcement on the local and federal level to seize digital devices.

Comey said that between October and December of last year, the FBI took possession of 2,800 devices, and there were 1,200 that the bureau could not crack and access stored data.

“That’s a big deal,” Comey said.

Comey acknowledged that strong crypto has always been around, but prior to Edward Snowden’s leaks of NSA secrets, it was largely the purview of nation states and sophisticated criminal groups.

“These apps are now a default feature of much less sophisticated actors, drug dealers, bank robbers, pedophiles, some terrorists,” Comey said. “Their shadow is spreading across more of our work.”

In the past, Comey has challenged technology companies to try harder to come up with a reasonable solution that does not require a backdoor or one that weakens encryption. Today, he backed off the challenge to tech companies and called for a discussion among the relevant parties that he says share the same values.

“We have to have a hard conversation about what we’re doing,” Comey said.

He also rebuked claims made by experts in the past that law enforcement could gain valuable intelligence from intercepted metadata, which is not encrypted and often includes information about call records, email headers and physical location.

“Metadata is limited, especially when we are obligated to prove guilt beyond a reasonable doubt,” Comey said. “We just can’t get there against a pedophile or a terrorist.”

“Other say that maybe you can develop a hacking tool. That’s expensive and it doesn’t scale,” Comey said, harkening back to the Apple-FBI debate. “Something like that cannot be used broadly because they are perishable.”

Comey tried to tug on some patriotic heart strings as well, pointing out that the country’s founders struck a bargain that the government cannot invade one’s privacy without probable cause and a court order. What they founding fathers were saying, Comey countered, is that with good reason, the government can invade one’s privacy.

“There is no absolute right to privacy,” Comey said, adding, “with respect to default, strong encryption, it changes that bargain, and shatters it, in my view.”

Comey began his keynote by explaining the FBI’s ranking of cyber adversaries, starting with nation states at the top (he named China, Russia, Iran and North Korea), followed by multinational crime syndicates that sometimes work on behalf of nation-states, followed by insiders, hacktivists and terrorists at the bottom of the stack. He also explained the importance of the FBI increasing the cost of attacks for hackers, one of the FBI’s five strategic goals. That strategy includes increasing international pressure to prosecute hackers, or at least name and shame them as the government did in the case of China’s PLA hackers or Iranian actors allegedly responsible for DDoS attacks against U.S. banks in 2012 and 2013.

“We want to make sure they feel our breath on their neck,” Comey said.

Feature photo via @BCcybersecurity.

Categories: Government, Privacy

Comments (3)

  1. Rob Shein
    1

    Mr. Comey starts out by asking for an adult conversation…and then reverts to the puerile and disingenuous argument that encryption is somehow a magic bullet that makes all other investigative means infeasible and grants “absolute” privacy. No, someone does not have an “absolute” right to privacy…in fact, no rights are “absolute.” But while a person has no absolute right to not being killed by their government…say, if they were holding hostages and were shot by a sniper to save other lives…that does not mean that law enforcement should be able to kill randomly and with impunity either.

    Crypto does not grant absolute privacy, and it’s time that law enforcement stopped lying to us with the pretense that it does. in fact, the increasingly digital nature of our society has given them better and faster ways of doing their jobs than ever before; everyone with a smartphone has a tracking device that leaves a trail of their movement, for example. License plate readers track the location of cars in every metropolitan area. Crypto does not obviate any of this; it’s nothing more than a slight limiter on one aspect of investigations.

    Comey, like others in his profession, needs to stop stomping his feet and whining that he’s not having his cake and eating it too.

    Reply
  2. Marcus
    2

    Comey’s arguments that metadata just isn’t enough are nonsensical. Are we supposed to believe that a competent DA can’t get a conviction against someone with metadata records showing that they frequently log in to “Pervo’s Pre-Pubescent Porn Palace” or “Tariq’s Terrorist Tactical Team”?

    Reply
  3. Alexander
    3

    Metadata is more than enough. It is difficult to say that one who writes offensive things is not been hacked.

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>