The United States government has eased off its demands for “exceptional access” to encrypted communication, and instead volleyed the problem back to technology companies and asked them to try harder to come up with a solution.
The government’s concern is that recent enhancements to encryption, in particular on mobile devices where companies such as Apple and Google no longer hold encryption keys, inhibit law enforcement and national security efforts. The government calls this scenario “Going Dark,” and as of last fall, fostered calls for tech companies to build in access to devices and have keys escrowed among trusted parties.
This morning during a Senate Judiciary Hearing, FBI Director James B. Comey Jr., and Deputy Attorney General Sally Quillian Yates said that warrants and court orders are no longer useful tools in gathering evidence in cases where encryption is being used. Since Apple, Google and others no longer hold encryption keys, they cannot be compelled to turn over user data to law enforcement or the government.
But rather than call for legislative help in compelling companies to build in specialized access, the two officials said they intend to continue conversations with providers hoping they can come up with an adequate resolution. They did not, however, rule out pursuing a legislative solution down the road.
“I’ve heard that it’s too hard, that there’s no solution. Really?” Comey said, mentioning Silicon Valley by name. “Maybe it is too hard, but given the stakes, we’ve got to give it a shot and I don’t think it’s been given an honest hard look.”
“We want people to be in position to comply with judges’ orders in the U.S. We want creative people to figure out how to comply with court orders,” Comey said later in the hearing. “You shouldn’t be looking at the FBI director for innovation.”
Yates, meanwhile, said the government does not expect a one-size-fits-all solution.
“We want to work with communications providers to get the access we need, and at the same time protect the privacy and internet security interests we all have,” said Yates, who has been on the job six months. “Rather, we’d like to have each provider think about it and work out a way where they can respond to court orders. We are not seeking a frontdoor, backdoor or direct access, but just to work with industry to be able to respond to these orders.”
Comey and Yates leaned on national security interests to make their case, pointing to terrorists from the Islamic State co-opting encryption for their own purposes. Comey said terrorists from the Islamic State (ISIS), for example, are recruiting new followers online—over Twitter in particular—and directing them to use end-to-end encrypted chat applications to continue their dialogue. Neither Comey nor Yates—nor any of the senators on the committee—noted that encryption technologies also protect the privacy and personal safety of activists, journalists and many others worldwide.
Yates said that despite comparisons to the Crypto Wars of the 1990s, this was not a situation where she expected or wanted government to retain encryption keys.
“We’re talking about individual companies, many of which are [retaining keys] right now for business purposes, while maintaining strong encryption,” Yates said. “We’re asking that national security be one of the factors they use when considering what type of encryption to use.”
Today’s hearing came one day after 13 leading cryptographers published a report explaining the risks associated with the exceptional access to encrypted data that government desires. The experts’ paper points out that the introduction of a vulnerability such as backdoor access makes it a target for criminals and nation-state actors. The cryptographers’ paper, written by experts including Steve Bellovin, Whitfield Diffie, Peter Neumann, Ron Rivest, and Bruce Schneier, among many others, argues that the economic impact of such access would be much more harmful than 20 years ago when the Clipper Chip debates were in full swing.
A backdoor would also undo advances made to encryption that were accelerated by the Snowden revelations, including deployment of forward secrecy, a cryptographic system where one-time crypto keys secure sessions and are immediately destroyed, so that a stolen key can be used only once, keeping past and future communication safe. The cryptographers also argue that building in front doors would introduce complexity, which they deem to be “the enemy of security” since new features interact and likely introduce new vulnerabilities.
Sen. Al Franken (D-Minn.) challenged Yates as to whether the government has numbers backing up its claims that encryption thwarts law enforcement or national security investigations. Yates said she did not, and that producing such numbers is close to impossible, since the Justice Department does not seek a warrant where it’s known that the information it seeks is end-to-end encrypted.
Comey, meanwhile, said that the challenge is to find a balance between national security and law enforcement interests, and those of personal privacy and Internet security.
“Smart people say we can’t [reduce risks] and maybe that’s the case,” Comey said. “I don’t think we’ve given it the try as a country that it needs to be given.”