Now that encryption has been elevated to a default technology on mobile devices, the government has heightened its “Going Dark” rhetoric, again on Wednesday insisting during a Senate Judicial Committee hearing that Silicon Valley figure out how to deliver plain-text communication between criminal and terror suspects to law enforcement.

FBI Director James Comey and California Sen. Dianne Feinstein testified that encryption continues to be an insurmountable barrier for legal and national security investigators, and as Feinstein put it, “encryption ought to be able to be pierced.”

The nation’s top law enforcement officer has argued for more than a year that mobile devices that are encrypted by default and only by the user put the FBI and police behind the eight-ball, unable to access communications between individuals, even with legal court orders and judge-issued warrants to do so.

The government has long hinted at some kind of exceptional access to encrypted data, which many have interpreted as an intentional backdoor left in by technology companies such as Apple and Google, both of whom have relinquished control over the private encryption keys that previously unlocked users’ devices. Those keys are now on the device and can only be unlocked by the user who knows the four-to-six digit PIN.

Comey said during yesterday’s hearing that government has had exchanges with technology companies and acknowledged that both sides of the argument see the collision between the desire to be safe and private online and the needs of public safety officials.

“All of those conversations have convinced me it’s not a technical issue,” Comey said. “There are a lot of folks who have said over the last year or so that we are going to break the Internet or have unacceptable insecurity if we try to get to a place where court orders are complied with.”

Comey said many technology companies provide secure services or make “good phones” that can be unlocked and still comply with court orders. “In fact, the makers of phones today that can’t be unlocked, a year ago they could be unlocked,” he said, adding that the government doesn’t want a backdoor, nor does it favor legislation mandating such access.

“We want to get to a place where if a judge issues an order, the company figures out how to supply that information to a judge and figures out on its own how to do that,” Comey said. “The government shouldn’t be telling people how to operate their systems. We are in a place where we understand it’s not a technical issue, it’s a business model question.”

The Electronic Frontier Foundation (EFF), however, posted a rebuttal to Comey’s testimony, pointing out that solutions such as key escrow or splitting keys—which experts have said introduces untenable complexity—or companies simply choosing not to offer encrypted services are equally unacceptable.

Staff attorney Andrew Crocker wrote:

“Rather than seeking legislation mandating backdoors, which would allow involvement, technical review, and criticism by encryption experts and the public, the FBI will rely on backroom pressure to make companies compromise encryption, or even eliminate business models it doesn’t like. Some services—like most flavors of webmail—currently don’t use end-to-end encryption, so they won’t have to change. But for other types of tools (chat or encryption of data at rest), cryptographers are unanimous—designing their tools in the way that Comey wants will have potentially disastrous effects on user security.”

Comments (8)

  1. Nonya

    You can’t have it both ways. Encryption must remain un-compromised and uncompromisable. Privacy MUST ALWAYS trump those who want access to private data. FBI, CIA, NSA, police, and courts will just have to live with the fact that there will always be some private data that they cannot have access to. Anything else is violating people’s right to privacy.

  2. David A. Lessnau

    What these government officials seem to forget is why we have a (supposedly) limited government with multiple branches: it’s the government that bears watching, not the people. By definition and by history, the government is NOT a trusted player. That’s why we’ve granted them only specified powers via the Constitution. If these government people can’t/don’t/won’t understand that, then they’re in the wrong business.

  3. Cornelius N.

    It is truly amazing how ignorant these people are… Just because the US changes its laws to weaken cryptography does not mean the rest of the world will.

    The tech companies can also move these parts of their industry to better climates (say Ireland – which has some very friendly tax laws etc). Or the industry already will leverage the advantage and grab more of the market. Besides, weakening crypto in the US only gives every other spying nation an edge.

    Regardless, there is always a way around it like breaking into the that makes a fair share of the world's SIM cards. Why not do that to the factories producing processors (most of the production is centered in Taiwan and China making for a smaller target area)?

    So far there has been no clear proof that encryption has been used (or rather successfully used) by terrorists and criminals. In some cases they use “specially made” encryption software (such as the PGP derivative ) which actually helps by flagging the communication as encrypted by someone that is using known terrorist software. Even when criminals go to extreme lengths such as the Mexican cartel that built its own phone we find solutions.

    Enough with the hysteria, scare mongering and security theater.

    • Josh

      They don’t need to pass the laws in other countries. The main phone developers are here in the US. All they need to do is force Apple and Google to put in a backdoor or weaken the crypto somehow and it will affect everyone. Now if they moved their headquarters to another country they might be able to skirt around any laws pushed out but unless that happens everyone is subject to any laws the government decides to pass in regards to cell phone encryption.

  4. dude@nra.gov

    Granting people their constitutional rights with the 2nd amendment, guns and mass shootings on a weekly basis, scores of innocents being killed – that’s fine.

    Granting right to privacy, where no one has died from encryption – let’s focus on that instead.

  5. J. "Jon" Rogue

    I’m aware of the potential logical fallacy behind the notion of “If you have nothing to hide, then you have nothing to fear” – when that notion is presented in a broad context. It’s an age-old debate that likely won’t be settled soon.
    In this context, far too many are presenting “privacy” as a blanket-argument against some measures of security – all riddled with their own logical fallacies.
    Those who resort to a binary “privacy” vs. “security” don’t understand that it’s not black and white. This happens on both sides of the debate.
    If sufficient controls exist, blindly advocating privacy above all demonstrates nothing but ignorance.
    Sure, I’m certain either side can cite references that would support their binary position. I’d argue that too few are developing a dynamic position based on the totality of the circumstances.
    In this context, there should be a method of some sort, with appropriate controls, to give those with appropriate authority, access, and oversight to utilize this information asset.
    Blanket statements such as “Privacy MUST ALWAYS trump those who want access to private data” are a demonstration of a binary position. It’s unfortunate that the ignorant are often the most vocal.

    • Khürt Williams

      “In this context, there should be a method of some sort, with appropriate controls, to give those with appropriate authority, access, and oversight to utilize this information asset.”

      The government has not proven itself capable of exercising the appropriate control. This authority and access will be abused. The oversight will be negligible.

  6. lolz

    It is indeed a business decision. Support insecure crypto and lose any business opportunity where secure crypto is required. I hope they can get the criminals to adhere to using weak crypto.
