FBI Director James Comey believes that in a "post-Snowden" world, the pendulum has swung too far — and unchecked encryption could lead us all to a "dark, dark place" where criminals walk free.
Speaking at an event at the Brookings Institute in Washington, D.C., Comey said that public misconceptions over the data collected by the US government and technological capabilities of agencies such as the NSA have encouraged heightened encryption — but the consequences could be dire.
The FBI chief, who has been in his post just over a year, said that "the law hasn't kept pace with technology, and this disconnect has created a significant public safety problem." In particular, "Going Dark" worries law enforcement the most — the spectre of facing black spots in surveillance, and not being able to gather or access evidence related to suspected criminals.
"We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so," Comey admitted.
Current law governing the interception of telecommunications data and records requires broadband and network providers to build interception capabilities into their networks, under the terms of the Communications Assistance for Law Enforcement Act (CALEA). However, this law was brought in 20 years ago — and now technology has outstripped this legislation, as new communication technologies are not necessarily covered by the act.
According to the FBI Director, "if the challenges of real-time interception threaten to leave us in the dark, encryption threatens to lead all of us to a very dark place." Comey commented:
"Encryption is nothing new. But the challenge to law enforcement and national security officials is markedly worse, with recent default encryption settings and encrypted devices and networks — all designed to increase security and privacy.
"Encryption isn't just a technical feature; it's a marketing pitch. But it will have very serious consequences for law enforcement and national security agencies at all levels."
The remarks were made in reference to Google and Apple, both of which have pledged to encrypt their mobile devices by default. Apple has recently added two-factor authentication to iCloud following celebrity photo leaks, and in iOS 8, the encryption keys are given to the customer. On the heels of Apple's announcement, Google said this level of encryption will also be enabled in the next version of Android.
By handing encryption keys over to the customer, neither company can decrypt user data, even if the US government obtains a court order and demands it.
Comey calls these features a marketing pitch, and that is likely the case. Following Snowden's disclosures, customers have lost trust in technology and telecommunications firms — and heightening basic security is a step towards regaining user trust.
While privacy advocates have applauded Apple's and Google's efforts, the FBI Chief has a different opinion. Comey commented:
"If this becomes the norm, I suggest to you that homicide cases could be stalled, suspects walked free, child exploitation not discovered and prosecuted. Law enforcement needs to be able to access communications in a lawful way in order to bring people to justice. Those charged with protecting our people aren't able to access the evidence we need, even with lawful authority."
Comey goes on to imply that CALEA needs an update, saying that the agency is comfortable with court orders and legal process, and is "not seeking a back-door approach — we want to use the front door." However, one could argue that leaving any kind of intercept door in a system weakens security — and Comey ignores these risks.
"Cyber adversaries will exploit any vulnerability they find," the FBI Chief noted. "But it makes more sense to address any security risks by developing intercept solutions during the design phase, rather than resorting to a patchwork solution when law enforcement comes knocking after the fact. And with sophisticated encryption, there might be no solution, leaving the government at a dead end — all in the name of privacy and network security."
Finally, Comey says that the FBI understands the private sector's need to remain competitive in the global marketplace, and "it isn't our intent to stifle innovation or undermine US companies." However, he encouraged these companies to "take a step back, to pause, and to consider changing course" on encryption, and said the agency needs to "find a way to help these companies understand what we need, why we need it, and how they can help, while still protecting privacy rights and providing network security and innovation."