FBI Director James Comey told senators on Wednesday that increased encryption on mobile devices is complicating the FBI’s job.
Comey, along with a roster of Obama administration officials, has been asking Silicon Valley companies for months for a solution that would allow law enforcement to monitor communications with a court order, while protecting the privacy of consumers. Technology companies like Apple and Google have resisted their entreaties, setting off a tense debate over encrypted data and a user’s right to own their own information.
After former NSA contractor Edward Snowden revealed, among other things, that the NSA and other agencies were siphoning off data and hacking into data centers, technology companies started building encrypted devices that essentially would cut them out of the process. The government couldn’t demand companies turn over information because the new technology would give them no way to comply with a court order — increasingly, they are introducing devices that can be opened only by the user, something known as “strong encryption.”
The FBI director said that is becoming a problem. “We cannot break strong encryption,” Comey told lawmakers on the Senate Intelligence Committee. “I think people watch TV and think the bureau can do lots of things. We cannot break strong encryption.”
To make his case, Comey gave senators specific examples in which encryption blocked the FBI from getting electronic information, even though agents had a warrant. He said he couldn’t come up with a specific number of such cases, but he did say it was coming up with increasing frequency.
Consider the case of Usaamah Rahim, a Boston man who was killed when FBI and Boston police sought to question him last month. Allegedly, he was a follower of the self-proclaimed Islamic State, also known as ISIS or ISIL. Comey said FBI agents knew that Rahim was contemplating an attack, but the agents who were tracking him electronically couldn’t see exactly what he was planning because he disappeared into an encrypted site — something the bureau calls “going dark.”
“ISIL does something al-Qaida would never imagine: they test people by tasking them,” Comey told the senators. “Kill somebody and we’ll see if you are really a believer. And these people react in a way that is very difficult to predict. What you saw in Boston is what the experts say is flash-to-bang being very close. You had a guy who was in touch in an encrypted way with these ISIL recruiters and we believe was bent on doing something on July 4th. He woke up one morning, June 2nd, and decided he was going to go kill somebody.”
In court documents filed last month, officials say that in a wiretapped phone conversation, Rahim said he wanted to “meet Allah” before July 4, when he and several other men allegedly wanted to attack Pam Geller, the New York woman who organized the Draw Muhammad contest in Garland, Texas. They were goaded to action, authorities say, by ISIS. Two other men have been arrested in connection with the case and are awaiting trial.
The FBI director said the encryption problem goes beyond terrorism cases. He said that encryption technology is affecting everything from child pornography to kidnapping. He talked about a Miami case in which a long-haul trucker kidnapped his girlfriend, held her captive in his truck, and drove her from state-to-state, sexually assaulting her. She eventually escaped and pressed kidnapping and sexual assault charges against him. The trucker claimed the sex had been consensual.
As it turns out, he had videotaped his assaults on his smartphone and the phone didn’t have the encryption enabled. The FBI got a warrant and the video was used as evidence and he was convicted. If there was one-key or end-to-end encryption on that phone, Comey said, the case might have ended differently.
End-to-end encryption means that law enforcement has to go directly to a target to get the data instead of turning to a company for a password or key. If there had been end-to-end encryption in the trucker case, the FBI might not have had access to the incriminating video.
Comey also addressed the concerns raised by an elite group of 14 security technologists who released a paper Tuesday night called “Keys Under Doormats: Mandating Insecurity by Requiring Government Access to all Data and Communications.” They concluded that governments can’t demand special access to encrypted data without putting critical infrastructure in peril. The paper offered the first in-depth technical analysis of the proposals the Obama administration has floated as alternatives to the end-to-end encryption regime.
Their concerns were three-fold. First, the report said, providing exceptional access would fly in the face of best practices now making the Internet more secure because it would be making exceptions. Second, the technologists said that building exceptional access into the system would create vulnerabilities.
“[N]ew technology features would have to be deployed … in telecommunications and Internet access services … Features to permit law enforcement exceptional access across a wide range of Internet and mobile computing applications could be particularly problematic because their typical use would be surreptitious — making security testing difficult and less effective.”
And finally, there is the hacker problem, they said. “If law enforcement’s keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege.”
This technologist group included pioneers in the field of public key cryptography like Whitfield Diffie and Ronald L. Rivest, who is the “R” in the RSA algorithm that has set the standard in public cryptography.
Comey seemed to distance himself from the ideas that the administration had previously been floated to deal with “going dark.” He said he was open to any ideas that technology companies might have to solve the encryption problem. The solution, he suggested, might be something that hasn’t even been discovered yet.