Did U.S. Use Secret Court To Force Tech Companies To Weaken Encryption?

Legislators in D.C. are currently considering a law that would compel tech companies to have weak device and software encryption so that law enforcement can snoop when necessary, while federal prosecutors have repeatedly used a 227-year-old law to try to force Apple and Google to work around existing security on their products. A new lawsuit seeks to find out if the government has also been using a highly secretive court to force tech companies to assist in breaking their own encryption.

Created in the late 1970s, the Foreign Intelligence Surveillance Court [FISC] is responsible for reviewing requests from the government for surveillance involving issues of national security. Decisions made by FISC and its appellate kin, the Foreign Intelligence Surveillance Court of Review [FISCR], have long been classified, resulting in secretive programs like the National Security Agency’s sweeping PRISM project, which allowed the NSA to use FISC orders to collect stored data from large Internet companies.

Then, in June 2015, President Obama signed the USA FREEDOM Act [PDF], which includes a requirement that “significant” FISC and FISCR decisions be declassified.

More precisely, Sec. 402(a) of the new law orders the Director of National Intelligence and the U.S. Attorney General to conduct a declassification review of “each decision, order, or opinion issued” by these two courts “that includes a significant construction or interpretation of any provision of law” and to make each document “publicly available to the greatest extent practicable.”

Given the Justice Department’s public efforts to compel Apple and others to unlock devices and weaken encryption, the folks at the Electronic Frontier Foundation have been trying to figure out whether or not the NSA or other agencies have tried using FISC to secretly make the same demands of these companies.

In Oct. 2015, the EFF filed a Freedom of Information Act [FOIA] request with the Justice Department’s National Security Division, seeking any applications to FISC to compel technical assistance under the Foreign Intelligence Surveillance Act [FISA]; any written FISC opinions or orders regarding these applications; and any related briefings or correspondence with FISC, its staff, or any third party concerning these applications.

Two months later, the DOJ responded, claiming that it could find no applications or orders that fit the EFF’s request, but that there were some pieces of correspondence that may relate. However, the government contends that the sought-after documents were exempt from disclosure under the FOIA guidelines.

EFF subsequently appealed that decision, arguing that the DOJ “had failed to conduct an adequate search for records” and that the government “had improperly withheld records under FOIA.”

In March, before the DOJ responded to that appeal, EFF filed new FOIA requests, effectively seeking access to all of the documentation — from 1978 through June 2015 — that was to be declassified by the USA FREEDOM Act.

Though the DOJ has conversed with EFF about ways to prioritize such a sweeping request, the government has yet to provide any documents or respond in any substantive way. However, in early April it shot down the EFF’s appeal of its initial FOIA query.

And so, today the non-profit advocacy group filed a lawsuit [PDF] in a federal court in California, accusing the DOJ of violating FOIA by “failing to conduct an adequate search for records… failing to produce all records in the agency’s possession responsive to Plaintiff’s request, and by failing to adequately segregate responsive from non-responsive records.”

The EFF is asking the court to order the DOJ to immediately process the FOIA requests in their entirety, and make copies available.

“If the government is obtaining FISC orders to force a company to build backdoors or decrypt their users’ communications, the public has a right to know about those secret demands to compromise people’s phones and computers,” explains the EFF’s Nate Cardozo. “The government should not be able to conscript private companies into weakening the security of these devices, particularly via secret court orders.”

Regardless of whether or not the first FOIA request turns up examples of tech companies being compelled to weaken or bypass encryption, the EFF maintains that the lawsuit is necessary to force the DOJ to comply with the declassification order required by the FREEDOM Act.

“Congress wanted to bring an end to secret surveillance law, so it required that all significant FISC opinions be declassified and released,” says Mark Rumold of the EFF. “Our lawsuit seeks to hold DOJ accountable to the law.”