FBI Attorney: Tech Companies Are Helping Dumb Criminals By Providing Quality Encryption


Much of the debate about encrypted devices and messaging services has been centered on more sophisticated criminal or terrorist activities, where the people involved are actively searching out ways to avoid detection by law enforcement. However, the FBI’s top attorney contends that tech companies may be inadvertently giving dimwitted crooks a leg up by making quality encryption so widely available.

“End-to-end encryption, or decryption of devices, is increasingly available by default,” said FBI General Counsel James A. Brady yesterday at a Center for Strategic & International Studies panel discussion on privacy and law enforcement. “Your average bad guy, who’s not particularly sophisticated, can avail himself of high quality encryption, so that’s part of our problem.”

Brady seemed to question the logic of making full-disk encryption the default on phones and other devices, when — in his view — most people aren’t thinking about this issue.

“The super-sophisticated bad guys are always going to be able to find tools to try to thwart us,” he added. “They think about it actively and they will endeavor to do that.”

To demonstrate the volume of encryption challenges law enforcement now faces, Brady says that in just three months of 2016, the FBI attempted to access 2,870 different devices; this includes devices brought to the agency by state and local authorities in need of assistance.

Of those, 1,715 were encrypted and protected by password locks, but the FBI was only able to crack the passwords for 470, leaving the contents of 1,245 devices still locked up tight.

“Lawful hacking” — the process of getting a court to compel a company to aid in opening a secured device — “provides some relief,” said Brady, “but only some. It’s slow, it’s expensive, it’s fragile; it’s just not a comprehensive solution to this problem. We’ll use it when necessary, but it’s not a panacea.”

It’s not as difficult to obtain metadata — things like when and whom you texted or emailed, but without any content — but Brady noted that this is rarely the kind of information that can lead to a criminal prosecution.

After both Apple and Google moved to encrypt their smartphone operating systems so that even they couldn’t access a device without a password, Brady’s boss, FBI Director James Comey, called on Congress to come up with some solution to make it less difficult for law enforcement to access suspects’ locked devices.

Brady, without suggesting anything specific, also noted that it’s ultimately up to lawmakers to sort out where to draw the line.

“At the end of the day, the FBI works for the American people and we will use whatever tools you want us to have to deal with the threats that you want us to address,” he explained.

So far, suggestions about what such a law would look like have been limited to “make tech companies put in a back door” or “require that tech companies be able to crack their own encryption upon request.” Privacy and cybersecurity advocates say that such practices and policies are effectively like leaving out a welcome mat to hackers.

“No matter how thick the door or tough the lock, the house is now more vulnerable to intrusion in at least three ways: The door can be battered down,” wrote Washington Post tech columnist Craig Timberg in 2014. “The keys can be stolen. And all the things that make doors work – the hinges, the lock, the door jamb – become targets for attackers. They need to defeat only one to make the whole system fail.”

Brady, at yesterday’s panel, tried to downplay the level of access the FBI seeks, but also provided such an all-encompassing description of the factors in play that it’s doubtful any policy could address even a majority of them.

“The FBI is not pushing some particular solution,” said Brady, who then showed off his predilection for making lists: “We’re not trying to undermine encryption. We’re not trying to create a backdoor. We don’t want a golden key. We don’t want any of that. We want something that is safe and effective.

“We need some type of solution,” he continued, “that adequately addresses all of the values that I think we all share with respect to protecting public safety, protecting cybersecurity, maintaining the innovativeness and competitiveness of U.S. companies, protecting privacy, free expression, freedom of association — all of that.”

Brady conceded that it may require multiple policies, but “Whatever we come up with… it’s gotta really accommodate all of those values otherwise it’s not really a solution.”

This battle over encryption between the FBI and tech companies was pushed into the spotlight following the Dec. 2015 terrorist attack in San Bernardino, CA. The FBI had sought to compel Apple’s help in unlocking one of the killer’s iPhones, but Apple fought back. The company said that not only did it not have the ability to crack the encryption, but that forcing a company to find a vulnerability in its own security put other users at risk and allegedly violated Apple’s rights.

That matter was never resolved, because an unnamed third party provided the FBI with a solution for bypassing the encryption.

Victoria A. Espinel, President and CEO of BSA|The Software Alliance, said it’s important to separate the bigger policy issues from individual tragedies, as the rhetoric from both sides of this debate can “make it difficult to find common ground.”

“Individual horrible events can create — understandably — pressure on policymakers,” explained Espinel, adding that this discussion needs to happen now, but “outside the shadow of a particular event.”

Brady agreed, noting that “time is of the essence. We should move forward quickly, smartly, but promptly because… we don’t want to have this debate driven by some type of catastrophe down the road.”