Comey calls encryption a business model issue, raises hackles of privacy advocates
In testimony Wednesday before the Senate Judiciary he pleaded his case for tech companies to allow government access to encrypted data.
While Federal Bureau of Investigation (FBI) Director James Comey didn't make the case that encrypted communications aided terrorists who launched attacks in San Bernadino, Calif., and Paris, in testimony Wednesday before the Senate Judiciary he pleaded his case for tech companies to allow government access to encrypted data.
Comey may call the encryption issue a “business model question,” Electronic Frontier Foundation (EFF) Staff Attorney Andrew Crocker wrote in a Wednesday blog, “it's clear that what the FBI wants is what it has always wanted: access to all encrypted data, both secure communications and data at rest.”
Coming just a day after Amy Hess, executive assistant director for science and technology at the FBI, told the Washington Post that the agency used zero day exploits, Comey's testimony at the oversight hearing poured fuel on an already heated debate between encryption advocates who hail encryption as the essential and uncompromisable tool of privacy and law enforcement who say their efforts to investigate and prosecute criminals and terrorists will be hampered by encryption.
“Unfortunately, noting that some business models happen to enable FBI access, while other more secure models cannot, doesn't reconcile anything,” EFF's Andrew Crocker wrote in the blog, noting that businesses only have two options to meet Comey's goal. Either they allow “government access to encrypted data through technical means that badly compromise their users' security (such as key escrow or split keys)” or they don't they don't offer customers “robust encryption in the first place,” he said.
Carl Herberger, a former Air Force cybersecurity officer and vice president of security solutions at Radware, noted in comments emailed to SCMagazine.com that “while governing bodies make these types of requests for the sake of protecting the general public, it's really a slippery slope toward eroding our individual right to privacy.” He added that just as with “research and development on weapon systems, we must realize that opening back doors for one constituent has unintended consequences for all."
But computer forensics and security expert Darren Hayes, an assistant professor and director of cybersecurity at Pace University's Seidenberg School of Computer Science and Information Systems in New York, told SCMagazine.com, that by moving to place encryption keys locally on user devices as Apple and Android have done rather than leaving the keys on servers puts the country “at risk.” Hayes said his research showed that post-Snowden and WikiLeaks jihadists are increasingly placing importance on encryption.
And he noted that currently the Manhattan DA's office currently has more than a 100 cases pending that it can't prosecute because it is unable to get to encrypted information.
Crocker contended that Comey's advocacy for each tech company to determine what the right answer is could have “disastrous effects” on the security of users. “Rather than seeking legislation mandating backdoors, which would allow involvement, technical review, and criticism by encryption experts and the public, the FBI will rely on backroom pressure to make companies compromise encryption, or even eliminate business models it doesn't like,” the EFF attorney wrote. “Some services—like most flavors of webmail—currently don't use end-to-end encryption, so they won't have to change.” But changes to the design of other tools like chat or the encryption of data at rest could leave users at risk.
The terrorist attacks in Paris and San Bernadino have renewed the debate and added a sense of urgency on the side of proponents, mainly law enforcement and some legislators. While Comey has been a vocal critic of encryption that won't allow authorities to access communications, he has reiterated, as has the White House, that no plans are currently underway to push for legislation that would require backdoors. At the same hearing, though, Crocker pointed out, Sen. Dianne Feinstein (D-Calif.) said she would introduce such legislation going forward. “We'll be watching that closely,” Crocker wrote.
Hayes called for legislative changes “to address the shortcomings of the Communications Assistance for Law Enforcement Act (CALEA), that law enforcement had traditionally relied upon to gain access to communications stored by telecommunications companies like AT&T.Representatives from the EFF and Access Now met Friday with senior White House staff to urge President Obama to come out with a statement that supports strong encryption. The two groups had organized a SaveCrypto.org petition that received 104,110 signatures, enough to get it on the White House's radar screen. The staffers told the reps they were drafting a response to the petition and were eager to "continue to hear the public's concerns," Jamie Tomasello, technology director at Access Now, said in a release. "We strongly believe the president needs to make a clear, unambiguous statement before the end of the year."