FBI's Comey Calls for Making Impenetrable Devices Unlawful

10_17_james_comey
Jose Luis Magana/AP

Apple and Google’s landmark privacy update has both delighted civil liberties advocates and rattled law enforcement in recent weeks—it prevents the companies from unlocking devices and accessing their data, even when a warrant is obtained.

In his first major policy speech as FBI director on Thursday, James Comey doubled down on a previous condemnation, calling default encryption a sign that “the post-Snowden pendulum has swung too far in one direction” and advocating the private sector and Congress to undo it. But Comey’s “elaboration” seemed to indicate he had given little consideration before suggesting a policy change.

In his speech, Comey said that the security feature prevents law enforcement from properly doing its job. While he noted that encryption is nothing new, he said recent advancements—the growing number of providers, networks and means of communicating—have also hindered law enforcement’s ability to surveil.

“Some believe that the FBI has these phenomenal capabilities to access any information at any time—that we can get what we want, when we want it, by flipping some sort of switch,” he told the room. “It may be true in the movies or on TV. It is simply not the case in real life.

Comey compared the enhanced device security to “a closet that can’t be opened, a safe that can’t be cracked” and warned that this “black hole” is something that criminals will take advantage of to avoid being detected. He warned that default encryption threatens to leave law enforcement in the dark, a place “we shouldn’t go to without careful thought and debate as a country.”

But he didn’t act like he was up for much debate. “I think that when you aggregate the risks, putting enforcement in the dark is not the way to go,” he said. Comey called for Congress to codify a ban into law. As the question-and-answer period of the event progressed, Comey showed that he hadn’t given much consideration to the other side; he didn’t appear fluent in the technicalities of encryption and hadn’t seemed to consider the implications of creating an access point for law enforcement, or the ripples that may cause.

When explaining his case that Apple and Google should “change course” on default encryption, Comey said, “There is a misconception that building a lawful intercept solution into a system requires a so-called ‘back door,’ one that foreign adversaries and hackers may try to exploit. But that isn’t true. We aren’t seeking a backdoor approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by law.” But Christopher Soghoian, the principal technologist at the ACLU, said this made little sense.

We’re not really sure what the difference is,” he told Newsweek. “Where he seems to be drawing the line is between a law enforcement interface built with planning on day one, as opposed to one that is added after the fact.… Technical experts are in broad agreement that when you add a lawful interception system to a communication service, you fundamentally weaken the security of that service.”  Essentially, if a key exists, someone will try to steal it.

Soghoian added that it seemed a bit tone deaf to call for companies to weaken their encryptions at a time when we are learning about one major data breach a week. Just last week for instance, a hacking called The Snappening led to the leak of around 90,000 sensitive SnapChat photos and 9,000 videos. Kmart also reported that malicious software compromised checkout registers and exposed customers' credit card information throughout the month of September.

When asked technical questions about the solution he was suggesting, Comey didn’t have the answers. At one point, the host, Benjamin Wittes, a senior fellow at the Brooking Institution, asked Comey to explain his “front door” distinction, to which he responded, “I don’t think I am smart enough to tell you what 'front door' means.” Soghoian found the lack of knowledge odd. “You would think that if he is going to give a keynote about encryption, he should be able to answer questions about the details,” he said, “or they should have someone sitting next to him on stage who can.” And that isn’t where the shortsightedness ended.

Comey was clear that his cost-benefit analysis of Google and Apple’s security measure was confined to the impacts it had on law enforcement. Comey said that leaving law enforcement in the dark was worse than risks associated with creating an access point. But when probed about the impact on groups other than the FBI, he admitted he hadn’t thought about it much.

While civil liberties advocates consider the features a victory for privacy and security, Comey called it “a marketing pitch.” But he failed to acknowledge that there are serious implications for these U.S. companies that have a significant portion of their profits coming from foreign sales. “Germans don’t want an iPhone with an FBI front door or back door,” Soghoian said. “The fact that a U.S. court would be required to issue an order isn’t going to be much comfort.… How can the FBI director come with this proposal without thinking about how this kind of change would undermine the sales of major U.S. companies?”

When an audience member asked if he had done cost-benefit analysis regarding the potential impact “going bright” will have on more repressive countries around the world that will follow suit, he said he hadn’t thought about it. And at no point did he delve into the impact adding a security vulnerability will have on U.S. citizens who have their devices stolen. Comey maintained that it is better to deal with whatever risks arise than block law enforcement’s access.

Comey said he planned to work with Congress to create a legislative fix involving the Communications Assistance for Law Enforcement Act (CALEA), the 20-year-old law that governs U.S. wiretapping. It calls for companies involved in telecommunication to design their equipment and services in a way that allows federal agencies to monitor communications. But CALEA protects companies that want to offer encrypted communications that they themselves cannot monitor. “Without changing that part of CALEA, without addressing this encryption question he doesn’t really get what he wants,” Soghoian said, “Reading between the lines, he is actually calling for CALEA to be changed in a pretty significant way.”

Comey recognized that many view the debate for and against default encryption as one of liberty versus security. But Comey said law enforcement is merely looking for “security that enhances liberty.” He added, “A commitment to the rule of law and civil liberties is at the core of the FBI” and “that no one in this country should be above or beyond the law.” But the FBI has already proven it works outside of the law, stealing crypto keys to access information. In 2001, for instance, MSNBC reported that the FBI was developing software known as “Magic Lantern” that is capable of inserting a virus into a suspect’s device and obtain encryption keys.

For Comey’s FBI mantras to remain true, he must work to mold existing law and make default encryption illegal or succumb to the idea that it is now a reality. Otherwise, the FBI will have to do what law enforcement has been caught doing in the past.