Photo via FBI (Public Domain)
Welcome back, hope you had a great summer, let's get right back to our regularly scheduled cyber programming: A global war over encryption.
FBI Director James Comey, who has spent the last six months itching to get back into a public debate over the spread of encryption and mandated special backdoor government access to data, took to a spotlighted stage on Tuesday to pointedly criticize tech companies who offer default strong encryption on devices, saying he was preparing for the argument to extend into 2017 and beyond.
The encryption debate stormed onto center stage last year when the FBI tried to compel Apple to decrypt an iPhone of one of the San Bernardino terrorists. The debate has recently shrunk from public view as the 2016 election approaches, but it promises to return in full force after the votes are counted.
"I can't resist talking about encryption and going dark," he said Tuesday morning to the 2016 Symantec Government Symposium.
"Going dark"—Comey's phrase for data rendered inaccessible due to encryption—is not a technical problem, he argued on Tuesday, but a business model problem: Tech companies are choosing a path of encryption for marketing, not security, he claimed.
Although he did name-check Snowden early in his talk, Comey conspicuously omitted the political shockwave over surveillance that the NSA contractor's whistleblowing produced.
Instead, Comey referred to the "the agreement" between security and privacy "at the core" of the ideals of the United States, but he made no explicit mention of the global debate over American spying that was such a forceful catalyst for this debate and the subsequent spread of encryption.
That's a continuous and glaring omission, but it fits neatly with Comey's past positions on civil liberties. In 2006, with the Patriot Act at the center of the American political conversation, Comey dismissed the critics then as well:
“There has not been a tradeoff between liberty and security in our response to terrorism in this country and in our efforts to offer security to the people of the United States."
On Tuesday, the head of the FBI focused instead on making the the case that American tech companies pushing default encryption—Apple's decision to encrypt iPhones by default has attracted the most attention—have lied by omission in their public statements on encryption. He pointed specifically to a May 2016 letter from Silicon Valley firms to President Barack Obama, which Comey said listed the benefits but ignored the "costs of widespread, ubiquitous encryption."
"Either they don't see the costs, or they're not being fair minded about the costs," Comey said. "And that's a bit depressing."
Encryption is the process of encoding data so that only authorized users can access it. This can protect data from hackers, spies, surveillance, criminals, police, and the FBI—even when they have a court order. Encryption protects everything from credit card transactions online to private communications.
The debate so far has focused on a few key points, including government overreach eroding privacy and the risk that encryption backdoors would undermine security for anyone who uses it.
Comey argued that mandating special access backdoors into encrypted data would not necessarily weaken encryption and overall cybersecurity. A large and vocal pack of technologists disagree with the director.
"If there is a 'golden key' or 'backdoor', then it can be leaked or stolen, and then [that] puts everyone at risk because the key or backdoor is not device/user specific but works for everyone," Khalil Sehnaoui, a Middle East-based cybersecurity specialist and founder of Krypton Security, told the Daily Dot after Comey's speech. "Even if it was user or device specific it would still mean that there is a weakness in the encryption/security of the data."
Robert Graham, CEO at Errata Security, echoed Sehnaoui's assessment last year. “The FBI makes this proposal to look like they’re looking for a simple law to add a simple feature,” he said. “But when you look into it, what they’re really asking for is dramatic, it’s a huge thing. They’d need to outlaw certain kinds of code. Possessing crypto code would become illegal.”
"You can't build a backdoor that only the good guys can walk through," cryptographer and author Bruce Schneier has argued. "Encryption protects against cybercriminals, industrial competitors, the Chinese secret police, and the FBI. You're either vulnerable to eavesdropping by any of them, or you're secure from eavesdropping from all of them."
Other experts offered another view.
"It's not possible to make a Going Dark solution that has zero risk," Matt Tait, CEO of Capital Alpha Security, said told the Daily Dot, "but Comey is right that the technical risks are largely overstated by the privacy community and the risks of going dark are not borne by the technology companies, who are locally minimizing risk to themselves, rather than globally minimizing risk to the public."
"Not only is the risk of theft lower than the privacy community makes it out to be, but the impact if it were to occur can also be minimized, so that golden key loss wouldn't imply mass loss of data.
"From the privacy community, the objection to golden keys is unambiguously ideological, not technically motivated. That's why we hear lots of 'it can't be done' and 'it's not secure' rather than 'here's a solution but these are the risks.'"
Comey pleaded for an "adult conversation" that avoided the "intensity of emotion" that characterized earlier debates around encryption. He laid out his arguments for an audience of cybersecurity professionals in Washington, D.C.:
"The challenge we face is that the advent of default, ubiquitous strong encryption is making more and more of the room we are charged to investigate dark.
"There was always a corner of the room that was dark. Sophisticated actors could always get access either for devices or for live comms to encryption.
"What has happened in the three years I've been Director [of the FBI], post-Snowden, is that that dark corner of the room, especially through default encryption, especially through default encryption on devices, that shadow is spreading through more and more of the room."
In Europe, however, the encryption debate is already rising in temperature after French and German officials called for new legislation on the technology. That debate is set to begin in early September and, as in the U.S. and elsewhere, will stretch into the new year and beyond.
Contact the author: Patrick Howell O'Neill, firstname.lastname@example.org