Speaking at a Boston College cybersecurity conference, Comey revealed that the Federal Bureau of Investigation had attempted to access some 2,800 devices, presumably mostly cellphones and laptops, between September and November last year. As many as 1,200 of the devices could not be opened “with any technique,” he said.
The debate over limiting the strength of encryption to aid law enforcement—colloquially known as the “Crypto Wars”—is decades old, but it grew heated again last year after the FBI publicized the difficulties its forensic team had in acquiring data from an iPhone belonging to one of the San Bernardino shooters.
“We need to stop bumper-stickering each other. This isn’t the ‘FBI versus Apple,’” said Comey, who was scheduled at SXSW this year but canceled this week due to a scheduling conflict. “We need to build trust between the government and private sector.”
The FBI refers to its growing inability to compromise electronic storage devices and intercept online communications as “Going Dark,” a phrase which many privacy and security experts claim is a misnomer, arguing that the FBI has infinitely greater access to intelligence today than it ever had before the internet became a household utility.
Admiral Michael Rogers, head of the National Security Agency (NSA) and the nation’s top authority on cyberwarfare, has in the past argued in favor of a solution which has come to be known as the “Golden Key,” a digital passphrase of some sort that would give law enforcement and intelligence agencies a “backdoor” into any consumer device guarded by advanced encryption.
But the nation’s top cryptographers say the so-called “Golden Key” is little more than a fantastic euphemism for an inherent vulnerability that would inevitably leave American consumers at the mercy of malicious cybercriminals. Top researchers have long argued that introducing a master key for all encrypted devices that only specific government agencies could access constitutes an unacceptable risk. And the idea that the government is capable of securing such an incredibly powerful tool seems dubious at best.
For example, Comey’s remarks arrived on the heels of an apparent significant security breach at the Central Intelligence Agency—the second in as many months—in which a trove of confidential and secret documents released by WikiLeaks revealed various methods and tools the clandestine agency uses to compromise the cellphones and other “smart” devices of terrorists and other foreign actors.
The latest CIA leak occurred six months after the NSA was compromised by a group calling itself Shadow Brokers, which released online a tranche of hacking tools and previously undisclosed exploits linked to the NSA. It wasn’t the first time. German newsmagazine Der Spiegel disclosed a variety of NSA tools in December 2013, after obtaining access to a secret catalog of cyberweapons.
The publication of a “Golden Key”—by WikiLeaks or a group like Shadow Brokers, for instance—would be a nightmare scenario for American technology manufacturers, potentially leaving millions of consumers vulnerable to cybercriminals. And with the intelligence community’s inability to keep secret code used by only a select few in their ranks, it’s unclear how they could ever hide a key that, presumably, thousands of law enforcement professionals would require some level of access to on a routine basis.
Bruce Schneier, a security author and widely regarded expert on cryptography, said that both the Shadow Brokers incident and the recent release of CIA files demonstrate the government’s inability to keep things secret. “If they say they can, they’re fooling themselves,” he said.
Senator Ron Wyden (D-Ore.), who sits on the Senate Select Committee on Intelligence and remains one of the most vocal supporters of privacy in Congress, was unable to comment on the recent leak of CIA data. But in regard to Comey’s remarks on Wednesday, a spokesman for the senator told the Daily Dot that, obviously, he strongly opposes “any effort to weaken encryption or government mandates to create backdoors.”
In a speech last week, Wyden addressed the issue of the U.S. government using malware, specifically with regard to its effect on U.S. citizens’ privacy. He said: “If law enforcement agencies are going to use malware—in other words to hack into the computers, phones, webcams and microphones of Americans, such hacking needs to be pursuant to a narrow warrant, to strict judicial oversight, and law enforcement agencies must take steps both to limit collateral harm — to innocent Americans and to U.S. technology companies whose products the government is hacking — and be ready to clean up the mess when they do in fact hack innocent people or when their hacking tools fall into the wrong hands.”
Update 4pm CT, March 8: Updated with additional comments from Sen. Wyden.