Senator Richard Burr: Confused And Wrong On Encryption

from the this-is-ridiculous dept

Senator Richard Burr, head of the Senate Intelligence Committee and longtime friend to the intelligence community, has now penned a ridiculous, misleading, fear-mongering opinion piece for the Wall Street Journal, entitled: Stopping Terrorists From “Going Dark.” It’s pretty much exactly what you’d expect if you’ve paid any attention to the ridiculous “going dark” debate in the US. But, let’s dig in and show just how bad this one is:

While the terrorist attacks in Paris, San Bernardino, Calif., and Garland, Texas, have brought discussions about encryption to the front pages, criminals in the U.S. have been using this technology for years to cover their tracks. The time has come for Congress and technology companies to discuss how encryption—encoding messages to protect their content—is enabling murderers, pedophiles, drug dealers and, increasingly, terrorists.

Right, except so far officials haven’t been able to show evidence of any of those cases actually using encryption. Similarly, law enforcement has failed to show that criminals using encryption have really been that much of a problem either. And that’s because it’s not a problem. Even in the (still mostly rare) cases where encryption is being used, criminals still reveal plenty of information that would allow law enforcement to track them down. It’s called doing basic detective work.

Consumer information should be protected, and the development of stronger and more robust levels of encryption is necessary. Unfortunately, the protection that encryption provides law-abiding citizens is also available to criminals and terrorists. Today’s messaging systems are often designed so that companies’ own developers cannot gain access to encrypted content—and, alarmingly, not even when compelled by a court order. This allows criminals and terrorists, as the law enforcement community says, to “go dark” and plot with abandon.

Yes, criminals and terrorists can use encryption just like law-abiding citizens. But that’s true of any technology. There’s no way to build technology that “only the good people can use.” Criminals use cars and computers and guns. And they eat food and drink too. Some of them talk to each other in person. Yet we don’t freak out about any of that other stuff. And, again, it’s simply incorrect to say they can “plot with abandon.” They cannot. Even when using encryption, many people either mess it up or still leave other clues. Most encrypted communication still reveals metadata about who was contacted, for example.

Leaving aside the terrorism challenges, encryption is affecting the investigations of kidnapping, child pornography, gang activity and other crimes. Federal, state, local and tribal law-enforcement officers can obtain legal authority to conduct electronic communications surveillance on terrorists and criminals. But encrypted devices and applications sometimes block access to the data. This means that even when the government has shown probable cause under the Fourth Amendment, it cannot acquire the evidence it seeks.

Yes, yes, the FBI and folks like the Manhattan DA’s office keep making this claim, but every time they’re asked to provide actual evidence of investigations stymied because of encryption, they come up empty. Official stats on lawful interception orders show that encryption is almost never a problem. They just don’t run into it.

Technology has outpaced the law. The core statute, the Communications Assistance for Law Enforcement Act, was enacted in 1994, more than a decade before the iPhone existed. The law requires telecommunications carriers—for instance, phone companies—to build into their equipment the capability for law enforcement to intercept communications in real time. The problem is that it doesn’t apply to other providers of electronic communications, including those supporting encrypted applications.

This is wrong. Technology has not outpaced the law — quite the opposite. Thanks to technology, law enforcement has more access to more information about every person alive than ever before in history. Technology now allows police to know where basically everyone has been at any moment in the day, who they spoke with, who they called or who they contacted via email. The fact that one small bit of data might be encrypted hardly makes the case that technology has somehow outpaced the law.

Separately, yes, it’s true that CALEA (the wiretapping statute) requires that phone calls can be tapped, but that’s entirely different from undermining encryption. In fact, as we noted last week, the law already makes clear that phone companies are not required to backdoor encryption.

Federal Bureau of Investigation Director James Comey has said that one of the two Garland, Texas, shooters who died carrying out an attack on a Muhammad art exhibit in May exchanged 109 messages with an operative overseas. “We have no idea what he said,” Mr. Comey told the Senate this month, “because those messages were encrypted.” He described this as a “big problem”—and I couldn’t agree more.

Yes, yes, this is the example it took Comey over a year to finally come up with, but again it’s an incredibly weak one. Note: the encryption did not stop them from knowing who the shooter was communicating with, because the encryption does not impact the metadata. Yes, it may limit the ability to read the exact content of the messages, but the same would be true if they had just communicated via a phone call on an untapped line. Or if they had simply communicated with a simple code that those two knew and the FBI did not. This is really no different than any other criminal investigation situation, and it’s not the encryption that’s the problem.

Last month Manhattan District Attorney Cyrus R. Vance Jr. released an in-depth report specifically on “smartphone encryption and public safety.” Many cellphones, including those designed by Apple and Google, now encrypt by default all the data they store, which is accessible only with a passcode.

Yeah, and we talked about how ridiculously wrong that report was at the time. And, again, the default mobile encryption only applies to data stored on those phones, not metadata. Apple would still have the keys to most data backed up in the cloud. Same with information shared with others where encryption may not be used. The amount of data that is truly “unobtainable” is minimal — which is why no one has any really good examples of it being a problem.

The challenges presented by encryption extend to financial transactions. In August Sen. Elizabeth Warren wrote letters to six federal agencies voicing concerns that banks were using Symphony, an encrypted messaging system that could prevent regulators from detecting illegal activities. The letter came shortly after New York’s top banking regulator, the New York State Department of Financial Services, raised the same concern with several major banks and Symphony’s developer.

In response, the banks agreed to store decryption keys with independent custodians, and Symphony agreed to retain electronic communications for seven years. All parties also agreed to a periodic review process to make sure that oversight keeps in sync with new technologies.

It would seem to me that daily financial flows shouldn’t command more attention than terrorist or criminal communications, yet here we are. Although the agreement described above may not be the solution for all encrypted communications, it does show that cooperative solutions are possible.

That is not an apples to apples comparison by any stretch of the imagination. The reason for the concern with the banks is that banks are a highly regulated industry in which they are legally required to keep records of certain communications. That’s not true of the general public, and unless Senator Burr is looking to wipe out the 4th Amendment, he shouldn’t even pretend these things have anything in common.

Second, what a cheap politician’s trick to pull out the “daily financial flows shouldn’t command more attention than terrorist or criminal communications” line. This is blatant fear mongering, because the issue is not about terrorists or criminals, but you, me, and everyone reading this who has an expectation of privacy. The only way to break encryption for “terrorists and criminals” is to make everyone less safe by putting in dangerous backdoors.

And, every time we put backdoors into encryption we see how it’s abused — such as with the recent Juniper vulnerability.

Finally, the “cooperative solution” in the case of the financial industry is an entirely different animal as well. Again, that’s a limited use case in a specific, highly regulated industry. To even suggest that because of that specific use case, there must be some sort of “cooperative solution” once again highlights a near total ignorance of how encryption works.

I and other lawmakers in Washington would like to work with America’s leading tech companies to solve this problem, but we fear they may balk. When Apple objected to a recent court order in a New York criminal case requiring it to unlock an iPhone running iOS 7—an operating system that Apple can unlock—the company refused, arguing: “This is a matter for Congress to decide.” On that point, Apple and I agree. It’s time to update the law.

You fear they may balk? You want to know why? Perhaps because your friends in the intelligence community spent the last fifteen years breaking into their systems at every opportunity, undermining the trust and security of all of their users. You think that might have something to do with it? Maybe?

Senator Burr is doing something incredibly dangerous here. He’s misleading the American public in a totally ignorant way, that will put our security at risk. He is making the world a more dangerous place, on purpose, because of a misunderstanding of how technology works. He has no place regulating technology issues at all.


Comments on “Senator Richard Burr: Confused And Wrong On Encryption”

Ninja (profile) says:

I wonder if Mr Burr would support a law that demanded everybody to carry voice recorders for personal conversations and have the data, including who and where, stored and available to the Government anytime. Terrorists do speak face to face you know? One can never be too careful.

He’s basically doing that but he either doesn’t understand it or he’s being dishonest.

Mike Masnick (profile) says:

Re: Re:

Mike – are you aware of anyone having contacted the Wall Street Journal to try to get an OpEd of their own published to act as a counterpoint to enemy-of-the-tech-industry-and-menace-to-public-safety Senator Richard Burr?

Yes, though I didn’t realize it when I wrote this post, the WSJ actually published a counterpoint at the same time, written by Cindy Cohn, the head of EFF:

Anonymous Coward says:

Re: UP next...

Let’s take it a step further:

It is now a Class 1 Felony to talk to, or about, someone or something accused of a crime. Crimes include:

Talking too loudly;
Thinking counter to government;
Mel Brooks and viewing anything related to Mel Brooks;
Rock music;
Black Lives Matter; and
Hugh Jackman.

(NB: This is a non-profit fan-based parody. Criminal activity is a product of the United States Government and the Department of Justice. Please support the official release.)

CanadianByChoice (profile) says:

Not really comparable

With banks (and other financial institutions), they are one of the endpoints of the encryption, and, therefore, have a key. They don’t have to make a “back door”. (Why, however, do I feel “less protected” knowing that there is another copy of that key “out there somewhere”?)
With phone encryption, the manufacturer is not an endpoint of the communication, so they – properly! – do not have a key.
The way it’s supposed to work: if LEO show up with a warrant, banks either produce the information or lose their charter; with people, they produce the information or go to jail (for contempt and obstruction).
I fail to see the actual problem here. And, using the “banks do it” example, the same avenue already exists for “private communications”!

Anonymous Coward says:

Here is what happens when you fail to use encryption.

Perhaps the good senator would agree to everyone carrying voice recorders so everything is recorded in real time. (That includes you senator) No more hiding by anyone.

If it is terrorists you’re worried about, they already have a home brewed encryption program. You can be sure they are not going to change that program for a state sponsored one. Why would they, knowing this sort of push is in the air? So it comes down to the real point of this isn’t terrorists but rather the domestic population. What the senator proposes is that no one in the US be allowed to communicate privately on line. Again I remind the senator what is good for the goose is good for the gander. That means those intelligent committee meetings should be open as well so the public knows what is being discussed. Sounds fair to me.

Anonymous Coward says:

“This is wrong. Technology has not outpaced the law — quite the opposite.”

Is it though? CALEA was designed to require exceptional access on the PSTN. Now much communication occurs over IP (note that VoIP is covered under CALEA when it connects to PSTN).

CALEA set a precedent that communications providers must allow exceptional access. There is a real debate as to whether there should be a CALEA II*, but from a procedural standpoint it would fall under the precedent of CALEA. Calling attention to the other ways LE has access to investigatory material is a red herring, and does not address the precedent set by CALEA.


MrTroy (profile) says:

Re: Re: Re: “Criminals use cars and computers and guns”

Ah. Now that’s just wrong, and I say that as someone who thinks the second amendment is a stupid idea.

Trying to clamp down on guns at this point will be about as effective as trying to clamp down on encryption, for many of the same reasons. And the idea that clamping down on guns will only hurt bad actors is about as accurate as the idea that clamping down on encryption will only hurt bad actors.

Just because you don’t see any constructive uses for guns doesn’t mean that they don’t exist. Would you ban archery, martial arts, knives, explosives, loud noises, strong acids, …?

MrTroy (profile) says:

Re: Re: Re:2 “Criminals use cars and computers and guns”

Sorry, you said “will primarily impact bad people” while I responded “will only hurt bad actors”… I do think that any kind of ban will primarily impact good people rather than bad, even guns.

Unless you have a magic wand that will remove all guns from a (city? country? world?), as well as the knowledge of how to make new guns, anyway. If that’s the case, then we can have a completely different conversation.

Anonymous Coward says:

I kinda hope Burr gets this sort of law (saying that the government has the right to know anything if a judge gives permission) passed. Then I’d like to see the following warrants issued:

Historians must reveal the origins of the Voynich Manuscript.

Mathematicians required to come up with a clear and indisputable proof of the validity of the Continuum Hypothesis.

Physicists must produce the Theory of Everything by noon on Friday.

Universe must explain where that weird hum is coming from. Please. Honestly, where is that damn humming sound coming from!?

Anonymous Coward says:

Re: Re: Re:

I was thinking of the Hum Generator for the last item, and just assumed there were xkcd’s for the others. MrTroy got one for the VM. Surprisingly few completely applicable to the other two items, but:

CH: Either this or this.
TOE: Maybe this?
Or maybe CH+TOE would be this

I got myself Thing Explainer for Xmas. Kinda fun, but don’t try to enjoy it on a phone. (Instead, enjoy this game.)

Monday (profile) says:

Happy you wrote this; Mad because you think THEY care...

THEY being those very old and ridiculously expensive Law Makers and Decision Makers currently in office, and if what I am told is true, on their way out very soon. Age and ignorance is now more of a factor than ever when it comes to running a Country.
I really, really wanted to read an argument for Criminals and Terrorists, and all the relevant technology they employ in the acts they imagine, create, and then carry out EVERYDAY.
Do you think Hezbollah manufactures the rockets they fire off every now and then? IS does not have an arms factory building them Kalashnikovs.

Threats Levels are truly an arbitrary point now, where it concerns actual threats. Encryption has to be exposed for what it is… A tool ‘Ready at Hand‘ for use in everyday life. I have add-ons, extensions, a Tor browser, and VPNs, but it doesn’t mean that I am any more secure.

Governments and their agencies have more access and tools than we can imagine – and some people have very vivid imaginations.

I sat with a former ‘Military’ Pilot nee Commercial, who explained to me in no uncertain terms that anything I can think of, the “Government is at least twenty years beyond that”, although I should think because that is a twenty year old conversation, those gaps have been seriously closed – the public sector pays better, and treats their employees surprisingly well.

What I am saying here, is that the government has everything at its fingertips – all of it, and the “stuff” they don’t have, is because it is truly out of everyone’s reach. I am, you are, truly out of league if you think you’re anonymous, or insecure. Briefly recall that the CELLBRITE only costs ten grand and you get almost everything… imagine what a twenty, fifty, or two-hundred million dollar budget gets you.

I’m just saying. The old ways are lost, but not altogether. I needed an Ambulance Tout de suite; I’ve had the same cellphone since 2001; it took them almost twenty minutes to get to me because they couldn’t find me. They had absolutely no idea where I was except that I was somewhere in Halifax.

Eventually I made it to the hospital, started breathing again, then got a small lecture on getting my technology updated. I think it works just fine, and I spent a hundred and ten thousand on my education, so I better have a freaking answer if somebody asks me – I do not need google on my cellphone (or Twitter or Facebook or SoundCloud or Spotify or Ello or blah blah blah).

This is what leads me to the assumption that governments are less concerned with encryption, and more concerned with location. Conversations can be had if needed; locations are needed.

Encryption will forevermore be a buzz word. Budgets need it… The ‘Old Guard’ is leaving, and a new, and hopefully smarter, shift is about to punch in – although there is still a huge problem with trying to keep State and Church separate.
