Moving Beyond Backdoors To Solve The FBI's 'Going Dark' Problem

from the though-it-seems-the-FBI-should-be-doing-more-to-solve-it... dept

Former FBI Director James Comey stated on more than one occasion that he’d like to have an “adult conversation” about device encryption. He wasn’t sincere. What he actually meant was he’d like to have all the “smart people” in the tech world solve his problems for him, either by capitulating to his requests for encryption backdoors or by somehow crafting the impossible: a secure backdoor.

Comey is gone, but his legacy lives on. The FBI wants to keep the “going dark” narrative alive. Deputy Attorney General Rod Rosenstein has already asked Congress for $21 million in “going dark” money, supposedly to help the agency explore its options.

The problem is, the options could be explored for a much lower price. Kevin Bankston offers up a few solutions — or at least a few improved adult conversational gambits — for the low price of $free over at Lawfare. The starting point is Comey’s “adult conversation” talking point. Bankston points out you can’t hold an adult conversation if you refuse to act like one.

Recently in Slate I responded to Comey’s repeated calls for an “adult conversation” on this seemingly endless debate. I replied that an “adult conversation” means moving past any discussion of discouraging or undermining the deployment of unbreakable encryption, in light of the broad consensus outside of the FBI that such a move would be dangerously bad policy. Rather than continuing to argue about whether or how we might force encryption technology to adapt to law enforcement’s needs, our time would be better spent focusing on how we can help law enforcement adapt to the technology.

This is a point many have tried to make, but Comey refused to listen. Let’s stop talking about crafting magical backdoors and accept the fact it just isn’t possible. Once this is accepted, everyone can move on. Plenty of options remain for law enforcement and, with the exception of the usual post-terrorist attack calls for backdoors, no one is really pushing backdoor legislation. Legislators are well-aware of the fact that weakening encryption causes far more problems than it solves and asks citizens to sacrifice their safety and security for the good of a single federal law enforcement agency.

Bankston moves the discussion forward by discussing three areas the FBI could explore. The first involves lawful device hacking, which uses exploits and/or external hardware/software to access the content of locked devices. This sounds more nefarious than it actually is (vulnerability disclosure concerns aside). Basically, this just means doing what the FBI did to open up the iPhone seized in the San Bernardino shooting case.

The main problem Comey had with this approach is that it wouldn’t scale. But that’s kind of the point.

[T]he objection that hacking will never give law enforcement as much access as would a backdoor into or a ban on user-controlled encryption misunderstands the problem we’re trying to solve. The societal goal here is not to ensure that law enforcement can access every piece of data it might ever seek, but that it can get enough information to do its job, and hacking is certainly a part of the solution.

This route also involves legislation, both to define the limits of lawful hacking as well as to act as oversight for these activities. Obviously, both of these are things Congress doesn’t do all that well: oversight and writing computer laws. So, there will be concerns that need to be addressed, but hacking is a far better solution than legislated backdoors or judicial precedent that does the same thing by allowing a 1789 law to govern access to smartphones and other locked devices.

Another key area Bankston addresses is the tech curve itself. Law enforcement often laments it’s losing the Tech War to the bad guys. It’s not as though this needs to be a foregone conclusion. Criminal minds are rarely the brightest minds. Even though the same could be said for law enforcement minds, the good guys do have a distinct advantage: the ability to coordinate talent and expertise for the benefit of all agencies. That, and a mostly cooperative bunch of tech companies that still want to help the good guys beat the bad guys.

Another key aspect of upping government investigators’ tech game is making sure that they all know exactly what data they can lawfully obtain from internet companies today, without any new technical mandates. That means we need companies to step up and educate law enforcement and everyone else about the data they have—all of it, and not just the data they typically offer as a matter of course in response to legal process.

It’s not like there’s only one path to data and communications stored on a suspect’s phone. Almost everything is backed up somewhere else by service providers. Concerns about users’ privacy will need to be addressed by everyone involved, starting with a revamping of the Third Party Doctrine. But tech companies will also need to be more honest with their customers, letting them know exactly what’s being stored outside of their devices and what law enforcement needs to have (warrant, subpoena, etc.) before the company turns over information.

[C]omprehensive transparency to law enforcement and the public about what data the companies are creating and storing is the only way that policymakers or the market will ever be able to enforce any real accountability over those practices, and I think (or at least hope) that the overall benefit to consumers’ privacy from that accountability will balance out the harmful effects of giving the government a full menu of data.

The final aspect Bankston addresses is obtaining data and communications stored overseas. Much of this is academic now that jurisdiction limitations have been removed by the recent Rule 41 changes. Unfortunately, there’s little positive to note here. Mutual assistance treaties take too long to be of much use (6-12 months for compliance) and there being little direct translation of civil liberties between participating countries makes this even more difficult.

Unfortunately, as Bankston points out, American exceptionalism doesn’t seem to be working out in our favor. It appears President Trump is trying to work out an exclusive deal with the UK to make this process easier. But “easier” just means more collateral damage to civil liberties and privacy on both sides of the pond. This may work in law enforcement’s favor, but it’s hardly the best solution to “going dark,” seeing as it ignores 99% of the stakeholders (citizens) to give each government what it wants.

The answers aren’t easy and they will involve compromises not everyone will be happy with. But it’s far better than taking the FBI’s approach, which appears to be demanding concessions from every tech company it might have to deal with. The discussion does need to push forward, with or without the FBI’s input. It can’t stay hung up where it is now, due to Comey’s stubborn refusal to ask for anything but the impossible.


Comments on “Moving Beyond Backdoors To Solve The FBI's 'Going Dark' Problem”

22 Comments
Anonymous Coward says:

lawful device hacking, which … sounds more nefarious than it actually is (vulnerability disclosure concerns aside).

Right, it doesn’t sound so bad when you brush aside the major concern with it. Let’s also ignore some years of evidence of the government’s shockingly fluid interpretations of "lawful".

Mutual assistance treaties take too long

I might say they take long enough. The difficulty is not a bug.

It appears President Trump is trying to work out an exclusive deal with the UK to make this process easier. But "easier" just means more collateral damage to civil liberties and privacy on both sides of the pond.

Maybe just on the UK side, if extradition law is any indication.

That One Guy (profile) says:

Give them an inch and they'll demand a mile

That means we need companies to step up and educate law enforcement and everyone else about the data they have—all of it, and not just the data they typically offer as a matter of course in response to legal process.

A distinct problem with the ‘go all in helping law enforcement’ idea is that going back to the San Bernardino case Apple actually had the fact that they were willing to be helpful in the past used against them. ‘They helped us before, and now they’re not, clearly they need to be forced to help.’

Given I highly doubt such a ‘we deserve anything we want’ mindset was a temporary thing the issue with tech companies going out of their way to do more than they have to is that there will always be demands for them to do more. ‘You gave us A and B when you only had to hand over A, so what about handing over C and D while you’re at it?’

If the ones calling for broken encryption were capable of having an adult conversation and accepting ‘No’ as an answer then this wouldn’t be nearly as big of an issue, and my concern is that tech would give concessions and try to be helpful while law enforcement would simply take it as what they were owed… and then demand more, and more, and more.

Anonymous Coward says:

Re: Adult conversations?

And what the f*ck is an adult anyway? Far as I know half of the world population is an adult, meaning from 18 to 80+ years old, from all nationalities, ethnicities, religions, customs and views about life, from all branches of science, knowledge and with all types of ignorance attached. So saying “adult conversation” is just stupid, a generalization, stereotyping and ambiguous as f.

tin-foil-hat says:

Reality

The reality (in general) is that criminals are stupid and greedy. If they weren’t they wouldn’t be criminals. They leave bird crumbs all over the place. Even if you can’t access their phones you can just collect the other evidence they leave behind.

There is a class of smart, organized and tech savvy criminals. Banning consumer encryption doesn’t do much good because criminals tend to break laws. They’ll use the many strong encryption products already available or create their own. Isis, for example, developed their own product. You may be able to outlaw the product but math is here to stay.

It wastes a lot of time and effort dwelling on the impossible rather than moving forward with strategies that work around limitations. Just because we can’t cure cancer outright doesn’t mean we stop moving forward in the interim, treating it successfully by attacking it indirectly.

Law enforcement often doubles down on unsuccessful programs for years and even decades. Maybe it’s time to replace ego and self-interest with genuine dedication to the public good. It would be a novel approach at least.

Anonymous Coward says:

Re: Reality

Going dark really means going back to the tried and true techniques that existed before people recorded every detail of their lives in electronic form one way or another. They will still have as much information available as they had when crime was plotted in smoke filled back rooms.

The problem for law enforcement is that that requires that they make connection with the people that they are policing, rather than treating everybody as criminals.

Anonymous Coward says:

You’d think that before cell phones, nobody ever got convicted of a crime.

Look, you can commit any crime you want without a cell phone. And there are vanishingly-few crimes that you can commit WITH one–it’s not heavy enough or sharp enough to be a useful weapon, and anything you say into it is speech to a particular person (which given the U.S. Constitution is hardly ever a crime.) Nobody ever charged into a bank wearing ski masks and wielding cell phones–“Everybody freeze, this thing has a 1.4 f-Stop and I’m not afraid to use it.”

They’re only looking at the cell phone because they think that the criminal is stupid enough to use it to collect evidence against himself–in other words, it’s always and only a fishing expedition.

PaulT (profile) says:

Re: Re:

“they think that the criminal is stupid enough to use it to collect evidence against himself”

To be fair, they’re usually not wrong. But, the basic protections for the rest of us should remain. In the past, “we think the criminal wrote details of his crime in his diary” wasn’t an excuse to raid his home, so modern mistakes shouldn’t be an excuse to bypass protections today either.

Anonymous Coward says:

It is more than a decade too late to make a difference

Human beings went dark around 2002, the level of failure that is being justified by all of the people involved in state violence is pathetic, these are all sociopaths, their objective is to harm people, individuals not states, your wife, father, daughter, son, brother those are the people they want to put in jail or defame through databases or outright murder if they get the chance, everyone that works for the state is a traitor.

Dingledore the Mildly Uncomfortable When Seated says:

[T]he objection that hacking will never give law enforcement as much access as would a backdoor into or a ban on user-controlled encryption misunderstands the problem we’re trying to solve.

Law enforcement is seemingly willfully naive of the fact that the internet has created a huge data set that previously didn’t exist. They’re not being restricted by the internet, they’re being given more opportunities.

Faither says:

Hacking is just as bad if not...

… even worse than a backdoor into encryption. While it may not scale well, you, as the law enforcement agency, will need a reliably working exploit against each system you want to compromise to obtain some arbitrary data.

In case you wonder how this approach will play out you may want to turn your attention to Germany, where the parliament just made it legal for law enforcement to gain access to your communications by utilizing Trojans.

All in the name of keeping us safe.

From what I learned over the years in IT however, Trojans never boosted anyone’s security or privacy for that matter.
Though they make encryption a non-issue.

aerinai says:

Re: Hacking is just as bad if not...

I’ll disagree on this point only because whenever there is a cat-mouse game, technology evolves to outsmart the other. If law enforcement starts to get into this game, their attempts at OpSec will obviously leak and show us new 0-day vulnerabilities which will then be patched and we will progressively get safer. Adding more hackers into the pool (especially ones without super-nefarious purposes) is good news for everyone all around.

Due to the high burden, it isn’t like Joe Beat Cop can use his hacking arsenal on his girlfriend… this isn’t a Sting Ray you can just throw in your squad car and drive down to her house… it would be way too difficult and costly to implement. They’ll have to save this as a ‘nuclear’ option.

End of the day, it makes us more safe, gives police another tool that will have oversight (compelled due to complexity and security).

Anonymous Coward says:

The whole going dark is a myth. It’s laughable!!! We’re more open with Data than ever. People do everything online these days. People use Credit Cards and Debit cards for everything instead of cash. We put Mics and Cameras in our own homes which can be used to spy on us. Going dark, far from it.

klarg (profile) says:

"Backdoors" are most useful for snooping on the honest, innocent people

The push for backdoors in encryption is solely for snooping on the people en masse. Any criminal or other nefarious actor will simply move to “home-baked” encryption without any backdoor access. They will just run their securely encrypted messages within the compromised communication channels.
