William Barr Turns Up The Heat On The DOJ's Anti-Encryption Rhetoric
from the 4000-words,-zero-concessions dept
The DOJ has now spent more than a year dodging an obligation it created itself. For years, FBI directors and DOJ officials have told anyone who’d listen — conference attendees, Congressional reps, law enforcement officials — the world was going dark. Device encryption was making it far more difficult for the FBI to collect evidence from seized devices and the problem was escalating exponentially.
It wasn’t. Every new “going dark” speech contained a larger number of impenetrable devices the FBI was sure contained all sorts of juicy evidence. When the FBI was asked about these devices by members of Congress, it finally decided to take a look at its numbers. The numbers were wrong. The FBI said there were around 8,000 locked devices in its possession. In reality, the number is probably less than 2,500.
The problem is we don’t actually know what the correct number is. The DOJ has been promising an update since May 2018, but it has yet to release this number. Instead, it has released the mouth of its top man — William Barr, a longtime fan of domestic surveillance.
Barr’s keynote address to the International Conference on Cyber Security didn’t deal much with cybersecurity. Instead, it was 4,000-word anti-encryption rant. William Barr wants encryption backdoors. There’s no use in the DOJ denying after his verbal assault on device encryption and device manufacturers. There is no subtlety and no hedging. The only concession Barr makes is that encryption shouldn’t vanish entirely. But any form of encryption that remains should leave a key under the doormat for the G-men.
While we should not hesitate to deploy encryption to protect ourselves from cybercriminals, this should not be done in a way that eviscerates society’s ability to defend itself against other types of criminal threats. In other words, making our virtual world more secure should not come at the expense of making us more vulnerable in the real world. But, unfortunately, this is what we are seeing today.
Service providers, device manufacturers and application developers are developing and deploying encryption that can only be decrypted by the end user or customer, and they are refusing to provide technology that allows for lawful access by law enforcement agencies in appropriate circumstances. As a result, law enforcement agencies are increasingly prevented from accessing communications in transit or data stored on cell phones or computers, even with a warrant based on probable cause to believe that criminal activity is underway. Because, in the digital age, the bulk of evidence is becoming digital, this form of “warrant proof” encryption poses a grave threat to public safety by extinguishing the ability of law enforcement to obtain evidence essential to detecting and investigating crimes. It allows criminals to operate with impunity, hiding their activities under an impenetrable cloak of secrecy.
According to Barr, the government has a right to the contents of encrypted devices. He attempts to draw this conclusion by referring repeatedly to the Fourth Amendment. This safeguards citizens against unreasonable searches. Unreasonable searches can be performed as long as the government has a warrant. That’s as far as Barr takes this line of thought. As he sees it, encryption shouldn’t be able to nullify a search warrant. He believes encryption does this.
The Fourth Amendment strikes a balance between the individual citizen’s interest in conducting certain affairs in private and the general public’s interest in subjecting possible criminal activity to investigation. It does so, on the one hand, by securing for each individual a private enclave around his “person, house, papers, and effects” — a “zone” bounded by the individual’s own reasonable expectations of privacy. So long as the individual acts within this “zone of privacy,” his activities are shielded from unreasonable Government investigation. On the other hand, the Fourth Amendment establishes that, under certain circumstances, the public has a legitimate need to gain access to an individual’s zone of privacy in pursuit of public safety, and it defines the terms under which the Government may obtain that access. When the Government has probable cause to believe that evidence of a crime is within an individual’s zone of privacy, the Government is entitled to search for or seize the evidence, and the search usually must be preceded by a judicial determination that “probable cause” exists and be authorized by a warrant.
Nothing is preventing the government from seizing devices. The warrant can still accomplish that. What Barr is arguing is that the Fourth Amendment guarantees government access to evidence, which it doesn’t. It only gives it the right to search for it. A search warrant may result in a searched house or vehicle, but there’s no guarantee any useful evidence will be recovered. The evidence it’s looking for may not be on the premises. Or it may reside in a safe law enforcement isn’t able to crack. Or it simply may not exist at all.
The “locked safe” is the closest equivalent to an encrypted device. The government is free to continue trying to open the safe, but the warrant only allows it to seize evidence or items likely to contain evidence. It doesn’t obligate the safe manufacturer to build master keys for all safes and distribute them to law enforcement. Encryption backdoors make that demand. And they make that demand of any device manufacturer or software developer that secures customers’ communications and data with encryption.
So, how does Barr think this will be accomplished? It appears he thinks everyone else should spend time figuring that out and let the DOJ get back to the difficult work of not answering questions about the FBI’s encrypted device stash.
He thinks the courts should fix it, pointing to the Supreme Court’s 1925(!!) decision creating the automobile exception to search warrant requirements. He feels this concession to law enforcement (one that’s abused frequently by cops searching for seizable cash) should be followed by more concessions. Courts may not be able to order across-the-board backdoors, but they can create useful precedents for compelled access — either for device owners or device manufacturers.
He thinks society in general should fix this, even if it can’t contribute directly. What society can do is stop arguing about the deliberate weakening of encryption and just accept the fact that governments (and whoever else can find the backdoor) should have access to their communications and data. It’s a sacrifice we, the people, should be willing to make for our government, which pretty much has only its own interests in mind.
And Barr thinks the tech community should fix it. He lists a bunch of bad proposals, one of which was proposed by none other than the UK’s version of the NSA. He talks up Ray Ozzie’s take on key escrow and (former GCHQ security specialist) Matt Tait’s “layered envelopes” pitch he made for a blog that’s headed by noted surveillance state apologist, Ben Wittes. Those are the “experts:” the GCHQ, a former GCHQ employee, and a software pioneer.
Barr says the real risk posed by compromised encryption is worth it. He doesn’t explain how it’s worth to the millions of people he’ll put at risk in exchange for law enforcement access, but he seems to assume we’ll all feel much better about it when criminals start disappearing from the streets.
[T]he argument is that a business is thwarted in its purpose of offering the best protection against bad actors unless it can also override society’s interest in retaining lawful access. Some hold this view dogmatically, claiming that it is technologically impossible to provide lawful access without weakening security against unlawful access. But, in the world of cybersecurity, we do not deal in absolute guarantees but in relative risks. All systems fall short of optimality and have some residual risk of vulnerability — a point which the tech community acknowledges when they propose that law enforcement can satisfy its requirements by exploiting vulnerabilities in their products. The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. The Department does not believe this can be demonstrated.
In the end, Barr hopes we’ll be hit with a tragedy so awful, Congress will decide to end the debate by outlawing un-backdoored encryption.
Obviously, the Department would like to engage with the private sector in exploring solutions that will provide lawful access. While we remain open to a cooperative approach, the time to achieve that may be limited. Key countries, including important allies, have been moving toward legislative and regulatory solutions. I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues.
This is much worse than the handful of spoken asides uttered by FBI directors and a handful of DOJ officials. This was the only focus of Barr’s 4,000-word keynote address. He spent a few words at the opening to at least indicate to the crowd he knew where he was (a cybersecurity conference) before spending the rest of it arguing against effective encryption. This is Barr’s DOJ and, by extension, his FBI. This is the issue the DOJ’s going to run with as long as he’s in charge.