New Report Says The Feds' Focus On Device Encryption Is Holding Local Law Enforcement Back

from the get-what-you-can-instead-of-dreaming-about-an-all-access-pass dept

CSIS (Center for Strategic and International Studies) has just released another report [PDF] on device encryption. But there's a difference: this one isn't so much about encryption but what law enforcement isn't doing to access the wealth of digital data available to it. (h/t Robyn Greene)

What CSIS found is there are plenty of powerful tools and options available. The problem -- especially at the local level -- is law enforcement appears to be unsure of how to proceed when seeking digital data. This results in a couple of problems, the latter of which has definite civil liberties implications.

Our survey of federal, state, and local law enforcement officials suggests that challenges in accessing data from service providers—much of which is not encrypted—is the biggest problem that they currently face in terms of their ability to use digital evidence in their cases. Specifically, the inability to effectively identify which service providers have access to relevant data was ranked as the number-one obstacle in being able to effectively use digital evidence in particular cases.

Following closely after that is the difficulty of obtaining data and evidence from service providers if agencies do manage to narrow down where it's located. While there are a variety of federal resources available to train and educate law enforcement investigators about seeking digital evidence, they're underfunded and underutilized.

This lack of education and overall uncertainty is leading to unfortunate results -- both in terms of targeted citizens and the law enforcement agencies hoping to hold onto whatever evidence they may obtain. Overbroad warrants are routine and it's not always the result of a "collect it all" philosophy.

Law enforcement claims... they often lack enough information to know what data is and is not available and make the kind of relevancy determination needed. Put simply, unless law enforcement officials are adequately informed about what kind of data providers have available, they are not in a position to know what there is to ask for—let alone determine if it is relevant. Law enforcement officials also point out that in many cases it is appropriate to ask for “any and all data,” particularly when the universe of available data is sufficiently limited—for example, if the request is directed toward “any and all data” about a particular account and during a specific time horizon.

These broad requests result in pushback from tech company recipients (who, unfortunately, likely understand the law better), which further strains the relationship between service providers and law enforcement agencies. The problem with the law enforcement side is the numbers don't support this perception.

The number of law enforcement requests, at least as directed at the major U.S.-based tech and telecom companies, has significantly increased over time. Yet, the response rates have been remarkably consistent.

The increase in requests has led to an increase in rejected requests as a whole -- which fuels the perception service providers are giving lawmen the figurative finger -- but the percentage of rejected requests (around 20%) has remained constant.

It's not just law enforcement personnel needing more training and info. The lack of training leads to broad warrant requests and subpoenas from law enforcement. These requests should be receiving pushback before they're delivered to service providers. But far too often, they're not receiving enough scrutiny at the judicial level. This is also an education/information problem.

[R]esources should be invested in training judges, in addition to law enforcement officials engaged in the investigative and prosecutorial functions. Judges serve as crucial intermediaries in the request process, ensuring that data requests are lawful and appropriately tailored. Resources should also be expended to train defense attorneys, who also need the ability to access and interpret digital evidence in order to mount an adequate defense.

The broad requests that do make it through post additional issues that are rarely discussed. While FISA court orders authorizing surveillance (including domestic surveillance) stress minimization of non-target info, demands for data from service providers aren't subject to these restrictions. Data/communication dumps can expose a lot of info about non-targets and there's almost zero recourse for non-targets whose privacy has been violated. "Incidental" collection isn't just something the NSA does. It's the inevitable byproduct of overbroad requests and few, if any, rules governing the collection and use of this info.

The report details a large number of deficiencies in the process which has made law enforcement's job far more difficult than it needs to be. Tech advances don't solely benefit crafty criminals. They also aid law enforcement, but there's been no cohesive effort made by the federal government to ensure local agencies can make the most of the tools available. Until this is nailed down, worrying about defeating or bypassing encryption is a waste of time.

That the FBI's director has decided that's how he's going to use his time and energy, suggests the agency -- the most frequent contact for local agencies seeking tech help -- isn't going to prioritize sharing knowledge over seeking legislative mandates. The FBI is hurting itself and others by limiting their ability to do everything they can right now in hopes of getting a law enforcement-sized hole drilled in encryption at some point in the next few decades.

Filed Under: doj, encryption, fbi, going dark, law enforcement
Companies: csis

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Anonymous Coward, 26 Jul 2018 @ 5:53am

    Re: HA, HA.

    You talking about that kid who possibly coined the term e-mail but advertises himself as the kid who invented e-mail?

    What does he have to do with this article?
    Are law enforcement working to obtain evidence against him showing how he misled investors with his claims of inventing something he did not invent?
    Seems like such things should be a crime but what do I know, my IQ is likely 20 points below his, amazing I can even write this message.

    Thanks for the off-topic discussion.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown for basic formatting. (HTML is not supported.)
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.