FBI Director Chris Wray Pitches Weakened Encryption At A Cyber Security Conference

from the piling-on-the-unintended-irony dept

On May 29, 2018, the FBI promised to deliver an updated count of encrypted devices in its possession. As James Comey and his replacement, Chris Wray, continued to advocate for weakened encryption, the number of phones the FBI couldn't get into swelled from 880 in 2016 to over 7,800 by the time the FBI realized its phone-counting method was broken.

This number still hasn't been updated. An early internal estimate by the FBI put the real number of locked devices at ~1,200. But the official number still hasn't been released. This hasn't stopped Chris Wray from continuing his attacks on encryption, painting pictures of a dark future that isn't supported by the small number of encrypted devices in the agency's possession.

The attacks continue. They're more subtle than Attorney General Bill Barr's aggressive pitches, but they're still happening. Chris Wray spent his time at a recent cyber security conference in Boston making the case for strong encryption before (yet again) making a plea for tech companies to give law enforcement the encryption backdoors Wray still refuses to call backdoors.

Today we’re worried about a wider-than-ever range of threat actors, from multi-national cyber syndicates to nation-state adversaries. And we’re concerned about a wider-than-ever gamut of methods continually employed in new ways, like the targeting of managed service providers—MSPs—as a way to access scores of victims by hacking just one provider.

[...]

We’re also battling the increasing sophistication of criminal groups that places many hackers on a level we used to see only among hackers working for governments. The proliferation of malware as a service, where darkweb vendors sell sophistication in exchange for cryptocurrency, increases the difficulty of stopping what would once have been less-dangerous offenders. It can give a ring of unsophisticated criminals the tools to paralyze entire hospitals, police departments, and businesses with ransomware. Often the hackers themselves haven’t actually gotten much more sophisticated—but they’re renting sophisticated capabilities, requiring us to up our game as we work to defeat them, too.

These all sound like arguments for strong encryption. They're not, I guess. Because the very next thing out of Wray's mouth is this:

We’re having to fight these increasingly-dangerous threats while contending with providers increasingly shielding indispensable information about those threats from any form of lawful access—through warrant-proof encryption.

"Warrant-proof encryption" is just encryption. It's protecting all the people Chris Wray says need to be protected from cyber threats. Just because it's made gathering evidence slightly more difficult is no reason to portray encryption as an evil the nation needs to be saved from.

But Wray's disingenuousness doesn't stop there.

We are all for strong encryption—and contrary to what you might hear, we’re not advocating for “back doors.” We’ve been asking for providers to make sure that they themselves maintain some kind of access to the encrypted data we need, so they can still provide it in response to a court order.

It's still a door -- one that wasn't there previously. Trying to dodge the "backdoor" term by asking service providers to leave themselves a key under the doormat is a weak and transparent effort to pre-distance Wray from any subsequent damage his desires might cause. Wray doesn't want to be the villain if anti-encryption laws are ever enacted. But he won't waste any time availing himself of the access it provides, even as it undermines the security of the nation.

Filed Under: chris wray, doj, encryption, fbi


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Peter, 12 Mar 2020 @ 4:24am

    Here's the thing about criminals

    Criminals break the law. Thus if they feel the need to have strong encryption, that is what they will use.

    Arguing for weakened encryption is like banning guns and expecting that will magically stop criminals using them.

    reply to this | link to this | view in chronology ]

    • identicon
      Bruce C., 12 Mar 2020 @ 5:49am

      Re: Here's the thing about criminals

      Exactly. Even in Wray's "perfect world" where all the phone makers, app makers, service providers and websites implemented the "key under the doormat", he still runs into the first amendment when it comes to researchers investigating and publishing full "strong encryption" algorithms. People who want to be secure will simply go to offshore companies that aren't bound by US restrictions, and the crooks will roll their own as usual.

      And that doesn't even begin to address the issue that these business organizations can't even properly protect the information about us that they already have. There have been literally billions of user accounts and personal data records breached over the years. To think that hardware makers and service providers have a chance at preventing the extraction and sale or publication of these backdoor keys is insane. A cybercriminal would probably pay mid-6 figures or more for a backdoor from (say) Apple, or the Bank of America.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 12 Mar 2020 @ 11:50am

        Re: Re: Here's the thing about criminals

        Even in Wray's "perfect world" where all the phone makers, app makers, service providers and websites implemented the "key under the doormat", he still runs into the first amendment when it comes to researchers investigating and publishing full "strong encryption" algorithms. … crooks will roll their own as usual.

        Criminals rolling their own is about the best result he could hope for. It's like the #1 way to get an insecure system.

        reply to this | link to this | view in chronology ]

        • identicon
          Bruce C., 12 Mar 2020 @ 6:15pm

          Re: Re: Re: Here's the thing about criminals

          Well, not necessarily. Sometimes the crooks can afford to hire experts, other times they're nation-state actors. The average idiots are the ones who will get caught, just like the armed robbers who then go and brag on social media.

          reply to this | link to this | view in chronology ]

        • icon
          Scary Devil Monastery (profile), 13 Mar 2020 @ 6:44am

          Re: Re: Re: Here's the thing about criminals

          "Criminals rolling their own is about the best result he could hope for. It's like the #1 way to get an insecure system."

          The most secure encryption algorithms today are all open source. What it takes is for criminals to not employ an incompetent moron for them to be effective.

          So in other words criminals will have the best possible encryption. The citizenry will have, effectively, none. At least after someone has used the 5 dollar wrench attack to obtain Apple's master key from their lead technician.

          reply to this | link to this | view in chronology ]

    • icon
      DannyB (profile), 12 Mar 2020 @ 7:11am

      Re: Here's the thing about criminals

      No need to ban guns.

      What if instead we had 'weakened' guns?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 12 Mar 2020 @ 7:49am

        Re: Re: Here's the thing about criminals

        All guns should have back doors ... with good guy access only.

        reply to this | link to this | view in chronology ]

        • icon
          Toom1275 (profile), 12 Mar 2020 @ 9:21am

          Re: Re: Re: Here's the thing about criminals

          You jest, but that exact moronic idea has actually been seriously tried before - a mandate that all guns be hampered with electric fingerprint locks.

          reply to this | link to this | view in chronology ]

      • identicon
        Lawrence D’Oliveiro, 12 Mar 2020 @ 4:11pm

        Re: No Need To Ban Guns?

        The difference being, encryption is a constructive technology with lots of useful, nonviolent uses (like securing your online banking), while guns are just destructive weapons designed only to blow holes in things. When a gun is causing destruction, injury and death, it is only working as designed.

        Conflating the two is not helpful to the discussion. The fact that guns need to be controlled to minimize their harm cannot be used as an argument that encryption needs to be controlled.

        reply to this | link to this | view in chronology ]

        • icon
          Toom1275 (profile), 12 Mar 2020 @ 4:13pm

          Re: Re: No Need To Ban Guns?

          Lawrence's law:

          A conversation cannot mention guns without the troll Lawrence D'Oliveiro leaving a big, steaming pile of bullshit.

          reply to this | link to this | view in chronology ]

    • icon
      Scary Devil Monastery (profile), 13 Mar 2020 @ 6:41am

      Re: Here's the thing about criminals

      "Arguing for weakened encryption is like banning guns and expecting that will magically stop criminals using them."

      Worse. It's like banning math and expecting criminals to stop using it.

      A gun still requires physical hardware. Encryption is essentially just information.

      reply to this | link to this | view in chronology ]

      • icon
        Scary Devil Monastery (profile), 13 Mar 2020 @ 6:57am

        Re: Re: Here's the thing about criminals

        Oh yah, forgot this bit;

        Encryption is essentially communicating privately.
        Something i believe to be implicitly guaranteed in every constitution around in the western world.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Mar 2020 @ 4:26am

    There are a few ways to increase cybersecurity but encryption standards aren't as relevant as many people think they are.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Mar 2020 @ 6:19am

      Re:

      "encryption standards aren't as relevant "

      What is irrelevant about how people have defined encryption?
      . The number of significant digits in the key?
      . Method used to generate random numbers?

      What specifically is it that people think is relevant but you think is not?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 12 Mar 2020 @ 9:59pm

        Re: Re:

        The major cyber problem can't be solved by encryption.

        reply to this | link to this | view in chronology ]

        • icon
          Scary Devil Monastery (profile), 13 Mar 2020 @ 7:01am

          Re: Re: Re:

          "The major cyber problem can't be solved by encryption."

          No, but it's pretty much guaranteed we'll never be rid of PEBKAC.

          What we CAN do is to ensure that everyone has access to basic, simple to use communications which make use of a good encryption standard.

          If some moron later on sees fit to use a password on the top ten dictionary attack laundry list to access his bank that's no longer our problem.

          reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 13 Mar 2020 @ 8:39am

          Re: Re: Re:

          "The major cyber problem can't be solved by encryption."

          I do not recall claiming it can.

          reply to this | link to this | view in chronology ]

  • icon
    Jeremy Lyman (profile), 12 Mar 2020 @ 4:32am

    Golden Toilet Key

    Anyone else surprised he's not railing against the scourges of fire, paper shredders, or flushable toilets? Think of all the essential information to which these warrant-proof devices have deprived law enforcement access. Can these technologies possibly be worth the societal cost? We should all go back to shitting in a bucket. Yeah. For the greater good.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Mar 2020 @ 6:26am

      Re: Golden Toilet Key

      What about private conversations in pubs, clubs and cafes? Will he require that the owners install microphones so that they can record all conversations? That is what he wanting the tech companies to do for any conversazioni that use their servers.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Mar 2020 @ 4:42am

    "Look, we can't be expected to catch burglars if you don't let us just walk into anyone's house to search it at any time, so that's why in order to combat the burglary epidemic we need to outlaw locks on the doors of houses!"

    reply to this | link to this | view in chronology ]

  • identicon
    teka, 12 Mar 2020 @ 5:35am

    "we don't want keys to everyone's houses, we just want to require all door installers and lock makers to keep a spare key for every house for themselves and then give it to us whenever we want with no questions or restrictions whenever we want. Anyone who is against that must be a kiddie-porn terrorist who also sells drugs and is some kind of foreigner"

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Mar 2020 @ 5:47am

    The FBI will get what it wants

    Any Coronavirus relief bill will probably have a rider covering this stuff.

    reply to this | link to this | view in chronology ]

  • identicon
    bobob, 12 Mar 2020 @ 7:20am

    The government is so duplicitous in making those arguments. What they want is unrestricted access to everyone's phones and data and the rest of the bullshit is just an excuse to justify it.

    reply to this | link to this | view in chronology ]

  • identicon
    Pixelation, 12 Mar 2020 @ 7:41am

    Next up...

    FBI Director Chris Wray Pitches Partial Pregnancy.

    reply to this | link to this | view in chronology ]

    • icon
      Scary Devil Monastery (profile), 13 Mar 2020 @ 7:07am

      Re: Next up...

      "FBI Director Chris Wray Pitches Partial Pregnancy."

      No he isn't!

      He's very explicitly saying that he isn't asking for partial pregnancy. He's asking for sort-of-but-not-quite pregnancy.

      What I really have to ask, at this point, is whether Chris Wray is so monumentally inept he doesn't realize what he's asking for, or he knows damn well what he asks for and keeps ignoring it because he doesn't really give a fsck?

      reply to this | link to this | view in chronology ]

      • icon
        That One Guy (profile), 13 Mar 2020 @ 2:01pm

        Re: Re: Next up...

        It's the latter, guaranteed. For the former to be even possible he'd either have to have a literal inability to remember things that he doesn't like, or be so stupid that he would be incapable of doing any task that required even the most modest amount of thinking.

        He knows that what he's asking for is not only stupid but dangerous, he simple doesn't give a damn as it's a price he's willing to have the public pay.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Mar 2020 @ 8:22am

    FBI Director Chris Wray Pitches Weakened Encryption At A Cyber Security Conference

    That's like pitching reduced public education funding to a teachers' union or net neutrality to a consortium of service providers. Only far less sensical.

    Good fucking luck with that.

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 12 Mar 2020 @ 2:29pm

    Kiss your credibility goodbye

    Inviting someone with a demonstrable history of antagonism against encryption to a security conference is like inviting a known arsonist to a fire-fighters' conference.

    I'm sure there's a better way to make clear that you care more about the spectacle than the actual subject of the conference than inviting someone known to be against said subject, but for the life of me I can't think of it.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Mar 2020 @ 8:07pm

      Re: Kiss your credibility goodbye

      Personally I'd like to think of it as they needed something to laugh at and found a willing sucker to demonstrate his idiocy to all the experts...

      reply to this | link to this | view in chronology ]

      • icon
        Scary Devil Monastery (profile), 13 Mar 2020 @ 7:10am

        Re: Re: Kiss your credibility goodbye

        Huh. I'm not sure whether making Poe's Law a utility is good, in the long run.

        Even if it must have saved them a fortune on having to hire an actual comedian for the fifteen minute break.

        reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.