FBI Director James Comey is apparently a likable guy, but if he's going to attack encryption, it might help if he actually understood it better than, say, the editorial board of the Washington Post
, who recently argued against "backdoors" in technology, and for a magical "golden key" -- as if the two were somehow different. We wrote
a quick take on Comey's Brooking's talk
last week, but the deeper you dive into his talk the more and more evident it is that he not only doesn't quite understand the issues he's talking about, but that he doesn't even seem to understand when his own statements conflict with each other.
Just two days earlier, in a 60 Minutes interview, Comey had insisted, incorrectly, that the FBI can never read your email without a court order. This was simply false
, and Comey had to 'fess up
to that at the Brookings event when called on it. But if he needed to "clarify" that, it seems like he needs to do much more clarifying as well. Because much of his speech presented scenarios for why
the phone encryption now being put in place by Apple and Google would have harmed investigations -- and after digging into those examples, it appears that his explanations were, once again, incorrect. Here are his examples:
In Louisiana, a known sex offender posed as a teenage girl to entice a 12-year-old boy to sneak out of his house to meet the supposed young girl. This predator, posing as a taxi driver, murdered the young boy and tried to alter and delete evidence on both his and the victim’s cell phones to cover up his crime. Both phones were instrumental in showing that the suspect enticed this child into his taxi. He was sentenced to death in April of this year.
In Los Angeles, police investigated the death of a 2-year-old girl from blunt force trauma to her head. There were no witnesses. Text messages stored on her parents’ cell phones to one another and to their family members proved the mother caused this young girl’s death and that the father knew what was happening and failed to stop it. Text messages stored on these devices also proved that the defendants failed to seek medical attention for hours while their daughter convulsed in her crib. They even went so far as to paint her tiny body with blue paint—to cover her bruises—before calling 911. Confronted with this evidence, both parents pled guilty.
In Kansas City, the DEA investigated a drug trafficking organization tied to heroin distribution, homicides, and robberies. The DEA obtained search warrants for several phones used by the group. Text messages found on the phones outlined the group’s distribution chain and tied the group to a supply of lethal heroin that had caused 12 overdoses—and five deaths—including several high school students.
In Sacramento, a young couple and their four dogs were walking down the street at night when a car ran a red light and struck them—killing their four dogs, severing the young man’s leg, and leaving the young woman in critical condition. The driver left the scene, and the young man died days later. Using “red light cameras” near the scene of the accident, the California Highway Patrol identified and arrested a suspect and seized his smartphone. GPS data on his phone placed the suspect at the scene of the accident and revealed that he had fled California shortly thereafter. He was convicted of second-degree murder and is serving a sentence of 25 years to life.
The evidence we find also helps exonerate innocent people. In Kansas, data from a cell phone was used to prove the innocence of several teens accused of rape. Without access to this phone, or the ability to recover a deleted video, several innocent young men could have been wrongly convicted.
Powerful stories, right? Just imagine if the data on those phones were locked up and unavailable to law enforcement? Well, imagine-no-more, because people have been looking into these stories, and Comey's fear mongering doesn't check out. First up, The Intercept looked into these cases
and their results can be summed up in the URL slug which includes "FBI Dude Dumb Dumb."
In the three cases The Intercept was able to examine, cell-phone evidence had nothing to do with the identification or capture of the culprits, and encryption would not remotely have been a factor.
In the most dramatic case that Comey invoked — the death of a 2-year-old Los Angeles girl — not only was cellphone data a non-issue, but records show the girl’s death could actually have been avoided had government agencies involved in overseeing her and her parents acted on the extensive record they already had before them.
In another case, of a Lousiana sex offender who enticed and then killed a 12-year-old boy, the big break had nothing to do with a phone: The murderer left behind his keys and a trail of muddy footprints, and was stopped nearby after his car ran out of gas.
And in the case of a Sacramento hit-and-run that killed a man and his girlfriend’s four dogs, the driver was arrested a few hours later in a traffic stop because his car was smashed up, and immediately confessed to involvement in the incident.
The link provides a lot more details about each of those cases, suggesting phones had little to nothing to do with any of those stories, and if there were encryption on those phones it wouldn't have made the slightest difference. And it's not just the folks over at The Intercept
recognizing this. The Associated Press called bullshit
on most of the examples as well.
And, remember, these were the hand-picked examples the FBI came up with after weeks
of time to prepare its case for not allowing such encryption. And they don't hold up under scrutiny.
During the Q&A, Comey was again challenged on these and asked for "real live examples" where encryption would be an issue and his answer did not inspire confidence
that Comey has any idea what he's talking about:
Rescuing someone before they’re harmed? Someone in the trunk of a car or something? I don’t think I know – yet? I’ve asked my folks just to canvas – I’ve asked our state and local partners are there some examples where this – I think I see enough, but I don’t think I’ve found that one yet. I’m not looking. Here’s the thing. When I was preparing the speech, one of the things I was inclined to talk about was — to avoid those kids of sort of ‘edge’ cases because I’m not looking to frighten people. Logic tells me there’re going to be cases just like that, but the theory of the case is the main bulk of law enforcement activity. But that said I don’t know the answer. I haven’t found one yet.
In the talk, Comey also disputed the notion of a "back door," but rather claimed he wanted a "front door."
We aren’t seeking a back-door approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by law. We are completely comfortable with court orders and legal process—front doors that provide the evidence and information we need to investigate crime and prevent terrorist attacks.
Right. So, just like the question of what's the difference between a back door and a magic golden key, Comey was asked
about the difference between a front door and a back door, and his answer was... he doesn't know.
When asked technical questions about the solution he was suggesting, Comey didn’t have the answers. At one point, the host, Benjamin Wittes, a senior fellow at the Brooking Institution, asked Comey to explain his “front door” distinction, to which he responded, “I don’t think I am smart enough to tell you what 'front door' means.”
Yup. You're the director of the FBI and you just gave a key speech -- pushing for legislation -- which focuses on the idea of wanting a "front door" into technology, and when questioned on what the hell that means your answer is "I don't think I'm smart enough to tell you what 'front door' means"? This isn't making me feel any safer.
You know what would make me feel safer? A hell of a lot more encryption. And you know who agrees? the FBI
. This is from the FBI's own website for "safety tips to protect your mobile device"
In case you can't read it, it says:
Depending on the type of phone, the operating system may have encryption available. This can be used to protect the user’s personal data in the case of loss or theft.
It also recommends passcode protecting your phone (which is how these default encryption systems now work). So, um, here we have the FBI telling people to encrypt their phones... and complaining that such things will lead to the end of the world, though it's unable to actually give an example, or even explain what its new proposal is really about. As Marcy Wheeler pointed out before the speech
, this sort of clueless dichotomy seems to follow Comey around. In that 60 Minutes interview, he both talked about how dangerous the internet is, and why people need to protect themselves... and then attacked one of the most important tools for people to protect themselves.
It's almost as if Comey has absolutely no idea what he's talking about.
And that's because he almost certainly does not. He may understand other issues related to crime and law enforcement, but when it comes to encryption, it appears he's reading the hastily prepared script of someone else. The simple fact is that he's wrong. Strong encryption is in the public interest
and not only protects people from questionable surveillance, but from bad actors as well. It's the best way
to make us all safer -- much better than relying on FBI agents running around trying to snoop on phones.
Thankfully, so far, the folks in Congress don't sound particularly impressed
by Comey's demand for "front doors" that he's not smart enough to understand. Hopefully it stays that way.