Pages

19 October 2014

F.B.I. Director Hints at Action as Cellphone Data Is Locked

David E. Sanger and Matt Apuzzo
New York Times, October 17, 2014

James B. Comey, the director of the F.B.I., during an hourlong speech at the Brookings Institution in Washington on Thursday. Credit Jose Luis Magana/Associated Press

WASHINGTON — The director of the F.B.I., James B. Comey, said on Thursday that the “post-Snowden pendulum” that has driven Apple and Google to offer fully encrypted cellphones had “gone too far.” He hinted that as a result, the administration might seek regulations and laws forcing companies to create a way for the government to unlock the photos, emails and contacts stored on the phones.

But Mr. Comey appeared to have few answers for critics who have argued that any portal created for the F.B.I. and the police could be exploited by the National Security Agency, or even Russian and Chinese intelligence agencies or criminals. And his position seemed to put him at odds with a White House advisory committee that recommended against any effort to weaken commercial encryption.

Apple and Google have announced new software that would automatically encrypt the contents of cellphones, using codes that even the companies could not crack. Their announcement followed a year of disclosures from Edward J. Snowden, the former government contractor who revealed many government programs that collect electronic data, including information on Americans.

The new encryption would hinder investigations involving phones taken from suspects, recovered at crime scenes or discovered on battlefields. But it would not affect information obtained by real-time wiretaps, such as phone conversations, emails or text messages. And the government could still get information that is stored elsewhere, including emails, call logs and, in some cases, old text messages.

But F.B.I. agents see the encryption as a beachhead they cannot afford to lose. With the latest software, the new phones will be the first widely used consumer products to encrypt data by default. If that is allowed to stand, investigators fear other technology companies will follow suit. If all desktop computers and laptops were encrypted, it would stymie all kinds of criminal investigations, they say.

Mr. Comey’s position has set up a potentially difficult struggle between law enforcement agencies and the nation’s high-technology manufacturers, who have rebuffed the government’s demands for a way to decode data.

It has also touched off a debate inside the government that highlights the difference between cybersecurity and traditional crime fighting. Any technology that allows the United States government to bypass encryption in the name of solving crimes could also allow hackers and foreign governments to bypass encryption in the name of stealing secrets.

Justice Department officials and company representatives have discussed these issues privately. Some Obama administration officials believe that the companies would be successful in killing any legislation that seems to weaken privacy protections and that it makes no sense to pick a public fight with Apple and Google or push for new legislation.

Just 10 months ago Mr. Obama’s advisory committee on the N.S.A., created in light of the Snowden disclosures, recommended that the government “not in any way subvert, undermine, weaken or make vulnerable generally available commercial software.” The committee also recommended that the government “increase the use of encryption and urge U.S. companies to do so.”

Mr. Comey made no reference to that report in an hourlong speech and discussion at the Brookings Institution, and White House officials have said they are still struggling to come up with a policy for Mr. Obama to adopt.

While Apple and Google declined to respond to Mr. Comey’s speech, just last week, at an event in Palo Alto, Calif., executives of several companies made clear they would not slow their efforts to offer encryption. In fact, they said, the effort would accelerate, and they would develop algorithms that would take the government months or years to crack, and then insist that consumers themselves create their own encryption keys so that the companies would be unable to crack the code or provide it to the government.

Colin Stretch, the general counsel for Facebook, called encryption “a key business objective” for technology companies. “I’d be fundamentally surprised if anybody takes the foot off the pedal of building encryption into their products,” he said.

Mr. Comey’s complaint is that technology is vastly outpacing the ability to assure that authorities can track suspects however they communicate — by cellphone, text message or over a smartphone app. Four years ago the F.B.I. pressed to update a 20-year-old law that required traditional communication providers — like AT & T or Verizon — to build into their systems an ability to immediately comply with wiretap orders.

But many different companies, including small start-ups and foreign firms, now transmit communications. The F.B.I.’s effort to require many kinds of companies to provide unencrypted, plain-text information to the government if served with a court order failed. Last year the F.B.I. called back its proposal so that companies would still be permitted to offer messaging that would be entirely encrypted between users.

The Snowden disclosures about the surveillance carried out by the National Security Agency killed all those proposals. Now Mr. Comey appears to be going even further, seeking a way into data stored on phones even if it is never transmitted. And he wants to make sure that Apple, or other phone manufacturers, do not “throw away the key” that allows that information to be unencrypted. The companies, meanwhile, are going the other way: They want to convince customers that their data will be private, even from the phone’s maker.

“Just as people won’t put their money in a bank they won’t trust, people won’t use an Internet they won’t trust,” Brad Smith, the general counsel for Microsoft, said recently.

Recognizing America’s suspicion of government surveillance, Mr. Comey has based his argument on the need to conduct investigations into child pornographers and kidnappers, not terrorists. The office of the director of national intelligence and the N.S.A. have deliberately stayed out of this argument, leaving the issue to Mr. Comey.

But under questioning from Benjamin Wittes, a cybersecurity expert at Brookings, and from reporters and audience members, Mr. Comey made clear he was speaking only for the F.B.I. As a result, he made no commitment that the N.S.A. or other American intelligence agencies would never exploit the technology that could unencrypt data.

Mr. Snowden’s revelations, backed up by classified documents, were rife with examples of how the agency secretly tapped into communications lines between Google’s servers — then still unencrypted — to drain out data, and took similar steps to find holes in encryption systems marketed by American companies. While the presidential commission found no evidence that the government had created a “backdoor” that gave the United States unauthorized access to data, it concluded that “the use of encryption should be greatly expanded to protect not only data in transit, but also data at rest on networks, in storage and in the cloud.”

Mr. Comey did not specify what kind of technological fix he wanted, other than to say that if the companies built one into their software, it would be far easier to assure that it was not exploited by others. But he also said that “we may get to a place where the U.S. Congress forces this” on American manufacturers.

No comments:

Post a Comment