Real security requires strong encryption -- even if investigators get blocked

Police without a back door into encryption systems still have several options for obtaining evidence.

The Conversation

This article was first posted on The Conversation.

The FBI and the Department of Justice have been fighting against easy, widespread public access to encryption technologies for 25 years. Since the bureau’s dispute with Apple in 2016 over access to the encrypted iPhone of one of the two people who shot 14 victims in San Bernardino, Calif., this battle has become more pitched.

This dispute is not about whether regular people can or should use encryption: The U.S. government is in favor of using encryption to secure data. Rather, it’s about the FBI’s demand that encryption systems include “exceptional access,” enabling police who get a warrant to circumvent the encryption on a device or on an encrypted call.

Nearly every element of American society is a potential target for sophisticated hackers. That makes the conflict complicated; giving law enforcement officers a way into secure systems makes breaking in easier for others as well. In 2016, I testified before Congress in support of Apple and against the FBI position; and as I explain in my forthcoming book, “Listening In: Cybersecurity in an Insecure Age,” the FBI’s stance would make people, and society, less secure, not more so.

A new battle in an old war

Today, the American public is engaged in the second round of what have been called the “encryption wars.” During the 1990s, the U.S. had restrictions on encryption software and algorithms, allowing their use within the country, but preventing them from being exported to other countries. As a result, U.S. software companies faced a choice between creating two versions of every program -- a strong system for U.S. customers and a weak system for everyone else -- or providing only the weak version. Most chose the latter. That limited the availability of encryption software in the U.S., so export control worked well for both the National Security Agency’s intelligence gatherers and the FBI’s investigators.

But in 2000, the two agencies’ interests split. The Clinger-Cohen Act required the Department of Defense to buy commercially available communications and computer equipment -- and the agency wanted encryption built in. To boost the strength of cryptography in the marketplace, the NSA supported loosening the export controls.

This was a time when NSA itself was facing a new reality. Encrypted communications had become the norm in government work -- and not just for technologically sophisticated nations. NSA adapted. Details are shrouded in secrecy, but we know that just like hackers, NSA takes advantage of unpatched vulnerabilities to break in to targets. NSA also relies heavily on communications metadata, the when, where, how long -- and sometimes who -- of a communication. And NSA apparently uses stealthy techniques, such as intercepting communication equipment while being shipped, to install eavesdropping tools. The result? Despite widespread use of encryption by its targets, NSA is largely able to obtain the information it seeks.

Adapting to an encrypted world

Today, the FBI is facing a similar situation to the NSA’s two decades ago. Consumer products and apps like WhatsApp regularly use strong encryption to protect communications and devices. And sometimes that prevents investigators from viewing potential evidence -- as it did in San Bernardino, for a time. The bureau can keep fighting the battle to weaken encryption, which it has been losing for decades, or it can follow the NSA’s lead and adapt.

Police without a back door into encryption systems have several options. Since at least the early 2000s, the FBI has been getting court orders letting agents hack into criminals’ computer and communication systems to install recording and surveillance software. But that’s not the only possibility for investigators.

Other kinds of nonencrypted data may provide valuable information that can serve as an alternative, and computer systems can be enormously helpful in finding and analyzing that data. In the wake of the 1993 World Trade Center bombing, investigators had to wade through paper copies of phone company records to discover who talked to whom when, and from there draw connections between members of the bombing conspiracy. Modern software -- and digital phone, financial and other records available with a warrant -- can make that analysis immeasurably faster.

The internet of things  provides another potential treasure trove for investigators: In one instance, for example, the history of a person’s heart rate as measured by his data-collecting pacemaker led to his indictment for arson when his story of his actions during the fire didn’t hold up. In another case, a woman’s activity level, as tracked by her Fitbit, contradicted her husband’s account of her death -- and led to murder charges against him.

Following suspects is a third area where technology really helps police: Using a team of trackers cost approximately US$275 an hour -- but tracking a suspect’s phone as it travels drops the price to $5.21 an hour.

Such technological advances aren’t used as easily by state and local investigators, who conduct more than half of law enforcement wiretaps in the U.S. Sometimes state and local police are stymied by relatively simple issues, such as the wide variety of phones, internet providers and data formats. In 2013, the FBI stepped up to help, creating training programs through its National Domestic Communications Assistance Center to help police gather digital evidence without needing to break encryption.

Even as these varied investigatory techniques will help, sometimes encryption will simply prevent investigators from getting the goods -- or getting them quickly enough to prevent a crime. But law enforcement has always had to deal with blocks to obtaining evidencethe exclusionary rule, for example, means that evidence collected in violation of a citizen’s constitutional protections is often inadmissible in court.

Facing new threats

The importance of strong cryptography in protecting people’s privacy has become clearer in recent years. Attackers are more sophisticated -- as shown in the 2015 Russian hack of the Democratic National Committee emails and the 2017 Equifax data breach, among others. And any groups “viewed as likely to shape future U.S. policies” were targets of Russian hacking efforts, according to the Office of the Director of National Intelligence. That could include almost any organization -- activist groups, church associations, community foundations, professional societies, nongovernmental organizations and more -- that forms the underpinning of democratic societies.

This broad threat to fundamental parts of American society poses a serious danger to national security as well as individual privacy. Increasingly, a number of former senior law enforcement and national security officials have come out strongly in support of end-to-end encryption and strong device protection (much like the kind Apple has been developing), which can protect against hacking and other data theft incidents.

As technology changes, the jobs of police and intelligence workers must also change; in some ways, it will be harder, in others, easier. But the basic need for security supports the call for wide use of strong encryption -- and without modifications that make it easy for Russians, or others, to break in.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.