Real security requires strong encryption -- even if investigators get blocked

This article was first posted on The Conversation.

The FBI and the Department of Justice have been fighting against easy, widespread public access to encryption technologies for 25 years. Since the bureau’s dispute with Apple in 2016 over access to the encrypted iPhone of one of the two people who shot 14 victims in San Bernardino, Calif., this battle has become more pitched.

This dispute is not about whether regular people can or should use encryption: The U.S. government is in favor of using encryption to secure data. Rather, it’s about the FBI’s demand that encryption systems include “exceptional access,” enabling police who get a warrant to circumvent the encryption on a device or on an encrypted call.

Nearly every element of American society is a potential target for sophisticated hackers. That makes the conflict complicated; giving law enforcement officers a way into secure systems makes breaking in easier for others as well. In 2016, I testified before Congress in support of Apple and against the FBI position; and as I explain in my forthcoming book, “Listening In: Cybersecurity in an Insecure Age,” the FBI’s stance would make people, and society, less secure, not more so.

A new battle in an old war

Today, the American public is engaged in the second round of what have been called the “encryption wars.” During the 1990s, the U.S. had restrictions on encryption software and algorithms, allowing their use within the country, but preventing them from being exported to other countries. As a result, U.S. software companies faced a choice between creating two versions of every program -- a strong system for U.S. customers and a weak system for everyone else -- or providing only the weak version. Most chose the latter. That limited the availability of encryption software in the U.S., so export control worked well for both the National Security Agency’s intelligence gatherers and the FBI’s investigators.

But in 2000, the two agencies’ interests split. The Clinger-Cohen Act required the Department of Defense to buy commercially available communications and computer equipment -- and the agency wanted encryption built in. To boost the strength of cryptography in the marketplace, the NSA supported loosening the export controls.

This was a time when NSA itself was facing a new reality. Encrypted communications had become the norm in government work -- and not just for technologically sophisticated nations. NSA adapted. Details are shrouded in secrecy, but we know that just like hackers, NSA takes advantage of unpatched vulnerabilities to break in to targets. NSA also relies heavily on communications metadata, the when, where, how long -- and sometimes who -- of a communication. And NSA apparently uses stealthy techniques, such as intercepting communication equipment while being shipped, to install eavesdropping tools. The result? Despite widespread use of encryption by its targets, NSA is largely able to obtain the information it seeks.

Adapting to an encrypted world

Today, the FBI is facing a similar situation to the NSA’s two decades ago. Consumer products and apps like WhatsApp regularly use strong encryption to protect communications and devices. And sometimes that prevents investigators from viewing potential evidence -- as it did in San Bernardino, for a time. The bureau can keep fighting the battle to weaken encryption, which it has been losing for decades, or it can follow the NSA’s lead and adapt.

Police without a back door into encryption systems have several options. Since at least the early 2000s, the FBI has been getting court orders letting agents hack into criminals’ computer and communication systems to install recording and surveillance software. But that’s not the only possibility for investigators.

Other kinds of nonencrypted data may provide valuable information that can serve as an alternative, and computer systems can be enormously helpful in finding and analyzing that data. In the wake of the 1993 World Trade Center bombing, investigators had to wade through paper copies of phone company records to discover who talked to whom when, and from there draw connections between members of the bombing conspiracy. Modern software -- and digital phone, financial and other records available with a warrant -- can make that analysis immeasurably faster.

The internet of things  provides another potential treasure trove for investigators: In one instance, for example, the history of a person’s heart rate as measured by his data-collecting pacemaker led to his indictment for arson when his story of his actions during the fire didn’t hold up. In another case, a woman’s activity level, as tracked by her Fitbit, contradicted her husband’s account of her death -- and led to murder charges against him.

Following suspects is a third area where technology really helps police: Using a team of trackers cost approximately US$275 an hour -- but tracking a suspect’s phone as it travels drops the price to $5.21 an hour.

Such technological advances aren’t used as easily by state and local investigators, who conduct more than half of law enforcement wiretaps in the U.S. Sometimes state and local police are stymied by relatively simple issues, such as the wide variety of phones, internet providers and data formats. In 2013, the FBI stepped up to help, creating training programs through its National Domestic Communications Assistance Center to help police gather digital evidence without needing to break encryption.

Even as these varied investigatory techniques will help, sometimes encryption will simply prevent investigators from getting the goods -- or getting them quickly enough to prevent a crime. But law enforcement has always had to deal with blocks to obtaining evidence; the exclusionary rule, for example, means that evidence collected in violation of a citizen’s constitutional protections is often inadmissible in court.

Facing new threats

The importance of strong cryptography in protecting people’s privacy has become clearer in recent years. Attackers are more sophisticated -- as shown in the 2015 Russian hack of the Democratic National Committee emails and the 2017 Equifax data breach, among others. And any groups “viewed as likely to shape future U.S. policies” were targets of Russian hacking efforts, according to the Office of the Director of National Intelligence. That could include almost any organization -- activist groups, church associations, community foundations, professional societies, nongovernmental organizations and more -- that forms the underpinning of democratic societies.

This broad threat to fundamental parts of American society poses a serious danger to national security as well as individual privacy. Increasingly, a number of former senior law enforcement and national security officials have come out strongly in support of end-to-end encryption and strong device protection (much like the kind Apple has been developing), which can protect against hacking and other data theft incidents.

As technology changes, the jobs of police and intelligence workers must also change; in some ways, it will be harder, in others, easier. But the basic need for security supports the call for wide use of strong encryption -- and without modifications that make it easy for Russians, or others, to break in.