The head of the FBI has described its inability to access encrypted data from electronic devices as a “major public safety issue”.
In remarks prepared for the FBI International Conference on Cyber Security in New York, the bureau’s director, Christopher Wray, revealed that in FY2017 the organisation was unable to access the content of 7775 devices “using appropriate and available technical tools” despite having the legal authority to do so.
“Being unable to access nearly 7,800 devices is a major public safety issue,” Wray said. “That’s more than half of all the devices we attempted to access in that timeframe — and that’s just at the FBI.”
The issue of “going dark” comes up “in almost every conversation I have with leading law enforcement organisations, and with my foreign counterparts from most countries,” Wray said.
Wray claimed the FBI supported information security and “strong encryption”, but “information security programs need to be thoughtfully designed so they don’t undermine the lawful tools we need to keep this country safe.”
Wray said that a solution to the issue “isn’t so clear-cut”.
“It will require a thoughtful and sensible approach, and may vary across business models and technologies, but — and I can’t stress this enough — we need to work fast,” he said.
The FBI needs the private sector’s help, Wray said.
“We need them to respond to lawfully issued court orders, in a way that is consistent with both the rule of law and strong cyber security,” he said.
“I recognise this entails varying degrees of innovation by the industry to ensure lawful access is available,” the FBI director said. “But I just don’t buy the claim that it’s impossible.”
He gave the example of the Symphony messaging platform used by a number of major banks. The platform offers “guaranteed data deletion” as a feature, Wray said.
The New York State Department of Financial Services struck an agreement with four banks within its jurisdiction that use the platform: the banks keep a copy of all communications sent through Symphony for seven years and store copies of the decryption keys with independent custodians.
“So the data in Symphony was still secure and encrypted — but also accessible to regulators, so they could do their jobs,” Wray said.
“I’m confident that with a similar commitment to working together, we can find solutions to the going dark problem.”
The FBI director said he isn’t pushing for a “backdoor”, which he defined as a “secret, insecure means of access”.
“What we’re asking for is the ability to access the device once we’ve obtained a warrant from an independent judge, who has said we have probable cause,” he said.
The FBI isn’t alone in pushing tech companies to find ways to give law enforcement agencies access to encrypted data.
In Australia, the federal government last year said it would create new laws to deal with the issue. The government is yet to introduce a bill or release an exposure draft of any proposed legislation.
The government has indicated its legislation will be based on the UK’s Investigatory Powers Act. The UK act allows law enforcement agencies to issue a Technical Capability Notice to tech companies requiring them to assist in accessing a communication.
The government has said it is not interested in mandating the creation of backdoors, though like Wray it has a somewhat narrow definition of a backdoor.
Then-attorney-general Senator George Brandis in July said that the government would seek “to extend the existing law that says to individuals, citizens and to companies, that in certain circumstances you have an obligation to assist law enforcement if it’s within your power to do so”.
Any laws that have the effect of weakening the encryption schemes used by popular Internet services could have unintended consequences, according to the chief technology officer of security software vendor Sophos.
“I think it’s unreasonable to ask anyone who writes any kind of software to intentionally weaken the security of that software, whether that’s in the form of introducing a backdoor or whether it’s in the form of creating this kind of a ‘reversible crypto scheme’ where data could subsequently be decrypted even by an authorised party,” Joe Levy, CTO at Sophos, told Computerworld in an interview conducted in late 2017.
“No matter how you slice it, you’re basically asking the vendor to weaken the security of the product.”
“It might be requested with the very best of intentions and certainly fighting terrorism is a very important and a very noble goal, but there’s this unintended consequence of creating these vast exposures that are inevitably going to be exploited by some bad actor,” Levy said.
“You can’t just trust that it will only be the government who is going to have that key or have that ability to decrypt content. You just have to expect that, with knowledge that this capability exists in the product, that bad actors are going to seek to exploit that, especially when you have any kind of a centralisation of an ability to do that.”
“It’s basically an advertisement saying ‘come and attack me; this will give you the keys to the kingdom’,” the CTO said.