Is the FBI Trying to Bolster Its War on Cryptography?

Was their miscount of unlockable phones truly a mistake or part of an agenda?


Christopher Wray
Tom Williams/CQ Roll Call/Newscom

If you were to take law enforcement at its word, you would believe that the encryption techniques that secure our data actually end up serving criminals who would do us harm. For the past few years, the FBI and other authorities have revived the "War on Crypto" because they say it prevents them from accessing devices that they need to bring killers and terrorists to justice.

FBI director Christopher Wray has been fond of claiming that the Bureau was locked out of some 7,775 devices last year. In January, he argued that "being unable to access nearly 7,800 devices in a single year is a major public safety issue."

It turns out that the FBI wildly inflated those figures, according to the Washington Post. The Bureau still doesn't know the exact number of devices that have apparently been so central in the miscarriage of justice. If previous numbers are to be believed—which have hovered around 700 to 800 devices—the true number is probably closer to 1,000.

The FBI told the Post that "programming errors" were responsible for the over-counting, since they were apparently pulling their numbers from three separate databases. But that excuse seems awfully convenient, given the agency's recent antagonism towards security technologies.

Sen. Ron Wyden (D-Ore.) issued a scathing letter to the FBI in response to their admission of error, chiding that because the FBI is "struggling with basic arithmetic" it should "not be in the business of dictating the design of advanced cryptographic algorithms." He pointedly noted that such a major miscalculation could either be the product of "sloppy work" or something more nefarious: "pushing a legislative agenda."

Could this "accidental miscounting" have been a purposeful ploy to undermine strong encryption? A review of the FBI's recent public and behind-the-scenes activities certainly makes it look that way. The agency has been engaged in an all-out public war on encryption using emotional rhetoric to push for the access into our devices they have long sought.

Encryption technologies have been a chief bugaboo of America's top feds for about as long as these security technologies have been available to the public, which is to say for most of you and I's experiences on the internet. In the 90's, authorities argued that strong encryption techniques were a kind of munition, and tried to prevent computer scientists from deploying security measures. Thankfully, the computer scientists won the previous battles over public-key encryption.

But the question of device encryption has taken on a new political urgency following the high-profile attacks in San Bernardino in December of 2015. With the so-called "Going Dark" problem, authorities argue that the measures that keep our phones secure can prevent them from accessing critical data in an investigation. Thus, they want technology companies to build special government access into our phones, called a "backdoor."

It is easy to sympathize with investigators who work to bring criminals to justice. But unfortunately, with the San Bernardino incident, it looks like FBI leadership was more motivated by a general antipathy to encryption than a specific need to access particular data.

Consider the specifics of the case. Authorities could have discreetly and respectfully approached engineers for solutions to access suspected terrorist Syed Rizwan Farook's locked iPhone. After all, the FBI was eventually able to access the phone through a technical tool purchased by a private vendor. No across-the-board security-limiting technology changes needed.

But that's not what the FBI did. Instead, it engaged in a public-relations blitz against Apple to argue that government operatives needed a backdoor into all of our devices so that they could access data at their leisure. The feds pushed this issue all the way through the courts, attempting to litigate a backdoor, until it eventually turned tail when it was able to access the data without it.

An inspector general's report from March finds that the FBI "may not have been interested in researching all possible solutions" and "[delayed seeking] and obtaining vendor assistance that ultimately proved fruitful." One Bureau employee told the IG that the San Bernardino case was viewed as a "poster child" for the Going Dark crusade. As Sen. Wyden's letter points out, the report suggests that "the FBI was more interested in establishing a powerful legal precedent than gaining access to the terrorist's iPhone."

Other evidence corroborates the theory that the intelligence community used Apple as a convenient foil to promote their crusade against encryption as well. In August of 2015, a top lawyer for US intelligence urged authorities to wait for "a terrorist attack of criminal event where strong encryption can be shown to have hindered law enforcement." Officials could then take advantage of that tragedy to pull on America's heart strings and put pressure on legislators to finally mandate the backdoors for which they have long salivated. Just a few months later, San Bernardino presented a perfect opportunity.

Thankfully, there has not been another "San Bernardino" that authorities could exploit to promote their political ends. Perhaps this is why the FBI turned to numbers, instead. Without a newsworthy event to point to, FBI director Wray may have found the sky-high number of reported locked phones to be a convenient rhetorical fallback.

But even the lower figure deserves our scrutiny. The mere presence of a locked device in some investigation on its own is not very compelling. Perhaps there is no relevant information on the device. Maybe the device belonged to some suspect who was later cleared. And how many devices are associated with a single case? The lower figure that the FBI provided likely contains many such instances.

What we need to know is how many investigations were significantly hindered because authorities could not access specific data on a specific device. It's relatively rare for people to solely store data on their phone, given the rise of cloud computing. Much inference can be gleaned from metadata, which is often unencrypted. And perhaps the evidence on any particular device is redundant with other evidence, anyway.

Wyden demanded answers to these and related questions in his blistering rebuke to the FBI. Until we have more information on how many cases fall into this narrower and relevant bucket, we should take the FBI's figures with a grain a salt.

The FBI should not have inflated the number of devices that they say they cannot access. This egregious error would be especially contemptible if it was a naked lie in pursuit of a policy goal. But even if those figures were true, it wouldn't really change the Going Dark debate. Undermining encryption would make us all less secure, no matter what the justification for doing this. The FBI's recent "miscalculations" and behind-the-scenes antagonism toward security technologies suggest that the agency is unfortunately far from internalizing these truths.

NEXT: Protectionism vs. Cheap Beer

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. This is the same FBI that is being totally honest when they spy on Trump, right?

    1. Look, they were doing him a favor by spying on him, that ingrate bastard.

      1. When are you mouthbreathing neanderthals going to appreciate that our only waking thought is how to better protect and serve you?

        1. It’s a cookbook!

  2. Obvious exception to rule of Headline Asks A Question is obvious.

  3. The FBI told the Post that “programming errors” were responsible for the over-counting, since they were apparently pulling their numbers from three separate databases.

    Three databases: their butts, their asses and their sphincters.

  4. I doubt the FBI will have any problems spying on people now that they’ve successfully gotten everybody to reboot their routers to head off a Russian hacking attempt allow the FBI to install spyware on everybody’s routers.

    1. Yes, I know I’m supposed to add the “adjusts tinfoil hat” tag to the end of that, but at this point the FBI’s credibility is so thoroughly shot to hell that it doesn’t take much to suspect that if the FBI is telling everybody to reboot their routers that it might be a good idea *not* to reboot your router. Is the “Russian hacking attempt” any more credible than the “Russians hacked the DNC server” story or the “FBI thwarts a terrorist bombing (that we instigated, funded and directed because the jackass we framed had no knowledge of how to build a bomb, no means of procuring the materials and no capability of planning a bombing exercise)” or the many other lies the FBI has told about the investigation of Russian/Trump collusion?

      1. One of the most remarkable things about the whole FBI spying on Trump saga that no one seems to have noticed is how matter of fact the FBI Agent and his lawyer girlfriend were about the whole thing in the text messages. You would think the decision to spy on a Presidential candidate would be kind of a big deal and something that would give even the FBI pause. But, it appears that it didn’t. To me, that is pretty strong evidence that this wasn’t the first time they have done this. If the full truth ever comes out, which is a big if, I bet they have been spying on political enemies for a very long time.

        1. Spying on political enemies for a long time? Only since the days of good ol’ J. Edgar.

          1. Exactly. One might simply ask if the FBI ever got out of the business of spying on political enemies since we already know for a fact that this is how it was used at it’s inception. That it continues to do so is perhaps surprising, but when considering it’s history it really shouldn’t be.

      2. It’s one step away from “anyone found not to have rebooted their router will be prosecuted as an accomplice to Russian hackers, to include charges of treason, and cyberterrorism”.

        1. And it is a small step. I once heard Stewart Baker, formerly of the Bush Administration DHS and now of the Volkh Conspiracy argue that it should be a federal crime to go on the internet without updated virus software. I kid you now.

    2. Fortunately, they’re probably too incompetent to effectively spy on anyone they aren’t directly targeting.

      1. If you collect and store everything, whenever you decide to directly target someone you already have everything you need.

  5. There’s something terribly wrong with the idea that freedom isn’t worth it if it costs us a certain number of convictions.

    Jury trials, the right to remain silent, the right to an attorney, etc. presumably cost the FBI a certain number of convictions every year, as well. What other rights would the FBI have throw away because of that inconvenience?

    All of them?

    1. Ask Paul Cassell or Stewart Baker over there on the Volokh tab.

      1. I cannot believe that Volkh calls itself a Libertarian blog and then has Baker as one of its contributors. Baker isn’t necessarily a bad guy, but there is nothing Libertarian about him. Baker made his entire career claiming that safety and the threat of foreign intelligence services outweigh the privacy of Americans.

        1. I like to think that Baker represents the “loyal opposition” giving the governments side of the arguments in any debate, but I have a suspicion that there’s a certain amount of “look at us, we’ve got a big name author here”, too.

          But there’s really no excuse for giving Cassell a platform, this is a former federal judge whose major ambition is to get Miranda overturned on the grounds that it gives criminals too many ways to wiggle out of a conviction. He’s flat said that sometimes the only way to get a conviction is by sweating a confession out of a crook, betraying the prosecutorial mindset that if the cops have arrested somebody they must be guilty because why else would the cops have arrested them? If the only way to convict somebody is through a confession, isn’t that an admission that you have no other evidence, that the guy you’ve arrested is merely a *suspect*, an *alleged* criminal, and there should be at least a suspicion that the guy you’re trying to sweat a confession out of is in fact an innocent man? Not to Paul Cassell. And just to be clear on the point, this guy was a federal judge. How would you feel having to appear before him as an appellant knowing that’s his mindset?

          1. I honestly cannot understand how anyone with any experience in the practice of criminal law could deny the existence and prevalence of false confessions. I did criminal law for five years in the Army, where things are a thousand times more professional and protective of the accused than in the civilian world. And I came into it naively thinking that false confessions didn’t really happen and were just a bullshit myth invented by defense attorneys. I learned otherwise.

            It is totally legal for the police to lie to you about the evidence they have during an interrogation. The vast majority of confessions are obtained by the police lying to the suspect and telling him that they have an airtight case against him and that refusing to tell the truth will only make it worse on them. A lot of interrogations are of guilty people and this cracks the case. But a lot of them are of innocent people. And a decent number of those lie and confess to something they didn’t do because they don’t understand that the cops are lying to them and rationally see it as the best of a bad set of options. It happens all of the time. And anyone who says otherwise is either lying, willfully ignorant or just doesn’t care.

        2. Does anyone on the VC actually refer to it explicitly as a libertarian blog? I figured it was a law blog (not Bob Loblaw’s) that covered many things relevant to constitutional law and individual liberty, and thus eventually found it’s home on a libertarian website.

        3. I cannot believe that Volkh calls itself a Libertarian blog and then has Baker as one of its contributors. Baker isn’t necessarily a bad guy, but there is nothing Libertarian about him.

          To be fair, if libertarian blogs like Volokh and Reason limited themselves to only libertarian contributors, they’d only have maybe two contributors at first, and that would quickly drop to just one after the two were unable to agree on anything.

          And then they would split up and form their own blogs (with black jack and hookers), and spend all of their time flaming each other.

        4. Volokh doesn’t call itself a libertarian blog. The tagline at the top reads:

          Mostly law professors, blogging on whatever we please since 2002 ? Hosted by The Washington Post, 2014-2017 ? Hosted by Reason 2017 ? Sometimes contrarian ? Often libertarian ? Always independent

          Often =/= always.

      2. Could this “accidental miscounting” have been a purposeful ploy to undermine strong encryption?

        No, it is just the normal federal bureaucracy tactic of overstating everything to get the budget inflated. For the children.

    2. It is more than just freedom. It is safety and security. There is no way that the FBI can be trusted to keep any special backdoor they have secret. So giving the FBI a backdoor is eventually giving criminals a backdoor. This isn’t just about freedom and privacy, though those are important as well. It is also about depriving the public of the ability to protect itself from criminals. Giving the FBI a backdoor doesn’t just make us less free, it makes us less safe.

    3. It my honest opinion that many police agencies are not good at old fashion police work anymore.

      They want the easy conviction like some incriminating info found on your cell phone or they cannot collect enough evidence to get a jury to convict a defendant. Police also depend on stacking, pleas, and excessive bail to force people to avoid juries which tend to demand more police evidence than a judge in a simple plea bargain.

  6. But I am assured by many people that the FBI spies on people for their own protection. That is why they spied on Trump, right? How can the FBI protect you if it can’t read your emails?

    Sarcasm aside, of course, the FBI was lying about this. Their argument never made any sense. The encryption only stops you from reading something important if you have the right guy. And finding the right guy is kind of the whole point? To assume encryption really does prevent the FBI from prosecuting criminals and breaking up terror plots, you have to assume that terrorists and criminals encrypt information that cannot be obtained any other way and is not already discovered in the process of finding the person who owns the device in the first place. And that is just fantasy and how it works on TV but not in real life. Moreover, in the same way, that people are given reasons to tell what they know, they can also be given reasons to turn over their password. Could it make a difference? Sure, maybe if you have a terrorist who dies in the act and has a computer full of information that is encrypted with no way to find the password. Even then, it is hard to imagine there being any value in that information beyond who they were plotting with and that can be found by looking at their phone records and through other means. The whole thing is a sham.

    1. The FBIs argument also took the Us vs Them perception to a whole new level.

  7. People should be able to have access to any encryption they would like.

    If the government, even with a search warrant, cannot crack the encryption- too bad.

    There is nothing in the Constitution that dictates that the People’s choices are to be limited based on the potential need for a government search warrant under the 4th Amendment.

  8. Preserve liberty and protect the Constitution.

    Disband the FBI.

    1. The FBI was created at a time when the only other federal law enforcement agencies were the Secret Service and the US Marshalls. The FBI became what we know it today before states could quickly communicate with each other and interstate crime was a real problem. Today we have an alphabet soup of federal law enforcement agencies and states have access to databases that make the kinds of interstate crime sprees that went on in the 20s and 30s impossible. The FBI is a totally redundant organization. It is generally loathed in the LEO community and famous for showing up for a press conference to take credit for other agencies’ work.

      So, yes, the FBI needs to go. It has a long history of incompetence and abuses of the public’s trust. Take its counterterrorism and counterintelligence missions and give them to DHS. Everything else is covered and covered well by the other federal law enforcement agencies. Here we are 40 years after the Church Commission and the FBI is just as much of a threat to civil liberties and the rule of law as it ever was. I think it is long past time to declare it beyond hope and make an example of it.

      1. By quietly sweeping all the staff into other agencies? I think the FBI would manage to survive underground like a secret society.

        “Hail Hydra!”

        1. It would but it would not be a very good life. The other agencies hate the FBI. And the former FBI guys who ended up at other agencies would never have the careers they had in the FBI. If Congress would ever kill one of these agencies, any of them, it would terrify the entire executive.

      2. But teaming up with the FBI on an investigation often lets local LEOs get around restrictions on how seized assets are used, so they’ve got that going for them, which is nice.

      3. It should have been a big fucking clue that they invented the DHS to do the job that was literally the mission of the FBI.

  9. Encryption is like a gun. It’s a tool; nothing more. If you outlaw it, only outlaws will use it. If you regulate it, the burden falls solely on the law-abiding. If you try to control it in order to achieve some public safety goal, you will fail and then you will claim you need even stricter controls. Then you will repeat the process.

    It will be interesting how the gun control lobby overlaps with the encryption control lobby over the coming decades.

  10. It is easy to sympathize with investigators who work to bring criminals to justice.

    Not really. If they need to access a suspect’s encrypted device, they can get a warrant. If they’re unable to get into the device, they can get a subpoena to force the device manufacturer to unencrypt the specific phone for them. What they don’t get to do is demand that all encrypted devices have a backdoor built in so that they can access any phone they want at any time just to make their job easier. Their job is supposed to be hard. If following the legal, constitutional process means that some “bad guys” go free, so be it. Boo-fucking-hoo.

  11. >which is to say for most of you and I’s experiences on the internet.

  12. The FBI is just getting back to it’s Edgar J. days, although this assumes facts not in evidence such as the notion that they were anything other than a nefarious organization in the first place.

    Like most American bureaucracies, whatever the name of the organization, you can usually safely assume it does the opposite of what it says. Case in point, the Department of Justice has nothing to do with justice but actually involves the miscarriage of justice.

    One can only hope conservatives shed themselves of their reflexive support of these intuitions since they’re largely the tool of progressives these days. I assume most individual agents are probably good people, but the institution is largely shit. I still have trouble getting over how virtually the entire field of forensics as the FBI practices them are almost totally non-peer reviewed pseudoscience, and they lock people up with it.


  13. ” you and I’s ”

    I think the author meant “you’s and I’s”

  14. Simple because;
    there are sites right now that enable anyone to go dark.

    As much marketing of late you’d think
    encryption has been conquered. But quite the opposite as they market there own flawed products as the answer.
    The talk on irc is clear. Tech places like FreeEmailEncryption’s million bit variable encryption with replay attack
    protection is why they are scared. They are not allowed to brute force crack passwords anymore. Its over.
    The people won. It would seem spies are out of the job now and no justification of budget. Humanity has the ability now to become private again. Been decades and its a right. Cheers mates

  15. As per the usual the government wants to have all the power and fuck the peons. The government is there for us to use, not the other way around.

  16. I am amazed how quickly the whole CLIPPER CHIP issue has been forgotten and we find ourselves fighting the same battle again. The exact same argument was used to advance the argument by the Clinton Administration in 1993. It used an algorithm developed by the NSA and an unnamed agency would hold 1/2 of the decryption key in “escrow.” It was later discovered that the second half of the key could be easily derived from the key that the government held.

    The argument was made that if the government could break the cipher, so could a committed hacker or a foreign government.

    As I noted, it is amazing how quickly we have forgotten the import of the issue and are repeating the same issue 25 years later.

Please to post comments

Comments are closed.