Is the FBI Trying to Bolster Its War on Cryptography?
Was their miscount of unlockable phones truly a mistake or part of an agenda?
If you were to take law enforcement at its word, you would believe that the encryption techniques that secure our data actually end up serving criminals who would do us harm. For the past few years, the FBI and other authorities have revived the "War on Crypto" because they say it prevents them from accessing devices that they need to bring killers and terrorists to justice.
FBI director Christopher Wray has been fond of claiming that the Bureau was locked out of some 7,775 devices last year. In January, he argued that "being unable to access nearly 7,800 devices in a single year is a major public safety issue."
It turns out that the FBI wildly inflated those figures, according to the Washington Post. The Bureau still doesn't know the exact number of devices that have apparently been so central in the miscarriage of justice. If previous numbers are to be believed—which have hovered around 700 to 800 devices—the true number is probably closer to 1,000.
The FBI told the Post that "programming errors" were responsible for the over-counting, since they were apparently pulling their numbers from three separate databases. But that excuse seems awfully convenient, given the agency's recent antagonism towards security technologies.
Sen. Ron Wyden (D-Ore.) issued a scathing letter to the FBI in response to their admission of error, chiding that because the FBI is "struggling with basic arithmetic" it should "not be in the business of dictating the design of advanced cryptographic algorithms." He pointedly noted that such a major miscalculation could either be the product of "sloppy work" or something more nefarious: "pushing a legislative agenda."
Could this "accidental miscounting" have been a purposeful ploy to undermine strong encryption? A review of the FBI's recent public and behind-the-scenes activities certainly makes it look that way. The agency has been engaged in an all-out public war on encryption using emotional rhetoric to push for the access into our devices they have long sought.
Encryption technologies have been a chief bugaboo of America's top feds for about as long as these security technologies have been available to the public, which is to say for most of you and I's experiences on the internet. In the 90's, authorities argued that strong encryption techniques were a kind of munition, and tried to prevent computer scientists from deploying security measures. Thankfully, the computer scientists won the previous battles over public-key encryption.
But the question of device encryption has taken on a new political urgency following the high-profile attacks in San Bernardino in December of 2015. With the so-called "Going Dark" problem, authorities argue that the measures that keep our phones secure can prevent them from accessing critical data in an investigation. Thus, they want technology companies to build special government access into our phones, called a "backdoor."
It is easy to sympathize with investigators who work to bring criminals to justice. But unfortunately, with the San Bernardino incident, it looks like FBI leadership was more motivated by a general antipathy to encryption than a specific need to access particular data.
Consider the specifics of the case. Authorities could have discreetly and respectfully approached engineers for solutions to access suspected terrorist Syed Rizwan Farook's locked iPhone. After all, the FBI was eventually able to access the phone through a technical tool purchased by a private vendor. No across-the-board security-limiting technology changes needed.
But that's not what the FBI did. Instead, it engaged in a public-relations blitz against Apple to argue that government operatives needed a backdoor into all of our devices so that they could access data at their leisure. The feds pushed this issue all the way through the courts, attempting to litigate a backdoor, until it eventually turned tail when it was able to access the data without it.
An inspector general's report from March finds that the FBI "may not have been interested in researching all possible solutions" and "[delayed seeking] and obtaining vendor assistance that ultimately proved fruitful." One Bureau employee told the IG that the San Bernardino case was viewed as a "poster child" for the Going Dark crusade. As Sen. Wyden's letter points out, the report suggests that "the FBI was more interested in establishing a powerful legal precedent than gaining access to the terrorist's iPhone."
Other evidence corroborates the theory that the intelligence community used Apple as a convenient foil to promote their crusade against encryption as well. In August of 2015, a top lawyer for US intelligence urged authorities to wait for "a terrorist attack of criminal event where strong encryption can be shown to have hindered law enforcement." Officials could then take advantage of that tragedy to pull on America's heart strings and put pressure on legislators to finally mandate the backdoors for which they have long salivated. Just a few months later, San Bernardino presented a perfect opportunity.
Thankfully, there has not been another "San Bernardino" that authorities could exploit to promote their political ends. Perhaps this is why the FBI turned to numbers, instead. Without a newsworthy event to point to, FBI director Wray may have found the sky-high number of reported locked phones to be a convenient rhetorical fallback.
But even the lower figure deserves our scrutiny. The mere presence of a locked device in some investigation on its own is not very compelling. Perhaps there is no relevant information on the device. Maybe the device belonged to some suspect who was later cleared. And how many devices are associated with a single case? The lower figure that the FBI provided likely contains many such instances.
What we need to know is how many investigations were significantly hindered because authorities could not access specific data on a specific device. It's relatively rare for people to solely store data on their phone, given the rise of cloud computing. Much inference can be gleaned from metadata, which is often unencrypted. And perhaps the evidence on any particular device is redundant with other evidence, anyway.
Wyden demanded answers to these and related questions in his blistering rebuke to the FBI. Until we have more information on how many cases fall into this narrower and relevant bucket, we should take the FBI's figures with a grain a salt.
The FBI should not have inflated the number of devices that they say they cannot access. This egregious error would be especially contemptible if it was a naked lie in pursuit of a policy goal. But even if those figures were true, it wouldn't really change the Going Dark debate. Undermining encryption would make us all less secure, no matter what the justification for doing this. The FBI's recent "miscalculations" and behind-the-scenes antagonism toward security technologies suggest that the agency is unfortunately far from internalizing these truths.