The FBI's Anti-Encryption Campaign
The loss of public key encryption service providers would make us all more vulnerable, both physically and financially.
On April 24, the FBI's war against public key encryption technology—the kind many of us use for texting, emailing, and online banking—entered a new phase. The FBI published a notice in the Federal Register seeking public comment on its proposal to "collect data on the volume of law enforcement investigations that are negatively impacted by device and software encryption."
Tellingly, the bureau is not asking state and local law enforcement agencies how many times they were able to get into cell phones, tablets, or computers despite the presence of encryption technology. This new, skewed "data collection" rule is designed to further the FBI's longstanding "going dark" narrative: that encryption is making the bureau's job next to impossible in terms of fighting crime.
But that's a false narrative. And senior FBI officials will frequently say or do something that proves it so.
At a public meeting held in 2016 at the National Academy of Sciences, then-FBI General Counsel James Baker acknowledged that the bureau was able to get into locked mobile devices in its possession 87 percent of the time.
In December 2020, the Department of Justice (DOJ) announced the international takedown of a criminal-focused virtual private network in what the department dubbed "Operation Nova." The FBI worked with Germany, France, Switzerland, the Netherlands, and the European Union's police agency (Europol) in the operation.
In June 2021, the FBI's international Trojan Shield operation, in which the bureau ran its own encrypted device company called ANOM, resulted in more than 500 arrests globally and involved partners in Australia, New Zealand, Sweden, Lithuania, and the Netherlands, among others.
Even the FBI's overseas partners are having success in cracking encryption and targeting encryption service providers. In February of this year, Dutch authorities announced they had penetrated and shut down another encrypted phone provider, Exclu.
Many major tech companies actually collude with the FBI and other law enforcement agencies, despite ritualistic pronouncements from them about their commitment to user privacy. In a December 2021 piece on Just Security, longtime security researcher Riana Pfefferkorn put it bluntly:
"Given the FBI's years-long campaign against encryption, it makes a strange bedfellow to the encrypted service providers it has condemned by name in public speeches. But service providers and the FBI both benefit from a popular misconception that underestimates the user data available to investigators from certain [end-to-end encryption] services. That misapprehension simultaneously maintains the providers' image in the eyes of privacy-conscious users while upholding the FBI's narrative that it's "going dark" in criminal investigations due to encryption."
The phone-cracking company Cellebrite actively advertises its success in cracking encryption on Apple and Android devices, citing worldwide law enforcement partners. The very existence of such services undermines the entire rationale for encryption "backdoors"—and the FBI's new and misleading buzzword, "lawful access."
Further, the FBI's obsession with undermining public key encryption has the potential to put its own agents and staff at risk.
As Moxie Marlinspike, the founder of the encrypted messenger app Signal, noted in April 2021, Cellebrite's own software is vulnerable to exploitation. Hostile intelligence services or drug cartels could manipulate the software to ensure any phones captured by Cellebrite's law enforcement partners will, in turn, infect partners' devices. The hunters would then become the prey.
The bureau also faces fundamental legal and constitutional problems with trying to get Congress to help it compromise public key encryption.
In its 1999 decision in Bernstein v. DOJ et al, the 9th Circuit Court of Appeals upheld district court rulings that said attempts by the Departments of State and Commerce to require licensing of encryption software represented an unconstitutional prior restraint on a professor's speech—in effect ruling that "code equals speech." The ruling referred specifically to the source code underpinning encryption software.
Further, government attempts to statutorily mandate encryption "backdoors" involve forcing encryption service providers to build products that are, by definition, defective—creating an inherent liability risk that would be borne not by the government, but by the encryption product/service providers. Setting aside questions of the legality of such legislation, if it were passed and actually upheld by federal courts, an encryption product company/service provider might elect to cease operations rather than run the risk of unwinnable consumer lawsuits under prevailing product liability laws.
The loss of public key encryption service providers would make us all more vulnerable, both physically and financially. The notion that such "backdoors" could be kept safe in government or even corporate hands doesn't pass the laugh test.
Indeed, there are only two kinds of I.T. systems on this planet: those that have been breached, and those that will be breached. It is difficult enough to write secure code or otherwise keep cyberattackers at bay without deliberately injecting vulnerabilities into the coding process. See the breaches of the U.S. Office of Personnel Management, the Department of Energy, and LastPass as examples.
The American Founders used encryption, sending secret messages incorporating codes only they knew. If the Founders thought public use of encryption was at odds with other principles of the Constitution, they would've included a ban on it or a "lawful access" provision in the Fourth Amendment. They didn't.
If Congress abets the FBI's quest to destroy public key encryption in an effort to solve a discrete number of crimes, it will only make us all—including law enforcement officers and their families—more vulnerable to a vastly greater range of crimes in the future. That's a tradeoff none of us can afford.
“If Congress abets the FBI’s quest to destroy public key encryption in an effort to solve a discrete number of crimes, it will only make us all—including law enforcement officers and their families—more vulnerable to a vastly greater range of crimes in the future. That’s a tradeoff none of us can afford.”
Hey, if you don’t have anything to hide….whataya got to worry about, right?
Exactly, only paranoid conspiracy theorists would think the FBI/DHS would change the meaning of terrorist to include angry parents.
Without PKI the entirety of the web shopping experience just dies. The end. And if the channels to safely encrypt transactions exist, people can use them to send messages. The end.
This quest is 100% doomed.
make us all more vulnerable, both physically and financially?
That’s the plan.
Is Reason being critical of the FBI? This is unpossible. Reason loves the FBI because the organization has been weaponized by Democrats against Republicans. That means this article does not exist.
Poor sarc.
The sad drunk is always telling everyone how independent he is.
Does he think people don’t take notice?
Guys, if you want to avoid this, just remember to put the FBI on copy when you send an email.
In a December 2021 piece on Just Security, longtime security researcher Riana Pfefferkorn put it bluntly
Awwww. I remember when Riana was just an undergrad. 😀 <3
So a lot of I’m an expert because I say I am
My proposed solution is to disband the FBI.
The FBI can kiss my patootie. Whatever they outlaw, I can defeat with steganography, which conceals that information is embedded in an innocent-looking sound or image file.
So the notice says “Comments are encouraged and will be accepted for 60 days until June 23, 2023.” Not much time, but hey this is a high tech topic so of course you can just click the submit a formal comment button and…..
It tells you that “Submitting a formal comment directly via federalregister.gov is not available for this document at this time. However, you can click the button below to view more information on alternate methods of comment submission.”
Click on that button and it tells you “If you have additional comments especially on the estimated public burden or associated response time, suggestions, or need a copy of the proposed information collection instrument with instructions or additional information, please contact Edward Abraham, Unit Chief, Federal Bureau of Investigation, Criminal Justice Information Services Division, Module D–1, 1000 Custer Hollow Road, Clarksburg, West Virginia 26306 (phone: 304–625–4830).”
So if we want to make comments we have to contact this one guy before we can even find out how to do so, we had 60 days from posting to do it (now 45 days), and they also appear to be trying to direct comments away from criticism of the likely use of this information and towards issues like public burden where they have pat answers.
It’s almost as though they want to avoid comments, and want ones they do get to be easily dismissible, thus allowing them to say the public has no real concerns about what the FBI is doing to undermine encryption.
I’m surprised Mr. Eddington didn’t say something about this.
In the last few years the FBI fighting crime is basically non-existent. Their time is spent going after the Dems conservative du jour. This is just an effort to take away one of the last tools of privacy we have. It’s all smoke and mirrors, lies and bullshit. Hope it doesn’t happen.