Encryption

The FBI's Anti-Encryption Campaign

The loss of public key encryption service providers would make us all more vulnerable, both physically and financially.

|


On April 24, the FBI's war against public key encryption technology—the kind many of us use for texting, emailing, and online banking—entered a new phase. The FBI published a notice in the Federal Register seeking public comment on its proposal to "collect data on the volume of law enforcement investigations that are negatively impacted by device and software encryption."

Tellingly, the bureau is not asking state and local law enforcement agencies how many times they were able to get into cell phones, tablets, or computers despite the presence of encryption technology. This new, skewed "data collection" rule is designed to further the FBI's longstanding "going dark" narrative: that encryption is making the bureau's job next to impossible in terms of fighting crime. 

But that's a false narrative. And senior FBI officials will frequently say or do something that proves it so.

At a public meeting held in 2016 at the National Academy of Sciences, then-FBI General Counsel James Baker acknowledged that the bureau was able to get into locked mobile devices in its possession 87 percent of the time.

In December 2020, the Department of Justice (DOJ) announced the international takedown of a criminal-focused virtual private network in what the department dubbed "Operation Nova." The FBI worked withGermany, France, Switzerland, the Netherlands, and European Union's police agency (Europol) in the operation.

In June 2021, the FBI's international Trojan Shield operation, in which the bureau ran its own encrypted device company called ANOM, resulted in more than 500 arrests globally and involved partners in Australia, New Zealand, Sweden, Lithuania, and the Netherlands, among others. 

Even the FBI's overseas partners are having success in cracking encryption and targeting encryption service providers. In February of this year, Dutch authorities announced they had penetrated and shut down another encrypted phone provider, Exclu.

Many major tech companies actually collude with the FBI and other law enforcement agencies, despite ritualistic pronouncements from them about their commitment to user privacy. In a December 2021 piece on Just Security, longtime security researcher Riana Pfefferkorn put it bluntly:

"Given the FBI's years-long campaign against encryption, it makes a strange bedfellow to the encrypted service providers it has condemned by name in public speeches. But service providers and the FBI both benefit from a popular misconception that underestimates the user data available to investigators from certain [end-to-end encryption] services. That misapprehension simultaneously maintains the providers' image in the eyes of privacy-conscious users while upholding the FBI's narrative that it's "going dark" in criminal investigations due to encryption."

The phone-cracking company Cellebrite actively advertises its success in cracking encryption on Apple and Android devices,citing worldwide law enforcement partners. The very existence of such services undermines the entire rationale for encryption "backdoors"—and the FBI's new and misleading buzzword, "lawful access."

Further, the FBI's obsession with undermining public key encryption has the potential to put its own agents and staff at risk.

As Moxie Marlinspike, the founder of the encrypted messenger app Signal, noted in April 2021, Cellebrite's own software is vulnerable to exploitation. Hostile intelligence services or drug cartels could manipulate  the software to ensure any phones captured by Cellebrite's law enforcement partners will, in turn, infect partners' devices. The hunters would then become the prey.

The bureau also faces fundamental legal and constitutional problems with trying to get Congress to help it compromise public key encryption. 

In its 1999 decision in Bernstein v. DOJ et al, the 9th Circuit Court of Appeals upheld district court rulings that said attempts by the Departments of State and Commerce to require licensing of encryption software represented an unconstitutional prior restraint on a professor's speech—in effect ruling that "code equals speech." The ruling referred specifically to the source code underpinning encryption software.

Further, government attempts to statutorily mandate encryption "backdoors" involves forcing encryption service providers to build products that are, by definition, defective—creating an inherent liability risk that would be borne not by the government, but the encryption product/service providers. Setting aside questions of the legality of such legislation, if it were passed and actually upheld by federal courts, an encryption product company/service provider might elect to cease operations rather than run the risk of unwinnable consumer lawsuits under prevailing product liability laws.

The loss of public key encryption service providers would make us all more vulnerable, both physically and financially. The notion that such "backdoors" could be kept safe in government or even corporate hands doesn't pass the laugh test.

Indeed, there are only two kinds of I.T. systems on this planet: those that have been breached, and those that will be breached. It is difficult enough to write secure code or otherwise keep cyberattackers at bay without deliberately injecting vulnerabilities into the coding process. See the breaches of the U.S. Office of Personnel Management, the Department of Energy, and LastPass as examples.

The American Founders used encryption, sending secret messages incorporating codes only they knew. If the Founders thought public use of encryption was at odds with other principles of the Constitution, they would've included a ban on it or a "lawful access" provision in the Fourth Amendment. They didn't.

If Congress abets the FBI's quest to destroy public key encryption in an effort to solve a discreet number of crimes, it will only make us all—including law enforcement officers and their families —more vulnerable to a vastly greater range of crimes in the future. That's a tradeoff none of us can afford.