Moving Beyond Backdoors To Solve The FBI's 'Going Dark' Problem
from the though-it-seems-the-FBI-should-be-doing-more-to-solve-it... dept
Former FBI Director James Comey stated on more than one occasion that he'd like to have an "adult conversation" about device encryption. He wasn't sincere. What he actually meant was he'd like to have all the "smart people" in the tech world solve his problems for him, either by capitulating to his requests for encryption backdoors or by somehow crafting the impossible: a secure backdoor.
Comey is gone, but his legacy lives on. The FBI wants to keep the "going dark" narrative alive. Deputy Attorney General Rod Rosenstein has already asked Congress for $21 million in "going dark" money, supposedly to help the agency explore its options.
The problem is, the options could be explored for a much lower price. Kevin Bankston offers up a few solutions -- or at least a few improved adult conversational gambits -- for the low price of $free over at Lawfare. The starting point is Comey's "adult conversation" talking point. Bankston points out you can't hold an adult conversation if you refuse to act like one.
Recently in Slate I responded to Comey’s repeated calls for an “adult conversation” on this seemingly endless debate. I replied that an “adult conversation” means moving past any discussion of discouraging or undermining the deployment of unbreakable encryption, in light of the broad consensus outside of the FBI that such a move would be dangerously bad policy. Rather than continuing to argue about whether or how we might force encryption technology to adapt to law enforcement’s needs, our time would be better spent focusing on how we can help law enforcement adapt to the technology.
This is a point many have tried to make, but Comey refused to listen. Let's stop talking about crafting magical backdoors and accept the fact it just isn't possible. Once this is accepted, everyone can move on. Plenty of options remain for law enforcement and, with the exception of the usual post-terrorist attack calls for backdoors, no one is really pushing backdoor legislation. Legislators are well-aware of the fact that weakening encryption causes far more problems than it solves and asks citizens to sacrifice their safety and security for the good of the nation a single federal law enforcement agency.
Bankston moves the discussion forward by discussing three areas the FBI could explore. The first involves lawful device hacking, which uses exploits and/or external hardware/software to access the content of locked devices. This sounds more nefarious than it actually is (vulnerability disclosure concerns aside). Basically, this just means doing what the FBI did to open up the iPhone seized in the San Bernardino shooting case.
The main problem Comey had with this approach is that it wouldn't scale. But that's kind of the point.
[T]he objection that hacking will never give law enforcement as much access as would a backdoor into or a ban on user-controlled encryption misunderstands the problem we’re trying to solve. The societal goal here is not to ensure that law enforcement can access every piece of data it might ever seek, but that it can get enough information to do its job, and hacking is certainly a part of the solution.
This route also involves legislation, both to define the limits of lawful hacking as well as to act as oversight for these activities. Obviously, both of these are things Congress doesn't do all that well: oversight and writing computer laws. So, there will be concerns that need to be addressed, but hacking is a far better solution than legislated backdoors or judicial precedent that does the same thing by allowing a 1789 law to govern access to smartphones and other locked devices.
Another key area Bankston addresses is the tech curve itself. Law enforcement often laments it's losing the Tech War to the bad guys. It's not as though this needs to be a foregone conclusion. Criminal minds are rarely the brightest minds. Even though the same could be said for law enforcement minds, the good guys do have a distinct advantage: the ability to coordinate talent and expertise for the benefit of all agencies. That, and a mostly cooperative bunch of tech companies that still want to help the good guys beat the bad guys.
Another key aspect of upping government investigators’ tech game is making sure that they all know exactly what data they can lawfully obtain from internet companies today, without any new technical mandates. That means we need companies to step up and educate law enforcement and everyone else about the data they have—all of it, and not just the data they typically offer as matter or course in response to legal process.
It's not like there's only one path to data and communications stored on a suspect's phone. Almost everything is backed up somewhere else by service providers. Concerns about users' privacy will need to be addressed by everyone involved, starting with a revamping of the Third Party Doctrine. But tech companies will also need to be more honest with their customers, letting them know exactly what's being stored outside of their devices and what law enforcement needs to have (warrant, subpoena, etc.) before the company turns over information.
[C]omprehensive transparency to law enforcement and the public about what data the companies are creating and storing is the only way that policymakers or the market will ever be able to enforce any real accountability over those practices, and I think (or at least hope) that the overall benefit to consumers’ privacy from that accountability will balance out the harmful effects of giving the government a full menu of data.
The final aspect Bankston addresses is obtaining data and communications stored overseas. Much of this is academic now that jurisdiction limitations have been removed by the recent Rule 41 changes. Unfortunately, there's little positive to note here. Mutual assistance treaties take too long to be of much use (6-12 months for compliance) and there being little direct translation of civil liberties between participating countries makes this even more difficult.
Unfortunately, as Bankston points out, American exceptionalism doesn't seem to be working out in our favor. It appears President Trump is trying to work out an exclusive deal with the UK to make this process easier. But "easier" just means more collateral damage to civil liberties and privacy on both sides of the pond. This may work in law enforcement's favor, but it's hardly the best solution to "going dark," seeing as it ignores 99% of the stakeholders (citizens) to give each government what it wants.
The answers aren't easy and they will involve compromises not everyone will be happy with. But it's far better than taking the FBI's approach, which appears to be demanding concessions from every tech company it might have to deal with. The discussion does need to push forward, with or without the FBI's input. It can't stay hung up where it is now, due to Comey's stubborn refusal to ask for anything but the impossible.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, encryption, fbi, going dark
Reader Comments
Subscribe: RSS
View by: Time | Thread
Right, it doesn't sound so bad when you brush aside the major concern with it. Let's also ignore some years of evidence of the government's shockingly fluid interpretations of "lawful".
I might say they take long enough. The difficulty is not a bug.
Maybe just on the UK side, if extradition law is any indication.
[ link to this | view in chronology ]
Give them an inch and they'll demand a mile
That means we need companies to step up and educate law enforcement and everyone else about the data they have—all of it, and not just the data they typically offer as matter or course in response to legal process.
A distinct problem with the 'go all in helping law enforcement' idea is that going back to the San Bernardino case Apple actually had the fact that they were willing to be helpful in the past used against them. 'They helped us before, and now they're not, clearly they need to be forced to help.'
Given I highly doubt such a 'we deserve anything we want' mindset was a temporary thing the issue with tech companies going out of their way to do more than they have to is that there will always be demands for them to do more. 'You gave us A and B when you only had to hand over A, so what about handing over C and D while you're at it?'
If the ones calling for broken encryption were capable of having an adult conversations and accepting 'No' as an answer then this wouldn't be nearly as big of an issue, and my concern is that tech would give concessions and try to be helpful while law enforcement would simply take it as what they were owed... and then demand more, and more, and more.
[ link to this | view in chronology ]
Adult conversations?
[ link to this | view in chronology ]
Re: Adult conversations?
[ link to this | view in chronology ]
Re: Adult conversations?
[ link to this | view in chronology ]
Reality
There is a class of smart, organized and tech savvy criminals. Banning consumer encryption doesn't do much good because criminals tend to break laws. They'll use the many strong encryption products already available or create their own. Isis, for example, developed their own product. You may be able to outlaw the product but math is here to stay.
It wastes a lot of time and effort dwelling on the impossible rather than moving forward with strategies that work around limitations. Just because we can't cure cancer outright doesn't mean we stop moving forward in the interim, treating it successfully by attacking it indirectly.
Law enforcement often doubles down on unsuccessful programs for years and even decades. Maybe it's time to replace ego and self-interest with genuine dedication to the public good. It would be a novel approach at least.
[ link to this | view in chronology ]
Re: Reality
[ link to this | view in chronology ]
Re: Reality
The problem for law enforcement is that that requires that they make connection with the people that they are policing, rather than treating everybody as criminals.
[ link to this | view in chronology ]
Look, you can commit any crime you want without a cell phone. And there are vanishingly-few crimes that you can commit WITH one--it's not heavy enough or sharp enough to be a useful weapon, and anything you say into it is speech to a particular person (which given the U.S. Constitution is hardly ever a crime.) Nobody ever charged into a bank wearing ski masks and wielding cell phones--"Everybody freeze, this thing has a 1.4 f-Stop and I'm not afraid to use it."
They're only looking at the cell phone because they think that the criminal is stupid enough to use it to collect evidence against himself--in other words, it's always and only a fishing expedition.
[ link to this | view in chronology ]
Re:
To be fair, they're usually not wrong. But, the basic protections for the rest of us should remain. In the past, "we think the criminal wrote details of his crime in his diary" wasn't an excuse to raid his home, so modern mistakes shouldn't be an excuse to bypass protections today either.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
It is more than a decade to late to make a difference
[ link to this | view in chronology ]
All intelligence chiefs belong in jail
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Law enforcement is seemingly willfully naive of the fact that the internet has created a huge data set that previously didn't exist. They're not being restricted by the internet, they're being given more opportunities.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Hacking is just as bad if not...
In case you wonder how this approach will play out you may want to turn your attention to Germany, where the parliament just made it legal for law enforcement to gain access to your communications by utilizing Trojans.
All in the name of keeping us safe.
From what I learned over the years in IT however, Trojans never boosted anyone's security or privacy for that matter.
Though they make encryption a non-issue.
[ link to this | view in chronology ]
Re: Hacking is just as bad if not...
Due to the high burden, it isn't like Joe Beat Cop can use his hacking arsenal on his girlfriend... this isn't a Sting Ray you can just throw in your squad car and drive down to her house... it would be way too difficult and costly to implement. They'll have to save this as a 'nuclear' option.
End of the day, it makes us more safe, gives police another tool that will have oversight (compelled due to complexity and security).
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: going dark is a myth.
[ link to this | view in chronology ]
"Backdoors" are most useful for snooping on the honest, innocent people
[ link to this | view in chronology ]