FBI Says Device Encryption Is 'Evil' And A Threat To Public Safety
from the thanks,-g-men.-we'll-take-it-under-advisement. dept
The FBI continues its anti-encryption push. It's now expanded past Director Christopher Wray to include statements by other FBI personnel. Not that Chris Wray isn't taking every opportunity he can to portray personal security as a threat to the security of the American public. He still is. But he's no longer the only FBI employee willing to speak up on the issue.
Wray expanded his anti-encryption rhetoric last week at a cybersecurity conference in New York. In short, encryption is inherently dangerous. And the FBI boss will apparently continue to complain about encryption without offering any solutions.
The Federal Bureau of Investigation was unable to access data from nearly 7,800 devices in the fiscal year that ended Sept. 30 with technical tools despite possessing proper legal authority to pry them open, a growing figure that impacts every area of the agency's work, Wray said during a speech at a cyber security conference in New York.
The FBI has been unable to access data in more than half of the devices that it tried to unlock due to encryption, Wray added.
"This is an urgent public safety issue," Wray added, while saying that a solution is "not so clear cut."
The solution is clear cut, even if it's not workable. What Wray wants is breakable encryption. And he wants companies to do the work and shoulder the blame. Wray wants to be able to show up at Apple's door with a warrant and walk away with the contents of someone's phone. How that's accomplished isn't really his problem. And he's not intellectually honest enough to own the collateral damage backdoored encryption would cause. But that's how Wray operates. He disparages companies, claiming encryption is all about profit and the government is all about caring deeply for public safety. Both statements are dishonest.
But Wray isn't the only FBI employee taking the move to default encryption personally. And the others commenting are taking the rhetoric even further, moving towards personal attacks.
On Wednesday, at the International Conference on Cyber Security in Manhattan, FBI forensic expert Stephen Flatley lashed out at Apple, calling the company “jerks,” and “evil geniuses” for making his and his colleagues' investigative work harder. For example, Flatley complained that Apple recently made password guesses slower, changing the hash iterations from 10,000 to 10,000,000.
That means, he explained, that “password attempts speed went from 45 passwords a second to one every 18 seconds,” referring to the difficulty of cracking a password using a “brute force” method in which every possible permutation is tried.
[...]
“At what point is it just trying to one up things and at what point is it to thwart law enforcement?" he added. "Apple is pretty good at evil genius stuff."
This is great. Apple is now an "evil genius" because it made stolen iPhones pretty much useless to thieves. Sure, the device can be sold but no one's going to be able to drain a bank account or harvest a wealth of personal information. This was arguably in response to law enforcement (like the FBI!) complaining cellphone makers like Apple were assholes because they did so little to protect users from device theft. And why should they, these greedy bastards? Someone's phone gets stolen and the phone manufacturer now has a repeat customer.
Encryption gets better and better, limiting the usefulness of stolen devices and now Apple is an "evil genius" engaged in little more than playing keepaway with device contents. Go figure.
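The slowdown Flatley complains about is key stretching: every guess has to pay for the full iteration count, so raising the count raises the cost of each attempt for anyone holding a stolen device. As an added illustration (not code from the article, the FBI or Apple), the sketch below uses PBKDF2-HMAC-SHA256 as an assumed stand-in for the unnamed hash and works out worst-case exhaustion times at the two quoted guess rates; the passcode formats are assumptions chosen for the example.

```python
import hashlib
import time
from fractions import Fraction

# Figures quoted in the article.
OLD_ITERATIONS = 10_000
NEW_ITERATIONS = 10_000_000
OLD_RATE = Fraction(45)      # guesses per second before the change
NEW_RATE = Fraction(1, 18)   # one guess every 18 seconds after it

# Assumed passcode formats (not from the article): name -> (alphabet size, length).
FORMATS = {
    "4-digit PIN": (10, 4),
    "6-digit PIN": (10, 6),
    "6-char lowercase+digits": (36, 6),
    "8-char lowercase+digits": (36, 8),
}


def derive_key(passcode, salt, iterations):
    """Stretch a passcode into a 32-byte key (PBKDF2 is an assumed stand-in KDF)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, iterations)


def seconds_per_guess(iterations, trials=3):
    """Time one derivation on this machine; best of `trials` to reduce noise."""
    salt = b"constructed-salt"  # constructed sample value
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_key("000000", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def keyspace(alphabet_size, length):
    """Number of distinct passcodes of exactly `length` symbols."""
    return alphabet_size ** length


def worst_case_seconds(space, guesses_per_second):
    """Seconds needed to try every passcode in the space at a fixed rate."""
    return Fraction(space) / guesses_per_second


def quoted_slowdown():
    """Slowdown factor implied by the two guess rates quoted in the article."""
    return OLD_RATE / NEW_RATE


def human(seconds):
    """Render a duration using the largest unit that fits."""
    seconds = float(seconds)
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def estimate_table():
    """Worst-case exhaustion time per format: (at the old rate, at the new rate)."""
    rows = {}
    for name, (alphabet, length) in FORMATS.items():
        space = keyspace(alphabet, length)
        rows[name] = (
            human(worst_case_seconds(space, OLD_RATE)),
            human(worst_case_seconds(space, NEW_RATE)),
        )
    return rows


if __name__ == "__main__":
    # Cost per guess grows roughly linearly with the iteration count.
    t_small = seconds_per_guess(10_000)
    t_large = seconds_per_guess(100_000)
    print(f"10x more iterations -> {t_large / t_small:.1f}x more time per guess")
    print(f"iteration ratio: {NEW_ITERATIONS // OLD_ITERATIONS}x, "
          f"quoted rate slowdown: {float(quoted_slowdown()):.0f}x")
    for name, (old, new) in estimate_table().items():
        print(f"{name:26s} old: {old:>14s}   new: {new:>14s}")
```

The quoted rates work out to an 810-fold slowdown, in the same range as the 1,000-fold increase in iterations. A short numeric PIN still falls within days at the slower rate, so the iteration count only pays off in combination with a longer passcode.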
The FBI's phone hacker did have some praise for at least one tech company: Cellebrite. The Israeli hackers were rumored to have helped the FBI get into San Bernardino shooter Syed Farook's phone after a failed courtroom showdown with Apple. The FBI ended up with nothing -- no evidence on the phone and no court precedent forcing companies to hack away at their own devices anytime the government cites the 1789 All Writs Act.
Now we're supposed to believe device makers are the villains and the nation's top law enforcement agency is filled with unsung heroes just trying to protect the public from greedy phone profiteers. I don't think anyone believes that narrative, possibly not even those trying to push it.
Filed Under: chris wray, encryption, fbi, going dark, stephen flatley
Companies: apple
Reader Comments
Re:
It would be interesting to know how many of those are duplicates. (multiple devices per case), as well as how many resulted in contempt of court citations.
7800 is small enough to collate in a spread sheet. Frankly I think making such a declaration was a mistake. Nationally it really isn't that big of a number. And if they are pissed about 7800 units, they are going to go completely batshit about what is coming down the pike.
Hard crypto is going to be the rule, not the exception.
[ link to this | view in chronology ]
Encryption for me not for thee
[ link to this | view in chronology ]
Truth is Optional
The only thing that matters to corrupt officials is the wishes of their `owners'.
Just as they're not willing to call a backdoor a backdoor, they're not willing to admit their push for "New Slavery".
[ link to this | view in chronology ]
With 'friends' like these...
The Federal Bureau of Investigation was unable to access data from nearly 7,800 devices in the fiscal year that ended Sept. 30 with technical tools despite possessing proper legal authority to pry them open, a growing figure that impacts every area of the agency's work, Wray said during a speech at a cyber security conference in New York.
Meanwhile I feel very safe in assuming that effective, working encryption has protected vastly more than 7,800 devices from various criminals, protecting people from having personal and/or valuable information stolen in addition to having their property stolen, but of course the FBI would rather overlook that little tidbit.
The FBI has been unable to access data in more than half of the devices that it tried to unlock due to encryption, Wray added.
Which completely killed the relevant cases, because the only evidence they had was located on the devices, right? The only thing standing between them and a conviction was access to a particular device, rather than say it possibly making the cases/investigations easier?
"This is an urgent public safety issue," Wray added, while saying that a solution is "not so clear cut."
He's partially correct, but not in the way he means. Having the FBI and other government agencies attacking a critical security feature that millions depend on is most certainly an 'urgent public safety issue', however it's not caused by the tech companies, but rather by him and others like him.
As for the second half the solution is in fact very 'clear cut', and is extremely simple:
Stop attacking the security millions depend on to protect themselves.
Stop trying to vilify an extremely important security measure simply because you don't like the fact that you can't get access to everything simply by demanding it.
Stop trying to hand the public to criminals country-wide by making their personal devices vastly less secure.
In short: Stop trying to make the 'job' of criminals easier just because it would make fulfilling your desires easier too.
[ link to this | view in chronology ]
Re: With 'friends' like these...
Stop trying to make the 'job' of criminals easier just because it would make fulfilling your desires easier too.
Except that it wouldn't do even that. The existence of secure encryption depends on the laws of mathematics not the policies of Apple. Even if Apple only offered backdoored encryption serious criminals would still be able to deploy their own encryption. Only the low hanging fruit would be affected - and they usually leave plenty of other evidence to work with.
As for San Bernardino - well the two main perpetrators were already dead, and it has been shown time and again that these Islamic plots don't depend on sophisticated support networks. So why bother? There was nothing that the FBI could have "cracked" and this was blatantly obvious from the very start.
These attacks are triggered by information which is propagated in plain sight via the various Islamic scriptures. The way to combat them is to take on the ideology in the public square.
[ link to this | view in chronology ]
Re: Re: With 'friends' like these...
Except that it wouldn't do even that.
Ah, but you see that's where the distinction between 'job' and 'desire' comes into play, and it's why I used the latter rather than the former. Crippling encryption would make their desire to be able to access any device simply by issuing a demand for access vastly easier, however it would make their jobs much harder by causing an absolute explosion of crime thanks to said crippled encryption.
Their desires are in conflict with their jobs, but they are aligned with the desires of enormous amounts of criminals who have got to be positively salivating over the idea of millions of people forced to use broken encryption.
[ link to this | view in chronology ]
Re: Re: Re: With 'friends' like these...
I still think that it wouldn't really satisfy their desires - but I'll concede that it would satisfy what they currently believe their desires to be.
In other words it's what they currently think that they want - but if they got it they would quickly realise that it isn't what they actually want.
[ link to this | view in chronology ]
Re: With 'friends' like these...
The FBI is interested in catching as many criminals as possible, therefore these criminals must have victims, and anything that protects people from being victims leads to no criminals the FBI can arrest.
This only sounds half bad if it's about encryption, but as it happens, the same happens with child abuse -- the FBI is actually interested in children being victims to abuse, just to arrest the perpetrators.
Something has gone very, very wrong with the FBI.
[ link to this | view in chronology ]
Re: With 'friends' like these...
Start... doing your damned job and put the criminal gangs, and their paymasters (who might turn out to be the leaders of certain 3-letter US government agencies) out of business. Millions of taxpayers' private records lost in the last decade with crippling financial consequences for some, and you've got the nerve to whine about encryption? You know, on second thought, why don't you just look for another job?
[ link to this | view in chronology ]
Hmm.. I actually think law enforcement has greatly overstepped its authority and acts generally like a bunch of voyeur thugs in a criminal gang towards citizens that are lucky if they don't come out of the interaction dead.
Sadly.
[ link to this | view in chronology ]
Re:
/s
[ link to this | view in chronology ]
At the point where there are more law enforcement agents blocked than criminals who are stopped by the technology.
Since, at present levels, that would require an astounding number of new federal employees, I think we're safe in saying that we're not at that point just yet.
[ link to this | view in chronology ]
Re: Replace encryption and guns and there would be a revolution.
Wow, just 136 minutes before someone tried to draw a parallel with guns ...
[ link to this | view in chronology ]
Re: Re: Replace encryption and guns and there would be a revolution.
Also, guns are tools of destruction, yes; so are dynamite and chainsaws. Destruction can be useful for certain purposes. Just because one could use a gun or a power drill to hurt someone doesn't mean one will. They are tools, and I would think the issue is the people using the tool as opposed to the tool itself.
[ link to this | view in chronology ]
The Parallel between Guns and Encryption
Both are tools that, in the hands of the public, empower it against the state.
The FBI won't say that disarming the public would serve its interest in preserving the current regime, but plenty of law enforcement have said exactly that.
FBI's fear over encryption is that it would facilitate organization of resistance even when that resistance becomes a threat, and while a lone gunman isn't a real threat to law enforcement, a company of militia are. (And yes, some organized militia exist in the US.)
Incidentally, guns occupy the same spot, whether we call them tools or weapons. Our constitutional framers didn't specify guns but general arms that is, weapons, knowing that even firearms may someday become obsolete. The point is the public cannot trust the state to keep something that the public is forbidden from having, including bioagents and nukes.
(Which is a good reason, incidentally, for the military to stop making bioagents and nukes, and yet they still do.)
And yes, you can argue that the people are not mature enough to be trusted with guns. But the same is true for the police and the military. Frankly, we can't be trusted with the responsibility of voting or knowing our best interests, but then who can we trust?
And that's why the people should have full access to guns, even if they're useless.
And this very same argument can be made regarding encryption. And secret communication can be as deadly as guns, if not worse.
[ link to this | view in chronology ]
How very cabal news
Sounds like you should go to these conferences, or watch them on youtube. It would seem you don't grok wise-ass-ease.
While I totally disagree with the FBI's position on the subject, the article appears to conflate a technical discussion with a political one. In a technical context, the comment is a compliment.
Which is to say that you've very likely strayed into the typical misconstrued-quoting practices common to institutions that are generally regarded with contempt in these waters. In the future please check your trim before takeoff.
TIA
[ link to this | view in chronology ]
Re: How very cabal news
Our trim is fine, how's yours?
[ link to this | view in chronology ]
Re: Re: Re: Re: How very cabal news
Your skills of deduction exceed mine sir. Perhaps you should like to hire yourself out reading tea leaves?
Again, I totally disagree with the FBI. But I don't presume to posit an opinion on the state of all medical matters after hearing one doctor fart in a coat closet. And the difference between the two, is what makes the difference between real journalism, and cabal news.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: How very cabal news
When that blurb is preceded and followed by statements calling Apple a bunch of jerks for making it even harder to hack their products and praising the company Cellebrite that actively works to hack Apple's and other companies' products, then yes, I think I've got a pretty clear context.
Plus, then there's the full 'evil genius' statement:
He is directly implying that Apple is actively working to thwart law enforcement (good guys) thereby making Apple 'evil geniuses' (bad guys).
What other possible context could there be???????????
[ link to this | view in chronology ]
"despite possessing proper legal authority"
If they are investigating the owner's murder, then he should have left his password with his will. If he didn't then it is his own fault his family might not see justice.
[ link to this | view in chronology ]
Face It
[ link to this | view in chronology ]
Re: Face It
You can ignore Face ID and continue to use a password just like you could with Touch ID.
[ link to this | view in chronology ]
Let the FBI test this idea
[ link to this | view in chronology ]
Geniuses
[ link to this | view in chronology ]
Next they'll be ...
[ link to this | view in chronology ]
Might have to get off their asses
[ link to this | view in chronology ]
what it fails to enumerate is the number of convictions they failed to obtain solely and only because they could not gain access
Two very different requirements at work here, . . . . "want" and "need"
[ link to this | view in chronology ]
Re:
Also, the number of devices they were able to access that contained data vital to secure a conviction that they would not have been able to obtain otherwise. Like the arguments about torture, etc., they tend to be very light on those sorts of details, because they know it will not show the result they claim to need these powers for.
[ link to this | view in chronology ]
They need help.
The NSA has some smart people. If it were possible to build a secure system that had a workable access when warranted they should be able to create it. It would need to be vetted by multiple outside parties (any and everybody). Then they wouldn't need to always whine that the tech companies should 'nerd harder'.
If that were to happen all the serious 'bad guys' would simply use another system developed outside the U.S. So sad FBI, it is not happening. There is a word for when the wishes of the government override the will of the people; that word is NAZI.
[ link to this | view in chronology ]
Wonder how Stephen Flatley will feel.....
Or is it OK for him to use encryption to protect himself but not OK for me to do the same?
[ link to this | view in chronology ]
Evil Is As Evil Does
[ link to this | view in chronology ]
He was supposedly speaking to the Pennsylvania legislature over a tax issue at the time, but the quote is still as appropriate for this debate as it is over the ability to tax.
The FBI would have us give up our Fourth and Fifth Amendment rights to gain a little security only to have given up our privacy and security from a government that has no right to invade citizen privacy at will regardless of "having nothing to hide." Down that road lies totalitarianism and that's exactly what Franklin was warning people over.
Apple's also in an unenviable position here. If they start bypassing encryption on their own devices at any government's whim they've destroyed their customer's trust. People will stop buying their phones. Sure enough if Apple can do it, anyone else will know there's a way and will find it. Apple's primary revenue is in their phone business, they don't want to jeopardize that.
[ link to this | view in chronology ]
Re:
The FBI would have us give up our Fourth and Fifth Amendment rights to gain a little security
Except it never provides even a little more security.
(In their universe, however, 10 people die every day for every phone they can't unlock or contents they can't decrypt. Still waiting for that claim...)
[ link to this | view in chronology ]
Possessing proper legal authority to pry open a device is not an authority that entitles you to the existence of devices you can pry open. Sorry Chris, you'll just have to stew in your juice again.
[ link to this | view in chronology ]
Cheap and Sleazy, the FBI has been in the pockets of private businesses and not serving the US for a LONG time.
[ link to this | view in chronology ]
How Bondian, James Bondian
Don't you hate all this fake mutual admiration from an evil, federal, government agency towards an evil, giant, international corporation? We know the evil gov't agency just wants to make itself look better, if it ever finally manages to defeat the evil corporation. Also helps convince legislators (evil and otherwise alike) to provide additional funding for the evil agency to fight the overwhelmingly über-rich, evil corporation.
[ link to this | view in chronology ]
Tax-Feeding Nincompoops, Data Encryption Algorithms and You
“At what point is it just trying to one up things and at what point is it to thwart law enforcement?" he added. "Apple is pretty good at evil genius stuff."
FBI Director Wrong Wray and FBI forensic expert Stephen Flatley are two petty authoritarian tax-feeders blinded by power and hubris.
FBI claims it has 7,800 encrypted devices that can not be accessed.
How many billions of encrypted devices have protected their users from everyday criminal attempts to exploit private/sensitive information?
How many US citizens have had private/sensitive data, that was stored on US government servers, exploited because of improperly secured devices?
Hacking of Government Computers Exposed 21.5 Million People
https://www.nytimes.com/2015/07/10/us/office-of-personnel-management-hackers-got-data-of-millions.html
List of hacked government agencies grows: State Department, White House, NOAA & USPS
https://www.computerworld.com/article/2848779/list-of-hacked-government-agencies-grows-state-department-white-house-noaa-and-usps.html
Continued Federal Cyber Breaches in 2015
http://www.heritage.org/cybersecurity/report/continued-federal-cyber-breaches-2015
SEC's Hacking Increases Worries About Vulnerabilities Across U.S. Government
http://fortune.com/2017/09/21/sec-hacking-vulnerabilities-u-s-government/
Federal government notifies 21 states of election hacking
https://apnews.com/cb8a753a9b0948589cc372a3c037a567
Federal Reserve Hacked More Than 50 Times In 4 Years
https://www.huffingtonpost.com/entry/hackers-breach-federal-reserve-50-times_us_574ee0d5e4b0757eaeb1194c
Thales: 34% of U.S. Federal Government Agencies Experienced Data Breach in Last Year
The list of US government data being exploited by hackers is mighty long.
The italicized/bold text examples above show the frequency of US government failures to safeguard data that was entrusted to its incompetent care.
Dear Wrong Wray when you and your minions continuously make public pronouncements regarding law enforcement's wet dream of weakening of data encryption algorithms while at the same time not being able to secure the data already in the US government's possession makes you sound and look like a tax-feeding know-nothing nincompoop.
Congratulations!
[ link to this | view in chronology ]
You first, fed.
The government (which is to say practically all departments) over classify and intentionally obstruct FOIA requests. They act to prevent public oversight and they like to keep it that way.
Once we establish thorough public oversight of our state's departments at every level, and all things that are not current operational secrets, are transparent and easily accessible to an American citizen, then and not one day sooner should we be talking about making private entities more transparent to the government. The government in general and the FBI specifically are completely corrupt, and we have no reason to trust them with private information, even when they threaten to beat it out of us (which they will).
So, no. The feds can have my encryption codes and my private files when it figures out how to pry them from my cold dead brain.
[ link to this | view in chronology ]
Toto toilets are evil
“At what point is it just trying to one up things and at what point is it to thwart law enforcement?"
[ link to this | view in chronology ]
I think the few phones they can't crack is hardly an issue. That they make it one belies their true intents, mainly the grab for more power (encryption, then the next thing, then the next), and having something to harp on repeatedly to use as an excuse for their next failure to stop some sort of incident (whether it is something reasonably stop-able or not).
Funny I never see complaints about encrypted desktops and laptops.
[ link to this | view in chronology ]
It's DejaVu All Over Again...
Didn't they (the NSA I believe) outlaw certain encryption standards back in the late 90's early Millennium?
That was a completely pointless endeavor and only spurred the creation of better encryption.
[ link to this | view in chronology ]
Right?
[ link to this | view in chronology ]
negligent reporting, or propaganda?
Look it up for christ sakes, don't take my word for it. Then look up Intel IME, AMD PSP, ARM trustzone...
When you understand how this works (please take the time- it's crucial information that TD seems unwilling to provide for whatever reason)- it's plain to see this is mostly distraction and redirection; whether intentional or not articles like this shape public opinion in ways beneficial to the fbi's goals (creating stupid criminals, and increased access to high lvl intelligence gathering tools originally justified by -for use against- genuine terrorism).
These articles serve as great advertising for apple/google, (who have likely provided generous gov access in exchange for turning blind eyes regarding Taxes and Anti-trust) while falsely convincing people their devices are secure. It doesn't matter how perfect your encryption is if your device is hopelessly structurally flawed- which describes 99%+ of devices built in the last 5 years. It's like waxing lyrical on how perfect one finger is while ignoring the necrotic hand it's connected to... Fundamentally dishonest or negligent omission.
[ link to this | view in chronology ]