New Report Says The Feds' Focus On Device Encryption Is Holding Local Law Enforcement Back
from the get-what-you-can-instead-of-dreaming-about-an-all-access-pass dept
CSIS (Center for Strategic and International Studies) has just released another report [PDF] on device encryption. But there's a difference: this one isn't so much about encryption but what law enforcement isn't doing to access the wealth of digital data available to it. (h/t Robyn Greene)
What CSIS found is there are plenty of powerful tools and options available. The problem -- especially at the local level -- is law enforcement appears to be unsure of how to proceed when seeking digital data. This results in a couple of problems, the latter of which has definite civil liberties implications.
Our survey of federal, state, and local law enforcement officials suggests that challenges in accessing data from service providers—much of which is not encrypted—is the biggest problem that they currently face in terms of their ability to use digital evidence in their cases. Specifically, the inability to effectively identify which service providers have access to relevant data was ranked as the number-one obstacle in being able to effectively use digital evidence in particular cases.
Following closely after that is the difficulty of obtaining data and evidence from service providers if agencies do manage to narrow down where it's located. While there are a variety of federal resources available to train and educate law enforcement investigators about seeking digital evidence, they're underfunded and underutilized.
This lack of education and overall uncertainty is leading to unfortunate results -- both in terms of targeted citizens and the law enforcement agencies hoping to hold onto whatever evidence they may obtain. Overbroad warrants are routine and it's not always the result of a "collect it all" philosophy.
Law enforcement claims... they often lack enough information to know what data is and is not available and make the kind of relevancy determination needed. Put simply, unless law enforcement officials are adequately informed about what kind of data providers have available, they are not in a position to know what there is to ask for—let alone determine if it is relevant. Law enforcement officials also point out that in many cases it is appropriate to ask for “any and all data,” particularly when the universe of available data is sufficiently limited—for example, if the request is directed toward “any and all data” about a particular account and during a specific time horizon.
These broad requests result in pushback from tech company recipients (who, unfortunately, likely understand the law better), which further strains the relationship between service providers and law enforcement agencies. The problem with the law enforcement side is the numbers don't support this perception.
The number of law enforcement requests, at least as directed at the major U.S.-based tech and telecom companies, has significantly increased over time. Yet, the response rates have been remarkably consistent.
The increase in requests has led to an increase in rejected requests as a whole -- which fuels the perception service providers are giving lawmen the figurative finger -- but the percentage of rejected requests (around 20%) has remained constant.
It's not just law enforcement personnel needing more training and info. The lack of training leads to broad warrant requests and subpoenas from law enforcement. These requests should be receiving pushback before they're delivered to service providers. But far too often, they're not receiving enough scrutiny at the judicial level. This is also an education/information problem.
[R]esources should be invested in training judges, in addition to law enforcement officials engaged in the investigative and prosecutorial functions. Judges serve as crucial intermediaries in the request process, ensuring that data requests are lawful and appropriately tailored. Resources should also be expended to train defense attorneys, who also need the ability to access and interpret digital evidence in order to mount an adequate defense.
The broad requests that do make it through post additional issues that are rarely discussed. While FISA court orders authorizing surveillance (including domestic surveillance) stress minimization of non-target info, demands for data from service providers aren't subject to these restrictions. Data/communication dumps can expose a lot of info about non-targets and there's almost zero recourse for non-targets whose privacy has been violated. "Incidental" collection isn't just something the NSA does. It's the inevitable byproduct of overbroad requests and few, if any, rules governing the collection and use of this info.
The report details a large number of deficiencies in the process which has made law enforcement's job far more difficult than it needs to be. Tech advances don't solely benefit crafty criminals. They also aid law enforcement, but there's been no cohesive effort made by the federal government to ensure local agencies can make the most of the tools available. Until this is nailed down, worrying about defeating or bypassing encryption is a waste of time.
That the FBI's director has decided that's how he's going to use his time and energy, suggests the agency -- the most frequent contact for local agencies seeking tech help -- isn't going to prioritize sharing knowledge over seeking legislative mandates. The FBI is hurting itself and others by limiting their ability to do everything they can right now in hopes of getting a law enforcement-sized hole drilled in encryption at some point in the next few decades.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: doj, encryption, fbi, going dark, law enforcement
Companies: csis
Reader Comments
Subscribe: RSS
View by: Time | Thread
HA, HA.
[ link to this | view in thread ]
Re: HA, HA.
[ link to this | view in thread ]
Re: HA, HA.
The same Shiva that had his lawsuit laughed out of court last year?
(Yes, I know he's appealing, but even in the current state of affairs I'm confident that accurately calling a liar and a charlatan exactly what he is will still be protected speech in the land so obsessed by freedom of it).
[ link to this | view in thread ]
Re: HA, HA.
[ link to this | view in thread ]
Re: HA, HA.
Who hated the process of due
Each film that he'd paid
Was DMCAed
And shoved up his ass with a screw
[ link to this | view in thread ]
Re: HA, HA.
What does he have to do with this article?
Are law enforcement working to obtain evidence against him showing how he misled investors with his claims of inventing something he did not invent?
Seems like such things should be a crime but what do I know, my IQ is likely 20 points below his, amazing I can even write this message.
Thanks for the off-topic discussion.
[ link to this | view in thread ]
Re: HA, HA.
2017 called. They want your comment back.
[ link to this | view in thread ]
We paid them to give us the magic bullet!
We paid them more to give us the magic bullet!
They told us the magic bullet will only happen if we force everyone to create the bullet hole only the magic bullet will fit!
We have chased the magic bullet, invested heavily in it, we can't not admit the magic bullet can never be real, we must screw up every other possibility of moving forward to show how much we need the magic bullet that will never come to be.
They keep telling us without the magic bullet billions could die, yet the only threats reported are a few people the FBI lured into made-up plots rather than dealing with actual crimes. There is a terrorist in every pot & a WMD in every garage!!!!!!!!
What you want can not be done, the people telling you it is possible... how much are you paying them... do ya think that might effect their ability to tell you the truth when the real truth means their gravy train stops??
People you aren't paying, who built & develop these systems tell you it can not be done... the people you pay say they are lying... how about you ask the people telling you it is possible to write their own encryption with secret backdoors & encrypt all of your data with it. Let see how long the secret stays secret when a bunch of hobbyists unlock the secret JFK files protected with this super duper good guy secret door encryption.
Or admit you should have stayed in your lane, stop blaming technology for your failures to adapt, and start fighting actual crimes... like ID Theft, State drug labs being run by addicts who convict the innocent, Cop who create evidence to justify the unjustifiable.
[ link to this | view in thread ]
Re: HA, HA.
[ link to this | view in thread ]
Re: HA, HA.
I'm going to say $0.25.
[ link to this | view in thread ]
Fed'sPosition
Now that I've taken that position, it's not enough.
Now I want access to your in-home device that monitors your voice, your health device that monitors your heart rate and perspiration levels and for good measure I want real time tracking on your movement at all times. Let's see, let's see smart devices do all this - good good.
Now, with this I can find the bad people.
Oh, forgot, let's modify a few privacy and property amendments to the constitution to allow physical search from a range, oh let's say 120 miles inland from any border and for extra good measure lets make sure that if you have any money on you or things that looks expensive we can take those from you at any time without going to court. Ya, okay - ready serve.
Oh darn, forgot the device has stuff on it, but can't access it uhhh what to do? Oh I know, devices must have hard coded back doors and encryption that acts as a placebo and doesn't work. Oh darn found out about burner phones, hmm can't keep track of those.
Dang, what if bad people actually write something down and mail it? Oh ya post offices will scan all mail from to lines and keep that data for me... oh, oh another thing what if someone copies or prints something. Gotta have backup drives in public copying machines so we can see that stuff and a secret little print on any document that links to a specific printer id ya, that outta do it.
Ahh crud, didn't think about people actually meeting and discussing their nefarious plans, we should get all stores and localities to place video cameras everywhere just in case. Dang, so many videos, maybe we can partner with a huge company that can create facial recognition software to ID people and gestures and lip movements. Who handles our data storage, they should know how to do it?
Hmm what am I missing, oh ya, what if someone says something we don't like on social media. Ya, we should tap into the data centers and copy all that to some place with a huge data storage and just run searches on all that data to umm fish out the bad people.
Ugh, I disagree with that reporter from CNN, I should just ban them from asking anymore questions and make sure that everyone knows that the only real information comes from the white house.
Fudge, what if voters actually vote for representatives that give a darn? Oh ya easy, ensure no money for election security, get the politicians that I like to work together, what's that word oh 'collude' to gerrymander election districts and purge voter rolls of people that disagree with my view and oh make sure my friends that create the electronic voting machines can switch votes for us.
Hmm people still might be smart enough to do things I disagree with, how to tackle that Oh, I know, why bother providing affordable health care or education or even keep infrastructure up to date - all those could lead to people trying to live better lives and that might lead to bad people, let's keep them dumb, economically burdened and reliant on us.
Dang just remember we have laws against reeducating their minds - ooh, what's that George you'll just sign a bill to let us use propaganda? Hey that might work, we should hook up with a big media company and sell our message to the people.
I think that about does, now I can catch all the bad people.
/s is for Sarcasm...
[ link to this | view in thread ]
Re: Re: HA, HA.
[ link to this | view in thread ]
They need some CSI tech.
[ link to this | view in thread ]