New Report Says The Feds' Focus On Device Encryption Is Holding Local Law Enforcement Back

from the get-what-you-can-instead-of-dreaming-about-an-all-access-pass dept

CSIS (Center for Strategic and International Studies) has just released another report [PDF] on device encryption. But there's a difference: this one isn't so much about encryption but what law enforcement isn't doing to access the wealth of digital data available to it. (h/t Robyn Greene)

What CSIS found is there are plenty of powerful tools and options available. The problem -- especially at the local level -- is law enforcement appears to be unsure of how to proceed when seeking digital data. This results in a couple of problems, the latter of which has definite civil liberties implications.

Our survey of federal, state, and local law enforcement officials suggests that challenges in accessing data from service providers—much of which is not encrypted—is the biggest problem that they currently face in terms of their ability to use digital evidence in their cases. Specifically, the inability to effectively identify which service providers have access to relevant data was ranked as the number-one obstacle in being able to effectively use digital evidence in particular cases.

Following closely after that is the difficulty of obtaining data and evidence from service providers if agencies do manage to narrow down where it's located. While there are a variety of federal resources available to train and educate law enforcement investigators about seeking digital evidence, they're underfunded and underutilized.

This lack of education and overall uncertainty is leading to unfortunate results -- both in terms of targeted citizens and the law enforcement agencies hoping to hold onto whatever evidence they may obtain. Overbroad warrants are routine and it's not always the result of a "collect it all" philosophy.

Law enforcement claims... they often lack enough information to know what data is and is not available and make the kind of relevancy determination needed. Put simply, unless law enforcement officials are adequately informed about what kind of data providers have available, they are not in a position to know what there is to ask for—let alone determine if it is relevant. Law enforcement officials also point out that in many cases it is appropriate to ask for “any and all data,” particularly when the universe of available data is sufficiently limited—for example, if the request is directed toward “any and all data” about a particular account and during a specific time horizon.

These broad requests result in pushback from tech company recipients (who, unfortunately, likely understand the law better), which further strains the relationship between service providers and law enforcement agencies. The problem with the law enforcement side is the numbers don't support this perception.

The number of law enforcement requests, at least as directed at the major U.S.-based tech and telecom companies, has significantly increased over time. Yet, the response rates have been remarkably consistent.

The increase in requests has led to an increase in rejected requests as a whole -- which fuels the perception service providers are giving lawmen the figurative finger -- but the percentage of rejected requests (around 20%) has remained constant.

It's not just law enforcement personnel needing more training and info. The lack of training leads to broad warrant requests and subpoenas from law enforcement. These requests should be receiving pushback before they're delivered to service providers. But far too often, they're not receiving enough scrutiny at the judicial level. This is also an education/information problem.

[R]esources should be invested in training judges, in addition to law enforcement officials engaged in the investigative and prosecutorial functions. Judges serve as crucial intermediaries in the request process, ensuring that data requests are lawful and appropriately tailored. Resources should also be expended to train defense attorneys, who also need the ability to access and interpret digital evidence in order to mount an adequate defense.

The broad requests that do make it through post additional issues that are rarely discussed. While FISA court orders authorizing surveillance (including domestic surveillance) stress minimization of non-target info, demands for data from service providers aren't subject to these restrictions. Data/communication dumps can expose a lot of info about non-targets and there's almost zero recourse for non-targets whose privacy has been violated. "Incidental" collection isn't just something the NSA does. It's the inevitable byproduct of overbroad requests and few, if any, rules governing the collection and use of this info.

The report details a large number of deficiencies in the process which has made law enforcement's job far more difficult than it needs to be. Tech advances don't solely benefit crafty criminals. They also aid law enforcement, but there's been no cohesive effort made by the federal government to ensure local agencies can make the most of the tools available. Until this is nailed down, worrying about defeating or bypassing encryption is a waste of time.

That the FBI's director has decided that's how he's going to use his time and energy, suggests the agency -- the most frequent contact for local agencies seeking tech help -- isn't going to prioritize sharing knowledge over seeking legislative mandates. The FBI is hurting itself and others by limiting their ability to do everything they can right now in hopes of getting a law enforcement-sized hole drilled in encryption at some point in the next few decades.

Filed Under: doj, encryption, fbi, going dark, law enforcement
Companies: csis

New Report On Encryption Confirms There's More Of It, But Still Not Much Of A Problem For Law Enforcement

from the brute-forcing-mountains-out-of-molehills dept

CSIS (Center for Strategic and International Studies) has just released its report on encryption and it comes to the same conclusions many other reports have: encryption is good for everyone and law enforcement fears are overstated and mostly-unrealized. (h/t Kevin Bankston)

The report [PDF] opens up with this statement:

It is in the national interest to encourage the use of strong encryption. No one we interviewed in law enforcement or the intelligence community disagreed with this.

The disagreement comes when law enforcement is prevented from pursuing investigative leads because of encryption. According to FBI Director James Comey and Manhattan DA Cyrus Vance, encryption is already a huge problem for law enforcement and will only get exponentially worse in the next few years. The CSIS report rebuts both of these statements.

While encryption use is growing rapidly, the share of traffic that is both of interest to law enforcement and unrecoverable is still relatively small. Most companies use encryption that allows law enforcement agencies to recover plaintext data. Most e-­mail, if it uses encryption, also allows for recovery. Currently, an estimated 18 ­percent of global communications traffic is end-­to-­end encrypted. It is estimated that 22 ­percent of communications traffic will be end-­to-­end encrypted by 2019.

This is far from the encryption apocalypse promised by Comey and Vance. There's an incremental increase taking place, not an exponential one. What could pose serious problems, though, is encryption-by-default on smartphones. As the report points out, if Android devices go the way of iPhones, 99% of the world's phones would keep law enforcement locked out.

But that's only if law enforcement isn't able to access data and communications through device manufacturer/service provider cooperation, third-party app developers, email providers, and other, more old-fashioned techniques. One sure way to beat device encryption is to obtain the passcode from the user. This won't help much when the phone's owner is dead or can't be located, but compelling the production of a password is still far from settled, constitutionally-speaking. For phones secured with a fingerprint, owners are likely out of luck. A couple of courts have already reached the conclusion that providing a fingerprint isn't testimonial and has no Fifth Amendment implications.

CSIS could have put together a better estimate on how many investigations are thwarted by encryption, but law enforcement agencies -- even those fronted by encryption opponents -- aren't interested in sharing this data with the public. The report points out that the problem remains mostly theoretical. Without data, all we have are assertions from law enforcement officials that something must be done. Failure to legislate backdoors or bans will apparently lead to a sharp uptick in criminal activity… except that's not happening either. The report points out that there's no data linking increased default encryption to increases in criminal activity.

As for the world's terrorism, encryption is seldom a barrier to investigations or surveillance. There's no shortage of access points to intercept communications while they're still decrypted (or post-encryption stripping). According to the CSIS report, 90% of the world's instant messages are still accessible by law enforcement, even without interception. With surveillance data-sharing being the new normal in the US, law enforcement agencies will be able to dip into NSA collections to obtain communications that might otherwise be inaccessible through a suspect's device.

The report notes that there's likely no consensus to be reached on the encryption issue. Because it protects both criminals and the innocent, it's difficult to see a nation's government -- at least those in the Western half of the world -- deciding to eliminate innocents' protections in hopes of nabbing a few more criminals. In the United States -- where certain rights have been long enshrined (if far too frequently ignored) -- the chance of anti-encryption legislation remains lowest. And, as the report's authors note, if the US doesn't make a move to curb encryption, it's unlikely the rest of the free world will do so on their own.

The law enforcement agencies making the most noise about encryption are doing the least to help their own cause. Most of what's offered is anecdotal, rather than data-based. According to the FBI's own testimony, it only has about 120 inaccessible phones in its possession. As for other law enforcement agencies, the numbers are mostly unknown. Those that have chosen to make their numbers public have failed to show anything more than the expected rise in inaccessible phones due to default encryption. While the locked devices may number in the hundreds (Cy Vance's office says 423 locked phones were seized in a two-year span, which -- according to the office's numbers -- is still only a third of the devices in law enforcement custody), they're still in the minority of those obtained.

These numbers will increase as the use of encryption increases, but if law enforcement and intelligence agencies don't like the way the future looks, they really only have themselves to blame. The report notes that the Snowden leaks -- which detailed massive surveillance programs operating under almost-nonexistent oversight -- prompted an encryption revival, both in terms of individuals doing more to ensure their privacy as well as well as device manufacturer encryption implementation.

Filed Under: encryption, going dark, law enforcement
Companies: csis