Last week, the Brookings Institution hosted a discussion with FBI Director James B. Comey, who made the case that steps taken by Apple and Google to protect user privacy were damaging the FBI’s efforts to fight crime and safeguard U.S. national security. The discussion was due to take place hours before Apple launched its latest iPads, which benefit from the updated security features of the new iOS 8 operating system.
Many of the FBI’s arguments have been systematically dismantled by attorneys, technologists, and company executives from OKCupid to Google. But the FBI continues to press its point. Although the Comey event was characterized as a “conversation” on the Brookings Institution website, the description of the talk set the tone by asking: “But are privacy rights trumping public safety interests? And if so, at what cost? Has the post-Snowden pendulum swung too far in one direction?”
It has, but not in the direction the FBI would have the public believe, according to former FBI special agent Mike German, who served as a counterterrorism investigator, covert operations specialist, and counterterrorism instructor in his 16 years with the agency. German contends that the issue “is very much brought on by the government’s excesses in gathering electronic information.”
“It reflects this very dangerous attitude by part of the government that they have a right to any evidence that exists in electronic form, and that people can’t do anything to protect themselves,” German, a fellow with the Liberty and National Security Program at New York University Law School’s Brennan Center for Justice, told CPJ.
An Attitude Shift
According to Christopher Soghoian, principal technologist at the American Civil Liberties Union, attitude may be at play in other ways as well.
“Apple has had this kind of encryption in the hands of regular users turned on by default for some time; it’s just that they’ve expanded the types of data that now receive this protection,” Soghoian told CPJ. “I think in many ways, the technical changes are not as interesting as the fact that the CEO of the largest company in the country is now going around talking about privacy and encryption,” Soghoian said, referring to Apple’s chief executive, Tim Cook.
Comey’s talk was the latest in a series of public statements from current and former FBI and Department of Justice officials decrying tech companies’ implementation of encryption-by-default in mobile operating systems. Speaking to reporters on September 25, Comey said he was concerned about “companies marketing something expressly to allow people to place themselves beyond the law.” Echoing these statements, on September 30 outgoing U.S. Attorney General Eric Holder said in a speech: “When a child is in danger, law enforcement needs to be able to take every legally available step to quickly find and protect the child and to stop those that abuse children. It is worrisome to see companies thwarting our ability to do so.”
But much of this technopanic has been misleading at best. In an op-ed published in the Washington Post on September 23, and later corrected by the paper in response to reader complaints, former FBI assistant director of the Criminal Investigative Division Ronald T. Hosko claimed that encryption such as that built into iOS 8 would have led to the death of a kidnapping victim in North Carolina who was instead rescued “just minutes before his life was to end.” The only problem with this claim — a major premise of the op-ed — was that it was not true. The op-ed was later changed to state that the newly available encryption would not have hindered the case.
“As far as I know there’s never been a case where a kidnapping investigation was frustrated because the kidnappers used encryption,” former federal prosecutor Lee Altschuler, who spent more than 20 years as a managing federal prosecutor and high-tech specialist in the Silicon Valley branch of the U.S. Attorney’s Office, told CPJ.
Encryption or not, Law Enforcement still has access
All of the experts with whom CPJ spoke agree that if the government wants electronic evidence, it is likely to get it. According to Soghoian, the iOS 8 technology “[is] not unbreakable encryption — it’s encryption that’s as strong as your password or PIN number, encryption where the company doesn’t have a skeleton key to open things up. But if you choose a four-digit PIN number, the FBI can still get in.”
Law enforcement agents can also access content stored online, including Apple’s iCloud, with a search warrant (or in some cases, lesser forms of legal authority), and a great deal of other information with fairly weak legal process. Or they can intercept communications that are in transit using a wiretap order, a tactic whose usefulness is supported by statistics maintained by the Administrative Office of the U.S. Courts.
Court figures show how the rise of mobile technology in the past ten years has been matched by rising levels of surveillance. The annual number of total intercepts are now twice what they were in 2003 and, while the figures showed an increase in the use of encryption, it was far from a stumbling block for law enforcement officials. In 2013, for example, court figures showed that of the 2,100 intercept applications authorized in state-level investigations, in only 2 percent of the cases had communications been encrypted, and in just nine instances–or less than half a percent of the 2,100–were they unable to be decrypted.
It is not clear why so-called “over-the-wire” encryption has proved to be so easily decrypted, but federal law requires certain telecommunications carriers to decrypt communications they have provided. An FBI spokesman, speaking on condition of anonymity because he is not authorized to comment publicly on the matter, told CPJ that the extension of such capabilities to new communications technologies should be uncontroversial.
It was the same distinction used by Comey in his remarks last week.
Given the availability of various investigative techniques, Altschuler questioned the sincerity of the FBI’s and Justice Department’s attack on device encryption-by-default.
“Where is the proof that this is going to handicap criminal investigations,” Altschuler asked, rhetorically. “I’m underwhelmed, both as a former federal prosecutor and a current defense lawyer with the wisdom of what’s being claimed to Congress.”
Such law enforcement myopia may actually hamper legitimate investigations, German said.
“It’s almost like a criticism that’s largely made of the intelligence community that they tend to rely too heavily on signals intelligence,” as compared to human-derived intelligence, “and therefore miss a lot of things that they would have easily discovered through other means,” he said. German said this obsession with collecting digital information will generate increasing challenges for the FBI as the agency moves into becoming primarily an intelligence agency.
Although the recent encryption-by-default debate has been framed primarily in criminal justice terms, its use has positive effects felt beyond the courtroom. In a blog published October 2, CPJ Staff Technologist Tom Lowenthal explained how strong encryption by default protects journalists and bloggers. As Lowenthal put it: “[A] journalist’s smartphone contains work in progress, a Rolodex of contacts, and all manner of in-progress conversations and messages. Purloining it would give unparalleled insight into a journalist’s work, including the sort of details a reporter might risk jail time trying to protect.”
According to German, “intelligence agencies … want to operate in the dark, and to the extent that journalists are exposing government wrongdoing, they end up being viewed as potential enemies rather than as essential elements of democratic governance.”
While the risks to journalists are bad enough in the U.S., where the Obama administration has aggressively pursued journalists as witnesses in and eventargets of investigations–which prompted the CPJ Right to Report in the Digital Age campaign — in many countries the consequences of having a mobile device compromised also include the possibility of extrajudicial physical harm, as my predecessor Danny O’Brien detailed in the 2012 edition of CPJ’s Attacks on the Press.
“What is most frustrating to me is the intelligence community’s exploitation of this incredible tool for democratization and the spread of knowledge is extremely short-sighted,” said German, who views the dissemination of strong crypto as furthering U.S. national interests. Instead, U.S. efforts to weaken encryption mean that U.S. journalists now have to contend with threats previously faced only by journalists in repressive regimes,” he said. “[N]ot only do we have to protect ourselves from unnecessary government snooping, but from all the hackers and hostile foreign agents that seek this information using the same weaknesses that the government developed,” German told CPJ.
“There is no encryption system that keeps the Chinese government out, but that lets local law enforcement have access to that data,” Soghoian said. “With encryption, you either keep everyone out, or you keep no one out.”
In other words, encryption works if it isn’t sabotaged. Thomas Jefferson invented an encryption machine used by the U.S. military as late as World War II. And a letter he received in 1801, using an algorithm developed by his friend and University of Pennsylvania mathematics professor Robert Patterson, remained unbroken for more than 200 years — and only then with the aid of a computer.
“Look, the republic has endured since founding, and probably for 200 plus years, without digital evidence, from the earliest counterfeiting [and] piracy cases, to homicides, and kidnappings, and tax evasion and everything else,” Altschuler told CPJ. “We’ve endured, and I think there’s no doubt the Republic will continue to endure.”
Or as Patterson’s letter to Jefferson would read, once finally decrypted, “We hold these truths to be self-evident …”
Geoffrey King coordinates the Committee to Protect Journalists’ Internet and technology policy efforts. King, who is based in San Francisco, protects the rights of journalists through advocacy, public education, and engagement with policymakers worldwide. Prior to joining CPJ, King, an attorney by training, represented U.S.-based individuals in constitutional matters involving the freedoms of speech, press, and petition. King is also a documentary photographer whose work has focused on human rights and social movements. In addition to his work as an advocate and journalist, King teaches courses at UC Berkeley on digital privacy law and policy, as well as the intersection of media and social change. King holds a bachelor’s degree in Mass Communications, Phi Beta Kappa and with Highest Distinction, from UC Berkeley. He earned his law degree from Stanford Law School. His public GPG encryption key can be found here. Follow him on Twitter @CPJInternet.
A version of this post originally appeared on CPJ’s Internet Channel. The Committee to Protect Journalists is a New York-based, independent, non-profit organization that works to safeguard press freedom worldwide. You can learn more at CPJ.org or follow the CPJ on Twitter @pressfreedom or on Facebook here.