“We’re not looking for a ‘back door'” that breaks encryption, the FBI said on Wednesday. Don’t even know what that is, really, said director Christopher Wray: He thinks it’s some type of “secret, insecure means of access” – is that right?
No, that’s not what the FBI is after, he said during a speech (here are his prepared remarks) at the Boston College/FBI Boston Conference on Cyber Security.
Rather, what law enforcement wants is a secure means to access evidence on devices once they’ve shown probable cause and have a warrant, he said. How that gets done is up to you smart people in technology, the “brightest minds doing and creating fantastic things.”
I’m open to all kinds of ideas. But I reject this notion that there could be such a place that no matter what kind of lawful authority you have, it’s utterly beyond reach to protect innocent citizens.
You’ve got to hand it to Wray: his tone was far more flattering – “brightest minds?” nice! – than when FBI forensic expert Stephen Flatley called Apple a bunch of “jerks” and “evil geniuses” for encrypting iPhones.
But Wray’s tempered remarks can be read as a velvet glove slipped over an iron fist, and that iron fist has been banging at this door for quite a while. The FBI has been battling encryption ever since Apple made it a default on the iPhone in September 2014.
Apple’s encryption is so strong that even Apple can’t break it. That’s made it all the harder to catch criminals and terrorists, the FBI has stressed both inside and outside of courtrooms.
In his speech, Wray picked up from where he left off in January, when he called unbreakable encryption a “public safety issue,” citing 7,775 devices that the FBI couldn’t crack in 2017 – more than half of those that the agency sought to lawfully access…
…which in turn picked up from where his predecessor, James Comey, left off… which also followed Assistant Attorney General Rod Rosenstein having made the same arguments multiple times last year.
From Wednesday’s speech:
Each one of those nearly 7,800 devices is tied to a specific subject, a specific defendant, a specific victim, a specific threat. Last fall I spoke to a group of CISOs and someone asked about that number. He basically said, ‘What’s the big deal with 7,800? There are millions of devices out there.’
We’re not interested in the millions of devices used by everyday citizens. We’re only interested in those devices that have been used to plan or execute criminal or terrorist activities.
Of course you can give us access to encrypted devices without breaking encryption, Wray said. After all, look what’s been done with cloud platforms that users can access from anywhere:
For one thing, many of us in this room use cloud-based services. You’re able to safely and securely access your email, your files, and your music on your home computer, on your smartphone, or at an internet café in Tokyo… That didn’t happen by accident. It’s only possible because tech companies took seriously the real need for both flexible customer access to data and cybersecurity.
Just as the FBI director has again argued the same thing that the bureau has been arguing for years – the same arguments about somehow being able to get past encryption without breaking it, in some way that the FBI doesn’t know because that’s up to the people who build things – the same logic holds on the other side: unbreakable encryption that doesn’t break encryption is not a thing.
Apple CEO Tim Cook has said that a backdoor wouldn’t be such an issue if it were to be used only for catching “bad people,” but he doubts that crooks couldn’t manage to figure out how to exploit a backdoor even if it were only meant to help law enforcement.
Naked Security still says #nobackdoors
Paul Ducklin put it pretty bluntly: “Tim Cook is right: if you put in cryptographic backdoors, the good guys lose for sure, while the bad guys only lose if they’re careless.”
It’s not as if the US hasn’t tried it. It didn’t turn out well.
In the 1990s, the US required American software companies to use deliberately weakened encryption algorithms in software for export, in an attempt to make it safe to sell cryptographic software even to potential enemies because their traffic would always be crackable.
- International customers simply bought non-US products instead, hurting US encryption vendors.
- EXPORT_GRADE ciphers lived on long after they were no longer legally required, leaving behind backdoors such as FREAK and LOGJAM that potentially put all of us at risk.
As Naked Security and other encryption vendors have repeatedly pointed out, backdoors have a way of being forgotten about, soon end up widely known, often live much longer than anyone imagined, and can be widely misused: all good reasons to avoid them.
SOPHOS STATEMENT ON ENCRYPTION
Our ethos and development practices prohibit “backdoors” or any other means of compromising the strength of our products for any purpose, and we vigorously oppose any law that would compel Sophos (or any other technology supplier) to weaken the security of our products.