FBI Director James Comey gave a speech yesterday reiterating the FBI's nearly twenty-year-old talking points about why it wants to reduce the security in your devices, rather than help you increase it. Here's EFF's response:
The FBI should not be in the business of trying to convince companies to offer less security to their customers. It should be doing just the opposite. But that's what Comey is proposing—undoing a clear legal protection we fought hard for in the 1990s.[1] The law specifically ensures that a company is not required to essentially become an agent of the FBI rather than serving your security and privacy interests. Congress rightly decided that companies (and free and open source projects and anyone else building our tools) should be allowed to provide us with the tools to lock our digital information up just as strongly as we can lock up our physical goods. That's what Comey wants to undo.
It's telling that his remarks echo so closely the arguments of that era. Compare them, for example, with this comment from former FBI Director Louis Freeh in May of 1995, now nearly twenty years ago:
[W]e're in favor of strong encryption, robust encryption. The country needs it, industry needs it. We just want to make sure we have a trap door and key under some judge's authority where we can get there if somebody is planning a crime.
Now just as then, the FBI is trying to convince the world that some fantasy version of security is possible—where "good guys" can have a back door or extra key to your home but bad guys could never use it. Anyone with even a rudimentary understanding of security can tell you that's just not true. So the "debate" Comey calls for is phony, and we suspect he knows it. Instead, Comey wants everybody to have weak security, so that when the FBI decides somebody is a "bad guy," it has no problem collecting personal data.
That's bad science, it's bad law, it's bad for companies serving a global marketplace that may not think the FBI is always a "good guy," and it's bad for every person who wants to be sure that their data is as protected as possible—whether from ordinary criminals hacking into their email provider, rogue governments tracking them for politically organizing, or competing companies looking for their trade secrets.
Perhaps Comey's speech is saber rattling. Maybe it's an attempt to persuade the American people that we've undertaken significant reforms in light of the Snowden revelations—the U.S. government has not—and that it's time for the "pendulum" to swing back. Or maybe, by putting this issue in play, the FBI hopes to draw our eyes away from, say, its attempt to water down the National Security Letter reform that Congress is considering. It's difficult to tell.
But if the FBI gets its way and convinces Congress to change the law, or even if it convinces companies like Apple that make our tools and hold our data to weaken the security they offer to us, we'll all end up less secure and enjoying less privacy. Or as the Fourth Amendment puts it: we'll be less "secure in our papers and effects."
For more on EFF's coverage of the "new" Crypto Wars, read this article focusing on the security issues we wrote last week in Vice. And going back even earlier, a broader update to a piece we wrote in 2010, which itself was based on our fights in the 90s. If the FBI wants to try to resurrect this old debate, EFF will be in strong opposition, just as we were 20 years ago. That's because—just like 20 years ago—the Internet needs more, not less, strong encryption.
- 1. Here's the relevant part of CALEA that Comey wants to effectively undo: "47 USC 1002(b)(3): A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication." Also from the CALEA legislative history: "Finally, telecommunications carriers have no responsibility to decrypt encrypted communications that are the subject of court-ordered wiretaps, unless the carrier provided the encryption and can decrypt it. This obligation is consistent with the obligation to furnish all necessary assistance under 18 U.S.C. Section 2518(4). Nothing in this paragraph would prohibit a carrier from deploying an encryption service for which it does not retain the ability to decrypt communications for law enforcement access ... Nothing in the bill is intended to limit or otherwise prevent the use of any type of encryption within the United States. Nor does the Committee intend this bill to be in any way a precursor to any kind of ban or limitation on encryption technology. To the contrary, section 2602 protects the right to use encryption." H/T Chris Soghoian: http://paranoia.dubfire.net/2010/09/calea-and-encryption.html