What does the FBI want when it comes to the encryption “debate”?
At an oversight hearing before the Senate Judiciary Committee today, FBI Director James Comey offered what he called the “good news” that it’s not a debate at all. In fact, he said, government and the tech industry all want the same thing—to keep Americans secure. That’s true, but how can Comey reconcile his and other officials’ calls for government access to encrypted communication with the unanimous opinions of technical experts and industry that there’s no secure way to achieve such an “exceptional access” regime?
It turns out that somehow, Comey believes that the question of whether to ban encryption without backdoors is “not a technical issue.” He told the senators that “plenty of companies” provide services online while still maintaining the ability to read their users' data, and that “plenty” of smartphone manufacturers can unlock encrypted phones. Thus, he concluded, “it’s a business model question.” 1
The good news was nice while it lasted, wasn’t it? From Director Comey’s statements, it’s clear that what the FBI wants is what it has always wanted: access to all encrypted data, both secure communications and data at rest. Unfortunately, noting that some business models happen to enable FBI access, while other more secure models cannot, doesn’t reconcile anything.
There are only two ways for a business to offer services that achieve Comey’s goal: (1) Allowing government access to encrypted data through technical means that badly compromise their users’ security (such as key escrow or split keys); or (2) simply not offering their customers robust encryption in the first place.
Perhaps worse, Comey says he wants each company to “figure out on its own” what the right answer is. Rather than seeking legislation mandating backdoors, which would allow involvement, technical review, and criticism by encryption experts and the public, the FBI will rely on backroom pressure to make companies compromise encryption, or even eliminate business models it doesn’t like. Some services—like most flavors of webmail—currently don’t use end-to-end encryption, so they won’t have to change. But for other types of tools (chat or encryption of data at rest), cryptographers are unanimous—designing their tools in the way that Comey wants will have potentially disastrous effects on user security.
Comey’s focus on “business models” also misses the sizable portion of encryption applications that are open-source and/or based outside of the US. A recent survey [pdf] by the Open Technology Institute found that the majority of end-to-end encrypted messaging applications fall into these categories.
Later in the hearing, Senator Dianne Feinstein made it clear that although Comey and the FBI may have disavowed a bill mandating backdoors for now, she plans to push forward on the legislative front. We’ll be watching that closely.
Meanwhile, more than a hundred thousand of you signed a petition telling the White House you didn’t want either approach. Yesterday, the White House responded by asking you what you thought. The only response is to tell them again.
- 1. Comey's comments begin about 26 minutes into the hearing video.