Torture authorizer and current FBI director, James Comey trotted out the latest “bogeyman” to justify unlocking encryption of private digital messages: ISIS. Apparently trying to scare people with kidnappers and child abusers failed.
(In) a preview of his appearance Wednesday before the Senate Intelligence Committee, Comey is playing the ISIS card, saying that it is becoming impossible for the FBI to stop their recruitment and planned attacks. (He uses an alternate acronym, ISIL, for the Islamic State.)
“The current ISIL threat… involves ISIL operators in Syria recruiting and tasking dozens of troubled Americans to kill people, a process that increasingly takes part through mobile messaging apps that are end-to-end encrypted, communications that may not be intercepted, despite judicial orders under the Fourth Amendment,” Comey wrote on Monday in a blog post on the pro-surveillance website Lawfare.
While providing no specific, independently confirmable examples, Comey has claimed that FBI agents are currently encountering problems because of encrypted communications as they track potential ISIS sympathizers and radicals.
Comey has long argued that sophisticated encryption technology being implemented by tech giants, including Google and Apple, will make it harder and harder for the FBI to track its targets. Encryption scrambles the contents of digital communications, making it impossible for users without the “key” to read messages in plain language.
The major problem with Comey’s argument, giving law enforcement a backdoor key to private encrypted communications, would be an open door for hackers and criminals.
On Tuesday, the group – 13 of the world’s pre-eminent cryptographers, computer scientists and security specialists – released the paper (pdf), which concludes there is no viable technical solution that would allow the American and British governments to gain “exceptional access” to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger. [..]
The authors of the report said such fears did not justify putting the world’s digital communications at risk. Given the inherent vulnerabilities of the Internet, they argued, reducing encryption is not an option. Handing governments a key to encrypted communications would also require an extraordinary degree of trust. With government agency breaches now the norm – most recently at the United States Office of Personnel Management, the State Department and the White House – the security specialists said authorities cannot be trusted to keep such keys safe from hackers and criminals. They added that if the United States and Britain mandated backdoor keys to communications, it would spur China and other governments in foreign markets to do the same.
Twenty years ago, law enforcement organizations lobbied to require data and communication services to engineer their products to guarantee law enforcement access to all data. After lengthy debate and vigorous predictions of enforcement channels going dark, these attempts to regulate the emerging Internet were abandoned. In the intervening years, innovation on the Internet flourished, and law enforcement agencies found new and more effective means of accessing vastly larger quantities of data. Today we are again hearing calls for regulation to mandate the provision of exceptional access mechanisms. In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates. We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.
This was a bad idea in 1997 and still a bad idea today.