FBI chief demands crackable encryption
Federal Bureau of Investigation (FBI) chief James Comey has once more pushed for circumventing encryption so as to uncover the activities of Daesh (ISIS) and other criminal groups. But his latest remarks, which include suggestions Silicon Valley can invent encryption crackable only by spy agencies, have come under fire.
FBI chief demands crackable encryption
Coming just days after leading cryptographers suggested that backdooring encryption would lead to heightened criminal activity, Comey said that denying law enforcement access to encrypted communications would weaken US defences against ISIS, and make the country more vulnerable to attack.
Comey has previously criticised Apple, Google and others for moving to end-to-end encryption, which he says “threatens to lead us all to a very, very dark place", and he continued in a similar vein this week.
"There is simply no doubt that bad people can communicate with impunity in a world of universal strong encryption," he said in a post for the Lawfare blog on Tuesday.
"My job is to try to keep people safe. In universal strong encryption, I see something that is with us already and growing every day that will inexorably affect my ability to do that job."
On Wednesday, he then told the US Senate Judiciary Committee in Washington that Daesh – otherwise known as ISIS – is recruiting via Twitter and securing its communications, making it hard for law enforcement to intercept and react.
"The tools we are asked to use are increasingly ineffective," said Comey, adding that it is "incredibly difficult" to stop ISIS on its rampage to "go kill". “I cannot see me stopping these indefinitely," he admitted.
Comey and deputy attorney general Sally Yates both rejected the notion that the government seeks backdoor access, preferring instead to solicit better relationships with technology industry.
"We are not seeking a front door, back door, or any kind of door...but we are seeking to work with the industry," said Yates, who went onto urge Congress to work with Silicon Valley on the matter. She added that some technology firms already access users' encrypted information to sell ads, and didn't rule out legislation if agreement with private sector couldn't be reached.
And despite computer scientists this week issuing the “Keys under the doormat” report earlier this week rebutting US and UK government proposals for exceptional access, citing the potential for hacking and other criminal abuse, Comey said a doubtful “really?” when it was suggested during the Washington hearing that there are no workarounds.
Instead, he suggested that Silicon Valley technology companies should be able to invent new models of encryption to work for law enforcement and intelligence agencies…but without introducing security flaws which could be exploited by cyber-criminals.
This was instantly dismissed by one leading cryptography expert, Resilient Systems CTO Bruce Schneier, who told SCMagazineUK.com. “At this point, he seems willfully ignorant about the technology.”
"If this was a good idea - from an infosec point of view - then the NSA and GCHQ would be saying its a good idea - but they have been noticeably silent," Nicko Van Someren, CTO of Good Technology obserbed to SC, adding: "It's a spectacularly dumb idea."
Susan Landau, professor of social science and policy studies at Worcester Polytechnic Institute and previously senior staff privacy analyst at Google, also called Comey's vision of a security flaw which could only be exploited by US government as “magical thinking" when writing on Lawfare.
“The FBI as well as the federal government have taken and continue to show a gross misunderstanding of technology,” said Red Lambda security expert Robert Gonzalez when speaking to SC.
“In the past the government has tried through multiple attempts to cripple encryption as well as to try disable it by taking “the lazy man's approach to intercepting encrypted messages” by a magical key that will give them access to what they need. Much like the proverbial rabbit in a hat, but this rabbit unfortunately is diseased and when it bites you it will give you rabies. All one needs to do to refute the FBI and law enforcement's asinine statements stating that encryption is bad and must be controlled need look no further than the clipper chip (also mentioned in the cryptographers' report – Ed).
“[This was] an absolute disaster meant to act as master key for accessing encryption and was to be held by a government or third party. The chip itself was weak in all aspects and exploited by state actors as well as those in the underground.”
Gonzalez also pointed to government interference, during Clinton's reign, in weakening exported encryption – which consequentially resulted in the LogJam flaw – and dubbed David Cameron's previous suggestions on banning encryption “horribly Orwellian”.
“Government has a wide variety of laws available to them to pursue criminals. They can pick someone up merely on the word of another person, call it a conspiracy and you have a sentence of ten years. They can subpoena Facebook, Apple, Google, and Microsoft and most if not all the time they will get the data they ask. What is encrypted can be solved by actual investigative work. This noise by the government just demonstrates how lazy they truly are.”
But rather than lazy, Storm Guidance director Sarb Sembhi suggested that, when you put Comey's comments with the controversial Wassenaar Agreement, this is about the government trying to gain new powers.
“Right now, things are probably not as bad as they as they are made out to be, however these are probably precautionary measures and much more [power] than they either need or expect to get. People in power often make things appear worse than they are, especially when it's to do with warfare,” he told SC.
“They will find other ways to try to extend as much power as they can.” At the moment agencies are accessing metadata, and content by court order, but Sembhi warned that weakening encryption would put companies at greater risk than they are now.
“At the moment they have a choice of using no encryption or strong encryption. If these proposals go ahead, businesses will have no choice but to use encryption that is known to have weaknesses.”
He said any collaboration between spy and law enforcement agencies and technology companies would need a stringent legal framework, so companies would know where they stood.
“I think most companies are happy to co-operate if there's a framework, but [government] needs to get very specific on what they need and what for.”
He also had a warning to UK, with Snooper's Charter seemingly imminent. “It will get in…one way or another, by this government or the next. There's no two ways about this, and I am not sure what we can do about it.”