We live in a world that is increasingly insecure. Viruses and worms abound on the internet, just waiting for a victim. On an almost biweekly basis, we hear of massive security breaches like the one that Home Depot recently had. The private accounts of celebrities are hacked. Exploits and vulnerabilities like Heartbleed are so widespread they warrant national coverage by major news organizations. In a world like this, both security and privacy are more valuable than gold, and there are few places that will offer either, and fewer still that can deliver on those promises.
And yet, the FBI director thinks that you are entirely too secure.
In a speech last week, the FBI director, James B. Comey, decried the rather popular move by Apple to encrypt their latest mobile operating system. This new layer of security is so tough that even Apple can’t crack it. There are no built-in back doors that will allow Apple access to your device, which means that if you lose your passcode, you’re out of luck. It also means that the chances that other people would be able to hack your device directly are relatively low. While a direct hack is still possible, this level of protection is far more than most people will ever need in their daily lives. This gives valuable peace of mind when using one of these devices.
That’s not to say it’s perfect. There’s no such thing as perfect encryption; a skilled enough hacker can work his way into even the most secure systems given enough time. Additionally, this only applies to data that is stored directly on your phone. Anything that you back up to the Cloud can still be accessed by Apple directly as well as being more vulnerable to hackers, as we have seen with the recent leak of celebrities’ photos.
Comey, however, thinks that even this modest step is far too much.
FBI Director’s Statements
In a speech last Thursday, FBI director James Comey spoke at length on what he perceived to be the potential downfalls of allowing companies to go down the road of encryption, saying, “the post-Snowden pendulum has swung too far in one direction—in a direction of fear and mistrust.” He went on to say that “bad guys” might use the technology for nefarious ends, and that the FBI, on account of outdated legislation, is now ill-equipped to deal with the new generation of criminals, as many companies are either incapable of complying with the court orders that the FBI issues to intercept their clients’ communications, or simply refuse to do so. He suggested that as a direct result of the new wave of private encryption, “that homicide cases could be stalled, suspects could walk free, and child exploitation might not be discovered or prosecuted. Justice may be denied, because of a locked phone or an encrypted hard drive.” These “bad guys”, he claimed, are far too wily for law enforcement to effectively track, hopping from Wi-Fi hotspot to Wi-Fi hotspot, using VoIP, and not backing up their data to the Cloud where police and investigators would have an easier time getting at it. Allowing private companies to use encryption when they don’t build in a back door “front door” for law enforcement to use would only exacerbate this problem, creating a lawless country where everyone was able to hide whatever they wanted from the government.
There were even several horrific cases that Comey included in his speech which were apparently solved by using data from a smartphone, data that, Comey claims, would have been impossible to retrieve if the data on the devices had been encrypted.
On account of all of these terrible, terrible things, Comey called not only for technology companies to reconsider their marketing strategies, but for Congress to update and expand CALEA, the law which requires telephone companies to have built-in interception capabilities that law enforcement can access, for the digital age, holding all communications companies to the same requirements.
These all sound like very reasonable ideas, right? I mean, nobody wants the “bad guys” to win, so the obvious solution is to outlaw this form of encryption and let big brother have access to whatever he wants on our devices.
Too bad it’s all bullshit.
Cherry Picked Data
It turns out that the FBI director’s stories were cherry picked, and not very well at that. The Intercept investigated each of the cases and found that any cell phone evidence used in the cases had little bearing on catching or convicting any of the suspects.
In the most dramatic case that Comey invoked — the death of a 2-year-old Los Angeles girl — not only was cellphone data a non-issue, but records show the girl’s death could actually have been avoided had government agencies involved in overseeing her and her parents acted on the extensive record they already had before them.
In another case, of a Louisiana sex offender who enticed and then killed a 12-year-old boy, the big break had nothing to do with a phone: The murderer left behind his keys and a trail of muddy footprints, and was stopped nearby after his car ran out of gas.
And in the case of a Sacramento hit-and-run that killed a man and his girlfriend’s four dogs, the driver was arrested a few hours later in a traffic stop because his car was smashed up, and immediately confessed to involvement in the incident.
So it turns out that having reliable encryption won’t actually hamper criminal investigations in any way. In fact, it seems that the evidence that smart phones do provide, like phone calls, emails, and text messages, is already reliably accessed by law enforcement. When Comey was later asked by a member of the audience to provide real world examples where encryption would actually be an issue, he said,
Rescuing someone before they’re harmed? Someone in the trunk of a car or something? I don’t think I know – yet? I’ve asked my folks just to canvas – I’ve asked our state and local partners are there some examples where this – I think I see enough, but I don’t think I’ve found that one yet. I’m not looking. Here’s the thing. When I was preparing the speech, one of the things I was inclined to talk about was — to avoid those kinds of sort of ‘edge’ cases because I’m not looking to frighten people. Logic tells me there’re going to be cases just like that, but the theory of the case is the main bulk of law enforcement activity. But that said I don’t know the answer. I haven’t found one yet.
So not even the director of the FBI can name a single case where encryption would actually be an issue to law enforcement.
Beyond lying about the impact that encryption would have on preventing crime and solving criminal cases, Comey doesn’t seem to have any idea about how encryption technology actually works. In most encryption systems, programmers will install what are called “back doors,” exploits in the code that allow someone to slip past the encryption and get access to the data on the other side. This is typically used for things like password retrieval and the like, which is why Apple can no longer retrieve a passcode for a device running their new encryption: these workarounds simply don’t exist. Apple did this because any workaround is a potential vulnerability that hackers can exploit to gain access to the device or the data. No workarounds, no “back doors,” means that the code is harder to break.
Comey apparently doesn’t like the bad connotation that back doors have, and instead calls for “front doors.” Nobody really knows what he meant by this, and even Comey couldn’t explain himself later, but rumor has it that these are magical portals in code that only proper law enforcement can use when they have a proper court order.
In reality such a thing doesn’t exist. The very idea that there is a way to build an exploit or workaround into a system that only certain people can use is preposterous. As has been proven time and time again, if there is a workaround that is built into a system, there will be malicious individuals who will use it and exploit it as best they can. It’s like that spare key that you hide under a fake rock so you don’t get locked out of your house. It may be hard to find or out of the way, but if someone finds it they’ve still got a key to your house.
Another thing that Comey doesn’t seem to understand is international sales. A significant number of iPhones are sold outside the US and, stunningly, people abroad tend to be very suspicious of US government agencies, especially agencies like the FBI. As unreasonable as it may sound, people don’t want to own phones that a foreign entity could hack into at any given moment. It doesn’t matter that the likelihood of the FBI or NSA actually hacking any given phone is impossibly remote; the possibility is there, and that idea is unnerving to no end. Having a built-in exploit that US agencies could use to break into phones would hurt Apple’s sales enormously.
Why He’s Wrong
So we’ve seen that not only is there no evidence supporting the idea that encryption will severely hamper law enforcement, but that any sort of built-in back door will not only severely weaken the security of our devices, but hamper international sales. This means that there is no justifiable reason to weaken or remove this sort of encryption for the sake of law enforcement. In fact, all logic argues against it. Not only are we not helping law enforcement do their jobs to any measurable degree, but we are actively destroying our own security.
However, this isn’t even the most important reason that we should be concerned about Comey’s blatant lies and scare tactics.
The most important reason is that any sort of limitation on encryption for the sake of law enforcement is a direct violation of the 4th Amendment, which guarantees that we have the right to be free from unreasonable searches and seizures. Any sort of built-in workaround, be it a back door or a front one, directly undermines this for a number of reasons. First, it puts a condition on an inalienable right. Second, with the recent Snowden disclosures we have seen that the federal government has no interest in preserving this right.
Finally, in this day and age the need for privacy and security is greater than ever. As I mentioned before, we hear about large scale security breaches almost on a biweekly basis, and most of them aren’t even as benign as Celebgate. Many of them put valuable and vulnerable information at risk, like bank accounts, credit cards, and social security numbers. While a few celebrities may be a little butthurt that some scandalous photos got leaked, cyber attacks can, and do, do much, much worse. Thousands upon thousands of people have had their lives ruined by real cyber crimes like identity theft. The sort of encryption that Apple has implemented is the first line of defense against some of these crimes. If nothing else, it gives a little peace of mind in a hectic world.
All in all, the FBI director’s statements simply don’t stand up to examination; allowing a government workaround, even one that is built in from the very start, provides little, if any, meaningful data to law enforcement. In fact, the only time this kind of data seems to have any relevance at all is in court cases, convicting criminals of crimes committed, rather than actually preventing crime and making us safer. This means that this kind of government intrusion is entirely unjustified. Worse still, it is a dangerous expansion of power for an already untrustworthy agency, one that has time and time again proven that it has no real interest in protecting our civil rights. Finally, it further weakens smart phone users’ security and privacy in an increasingly dangerous digital world.
Lucky for us, it’s unlikely that Congress will take Comey’s advice seriously. Let’s hope it stays that way.