FBI director: Ability to unlock encryption is not a ‘fatal’ security flaw

In the tug-of-war between the government and U.S. companies over whether firms should hold a key to unlock encrypted communications, a frequent argument of technologists and privacy experts is that maintaining such a key poses a security threat.

But on Thursday, FBI Director James B. Comey pointed out that a number of major Internet companies do just that “so they can read our e-mails and send us ads.”

And, he said: “I’ve never heard anybody say those companies are fundamentally insecure and fatally flawed from a security perspective.”

Comey was airing a new line of government argument in the year-old public debate over the desirability of compelling Internet companies to provide a way for law enforcement to have access to decrypted communications.

Although he didn’t name names, he was alluding to major e-mail providers Google and Yahoo, which both encrypt customers’ e-mails as they fly between servers, but decrypt them once they land in order to scan them and serve customers relevant ads.

Comey, who spoke at a cyberthreats hearing held by the House Intelligence Committee, has been a leading voice advancing the concerns of law enforcement that the growing trend of strong encryption — where devices and some communications are encrypted and companies do not hold the keys to decode them — will increasingly leave criminal investigators in the dark.

The current debate, which echoes a bitter argument over encryption in the 1990s, was triggered by Apple’s announcement last September that it would expand the use of a method of encryption on its mobile operating system in which it did not hold a key. That meant Apple could no longer unlock troves of photos and other data stored on iPhones and iPads where the user had turned off the automatic backup to Apple’s servers. Such data “at rest” is useful in criminal investigations.

Of great concern to counterterrorism officials are communications encrypted in transit, such as text and instant messages, where the companies do not hold a key and where users have turned off automatic backups. Such end-to-end encryption is a feature of Apple’s iMessage and FaceTime (a video phone-call system), as well as Open Whisper Systems’ Signal and WhatsApp, both instant-message platforms.

But stored commercial e-mail is largely either unencrypted, or encrypted with a key known to the provider, Christopher Soghoian, principal technologist at the American Civil Liberties Union, said in an interview. And that’s a recipe for insecurity, he said.

“Any data that’s either unencrypted or encrypted with a key known to another party is inherently more vulnerable,” he said. He added that Google and Yahoo have been criticized for their lack of e-mail security, and the Chinese breach of Gmail announced in 2010 was a case in point.

During the hearing, Comey said that the bureau was “having some very healthy discussions” with companies on the issue. “I would imagine there might be many, many solutions depending upon whether you’re an enormous company in this business, or a tiny company in that business. I just think we haven’t given it the shot it deserves.”

Rep. Adam Schiff (D-Calif.) noted that the tech firms have stiff global competition. Other companies are offering encrypted platforms that customers might choose. “So what do we achieve, apart from harming our economic interests, by insisting on a key?” he said.

Comey said he thought that part of the solution would be “an international set of norms” in which other countries join with the United States to establish a rule that companies should be able to provide law enforcement with communications in the clear. “I hear from our allies all the time,” he said. “The French want the same thing. The Germans. The British. So I think that’s something that could be done.”

Soghoian noted, however, that more and more encryption platforms are being made available on the Internet for free by individuals or groups of open-source developers in the United States and Europe, which will make it difficult to regulate them.

