The FBI's ongoing effort to
bypass encryption and its warnings about "going
dark" show no signs of letting up -- even as major technology companies,
such as Apple, push back.
public statements airing
concerns about "going dark" -- the bureau's lack of technical ability to access legally intercepted communications
and information. And the crux of the going-dark issue is encryption technology
that protects targeted data and communications from prying eyes.
In the July congressional hearing,
FBI Director James Comey discussed the state of national security in relation
to encryption and the going-dark issue. "We cannot break strong
encryption," Comey said during his testimony to Congress.
"So, even if I get a court order under the Fourth Amendment to intercept
that communication as it travels over the wires, I will get gobbledygook."
Other FBI officials
have also expressed alarm at potentially increased use ofencryption technology. At the recent 2015 IoT
Security Summit in Boston, FBI CISO Arlette Hart said encryption technology
keeps user data safe, but it's also used by "the bad people" to make
sure their communications aren't interdicted by law enforcement. And during his keynote at the Advanced Cyber Security Center
conference in Boston last month, FBI General Counsel James Baker said the
bureau "can't get the fruits of surveillance" because of encryption.
The FBI has searched
for ways to bypass encryption, including law requiring the installation of
backdoor access points in technology products, butComey recently told
Congress that
the FBI and the Obama administration are "not seeking legislation at this
time."
But that game-plan
shift hasn't dimmed the rhetoric of darkness, or the FBI's search to find ways
to bypass encryption. Instead of backdoor access, intelligence agencies, such
as the National Security Agency, have argued for "front-door access"
via key escrow plans or split-key encryption,
where the technology vendor or service provider retains half of a master key
and law enforcement retains the other half -- meaning no one party can access
user data without the other. But those plans have been shot down by security experts who said the technology isn't feasible in
practical use.
Comey said he wants
to encourage technology companies to find solutions to the going-dark problem,
rather than force an approach on them. "We would like to emphasize that
the going-dark problem is, at base, one of technological choices and capability,"
Comey said. "We are not asking to expand the government's surveillance
authority, but rather we are asking to ensure that we can continue to obtain
electronic information and evidence pursuant to the legal authority that
Congress has provided to us to keep America safe."
But with technology
companies increasingly handing encryption keys over to their customers, known
as bring your own key or BYOK, search warrants
compelling a software company or service provider to decrypt user data have
been rendered useless.
Comey said
encryption was always available over the last 20 years, but now it's become the
default option for communications and data protection, accompanied by "an
explosion in apps" that use the Internet. In essence, the FBI claims the
government's ability to intercept communications, such as texts, emails and
photos, is severely waning as encryption adoption grows -- which, Comey argues,
makes it increasingly difficult to obtain critical evidence for court cases.
In a speech
delivered to the Brookings Institute in Washington, D.C. last month, Comey
specifically called out Apple, as well as Google, for creating products that
the companies themselves couldn't unlock or decrypt. "Both companies are
run by good people, responding to what they perceive is a market demand," Comey said of Apple and Google. "But the place
they are leading us is one we shouldn't go to without careful thought and
debate as a country.
The iOS encryption
case
When Apple expanded iPhone
encryption protection on its iOS 8 mobile platform last year,
it caused concern among government officials -- notably, the FBI. This issue at
hand is that devices running iOS 8 or higher can now only be unlocked by the
user, as Apple no longer has the ability to unlock and decrypt devices.
Recently, a case involving an iOS device brewed new
controversy in the going-dark debate. Last month, a federal magistrate judge
questioned an application by the U.S. attorney's office in Brooklyn, N.Y. to
order Apple to disable the security lock on an iOS device. The authorities had
obtained a warrant to search the device, but couldn't access the encrypted data
because it was locked.
In its response, Apple said it would be impossible to decrypt any iPhone running on an iOS 8 or
higher, because the latest encryption in Apple's mobile operating system
prevents anyone but the device's owner from acquiring access. However, the
catch is the device in question was actually running iOS 7, and Apple admitted
that it has the ability to extract "certain categories of unencrypted data
from a passcode-locked iOS device," such as user-generated files for
native iOS applications.
But Apple feels its integrity is on the line with the
Department of Justice's requested order, and argued that forcing the company to
extract data without customer consent would impale Apple's reputation and
damage the trust it has with its loyal customers.
"Apple has taken a leadership role in the protection of
its customers' personal data against any form of improper access," Apple's brief stated. "Forcing Apple to extract data in
this case, absent clear legal authority to do so, could threaten the trust
between Apple and its customers, and substantially tarnish the Apple
brand."
The going dark
tug-of-war
The standoff between technology companies and the U.S.
government is heating up in the post-Snowden era.
A number of leading information security vendors have
preached the value of strong encryption and criticized the government's effort
to weaken it. Pam Kostka, CEO of Bluebox Security, a mobile security startup
based in San Francisco, said government-mandated backdoor access would
undoubtedly introduce vulnerabilities for operating systems, applications and
cloud services that would defeat the purpose of using encryption in the first
place. Even if technology companies gave the government keys to encryption, the
company and its customers would have to give the government an astronomical
degree of trust, which many people are not willing to do.
No comments:
Post a Comment