ACTI-TECH LTD

QUALITY PRODUCTS, CUSTOMIZED SOLUTIONS

Thursday, November 19, 2015

Going dark: FBI continues effort to bypass encryption

The FBI's ongoing effort to bypass encryption and its warnings about "going dark" show no signs of letting up -- even as major technology companies, such as Apple, push back.

public statements airing concerns about "going dark" -- the bureau's lack of technical ability to access legally intercepted communications and information. And the crux of the going-dark issue is encryption technology that protects targeted data and communications from prying eyes.
In the July congressional hearing, FBI Director James Comey discussed the state of national security in relation to encryption and the going-dark issue. "We cannot break strong encryption," Comey said during his testimony to Congress. "So, even if I get a court order under the Fourth Amendment to intercept that communication as it travels over the wires, I will get gobbledygook."
Other FBI officials have also expressed alarm at potentially increased use of encryption technology. At the recent 2015 IoT Security Summit in Boston, FBI CISO Arlette Hart said encryption technology keeps user data safe, but it's also used by "the bad people" to make sure their communications aren't interdicted by law enforcement. And during his keynote at the Advanced Cyber Security Center conference in Boston last month, FBI General Counsel James Baker said the bureau "can't get the fruits of surveillance" because of encryption.
The FBI has searched for ways to bypass encryption, including a law requiring the installation of backdoor access points in technology products, but Comey recently told Congress that the FBI and the Obama administration are "not seeking legislation at this time."
But that game-plan shift hasn't dimmed the rhetoric of darkness, or the FBI's search to find ways to bypass encryption. Instead of backdoor access, intelligence agencies, such as the National Security Agency, have argued for "front-door access" via key escrow plans or split-key encryption, where the technology vendor or service provider retains half of a master key and law enforcement retains the other half -- meaning no one party can access user data without the other. But those plans have been shot down by security experts who said the technology isn't feasible in practical use.
Comey said he wants to encourage technology companies to find solutions to the going-dark problem, rather than force an approach on them. "We would like to emphasize that the going-dark problem is, at base, one of technological choices and capability," Comey said. "We are not asking to expand the government's surveillance authority, but rather we are asking to ensure that we can continue to obtain electronic information and evidence pursuant to the legal authority that Congress has provided to us to keep America safe."
But with technology companies increasingly handing encryption keys over to their customers, known as bring your own key or BYOK, search warrants compelling a software company or service provider to decrypt user data have been rendered useless.
Comey said encryption was always available over the last 20 years, but now it's become the default option for communications and data protection, accompanied by "an explosion in apps" that use the Internet. In essence, the FBI claims the government's ability to intercept communications, such as texts, emails and photos, is severely waning as encryption adoption grows -- which, Comey argues, makes it increasingly difficult to obtain critical evidence for court cases.

In a speech delivered to the Brookings Institute in Washington, D.C. last month, Comey specifically called out Apple, as well as Google, for creating products that the companies themselves couldn't unlock or decrypt. "Both companies are run by good people, responding to what they perceive is a market demand," Comey said of Apple and Google. "But the place they are leading us is one we shouldn't go to without careful thought and debate as a country."

The iOS encryption case

When Apple expanded iPhone encryption protection on its iOS 8 mobile platform last year, it caused concern among government officials -- notably, the FBI. The issue at hand is that devices running iOS 8 or higher can now only be unlocked by the user, as Apple no longer has the ability to unlock and decrypt devices.
Recently, a case involving an iOS device brewed new controversy in the going-dark debate. Last month, a federal magistrate judge questioned an application by the U.S. attorney's office in Brooklyn, N.Y. to order Apple to disable the security lock on an iOS device. The authorities had obtained a warrant to search the device, but couldn't access the encrypted data because it was locked.
In its response, Apple said it would be impossible to decrypt any iPhone running iOS 8 or higher, because the latest encryption in Apple's mobile operating system prevents anyone but the device's owner from acquiring access. However, the catch is the device in question was actually running iOS 7, and Apple admitted that it has the ability to extract "certain categories of unencrypted data from a passcode-locked iOS device," such as user-generated files for native iOS applications.
But Apple feels its integrity is on the line with the Department of Justice's requested order, and argued that forcing the company to extract data without customer consent would imperil Apple's reputation and damage the trust it has with its loyal customers.
"Apple has taken a leadership role in the protection of its customers' personal data against any form of improper access," Apple's brief stated. "Forcing Apple to extract data in this case, absent clear legal authority to do so, could threaten the trust between Apple and its customers, and substantially tarnish the Apple brand."

The going dark tug-of-war

The standoff between technology companies and the U.S. government is heating up in the post-Snowden era.
A number of leading information security vendors have preached the value of strong encryption and criticized the government's effort to weaken it. Pam Kostka, CEO of Bluebox Security, a mobile security startup based in San Francisco, said government-mandated backdoor access would undoubtedly introduce vulnerabilities for operating systems, applications and cloud services that would defeat the purpose of using encryption in the first place. Even if technology companies gave the government keys to encryption, the company and its customers would have to give the government an astronomical degree of trust, which many people are not willing to do.
