FBI Wants You To Believe in Encryption
Ever since Apple and Google announced last month that the contents of mobile devices running their operating systems will be encrypted by default, Federal Bureau of Investigation director James B. Comey has been waging a campaign against it, complaining that law enforcement agencies cannot keep up with modern technology. The more he says it, the more I'm inclined to believe a conspiracy theory: What if the FBI wants us to believe that technological advances make our data safe -- precisely because they don't?
Yesterday, Comey made a particularly eloquent speech at the Brookings Institution, citing child abuse cases that data from phones helped to solve and referring to the FBI's major case of FOMO (fear of missing out) on technology-savvy criminals. My heart went out to him when he explained that many modern communication services are not equipped to let law enforcement agencies snoop on their users:
"An order from a judge to monitor a suspect’s communication may amount to nothing more than a piece of paper. Some companies fail to comply with the court order. Some can’t comply, because they have not developed interception capabilities. Other providers want to provide assistance, but they have to build interception capabilities, and that takes time and money."
As much as I'd like to believe Comey, evidence suggests he may not be quite as frustrated as he'd like us to believe. Witness the London-based Guardian's story about a social media application called Whisper, which allows its users to communicate anonymously.
The Guardian recently faced harassment from the U.K. authorities because of its role in publishing National Security Agency whistleblower Edward Snowden's revelations of blanket surveillance, and destroyed some computer hard drives rather than hand them over. Its editors apparently considered the possibility of using Whisper for journalistic purposes, and the newspaper sent its representatives to Whisper's Los Angeles headquarters. There, Guardian staffers claimed to discover disturbing practices. The company apparently kept more data than it let on to its users and readily provides it to the FBI and MI5 British intelligence. According to the Guardian, it also cooperated with the U.S. Department of Defense in providing its researchers with certain data on postings that could be tracked to U.S. military bases.
The company's chief technical officer, Chad DePue, tried to refute the Guardian article, calling it "really bad reporting," but his response skirted the issue of cooperation with government agencies. It appears that even a company whose value proposition is based entirely on offering safe, anonymous communication -- Whisper chief executive Michael Heyward claimed it was "safer than Facebook, safer than Twitter, safer than Tumblr" -- has been able to help Comey's people when such help was required.
If that is indeed the case, it's hard for me to believe that Apple, Google and other companies that pitch secure communication and data storage to their customers will refuse help to the FBI, the NSA and other intelligence and law enforcement agencies. "Encryption isn't just a technical feature; it's a marketing pitch," Comey said in his Brookings speech. As such, it can hardly be taken at face value. The mobile operating system developers promise data encryption but they make no promises about the safety of user data.
Comey says the common belief that phone encryption can be broken with a "brute force" attack -- trying keys one after another with the help of a powerful computer -- is a "misconception": "Even a supercomputer would have difficulty with today’s high-level encryption, and some devices have a setting whereby the encryption key is erased if someone makes too many attempts to break the password, meaning no one can access that data." That only holds if the encryption software developers do not leave a backdoor in which the authorities can get in. Big tech companies, however, have no reason to seek confrontation with the government. They are business entities, not revolutionary cells, and they will cooperate when asked to do so.
Knowing that his underlings will get their way with any business-oriented entity -- perhaps as opposed to activist projects like Tor -- Comey should keep complaining as loudly as he can. Tech companies, for their part, should respond with equally loud and sincere-sounding noises about how they value their customers' privacy above everything else. That would help convince people with things to hide -- both criminals and those of us who don't want the authorities to be able to track their every step -- that they're safe with some service providers or vendors.
Nothing could be more useful to the government agencies than that false sense of security. Here's something the government doesn't want you to know: The only way to keep sensitive information safe is not to entrust it to any outside organizations, including tech companies.
This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.
To contact the author on this story:
Leonid Bershidsky at firstname.lastname@example.org