Dec 23 2015

FBI's Comey Presses Tech Companies to Rethink Encryption 'Business Model'

After recent terrorist attacks, the director of the FBI is renewing the debate about whether tech companies should offer end-to-end encryption for messages.

FBI Director James Comey reignited the debate this month about whether technology companies should provide end-to-end encryption of messages.

Comey has said that such encryption means law enforcement agencies cannot access the communications of suspected terrorists or criminals even if they have warrants. Tech firms like Apple and Google have argued that providing a so-called “backdoor” for law enforcement and federal authorities would thwart the purpose of encryption, undermine privacy protections and leave customers vulnerable to malicious hackers.

Yet the recent terrorist attacks in Paris and San Bernardino, Calif., among others, have given Comey and his allies new ammunition in the debate. Comey testified before Congress this month that the companies’ decision to provide end-to-end encryption is a business decision they are actively making, suggesting that they should think about whether the business model should change.

“Lots of good people have designed their systems and their devices so that judges’ orders cannot be complied with, for reasons that I understand. I’m not questioning their motivations,” Comey testified Dec. 9 before the Senate Judiciary Committee. “The question we have to ask is: Should they change their business model? That is a very, very hard question. Lots of implications to that. We have to wrestle with it because of what’s at stake.”

Tech Companies Embrace Encryption

As Fast Company reported, law enforcement agencies have historically been able to use the Communications Assistance for Law Enforcement Act to get phone companies to cooperate with court-ordered wiretaps. Law enforcement agencies also have been able to access unencrypted messages in the country’s communications systems when they have had court orders granting access. However, starting last year, especially in the wake of revelations about eavesdropping conducted by the National Security Agency, many tech companies moved to encrypt communications services. Without encryption keys, even law enforcement agencies cannot decipher communications that are encrypted end-to-end within applications and on smartphones.

"On devices running iOS 8 and later versions, your personal data is placed under the protection of your passcode," Apple tells customers. "For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess."

According to Ars Technica, Google in March was “strongly recommending” that devices running Android 5.0 feature full-device encryption, but in October, the company said that new devices running Android 6.0 must feature it out of the box.

This year Apple, Cisco, Google, Microsoft and a host of other tech companies and civil liberties groups urged President Barack Obama not to pursue policies that would bar companies from encrypting their customers' data.

Grappling with Encryption Amid Terrorism

Comey testified that both the FBI and tech companies care about security on the Internet and public safety.

“We also all see a collision between those things right now. We see that encryption is getting in the way of our ability to have court orders effective to gather information we need in our most important work. And we all agree we have to figure out whether we can maximize both of those values — safety and security on the Internet and public safety. That’s good news. We’re not at war, we care about the same things.”

Additionally, Comey said the discussions the FBI has had with tech companies have convinced him that the problem is not a technical one. He also said “the government doesn’t want a backdoor.”

“The government hopes to get to a place where if a judge issues an order, the company figures out a way to supply that information to the judge and figures out on its own what would be the best way to do that,” Comey said. “The government shouldn’t be telling people how to operate their systems.”

“It is a business model question,” he added.

Comey noted that in the aftermath of a shooting this year in Garland, Texas, where two terrorists attacked an anti-Islam gathering, the FBI found that one of the attackers “exchanged 109 messages with an overseas terrorist” the morning of the attack. “We have no idea what he said because those messages were encrypted,” Mr. Comey said. “And to this day, I can’t tell you what he said with that terrorist 109 times the morning of that attack. That is a big problem. We have to grapple with it.”

Although Comey has in the past called for legislation to address the issue, ProPublica reports that he told the committee “the administration has decided not to seek a legislative remedy at this time.” However, Sen. Dianne Feinstein (D-Calif.) indicated that she might introduce a bill. “If there is conspiracy going on over the Internet, that encryption ought to be able to be pierced,” she said at the hearing.