Encryption Involves Trade-offs, Safety Implications Understated, DOJ Official Says
Law enforcement is seeing real problems as advanced encrypted technologies prevent the government from gaining access to people's communications devices during investigations, and trade-offs do need to be made, a top DOJ official said Thursday. David Bitkower, principal deputy assistant attorney general, spoke during an Information Technology and Innovation Foundation (ITIF) panel discussion on the encryption issue that pitted him against five others, whom he described jokingly as ranging from "extremely opposed to the government's position to really extremely opposed to the government's position."
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
ITIF recently released a paper (see 1603140023) that provided an overview of the encryption debate and concluded that Congress should ban government efforts to install back doors. DOJ and the FBI abandoned their fight Monday against Apple over getting access to an iPhone used by one of the San Bernardino, California, mass shooters, after the government said it found another way to get into the phone (see 1603290059). The FBI, particularly Director James Comey, has often called the encryption problem for law enforcement "going dark." Bitkower described the problem repeatedly during the discussion as "warrant-proof encryption."
Bitkower, who didn't talk about the Apple court case, said trade-offs need to be made when it comes to encryption. "There's a certain wishful thinking that we can have it every which way and there is no trade-off to be had when you implement a certain type of encryption or other certain measures to protect data security," he said. "I think it's very important to recognize that there are trade-offs to be had." He also said that the ITIF's paper, like many others, understates the security and safety problem.
Ryan Hagemann, technology and civil liberties policy analyst at the Niskanen Center, pushed back on Bitkower's assessment. Hagemann said the FBI seems to be overstating the risks to public safety. Citing the 2014 U.S. Courts wiretap report, he said a total 3,554 federal and state wiretaps were issued, of which encryption was encountered in 22 cases and it was unbreakable in four cases. But he said law enforcement needs to prove its case and provide supporting data. "Until we see it, all I'm hearing is a lot of PR nonsense that isn't really getting to the heart of debate at hand here, which is whether or not that law enforcement has the tools it needs in the digital age ... to conduct investigations and see through the administration of justice."
Bitkower said that wiretap report that shows how many times law enforcement encounters encryption "is not a particularly good measure of the barriers that encryption has to live intercept because agents typically will not go through this ... effort as required under the law to establish a predication to seek and obtain a wiretap if they knew ahead of time that the provider's not likely going to be able to comply." He said a few years ago law enforcement may have been able to investigate and solve a case, but that it may not be able to do so now due to encryption. He dismissed the argument that terrorists and other criminals would use other encryption technologies if government weakens access to U.S. companies' encryption technologies. But he said many still use choose the same communications services because they are accessible, convenient and effective.
The problem isn't "going dark so much as going blindingly bright," said Bruce Heiman, a lead partner in K&L Gates' policy and regulatory practice. Law enforcement is "awash in information" but can't process it well, he explained. A lot of unencrypted information is available and Heiman suggested that the government should expand its crypto-analytic capabilities, build up a cyber forensic center, provide more training at the federal, state and local levels and make NSA's technological capabilities available for domestic crimes.
Heiman also said that he found it "hard to believe" that the NSA couldn't help the FBI crack the San Bernardino shooter's iPhone even though Comey had said that the agency used all available government resources to get access to the device. Heiman said that suggests "either the FBI asked the wrong part of NSA, maybe the NSA didn't tell them what they wanted to hear, or the FBI sort of equivocated at best with Congress. And the question is, why would they do that? Personally, I think because they had an exceedingly attractive legal case in this situation to establish a legal precedent that, in fact, companies had to do something at the government's insistence to go after and weaken security."
Morgan Reed, executive director of ACT|The App Association, said what most concerned him in the case was rather than DOJ "upping" its own game, it was requiring companies to alter their products. In DOJ's motion, he said the agency "lays out the case that it is not an undue burden for any company who is in the business of writing software to be requested to and have to modify their software. It doesn't say it's not an undue burden for Apple or exigent circumstances or anything else, it says it's not an undue burden."
This forces app makers -- many of which have fewer than 10 employees and lack significant in-house legal resources -- to go to court and possibly have to expose their software to third parties, putting an undue economic and business burden on them, said Reed. He added that the federal government's requirements wouldn't affect businesses outside the United States and would do nothing to alter the landscape.