In the wake of the Paris and San Bernardino terror attacks, a long-simmering debate over the security risks of terrorists using encryption has come to a boil. Speaking before Congress last week, FBI Director James Comey reiterated warnings that popular encrypted communication apps are making it difficult for law enforcement officials to monitor suspected criminals and terrorists.
“There’s no doubt that the use of encryption is part of terrorist tradecraft now because they understand the problems we have getting court orders to be effective when they’re using these mobile messaging apps that are end-to-end encrypted,” Comey told the Senate Judiciary Committee on Wednesday. “We see them talking about it all over the world—it is a feature, especially, of ISIL’s tradecraft.”
One suspect in the May shooting in Garland, Tex., where two men opened fire outside a controversial exhibit featuring cartoons of the Prophet Muhammad, had exchanged encrypted messages with a suspected terrorist overseas prior to the shooting, Comey told the committee. The Islamic State, also known as ISIL or ISIS, has reportedly taken credit for the shooting.
“He exchanged 109 messages with an overseas terrorist,” Comey said of the alleged gunman. “We have no idea what he said, because those messages were encrypted.”
The FBI director stopped short of calling for legislation to mandate that creators of encryption software provide ways for the government to decode data as it’s stored on disk or transmitted across the Internet, citing a decision by the Obama Administration this fall not to seek such a law.
But Comey did reiterate calls for the software industry to work with law enforcement on solutions to the problem, the latest in a continual back-and-forth between officials and tech companies like Apple and Google, as well as specialized security firms, who’ve said any government backdoor to decode encrypted data will leave their customers vulnerable to hackers.
“The government doesn’t want a backdoor—the government hopes to get to a point where if a judge issues an order, the company figures out a way to supply that information to the judge, and figures out on its own what would be the best way to do that,” Comey said. “The government shouldn’t be telling people how to operate their systems.”
Historically, authorities have been able to get court orders letting them access suspects’ communications. The Communications Assistance for Law Enforcement Act requires phone companies, including voice-over-IP providers, to cooperate with court-ordered wiretaps, and other laws govern other media, like postal mail and email. And when messages are sent unencrypted, as they historically have been, officials can simply copy them as they pass through the communications system.
But when messages are sent with software providing end-to-end encryption, or files are stored on a hard disk or cloud system after being encrypted with a password, ordinary eavesdropping isn’t enough, since the data looks like random noise without a valid decryption key. And the app makers and Internet providers involved simply don’t have access to the keys.
“On devices running iOS 8 and later versions, your personal data is placed under the protection of your passcode,” Apple tells customers. “For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.”
While software makers might be able to provide the government with backdoor-access to encrypted data, they’ve generally argued that doing so is a bad idea: it would defeat the purpose of the encryption software and leave their customers and their private information vulnerable to hackers who discover the backdoor.
“Encryption is really part of everyone’s daily life whether or not they know it, and creating backdoors in something that protects everybody from bad actors is not a good idea,” says Chris Hopfensperger, policy director at BSA – The Software Alliance, an industry group formerly called the Business Software Alliance.
Any backdoors would themselves be another tool for terrorists and criminals to exploit to gain access to sensitive information, argues Miller Newton, the CEO of data encryption firm PKWARE.
“I think that we have to strengthen our national security and one way to actually strengthen our security is to strengthen encryption and actually make its use more widespread, so that we do actually protect our national assets and infrastructure and commerce and everything that comes with it,” he says. “When I talk about strengthening encryption, it’s really about giving control of the sensitive information to the people and companies and agencies that own it, so that if they encrypt it at the source and they maintain the encryption key, it’s up to them whether or not it makes sense to turn that key over to anybody.”
In some cases courts have ordered users to turn over their encryption passwords, though such requests wouldn’t work in a traditional wiretap scenario, since they’d naturally let the targets know they’re being monitored.
And even if the government were to require backdoors in commercial encryption software, there’s no reason criminals and terrorists wouldn’t simply switch to using alternatives developed overseas or existing open source tools, experts argue.
“If you say let’s weaken it, then the criminals won’t use it—they’ll use something else,” says Newton, citing reports the Islamic State may be developing its own encrypted messaging app. “If you outlaw encryption, I promise you, only outlaws will have encryption.”
Still, some members of Congress have hinted they may push for limits on encryption tools, even in the absence of pressure from the Obama Administration.
“I’m going to seek legislation if nobody else is,” Sen. Dianne Feinstein, D-Calif., said in Wednesday’s hearing. Feinstein and Sen. Richard Burr, R-N.C., have previously said they’re exploring options for such legislation, though both their representatives declined to comment on specifics this week.
In the meantime, Comey told the Senate committee that law enforcement officials are gathering more data on how encryption has hampered their investigations and have been having productive conversations with tech companies about the situation.
Still, privacy groups like the Electronic Frontier Foundation have argued any compromise that allows government access to data will inevitably weaken privacy and data security. Neither law enforcement nor industry officials have been forthcoming about the nature of their discussions, citing the need for security.
“Law enforcement doesn’t want to divulge what they are doing to keep us safe, and companies don’t want their systems targeted, so it’s better to have those talks out of the spotlight,” says Hopfensperger.