Encrypted communications that law enforcement can’t break are a “threat to public safety” and simply negotiating with tech companies for a solution to the issue is “unlikely to work,” Deputy Attorney General Rod Rosenstein said Tuesday.
Rosenstein’s speech, effectively calling for a legal mandate ending what he called “warrant-proof encryption,” seemed likely to escalate tensions with the tech industry and privacy advocates, who have pushed back against previous government efforts to preserve access to encrypted data.
“A requirement to implement a solution could be applied thoughtfully, in the places where it is needed most,” Rosenstein said in a speech at the U.S. Naval Academy in Annapolis, Maryland. “Encrypted communications and devices pose the greatest threat to public safety when they are part of mass-market consumer devices and services that enable warrant-proof encryption by default.”
During his campaign, President Trump lashed out at Apple for refusing to help break into an encrypted iPhone owned by a suspect in the 2015 San Bernardino shooting, at one point even suggesting supporters boycott the company. The Federal Bureau of Investigation ultimately found another company that could get access to the phone. Tech companies have long said that enabling access to encrypted communications is too dangerous, since hackers looking to steal data could use any “back door” opened for government officials.
“The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers–including tens of millions of American citizens–from sophisticated hackers and cybercriminals,” Apple CEO Tim Cook said in a statement at the time. “The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.”
Apple didn’t immediately respond to a request for comment Tuesday.
Speaking to Fast Company, Tommy Ross, senior director for policy at BSA – The Software Alliance, expressed the industry group’s concerns about Rosenstein’s statements.
“Encryption is one of the real, rapidly evolving and increasingly important tools by which we keep our data secure,” he says. “Regulations that would mandate measures to in some way weaken that encryption cannot help but risk weakening the security of the data that the encryption is used to protect.”
In his speech, Rosenstein said tech companies will be unlikely to voluntarily provide access to data, since doing so would be unlikely to win them business.
“Company leaders may be willing to meet, but often they respond by criticizing the government and promising stronger encryption,” Rosenstein said Tuesday, appearing to reject the idea that voluntary compliance would be possible. “Of course they do. They are in the business of selling products and making money.”
Rosenstein’s remarks went further than previous comments he has made on the subject. Less than a week ago at the Cambridge Cyber Summit, a Boston-area conference, he called simply for a “candid public debate about the pros and cons of allowing companies to create lock boxes that cannot be opened by police and judges.” In an August speech, too, he still held out “hope that technology companies will work with us to stop criminals from defeating law enforcement” so a legal mandate would not be needed.
Ross disputed the idea that tech companies are unwilling to assist law enforcement.
“Law enforcement gets assistance from technology companies every day across a wide variety of investigations for a wide variety of evidence,” he says. “To me, it’s almost offensive to suggest that technology companies are holding out in terms of cooperating with law enforcement and that they don’t have a sense of civic duty–that’s ridiculous.”
The Justice Department isn’t currently offering a proposal for legislation on the subject and does remain open to discussions with tech companies, a spokeswoman said in an email to Fast Company.
The tech industry has previously critiqued proposals to require access to encrypted data. Last year, a coalition of industry groups wrote to the leaders of the Senate Intelligence Committee, warning that such proposals would endanger user security. They could also harm U.S. competitiveness, since they would drive customers to overseas software makers not bound by U.S. law, the groups warned.
“It is a global industry, and there are a lot of companies and individuals around the world developing encryption solutions that those types of mandates are unlikely to contain,” Ross says.
Rosenstein seemed to respond to that line of criticism in his Tuesday speech, saying even if restrictions don’t affect all software available worldwide, they could still help catch criminals using the most common digital tools.
“If only major providers refrain from making their products safe for terrorists and criminals, some sophisticated criminals may migrate to less-used platforms,” he said. “But any progress in preserving access to communications methods used by most criminals and terrorists would still be a major step forward.”
Tech companies have also made concessions to foreign governments, including those that censor internet access or infringe on human rights, he said.
“American technology providers sell products and services in foreign markets where the governments have questionable human rights records and enforce laws affording them access to customer data, without American due process or legal protections,” he said. “Surely those same companies and their engineers could help American law enforcement officers enforce court orders issued by American judges, pursuant to American rule of law principles.”