FBI Director James Comey on Wednesday called for tech companies currently offering end-to-end encryption to reconsider their business model, and instead adopt encryption techniques that allow them to intercept and turn over communications to law enforcement when necessary.
End-to-end encryption, which is the state of the art in providing secure communications on the internet, has become increasingly common and desirable in the wake of NSA whistleblower Edward Snowden’s revelations about mass surveillance by the government.
Comey had previously argued that tech companies could somehow come up with a “solution” that allowed for government access but didn’t weaken security. Tech experts called this a “magic pony” and mocked him for his naivete.
Now, Comey said at a Senate Judiciary Committee hearing Wednesday morning, extensive conversations with tech companies have persuaded him that “it’s not a technical issue.”
“It is a business model question,” he said. “The question we have to ask is: Should they change their business model?”
Comey’s clear implication was that companies that think it’s a good business model to offer end-to-end encryption — or, like Apple, allow users to fully encrypt their iPhones — should roll those services back.
Comey and other government representatives have been pressuring companies like Apple and Google for many months in public hearings to find a way to provide law enforcement access to decrypted communications whenever there’s a lawful request. Deputy Attorney General Sally Quillian Yates said in a July hearing that some sort of mandate or legislation “may ultimately be necessary” to compel companies to comply, but insisted that wasn’t the DOJ’s desire. Now, there’s little pussyfooting about it.
“There are plenty of companies today that provide secure services to their customers and still comply with court orders,” he said. “There are plenty of folks who make good phones who are able to unlock them in response to a court order. In fact, the makers of phones that today can’t be unlocked, a year ago they could be unlocked.”
Comey indicated that these companies should be satisfied providing customers with encryption that allows for interception by the providers, who can then turn over the information to law enforcement.
Privacy experts say that the same holes in encryption that allow for authorized interception also allow for unauthorized interception — and therefore provide insufficient security.
Comey called on customers, who he said are becoming more aware of the “dangers” of encryption, to “speak to” phone companies and insist they’ll “keep using [their] phones” if they stopped offering the technology.
Comey acknowledged that encrypted apps would still exist. But, he said, encryption “by default” is the real problem. He told Sen. Mike Lee, R-Utah, that “I think there’s no way we solve this entire problem. … The sophisticated user could still find a way.”
That didn’t stop him from calling for an international standard for encryption technologies, however. Many popular encrypted applications are not U.S. based. Any action imposed on American companies would likely handicap them and lead customers to turn to overseas options.
“We have to remember limits of what we can do legislatively,” said Lee. “If we’re going to mandate that legislatively” — force companies to stop offering strong encryption — “it wouldn’t necessarily fix the problem,” he said.
For the first time, Comey made a specific allegation about encryption having interfered with an FBI terror investigation.
“In May, when two terrorists attempted to kill a whole lot of people in Garland, Texas, and were stopped by the action of great local law enforcement … that morning, before one of those terrorists left to try to commit mass murder, he exchanged 109 messages with an overseas terrorist. We have no idea what he said, because those messages were encrypted.”
“That is a big problem,” Comey said.
But in the Garland case, the FBI had been tracking one of the would-be attackers for months — and had alerted local police that he might be headed to a controversial anti-Muslim exhibition. But FBI surveillance didn’t stop Elton Simpson — the Garland Police Department did. The local police never got the FBI’s email.
Comey did not request specific legislation to compel companies to abandon end-to-end encryption, but told Sen. Dianne Feinstein, D-Calif., that he would like to see all companies responding to lawful requests for data. Feinstein offered to pursue legislation herself, citing fear that her grandchildren might start communicating with terrorists over encrypted PlayStation systems.
Toward the end of the hearing, Comey seemed to contradict his earlier comments urging companies to reconsider their business models. “I don’t want to tell them how to do their business,” he said. Then, moments later, he added that “there are costs to being an American business — you can’t pollute.” The implication there was that American businesses might need to comply with new standards regardless of what the rest of the world does — as if providing end-to-end encryption to protect the average person’s communications is the same as destroying the environment.
Technologists, privacy advocates, and journalists reacted on Twitter with confusion and frustration.