The FBI’s Anti‐Encryption Campaign
/p
div class=paragraph paragraph--type--text paragraph--view-mode--default paragraph--229728 fs-sm
pOn April 24, the FBI’s war against public key encryption technology—the kind many of us use for texting, emailing, and online banking—entered anbsp;new phase. The FBI published anbsp;a href=https://www.federalregister.gov/documents/2023/04/24/2023-08561/agency-information-collection-activities-proposed-ecollection-ecomments-requested-request-for-a-newnotice/a in the Federal Register seeking public comment on its proposal to “collect data on the volume of law enforcement investigations that are negatively impacted by device and software encryption.”/p
/div
,
div class=paragraph paragraph--type--text paragraph--view-mode--default paragraph--229729 fs-sm
pTellingly, the bureau is not asking state and local law enforcement agencies how many times they emwere/em able to get into cell phones, tablets, or computers despite the presence of encryption technology. This new, skewed “data collection” rule is designed to further the FBI’s longstanding “a href=https://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-coursegoing dark/a” narrative: that encryption is making the bureau’s job next to impossible in terms of fighting crime./p
pBut that’s anbsp;false narrative. And senior FBI officials will frequently say or do something that proves it so./p
pAt anbsp;public meeting held in 2016 at the National Academy of Sciences, then‐FBI General Counsel James Baker acknowledged that the bureau was able to get into locked mobile devices in its possession a href=https://www.vice.com/en/article/aekaqp/feds-can-unlock-most-devices-they-need-to-get-into-fbi-admits87 percent of the time/a./p
/div
,
aside class=aside--right aside--large paragraph paragraph--type--aside paragraph--view-mode--default paragraph--229731 aside
div class=paragraph paragraph--type--pullquote paragraph--view-mode--aside-nested paragraph--229730 pullquote p-mb-last-child-0
pThe loss of public key encryption service providers would make us all more vulnerable, both physically and financially./p
/div
/aside
,
div class=paragraph paragraph--type--text paragraph--view-mode--default paragraph--229732 fs-sm
pIn December 2020, the Department of Justice (DOJ) announced the international takedown of anbsp;criminal‐focused virtual private network in what the department dubbed “a href=https://www.justice.gov/usao-edmi/pr/us-law-enforcement-joins-international-partners-disrupt-vpn-service-used-facilitateOperation Nova/a.” The FBI worked withGermany, France, Switzerland, the Netherlands, and European Union’s police agency (Europol) in the operation./p
pIn June 2021, the FBI’s international a href=https://www.justice.gov/usao-sdca/pr/fbi-s-encrypted-phone-platform-infiltrated-hundreds-criminal-syndicates-result-massiveTrojan Shield/a operation, in which the bureau ran emits own/em encrypted device company called ANOM, resulted in more than 500 arrests globally and involved partners in Australia, New Zealand, Sweden, Lithuania, and the Netherlands, among others./p
pEven the FBI’s overseas partners are having success in cracking encryption and targeting encryption service providers. In February of this year, Dutch authorities announced they had a href=https://www.vice.com/en/article/wxnve9/dutch-police-read-messages-of-exclupenetrated and shut down/a another encrypted phone provider, Exclu./p
pMany major tech companies actually collude with the FBI and other law enforcement agencies, despite ritualistic pronouncements from them about their commitment to user privacy. In anbsp;December 2021 a href=https://www.justsecurity.org/79549/we-now-know-what-information-the-fbi-can-obtain-from-encrypted-messaging-apps/?utm_source=pocket_readerpiece/a on emJust Security/em, longtime security researcher Riana Pfefferkorn put it bluntly:/p
/div
,
blockquote class=paragraph paragraph--type--blockquote paragraph--view-mode--default paragraph--229733
div class=fs-lg
p“Given the FBI’s years‐long campaign against encryption, it makes anbsp;strange bedfellow to the encrypted service providers it has condemned by name in a href=https://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-coursepublic/a a href=https://www.fbi.gov/news/speeches/finding-a-way-forward-on-lawful-accessspeeches/a. But service providers and the FBI both benefit from anbsp;popular misconception that underestimates the user data available to investigators from certain [end‐to‐end encryption] services. That misapprehension simultaneously maintains the providers’ image in the eyes of privacy‐conscious users while upholding the FBI’s narrative that it’s “going dark” in criminal investigations due to encryption.”/p
/div
/blockquote
,
div class=paragraph paragraph--type--text paragraph--view-mode--default paragraph--229734 fs-sm
pThe phone‐cracking company Cellebrite actively a href=https://cellebrite.com/en/ufed/advertises/a its success in cracking encryption on Apple and Android devices,citing worldwide law enforcement partners. The very existence of such services undermines the entire rationale for a href=https://reason.com/2016/02/18/4-reasons-to-fear-encryption-back-doors/encryption “backdoors”/a—and the FBI’s new and misleading buzzword, “a href=https://www.justice.gov/olp/lawful-accesslawful access/a.”/p
pFurther, the FBI’s obsession with undermining public key encryption has the potential to put its own agents and staff at risk./p
pAs Moxie Marlinspike, the founder of the encrypted messenger app a href=https://signal.org/en/Signal/a, a href=https://signal.org/blog/cellebrite-vulnerabilities/noted/a in April 2021, Cellebrite’s own software is vulnerable to exploitation. Hostile intelligence services or drug cartels could manipulate the software to ensure any phones captured by Cellebrite’s law enforcement partners will, in turn, infect partners’ devices. The hunters would then become the prey./p
pThe bureau also faces fundamental legal and constitutional problems with trying to get Congress to help it compromise public key encryption./p
pIn its 1999 decision in a href=https://caselaw.findlaw.com/court/us-9th-circuit/1317290.htmlemBernstein v. DOJ et al/em/aem,/em the 9th Circuit Court of Appeals upheld district court rulings that said attempts by the Departments of State and Commerce to require licensing of encryption software represented an unconstitutional prior restraint on anbsp;professor’s speech—in effect ruling that “code equals speech.” The ruling referred specifically to the source code underpinning encryption software./p
pFurther, government attempts to statutorily mandate encryption “backdoors” involves forcing encryption service providers to build products that are, by definition, defective—creating an inherent liability risk that would be borne not by the government, but the encryption product/service providers. Setting aside questions of the legality of such legislation, if it were passed and actually upheld by federal courts, an encryption product company/service provider might elect to cease operations rather than run the risk of unwinnable consumer lawsuits under prevailing product liability laws./p
pThe loss of public key encryption service providers would make us all more vulnerable, both physically and financially. The notion that such “backdoors” could be kept safe in government or even corporate hands doesn’t pass the laugh test./p
pIndeed, there are only two kinds of I.T. systems on this planet: those that have been breached, and those that will be breached. It is difficult enough to write secure code or otherwise keep cyberattackers at bay without deliberately injecting vulnerabilities into the coding process. See the breaches of the a href=https://www.opm.gov/cybersecurity/cybersecurity-incidents/U.S. Office of Personnel Management/a, a href=https://www.energy.gov/ig/articles/special-report-ig-0900the Department of Energy/a, and a href=https://www.google.com/aclk?sa=lamp;ai=DChcSEwjPiemPv9n-AhV5J7MAHTnzCNwYABAAGgJ5bQamp;sig=AOD64_2yRQ_AVXxSDE6YdCJY5ZS90kfGFwamp;qamp;adurlamp;ved=2ahUKEwjIyeCPv9n-AhVEM1kFHQpDA5cQ0Qx6BAgIEAELastPass/a as examples./p
pThe American Founders a href=https://govbooktalk.gpo.gov/2010/11/05/secret-codes-and-the-founding-fathers/used encryption/a, sending secret messages incorporating codes only they knew. If the Founders thought public use of encryption was at odds with other principles of the Constitution, they would’ve included anbsp;ban on it or a “lawful access” provision in the Fourth Amendment. They didn’t./p
pIf Congress abets the FBI’s quest to destroy public key encryption in an effort to solve anbsp;discreet number of crimes, it will only make us all—including law enforcement officers and their families —more vulnerable to anbsp;vastly greater range of crimes in the future. That’s anbsp;tradeoff none of us can afford./p
/div