FBI director warns data encryption will take U.S. to 'very dark place'

FBI Director James Comey said he is concerned that law enforcement agencies will be increasingly stymied in their efforts to conduct lawful, court-ordered surveillance as mobile devices and online communications services allow users to decide who may and may not access their data.

Comey acknowledged that Americans are justifiably surprised about "the extent and nature of the surveillance being conducted in the name of the United States," as revealed in classified documents leaked by Edward Snowden. But Comey asserted that the "post-Snowden pendulum has swung too far in one direction," toward privacy protection and away from legitimate law enforcement requirements.

"Are we so mistrustful of government -- and of law enforcement -- that we are willing to let bad guys walk away, willing to leave victims in search of justice?" Comey asked in an Oct. 16 speech at the Brookings Institution in Washington.

Although federal law enforcement officials have long-standing concerns about encryption, Comey said he decided to speak out after recent announcements that Apple and Google are including end-to-end encryption as the default setting on mobile operating systems. Users of encrypted Apple iOS and Google Android devices can control access to data on their devices via encryption keys that the companies do not have access to and cannot override.

In his speech, Comey characterized that kind of ubiquitous encryption as "going dark" and said FBI agents and other law enforcement officials "have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so."

"If the challenges of real-time interception threaten to leave us in the dark, encryption threatens to lead all of us to a very dark place," he said.

Data at rest and in motion

Law enforcement faces two challenges.

First, the FBI wants to maintain its ability to acquire the content of live communications, or "data in motion." That includes conversations and exchanges of data as they take place across networks between surveillance targets, even as targets shift devices.

Second, investigators want to be able to obtain information stored on devices, or "data at rest." That category of data becomes unobtainable on an encrypted device if the manufacturer does not build in access for law enforcement and if the user does not back up that device to a cloud service that is subject to law enforcement subpoenas and warrants.

Comey sees two paths to solving the problem.

One method is to update the 1994 Communications Assistance for Law Enforcement Act (CALEA) -- which obliges telecommunications network providers to build in wiretap access for lawful surveillance orders -- to cover mobile operating systems and communications applications such as instant messaging, Skype, WhatsApp and others.

Comey also wants to see industry leaders such as Apple and Google retreat from their positions on user privacy and institute a method of access for law enforcement.

"There is a misconception that building a lawful intercept solution into a system requires a so-called back door, one that foreign adversaries and hackers may try to exploit," Comey said. "It makes more sense to address any security risks by developing intercept solutions during the design phase rather than resorting to a patchwork solution when law enforcement comes knocking after the fact."

"Ideally, I'd like to see CALEA written so that a communications provider has an obligation to build a lawful intercept capability into the product that they provide, not that we hold some universal key," he added.

Front door, back door

Privacy advocates and security experts argue that granting law enforcement access to encryption keys renders communications less secure.

"Whether the FBI calls it a front door or a back door, any effort by the FBI to weaken encryption leaves our highly personal information and our business information vulnerable to hacking by foreign governments and criminals," said Laura Murphy, director of the Washington legislative office of the American Civil Liberties Union. She noted that CALEA specifically permits companies to market encryption devices and services.

Although Comey professed a lack of technical knowledge during a question-and-answer period after his speech, he said, "I think there's risk with what I'm suggesting," but "it makes sense" given the risks that are heightened when bad actors have access to unbreakable or nearly unbreakable data encryption.

Those risks include potentially letting terrorist plots go undetected and allowing criminals to walk free because of an inability to access communications or data that establishes guilt. Comey also raised the specter that people might be successfully prosecuted for crimes they did not commit because information that could confirm their innocence was unobtainable.

Legislative action might be tough to come by, especially as Congress considers bills to build more transparency into the way intelligence agencies collect data on communications among U.S. citizens and others inside the country.

During Comey's speech, Sen. Ron Wyden (D-Ore.), a leading data privacy advocate, tweeted, "I oppose requiring companies to build back doors into their products."