Former FBI cyber official cautions against weakening encryption laws

A former top cyber official at the FBI says weaker laws around encryption won't help law enforcement and could result in unacceptable collateral damage to industry and data security.

A former top cyber official at the FBI involved in the 2015 San Bernardino shooter investigation said he does not believe the Department of Justice needs weaker laws around encryption to do its job and that doing so would result in unacceptable collateral damage to industry and data security.

Robert Anderson, former executive assistant director for the criminal, cyber, response and services branch, said that when he was initially working on the San Bernardino shooting case, he could not understand why Apple was refusing to grant access to the shooter's iPhone. The FBI and intelligence community were worried that more attacks could be on the immediate horizon and faced intense pressure to gain access to the shooter's phone to mine it for leads on future threats.

In hindsight, Anderson, currently a principal at the Chertoff Group, called that viewpoint "myopic." After running global information security operations for a number of private-sector companies and dealing with the fallout from countless data breaches, he said he is now convinced that the economic and societal collateral damage from weakening encryption laws would far outweigh any benefits.

"The one thing that struck me immediately was the fiduciary responsibility for those companies that are being entrusted by the clients who have given them information," Anderson said at a Nov. 27 event hosted by think tank New America. "They were entrusted by those clients, whether it was a cell phone, whether it was a computer, whether it was an encrypted app … into a contract that says, 'I'm going to keep your data safe.'"

Further, he questioned whether the bureau even needed access to the shooter's phone in the first place, saying law enforcement has a number of other tools, such as subpoena power, to achieve the same goals without weakening the overall cybersecurity of devices and apps.

"When I step back and look at it three years later, I'm not sure that we couldn't have gotten that information from some other venue," Anderson said.

That argument is largely bolstered by a March 2018 report from the Department of Justice inspector general, which found that the FBI was in communication with vendors about a technical workaround to access the shooter's phone at the same time then-director Jim Comey was telling Congress that compelling Apple to provide access was the only viable option. The report also quotes Executive Assistant Director Amy Hess expressing concern that the head of the unit responsible for gaining access to the shooter's phone "did not seem to want to find a technical solution, and that perhaps he knew of a solution but remained silent in order to pursue his own agenda of obtaining a favorable court ruling against Apple."

Meanwhile, high-level officials for the FBI and DOJ continue to insist that a compromise solution, wherein law enforcement can gain access to a suspect's data when needed without building backdoors into devices and software, is possible.

"We will continue to work closely with technology companies to establish responsible practices that consider both privacy concerns and public safety imperatives," said Deputy Attorney General Rod Rosenstein in a Nov. 18 speech to the Interpol general assembly.

In January, FBI Director Christopher Wray said he doesn't "buy the claim that it's impossible" to achieve a compromise. However, cryptographers and sympathetic members of Congress have repeatedly questioned those claims. In a February hearing, Sen. Ron Wyden (D-Ore.) asked Wray for a list of cryptography experts the bureau consulted when arriving at its position. Wray declined to answer, both then and following the hearing, according to Wyden's office.

Critics of the government's push for a legislative mandate around encryption cite the need for greater education in Congress around the technical obstacles presented by DOJ's proposals. Some have called for reviving the Office of Technology Assessment, shuttered since 1995, to provide lawmakers with the kind of independent, authoritative analysis needed to cut through what has become a highly contentious debate.

A staffer for a Democratic member of the House speaking on background specifically cited the encryption debate as an area where OTA could help, telling FCW that FBI and DOJ officials tend to avoid diving into the technical details when talking to Congress or the public about the issue, leaving less technically inclined lawmakers and staffers with the impression that a compromise between government and industry is simply a matter of all sides working harder, rather than a mathematical impossibility.

"That's playing the politics, that's fine, it's a political town, that's what they're supposed to do," said the staffer. "But members don't have a way to evaluate the veracity" of competing claims from law enforcement and cryptographers, a role OTA was specifically created to fulfill.

Others caution about blowback, arguing that whatever rules a large nation like the United States establishes around encryption will have global consequences, potentially opening the door for other, more repressive governments around the world to insist on similar solutions.

"If you undermine encryption in Apple phones or in WhatsApp, every single other government is going to want to demand the same," said Cynthia Wong, senior researcher at Human Rights Watch. "And if companies have acquiesced to that [and] they've already re-engineered their systems, there's not that much they can do to really push back against those other requests."
