NEW YORK — Newly installed FBI Director Christopher A. Wray laid out a forceful case for giving law enforcement agencies privileged access to encrypted devices and communications at the 2018 International Conference on Cyber Security at Fordham University Law School today (Jan. 9).
"In fiscal year 2017, we were unable to access the content of 7,775 devices" that were relevant to criminal cases, Wray said. "That's more than half of all the devices we attempted to access in that timeframe."
He called on technology companies to sit down with law enforcement to devise a workable solution, urging them to "come to the table with an idea of trying to find a solution — as opposed to trying to find a way to build systems to prevent a solution."
Law-enforcement access to U.S. residents' personal property is routinely and legally granted by court orders or warrants, and has been standard practice in American law for centuries. Likewise, the ability of law enforcement to open mail and listen to conversations, with narrowly targeted warrants, has long been legally sound.
But both practices have become very difficult in the past few years thanks to the virtually unbreakable encryption found in today's smartphones, computers and digital communications.
The FBI calls this sudden lack of access to vital evidence "going dark," and Wray's predecessor as FBI director, James B. Comey, personally stressed the issue during his tenure. Comey oversaw the best-known example of "going dark" when Apple refused to help the FBI in creating software that would break into the San Bernardino terrorist shooter's workplace iPhone.
Many information-security advocates argue that criminals could exploit law-enforcement "backdoors" into encryption standards, and others argue that the math involved rules out the possibility of selectively weakened encryption techniques, but Wray doesn't accept those explanations.
The FBI and other law-enforcement agencies, both in the U.S. and abroad, claim that this lack of access protects drug dealers, kidnappers, murderers and terrorists.
"As horrifying as 7,800 devices in one year sounds, it's going to be a lot worse in a couple of years if we don't find a responsible solution," Wray said. "We need to work fast [and] we need and want the private sector's help.
"We need to have companies comply with lawfully issued court orders," he added. "I just do not buy the claim that it's impossible."
Wray points out that American technology companies have routinely succeeded at overcoming barriers that seemed insurmountable — as long as the will was there.
"If we can develop driverless cars," he said, "surely we should be able to devise devices that both provide data security and permit lawful access with a court order. ... I reject the notion that there could be such a place that no matter what kind of lawful authority we have, we can't protect innocent citizens."
Even though Apple stonewalled the FBI in the San Bernardino shooter's case and others related to encrypted iPhones and iPads, the company has given the Chinese government access to Apple's new data center in that country. Apple has also removed some VPN apps from the iOS App Store in mainland China at government request.
Other tech companies have complied with similarly heavy-handed government demands in India, Russia and the Middle East. Yet those companies resist far less intrusive and more transparent U.S. government requests.
Such governments "operate a little differently than ours, to put it diplomatically," Wray said. "It strikes me as odd that American technology providers would grant broad access to user data to foreign governments that may lack all sorts of fundamental process and rule of law protections, while at the same time denying access to specific user data in countries like ours."
Wray offered an example of a successful compromise in a similar situation. He explained that Symphony, a heavily encrypted secure-messaging platform created and used by large investment banks and financial firms, caused concern for New York state regulators when it debuted in 2015. Symphony guaranteed that messages and data deleted by users would truly be erased from the entire system — and leave nothing for authorities to find.
"The four banks [subject to New York regulations] reached an agreement ... to keep a copy of all communications sent to or from them through Symphony for seven years," Wray said, and to also retain decryption keys for every message in case authorities might need them.
"Let me be clear: The FBI supports information security measures, including strong encryption," Wray said. "But information security programs need to be thoughtfully designed so they don't undermine the lawful tools we need to keep this country safe."
Best Identity Protection Services
Get it. IdentityForce UltraSecure+Credit is the best overall service for both credit monitoring and identity protection. It also protects your account with two-factor authentication.
LifeLock Ultimate Plus
It's worth it. Get LifeLock Ultimate Plus if you're very worried about having your identity stolen and you also need antivirus software. But you can get better credit monitoring for less with IdentityForce UltraSecure+Credit.
Identity Guard Platinum
Good, but not the best. Identity Guard isn't bad, but for about the same price, IdentityForce UltraSecure+Credit offers more comprehensive personal-data and credit-file monitoring.