FBI Director James Comey gave a strong speech today (Oct. 16) explaining why law enforcement should have access to data on encrypted smartphones. But he failed to cite any examples in which such law-enforcement access could have made the difference between life and death.
"Technology has become the tool of choice for some very dangerous people," Comey told the audience at the Brookings Institution in Washington, D.C., in a speech entitled "Going Dark: Are Technology, Privacy, and Public Safety on a Collision Course?"
"Those charged with protecting our people aren't always able to access the evidence we need to prosecute crime and prevent terrorism," Comey said. "We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so."
For those reasons, Comey explained, the FBI is seriously concerned about the encryption features in Apple's and Google's latest mobile operating systems, both of which would render data on a phone inaccessible to anyone but the phone's authorized user. In law-enforcement slang, the data would "go dark."
"The information stored on many iPhones and other Apple devices will be encrypted by default," Comey said. "Google announced plans to follow suit with its Android operating system. This means the companies themselves won't be able to unlock phones, laptops and tablets to reveal photos, documents, e-mail and recordings stored within."
"Both companies are run by good people, responding to what they perceive is a market demand," he said. "But the place they are leading us is one we shouldn’t go to without careful thought and debate.
"If the challenges of real-time interception threaten to leave us in the dark," Comey said, "encryption threatens to lead all of us to a very dark place."
The Communications Assistance for Law Enforcement Act (CALEA) of 1994 mandates that telecommunications companies must give police the ability to listen in on telephone conversations. CALEA covers landlines and cellular carriers, and was expanded in 2004 to cover Voice over Internet Protocol (VoIP) providers and broadband Internet service providers.
For the past few years, the FBI has sought another expansion of CALEA, this time to gain access to encrypted Internet-based communications such as instant messaging and social networking. The White House has refused to act on the FBI's requests.
"If a suspected criminal is in his car, and he switches from cellular coverage to Wi-Fi, we may be out of luck," Comey said in his speech. "If he switches from one app to another, or from cellular voice service to a voice or messaging app, we may lose him."
"There will come a day — and it comes every day in this business," Comey said, "where it will matter a great deal to innocent people that we in law enforcement can't access certain types of data or information, even with legal authorization."
Comey made a distinction between monitoring "data in motion," which he defined as "real-time court-ordered interception of phone calls, e-mail and text messages and chat sessions," and examining "data at rest," or "court-ordered access to data stored on our devices, such as e-mail, text messages, photos and videos."
Accessing data in motion involves intercepting communications as they are made, similar to a wiretap, and would be clearly covered by an expansion of CALEA. Accessing data at rest involves examining archives of communications that have already taken place; such examinations are covered by search warrants and require no legal expansion.
Comey made clear that losing access to communications archived on cellphones was a primary concern. He cited four cases in which examination of data stored on cellphones was instrumental in winning convictions. Yet each example was far from ideal.
One case concerned the murder of a 12-year-old Louisiana boy, in which evidence on both the victim's and perpetrator's phones helped convict the killer. Comey didn't explain how decryption could have prevented the murder.
In another, GPS location data on a suspect's smartphone tied him to a fatal hit-and-run accident in Sacramento — but Comey didn't mention that cellular-tower triangulation and tower logs could have also put the suspect in the right time and place.
The two other cases involved archived text messages, which are not retained by cellular carriers for long, if at all. (The FBI has pushed for legislation that would compel carriers to retain text messages for two years.)
One involved a Los Angeles toddler beaten to death by her mother; text-message archives established that both parents knew of the crime and tried to cover it up. The other involved a Kansas City heroin ring whose organization was revealed from archived text messages on searched phones.
Comey did not say, however, that cellphone data had cracked cold cases or led to new suspects — it simply added to evidence against existing suspects.
Comey cited a fifth case, this one in Kansas, where a deleted cellphone video helped exonerate several men facing rape charges. He didn't make clear whether the phone in question belonged to one of the suspects -- who would have reason to unlock encrypted devices that could prove their innocence — or to someone else who might have been implicated instead.
In a question-and-answer session following his speech, Comey was asked if he could cite a specific case in which someone would not have been rescued as a result of cellphone encryption. He could not.
"It's time that the post-Snowden pendulum be seen as having swung too far in one direction," Comey said. "Have we become so suspicious of government, and of law enforcement, that we will let bad guys walk away?"
- 12 Mobile Privacy and Security Apps
- Can You Hide Anything from the NSA?
- 12 Computer-Security Mistakes You're Probably Making