Photo Credit: McAfee Blogs

FBI Director Chris Wray is following in predecessor James Comey's footsteps in joining the anti-encryption crusade. Though the FBI has admitted to distorting the number of encrypted devices it can't get into, in an interview at the Aspen Security Forum, Wray "hinted he was moving towards an anti-encryption legislative mandate," if a compromise couldn't be reached with tech companies:

"I think there should be [room for compromise]. I don't want to characterize private conversations we're having with people in the industry. We're not there yet for sure. And if we can't get there, there may be other remedies, like legislation, that would have to come to bear."

Techdirt wrote a  response to Director Wray’s statement:

"The 'compromise' Wray wants is simple: if law enforcement has a warrant, it gets access. The solution isn't. To weaken or backdoor encryption to serve law enforcement's needs makes everyone -- not just criminal suspects -- less safe. If a hole can be used by good guys, it can be used by bad guys. And even the best guys can't prevent their tech tools from making their way into the public domain. Just ask the NSA and CIA. In the case of the NSA, leaked exploits resulted in worldwide ransomware attacks.

Wray pitches an impossibility by portraying it as a lack of effort by the tech industry. The tech industry -- the one with all the 'brightest minds' -- have been consistent in their stance. A hole for one is a hole for all. There's no such thing as securely-compromised encryption. Wray's response has also been consistent: they're just not thinking hard enough. The only 'compromise' pitched by members of the tech sector is basically re-skinned key escrow -- the thing that went out of fashion with the death of the Clipper Chip.”

Director Wray also offered up the following non sequitur:

"We're a country that has unbelievable innovation. We put a man on the moon. We have the power of flight. We have autonomous vehicles… [T]he idea that we can't solve this problem as a society -- I just don't buy it."

Bob Anderson, who served for more than 30 years with the FBI, and is now a principal at The Chertoff Group , wrote in an article published in The Hill:

"The reality is that solid and technologically sound encryption systems are needed more than ever for data protection, data integrity, and confidentiality. At a time, for example, when voter databases are under assault from foreign actors, we need to be enhancing the integrity of our data systems, not reducing it. I have worked across the private and public sectors to strengthen cyber protections, responded to breaches, and understand how difficult it is to build secure and resilient systems—introducing new vulnerabilities only exacerbates these challenges. So, it is time to ask whether instead of engineering backdoors into encryption systems, are there other reasonable technological solutions available?"  

According to a recent study by The Center for Strategic and International Studies (CSIS) encryption is not the most critical issue facing law enforcement in the digital realm. CSIS's study includes a series of interviews with federal, state, and local law enforcement officials, attorneys, service providers, and civil society groups. They also commissioned a nationwide survey of law enforcement to better comprehend the full range of challenges they face in accessing and using digital evidence for their cases.

The CSIS study states: "Survey results indicate that accessing data from service providers -- much of which is not encrypted -- is the biggest problem that law enforcement currently faces in leveraging digital evidence."

Low-hanging fruit

Some of the findings in CSIS's report, Low-Hanging Fruit - Evidence-Based Solutions to the Digital Evidence Challenge:

  • Law enforcement officials reported having received barely any digital evidence training. Federal officials received the most training, but not all that much more than state police officers. Only 16 percent said their organizations scheduled training sessions at least twice per year.
  • "Law enforcement officials across federal, state, and local entities encounter difficulties in effectively accessing, analyzing, and utilizing digital evidence in over one-third of their cases that involve digital evidence—a problem that is likely to grow over time absent national attention to this problem."
  • The obstacles posed by encryption are just one aspect of the overall challenge in obtaining digital evidence.
  • "Our survey of federal, state, and local law enforcement officials suggests that challenges in accessing data from service providers—much of which is not encrypted—is the biggest problem that they currently face in terms of their ability to use digital evidence in their cases."
  • "Specifically, the inability to effectively identify which service providers have access to relevant data was ranked as the number-one obstacle in being able to effectively use digital evidence in particular cases."
Photo Credit:
  • "Difficulties in obtaining sought-after data from these providers was ranked as a close second. These challenges ranked significantly higher than any other challenges—including challenges associated with accessing data from devices or interpreting the data that has been obtained."
  • According to the survey, "only 58 percent of respondents felt their department has access to the resources, either internally or externally, needed to meet their digital evidence needs."
  • "The problems are particularly acute among local law enforcement. Just 45 percent of local law enforcement has, according to our survey, access to adequate digital evidence resources, whether within their own department or through larger state and federal departments and forensic labs."
  • "There are, to be sure, a number of resources and groups that provide advice and expertise on an ad hoc basis, many of which do exemplary work. But even just figuring out where to find this investigative, legal and technical expertise is an enormous challenge for investigators and prosecutors."
  • CSIS interviews "indicated a deep credibility gap on the part of both law enforcement and service providers that significantly undercut the ability of both sides to work with one another to facilitate lawful and legitimate access to data."
  • "Providers, for their part, described deep-seated frustration with what they viewed as overbroad and boilerplate requests from law enforcement. They argued that law enforcement does not appreciate their dual responsibility to provide lawful access to data for law enforcement and protect their users’ privacy."

Applying fixes to these issues will require a lot of effort and the employment of additional resources on the parts of law enforcement and providers. But, it is possible for law enforcement to gain and maintain the technical skills needed while also protecting civil liberties.

Bruce Schneier sums this up succinctly, saying "the FBI needs technical expertise, not backdoors."

Related Articles:

Company Pretends to Decrypt Ransomware But Just Pays Ransom

Tech Support Scams Using Multiple Obfuscation Methods to Bypass Detection

Microsoft Releases Info on Protecting BitLocker From DMA Attacks

Flaws in Popular SSD Drives Bypass Hardware Disk Encryption

Signal Upgrade Process Leaves Unencrypted Messages on Disk