Marshall Erwin on the FBI's "Going Slowly"

Over at Just Security, Marshall Erwin has an excellent article entitled, "The FBI’s Problem Isn’t 'Going Dark.' Its Problem is Going Slowly." I'm not sure how much of Erwin's argument I agree with—definitely some, but not all—but his piece is thoughtful and informative and makes a number of good points.

Some highlights:

The data available for collection by law enforcement authorities (LEAs) has expanded steadily over the last decade. One might therefore think that the growing use of encryption means LEAs are losing what they have only recently gained. iPhones are a good example; we now store masses of data about ourselves on these devices that weren’t available to the FBI as recently as 2007, when they were first introduced. In cases like this, new technology has an additive quality; it presents additional surveillance opportunities not available previously. And for these cases, a loss of access might in fact represent a return to an earlier status quo.

This argument doesn’t always hold up, however, because surveillance targets’ communications methods have not remained static. Law enforcement and the intelligence community have moved to take advantage of the golden age of surveillance at a time when their targets have also taken advantage of the benefits of modern technologies to self-organize, communicate, and plan their activities.

To use a simple example, imagine that a terrorist group is using text messages to plan their attacks and that those texts generate huge amounts of data for the FBI. Before they began using text messages, that group planned its attacks over voice calls that could be tapped by the FBI. In this case, the collection of huge numbers of text messages doesn’t represent an expansion of surveillance. Rather, it is the same surveillance facilitated by very different technology. Now, imagine that the group begins to use an end-to-end encrypted messaging service to plan its attacks. In that case, the FBI will experience a net loss of capabilities compared to when it could tap voice calls, rather than a return to an earlier status quo.

. . .

Cybersecurity experts often remark that the attack surface — the sum of points from which an attacker can gain unauthorized entry — for modern computing systems is very large. In the context of surveillance, each point on the attack surface is a point from which the attacker might collect data about its target. The golden age will benefit those agencies with the resources, capabilities, and time necessary to attack multiple points on that attack surface. That’s basically the NSA.

The FBI, by comparison, doesn’t have those resources, capabilities, or time. To its own detriment, the Bureau remains focused on a single point on the attack surface — the point from which data and communications are available through requests to companies. That approach will provide access to a large amount of data but will also leave the Bureau out of luck whenever that single point on the attack surface closes.

Further, the golden age will increasingly favor access to metadata and other forms of data at rest over data in transit and access to real-time communications content. So if the Bureau wants to know who called whom, it will be in good shape. But it won’t always be able to figure out who said what. It might be able to map out an Islamic State network using WhatsApp metadata but it won’t know what those members are saying to one another.

For an agency whose bread and butter is probably still its ability to intercept real-time communications, the growing use of encryption for data in transit represents a big loss.

. . . third, the golden age of surveillance will likely favor breadth of access over speed of access.

If you speak to law enforcement officials about the challenges they are facing, the term that comes up over and over again is “scale.” By that, those officials mean they lack plug-and-play surveillance tools that can be utilized quickly against a standard set of targets. This gets to the crux of the Bureau’s challenges. It is time, rather than access, that is in shorter supply because every target requires a more tailored solution. Thus, the FBI isn’t really going dark. Rather, it is going slowly.

It takes time to figure out how to exploit other points on the attack surface — to identify vulnerabilities on a target’s device and develop sophisticated, tailored access capabilities to exploit those vulnerabilities. It takes time to deploy tactical surveillance teams once a target has been identified. Whenever the Bureau encounters a new app, it takes time to understand that app’s privacy and security properties and to understand what data it should request from the relevant company. That company might very well be run by a few people in their garage, so it will take time for them to process the FBI’s request and figure out what data, if any, they should turn over.

The challenge for the FBI is not that it lacks the means to gather sufficient information about its targets. With time, the FBI today should be able to gather far more information about its targets than it ever could before. That’s how the golden age of surveillance works in practice. The challenge is that it lacks the means to gather that information on a consistently short timescale.

Very worth reading in full.