Thoughts on Encryption and Going Dark: Part I

FBI Director James Comey has been on a public offensive of late, arguing against end-to-end encryption that prevents law enforcement access to communications even when authorities have appropriate legal process to capture those communications. The offensive began with a speech at Brookings some months ago. More recently, Comey made these comments on CNN, these comments in a private conversation with me, and wrote this piece for Lawfare.

Yesterday, he was on Capitol Hill, testifying both before the Senate Judiciary Committee (video at this link, prepared statement here) and before the Senate Select Committee on Intelligence (video below):

Comey made some news yesterday. For one thing, he stated very clearly to the Judiciary Committee—and with evident reluctance—that some of the encryption the bureau is now facing is beyond its capacity to crack:

[I]f we intercept data in motion between two encrypted devices or across an encrypted mobile messaging app and it's strongly encrypted, we can't break it.

Now, this is sometimes—I hate that I'm here saying this, but I actually think the problem is severe enough that I need to let the bad guys know that. That's the risk in what we're talking about here. The bad—I'm just confirming something for the bad guys.

Sometimes people watch TV and think, "Well, the FBI must have some way to break that strong encryption." We do not, which is why this is such an important issue.

At another point, he stated that while some companies have designed systems that they lack the capacity to decrypt, in other instances, some companies have simply declined to assist investigators in decrypting signal even where decryption was possible—a matter on which at least one senator fought further information. (See Comey's comments at 1:17:00 and his subsequent exchange with Senator Sheldon Whitehouse at 1:20:00 of the Judiciary Committee hearing.)

All in all, Comey's reception on the Hill was significantly warmer than I expected. The Bureau has clearly done a lot of quiet behind-the-scenes work with members to familiarize them with the problem as the FBI sees it, and many members yesterday seemed to require little persuasion.

But Comey has a very heavy lift ahead of him if he is to make progress on the "Going Dark" problem. For one thing, it's not entirely clear what constitutes progress from the Bureau's perspective. The administration is, at this stage, not asking for legislation, after all. It's merely describing an emergent problem.

But this is a bit of a feint. The core of that emergent problem, at least as Comey's joint statement with Deputy Attorney General Sally Yates frames it, is that CALEA—which mandates that telecommunications providers retain the capacity for law enforcement to get access to signal for lawful wiretapping—does not reach internet companies. So even if Apple and Google were to voluntarily retain encryption keys, some other actor would very likely not do so. Absent a legal requirement that companies refrain from making true end-to-end encrypted services available without a CALEA-like stop-gap, some entity will see a market hole and provide those services. And it's fair to assume that ISIS and the most sophisticated bad actors will gravitate in the direction of that service provider.

In other words, I think Comey and Yates inevitably are asking for legislation, at least in the longer term. The administration has decided not to seek it now, so the conversation is taking place at a somewhat higher level of abstraction than it would if there were a specific legislative proposal on the table. But the current discussion should be understood as an effort to begin building a legislative coalition for some sort of mandate that internet platform companies retain (or build) the ability to permit, with appropriate legal process, the capture and delivery to law enforcement and intelligence authorities of decrypted versions of the signals they carry.

This coalition does not exist yet, particularly not in the House of Representatives. But yesterday's hearings were striking in showing how successful Comey has been in the early phases of building it. A lot of members are clearly concerned already. That concern will likely grow if Comey is correct about the speed with which major investigative tools are weakening in their utility. And it could become a powerful force in the event an attack swings the pendulum away from civil libertarian orthodoxy.

In my next post, I'm going to turn to the very complicated merits of the question: How should we think about the Going Dark problem? Is Comey right to be building a coalition for legal changes that the civil liberties and tech communities so viscerally oppose? Or should investigators simply suck it up and accept the fact that some investigative tools don't last forever? And is there any middle ground here?