As the Director of the National Counterterrorism Center, Matthew Olsen oversaw the integration and analysis of all intelligence related to terrorism. He recently co-authored a report for Harvard’s Berkman Center for Internet and Society about the ongoing encryption debate, and discussed the report with The Cipher Brief.
The Cipher Brief: Your report concluded that the “going dark” problem may be overstated. Can you tell us a little more about the report and its findings?
Matthew Olsen: First of all, the “going dark” problem is a real problem – the report makes that point clear. The FBI and other intelligence agencies have definitely lost access to communications and other sources of information because that information is now encrypted. There’s really no debate about that fact. And the trend towards increased encryption has made the FBI’s job more difficult. This is especially true for monitoring terrorists, like ISIS, but it’s also true for criminal investigations, like kidnappings. At Harvard, we generally agreed on that point.
What we tried to do in the paper was bring together a diverse group of people and to look at the problem a bit more broadly. We weren’t going to agree on a solution to the going dark problem or encryption, but we did agree on a couple of points that I think are helpful in putting the debate in perspective.
One is that there are general economic and technological trends that will help alleviate the challenge of encryption. First, we make the point that Internet companies depend on access to data for their business models, so these companies are not going to adopt encryption across the board. The key here is for these companies to step up, in my view, and to work with the government to provide access to the data they already have.
The second point we tried to make is that the explosion in network sensors, and the Internet of Things provides new channels for the government to collect information – both from a law enforcement and an intelligence perspective. As we looked ahead, we agreed that the proliferation of networked devices would open up new opportunities for the government to collect the information it needs. These new channels will help to mitigate the real loss of access due to encryption.
Our goal with this paper was not take sides in the debate over encryption. It was, rather, to look at the challenge that encryption creates, to think about the problem more broadly, and to find points of consensus among a very diverse set of perspectives.
TCB: You mentioned the profusion of sensor and network enabled objects that are coming about as a result of the Internet of Things (IoT), could you tell us a little more about that, and how it provides opportunities for surveillance?
MO: As a federal prosecutor, I worked for over a decade handling homicide and terrorism cases. Looking at the opportunities to collect information that would be useful in a criminal case or in terrorism investigations, it strikes me that there are a multitude of channels of information, particularly from networked sensors, that weren’t available 20 or 10 years ago. You can just think about the ways in which the devices like smart phones and the internet of things—whether it’s appliances or products, televisions, door locks, all the wearables that people use now—are all linked to the Internet. These all are potential sources of data that could be quite valuable in either an intelligence or a law enforcement investigation.
TCB: What’s the takeaway for the FBI here? Director James Comey has been very vocal about his concerns about encryption. How should law enforcement use the findings of this report to more effectively combat terrorism domestically?
MO: From my perspective, the first take away for the FBI is to keep pressing the argument that they’ve been making. Director Comey and officials at the Department of Justice are right to raise the encryption issue and put it front and center for public debate. I saw, firsthand, the same problem when I was the director at the National Counterterrorism Center (NCTC). We are losing access to terrorist communications because of encryption. ISIS is aggressively taking advantage of encrypted platforms to communicate and even just released a how-to manual on using encryption which included a 24/7 help desk capability. So there’s no doubt that ISIS is using encrypted channels to protect their communications and keep them out of the hands of law enforcement.
I think the FBI should continue to advance the argument and to work, as they have been, with the technology community to address this problem. I think that’s the right approach, and it’s what we’ve seen happening more recently, with the technology community. This engagement should enable the FBI and the rest of law enforcement to establish ways to gain effective access with lawful process to information in the possession of these companies. That’s been the FBI’s strategy, and I think it’s the right one.
The second take away is to be creative in thinking about new ways to obtain evidence and intelligence. If one channel goes dark because of encryption, what other channels are open? Again, because of the proliferation of network sensors and the Internet of Things, there are new opportunities for collection to mitigate the loss that is the result of encryption.
TCB: What about privacy concerns as they relate to the Internet of Things? Do you think private companies will push back against the government’s use of IoT information as they did over the encryption issue?
MO: I’ve been very encouraged by what I’ve observed over the last several months with the level of collaboration and discourse between the government and the technology community. It strikes me that we have crossed over into an environment where these important conversations are occurring. What do these companies collect? What can the government lawfully obtain? How can we work together to address the common problem that terrorists use these platforms to recruit, radicalize, and advance terrorist operations inside the United States? I think the trajectory is a positive one in terms of the level of cooperation.
I think at the same time, there are privacy concerns that are raised by the Internet of Things, just as there have been privacy concerns historically about the government’s ability to access telephone communications. And we have processes in place to help address those privacy concerns and to balance the privacy interests with the national security and law enforcement interests on the other side. Those processes will work for new technologies in the same way that they’ve worked for existing technologies, like the telephone. My view is that what we have in place to reconcile competing interests should be up to the task of dealing with those issues as they arise with new technologies.
TCB: Do you foresee that some of these technology companies associated with the Internet of Things will seek to get encryption on those devices, as telephones have now been encrypted?
MO: As we point out in the paper, there is a limit to what these companies will actually subject to encryption, because the business models for many of the companies depend on having access to clear text. I don’t think that encryption will be ubiquitous with the new ways in which they are collecting data. I think that will create opportunities for those companies to work with the government.