“Are we so mistrustful of government—and of law enforcement—that we are willing to let bad guys walk away...willing to leave victims in search of justice?” – FBI Director James Comey, Brookings, October 16, 2014
Strong encryption appears to be safe – for now. In Congressional testimony on Thursday, FBI Director James Comey told lawmakers that the Obama administration has decided not to push for legislation that would require companies to build intercept capabilities into their networks. The potential for a law mandating such capabilities, which are essentially backdoors into encrypted communications networks, caused significant outcry from industry leaders, academics, and civil liberties groups. While the debate between security and privacy appears to have quieted for the moment, this issue is far from resolved.
Comey has appeared before several Senate committees to explain exactly why strong encryption that lacks intercept capabilities is creating such a dire situation for law enforcement. Most recently, he told the Senate Committee on Homeland Security and Governmental Affairs that “changing forms of Internet communication and the use of encryption are posing real challenges to the FBI’s ability to fulfill its public safety and national security missions.” This is because information on systems that are strongly encrypted can only be decoded by the sender and receiver of the information. Law enforcement fears that if criminals and terrorists are able to hide their activities using encryption, it would become difficult or impossible to disrupt their activities and keep people safe. In order to maintain the security of the American people, Comey advocated for forcing companies to create access points for the government to use in the course of lawful investigations so that encrypted data would remain available.
On the other side of this debate are many experts from the tech industry, the cyber-security industry, privacy advocacy groups, and academia. Their arguments focus on four key themes. First, allowing the government access to encrypted networks creates vulnerabilities that other hackers – both state-sponsored and criminal – can exploit as well. According to the critics, requiring lawful intercept capabilities would make all communications less secure. Second, if U.S. companies started building in backdoors, then the bad actors would just switch to other communications platforms that didn’t have them. Third, the legislation advocated by Comey would make it more difficult for the U.S. to credibly resist attempts from other nations to do the same, an outcome which would also harm the security of American commercial networks. Finally, the critics believe creating backdoors is an invasion of privacy. These groups feel law enforcement has other means of acquiring the information it needs, and that the trade-off between privacy and security is not worth it.
So is the problem solved? In short, no. With Comey’s announcement, the debate has calmed down, but the core problem has not been settled. Comey has said that if intercept capabilities aren’t feasible, he would accept an alternative so long as it provided law enforcement with the same degree of access. While legislative actions will not be moving forward at this time, the tension between security and privacy remains as strong as ever, and it is unclear how law enforcement will get the type of access it says it needs. The Cipher Brief asked for an interview with Director Comey to discuss these issues in greater depth, but the FBI declined our request.
Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.