
James Comey’s Default-Encryption Bogeyman

FBI Director James Comey recently told the Senate Judiciary Committee that encryption routinely poses a problem for law enforcement. He stated that encryption has “moved from being available [only] to the sophisticated bad guy to being the default. So it’s now affecting every criminal investigation that folks engage in.”

This assertion may reflect a shift in the Director’s approach to trying to convince lawmakers to regulate the commercial availability of strong encryption. To date, the principal argument has been that encryption interferes with counterterrorism efforts. Federal officials asking for legislative intervention, or seeking to shame companies into maintaining security architectures that would not interfere with surveillance, generally invoke the fear of terrorist attacks. Such attacks, or the threat of them, can provoke cooperation or legislative action that would otherwise be difficult to effectuate. In August, for example, the intelligence community’s top lawyer suggested that a terror attack could be exploited to turn legislative opinion against strong encryption. And Comey’s testimony last month raised the specter of ISIL. He and other members of the intelligence community immediately mounted a full-court press against strong crypto following the tragedies in Paris and San Bernardino, even before investigators could conclude whether encrypted communications or devices played any role in either attack.

Proponents of strong encryption have long been suspicious of the claim that encryption interferes with counterterrorism investigations. Terrorism is quite rare in the US and encryption has never yet been shown to have thwarted investigations into any terrorist attacks that have taken place on US soil. This includes the May 2015 shooting in Garland, Texas that Comey has invoked. Comey points to the fact that one shooter exchanged encrypted text messages with “an overseas terrorist” shortly before the attack, but the FBI had already been monitoring one of the perpetrators for years and warned local authorities about him before the shooting. Plus, the FBI’s powerful ability to collect (unencrypted) metadata is the reason Comey knows the shooter sent those text messages.

Comey may be starting to recognize that his rationale for weakening encryption needs to hit closer to home if he hopes to persuade lawmakers and the American public. To that end, it looks like he, along with Manhattan District Attorney Cyrus Vance, is ready to argue that regular criminals — the kind more likely to prey on the general population — are getting away because of encryption.

What crimes, then, are law enforcement officials invoking in their latest calls for weakening encryption? If encryption affects “every” criminal investigation as Comey claims, you’d think that law enforcement would encounter encryption in investigations of the crimes it spends the most time and money working on. If so, then the majority of cases in which law enforcement encounters encryption should be drug cases. Statistically, the War on Drugs, not the War on Terror, would likely be the principal context in which mandatory encryption access for law enforcement would be used.

However, law enforcement’s anti-crypto advocacy hasn’t been focused on the War on Drugs. Much like Comey’s invocation of ISIL, other law enforcement leaders have asserted that the worst of the worst are the beneficiaries of strong security, focusing on murderers and sex offenders. Vance’s recent whitepaper, which calls for federal legislation mandating law enforcement access to encrypted devices, claims that iPhone device encryption using iOS 8 (which Apple cannot bypass) stymied the execution of around 111 search warrants in the space of a year. According to the report, those cases involved offenses including “homicide, attempted murder, sexual abuse of a child, sex trafficking, assault, and robbery.”

Vance’s list (which may or may not be comprehensive) is surprising. There is little overlap between the types of crimes where Vance claims Manhattan prosecutors encountered encryption, and the crimes which local and state law enforcement probably deal with most frequently. According to a newly-released FBI report, larceny, theft, assault, and drug offenses are the crimes most commonly reported by state and local law enforcement. Of those, only assault is on the Manhattan DA’s list. Drug crimes are not, even though drug arrests alone accounted for nearly a quarter of all arrests in Manhattan last year. By comparison, the other offenses on his list — homicide, robbery, sex crimes, and trafficking offenses — account for only a small fraction of reported crimes, according to the FBI report.

Not only are drug crimes common in the state and local context, they dominate the federal courts. Drug defendants are often arrested by local police, but prosecuted federally (which might help account for their absence from Vance’s list). Drug offenses top the federal courts’ most recent 12-month report on numbers of federal criminal defendants charged, by offense, which covers 17 offense categories. (The report doesn’t reflect investigations that are closed without a prosecution.) Similarly, the 2014 wiretap report, also issued by the federal courts, notes that a whopping 89 percent of all wiretaps (including 91 percent of federal wiretaps and 88 percent of state wiretaps) were for drug offenses. Homicide and assault (a combined category in the wiretap report) came in a distant second, at four percent. So one would expect that if there’s widespread use of encryption, it would proportionately impact drug crimes, and the homicide, assault, and other cases would be far behind.

State and federal wiretap statistics, combined with federal prosecution statistics, demonstrate that drug offenses are very high on law enforcement’s agenda — even as homicide clearance rates languish. And according to the FBI crime statistics report, drug offenses are one of the most commonly reported types of crime.

As more and more people carry smartphones that are encrypted by default, encountering device encryption becomes more likely to affect investigations where the crime is both common and a top law enforcement priority. That means drug offenses — and yet they are absent from Vance’s list. If you have concerns about the War on Drugs — and many people do because it is expensive, ineffectual, and disproportionately affects minorities, among other reasons — the War on Crypto is likely to make it worse.

We need more information about the facts underpinning the Manhattan DA’s report before we can say whether Vance has established a pressing law enforcement need for legislation. The report said that the office “was unable to execute” around 111 search warrants due to iOS 8 encryption. While 111 frustrated warrants may sound like a lot, that number doesn’t tell the full story. The report conspicuously fails to mention several important facts, such as whether prosecutors successfully pursued those cases using other evidence; the total number of search warrants issued for smartphones during the period cited; how many of those devices turned out to be encrypted; and of those, how many warrants were successfully executed nevertheless. If criminal investigations can succeed despite encryption, then device encryption’s detrimental impact on the public is marginal.

That’s already true for encryption of communications. 2014’s statistics for judicially-authorized wiretaps (which collect the contents of unencrypted phone calls and text messages in transit) show almost no adverse impact from encryption. Officials encountered encryption in 22 state court wiretaps out of a total of 2,275 — a sharp drop from 2013, when states came across 41 encrypted phones — and were unable to decipher plaintext in only two of the 22. For federal wiretaps, investigators encountered encryption in three wiretaps out of 1,279 total, of which two could not be decrypted.

When it comes to communications, Comey’s claim that encryption “affects every criminal investigation” is plainly an exaggeration. He and his colleagues have yet to show that the situation for devices is any different. So long as encryption has a negligible effect on law enforcement’s ability to do their jobs, their proposals to regulate encryption amount to a “solution” for a problem that doesn’t exist.

In the end, it’s the War on Drugs and other routine criminal investigations, not counterterrorism or “worst of the worst” criminal cases, that stand to benefit the most if Director Comey gets his wish for guaranteed access to the data on Americans’ encrypted smartphones. Yet officials cannily highlight ISIL recruitment, sex trafficking, and murder to promote their demands for weaker crypto, obscuring the lack of evidence that strong crypto in fact poses a significant problem for them.

This post draws a number of inferences from imperfect information, because comprehensive data about device encryption’s impact on law enforcement are simply not available. We don’t have the full picture of how law enforcement and intelligence agencies seek to compel or persuade tech companies to decrypt information for them (and on what legal authority), influence encryption standards, cooperate to share tools for bypassing crypto, or investigate crime by other means, including hacking tools. I’m researching these issues as part of the Stanford Center for Internet and Society’s Crypto Policy Project, and maybe they’ll also be considered by the crypto commission Congress plans to convene.

As Director Comey himself recently said, “without information, every single conversation in this country about policing and reform and justice is uninformed, and that is a very bad place to be.” Those words apply with equal force to the national conversation about encryption and law enforcement.


About the Author

is the Cryptography Fellow at the Stanford Center for Internet and Society. You can follow her on Twitter (@riana_crypto).