Whether you believe law enforcement is “going dark” or we are in a “golden age of surveillance,” law enforcement faces serious challenges in identifying and accessing digital evidence that is available and important to their criminal investigations. Some of these problems are, no doubt, related to encryption and ephemerality of data – the two issues that have absorbed most of the national attention to date. But, in fact, the problems with digital evidence and digital technologies go far beyond those issues, as we detail in a new CSIS-issued report released today, Low-Hanging Fruit: Evidence Based Solutions to the Digital Evidence Challenge. (See also coverage of the report at the Washington Post.)
Over the past year, we conducted a series of interviews with federal, state and local law enforcement officials, attorneys, service providers, and civil society groups. We also commissioned a survey of law enforcement officers from across the country to better understand the full range of difficulties they are facing in accessing and using digital evidence in their cases.
We found that difficulties accessing and utilizing digital evidence affect more than a third of law enforcement cases – a percentage that we expect only to grow over time absent national attention to the issue. Accessing data from service providers – much of which is not encrypted – was described as the biggest problem that law enforcement currently faces in leveraging digital evidence. Specifically, more than 50% of our survey respondents reported that the biggest problem they face is identifying what data is available through service providers or getting the service providers to disclose that data.
These challenges ranked significantly higher than the challenge of accessing data from devices or interpreting and analyzing data that has been obtained.
This is a problem that has not received adequate attention or resources, particularly relative to the need. An array of federal and state training centers, crime labs, and other efforts have arisen to help fill the gaps, but they are able to fill only a fraction of the need. And there is no central entity responsible for monitoring these efforts, taking stock of the demand, and providing the assistance needed. The key federal entity with an explicit mission to assist state and local law enforcement officials in their use of digital evidence—the National Domestic Communications Assistance Center (NDCAC)—has a budget of $11.4 million, spread among several different programs designed to distribute knowledge about service providers policies and products, develop and share technical tools, and train law enforcement on new services and technologies, among other initiatives.
The good news is that these are problems that can be solved, or at the very least much better managed than they are now. Any workable solution will require renewed efforts from both law enforcement and service providers. It will require a national commitment, adequate resourcing, and a shift in policy. The costs are moderate and the payoffs likely large.
Specifically, we call for a new National Digital Evidence Policy, to be spearheaded by a National Digital Evidence Office, that will work with federal, state, and local law enforcement to track and respond trends and challenges, facilitate improved cooperation with service providers, and help disseminate knowledge and analytical tools that can assist in deciphering data that has been disclosed. This Office should also serve to promote transparency and accountability and ensure the protection of privacy and civil liberties, particularly with respect to new policies and novel uses of existing law. NDCAC or an equivalent entity should serve as a national training and technical support center within that Office – one that law enforcement agents from around the country can turn to for assistance and advice.
As we uncovered, the current model—pursuant to which each and every office is largely expected to develop and maintain its own expertise—is not sustainable. Even with an extraordinary increase in funding and training, it is not practical or possible for every one of the thousands of federal, state, and local law enforcement agencies across the country to have, within their own department, adequate access to all of the resources and expertise needed. It is possible, however, to effectively train agents and other relevant officials as to when expert advice or technical assistance is needed and where to go to seek it—so long as the training and expert assistance is widely available.
The report also calls on service providers to do more to support law enforcement. Specifically, the tech companies should commit to maintaining up-to-date law enforcement guidance and educating law enforcement on the kinds of data available, so as to avoid situations in which law enforcement has to guess what to request. This will in turn facilitate the submission of better and more tailored data requests from law enforcement, eliminating a major source of tension. These are steps that tech companies can and should take immediately. Several already have committed to doing so.
These are ideas that have received widespread support, including from former CIA Director John Brennan; former Deputy Attorney Generals, Larry Thompson and Jamie Gorelick; former FBI General Counsel Ken Wainstein; and former Boston Police Chief, Ed Davis. Former Deputy and Acting Director of the CIA Mike Morell describes the report as presenting “the real possibility of significant win-win solutions advancing both security and privacy.”
Difficult debates about encryption, data retention, and lawful hacking will continue, as they must. But there is much work that can and should be done in the interim, even as these discussions continue. Increased training, dissemination of technical tools, and better communication between law enforcement and service providers is needed no matter the outcome of the separate debates around encryption and related issues. So is a National Digital Policy Office that will elevate these discussions, ensure that policy is developed based on a full and fair assessment of the needs, and promote and protect privacy and civil liberties in the process.
This is what we call the low hanging fruit.