Data-access tools still on wish list
Agencies reportedly pushing to mandate unlocking of devices
WASHINGTON — Federal law enforcement officials are renewing a push for a legal mandate that tech companies build tools into smartphones and other devices that would allow access to encrypted data in criminal investigations.
FBI and Justice Department officials have been quietly meeting with security researchers who have been working on approaches to provide such “extraordinary access” to encrypted devices, according to people familiar with the talks.
Based on that research, Justice Department officials are convinced that mechanisms allowing access to the data can be engineered without intolerably weakening the devices’ security against hacking.
Against that backdrop, law enforcement officials have revived talks inside the executive branch over whether to ask Congress to enact legislation mandating the access mechanisms. The White House circulated a memo last month among security and economic agencies outlining ways to think about solving the problem, officials said.
The FBI has been agitating for versions of such a mandate since 2010, complaining that the spreading use of encryption is eroding investigators’ ability to carry out wiretap orders and search warrants — a problem it calls “going dark.”
The issue repeatedly flared without resolution under former President Barack Obama’s administration, peaking in 2016, when the government tried to force Apple to help it break into the iPhone of one of the attackers in the terrorist assault in San Bernardino, Calif.
The debate receded when President Donald Trump’s administration took office, but in recent months, top officials like Rod Rosenstein, the deputy attorney general, and Christopher Wray, the FBI director, have begun talking publicly about the “going dark” problem.
The National Security Council and the Justice Department declined to comment about the internal deliberations. The people familiar with the talks spoke on the condition of anonymity, cautioning that they were at a preliminary stage and that no request for legislation was imminent.
But the renewed push is certain to be met with resistance.
“Building an exceptional access system is a complicated engineering problem with many parts that all have to work perfectly in order for it to be secure, and no one has a solution to it,” said Susan Landau, a Tufts University computer-security professor. “Any of the options people are talking about now would heighten the danger that your phone or your laptop could be hacked and data taken off of it.”
Craig Federighi, the senior vice president of software engineering at Apple, stressed the importance of strengthening — not weakening — security protections for products like the iPhone, saying threats to data security were increasing every day and arguing that it was a question of “security versus security” rather than security versus privacy.
“Proposals that involve giving the keys to customers’ device data to anyone but the customer inject new and dangerous weaknesses into product security,” he said in a statement. “Weakening security makes no sense when you consider that customers rely on our products to keep their personal information safe, run their businesses or even manage vital infrastructure like power grids and transportation systems.”
But some computer-security researchers believe the problem might be solvable with an acceptable level of new risks.
A National Academy of Sciences committee completed an 18-month study of the encryption debate, publishing a report last month. While it largely described challenges to solving the problem, one section cited presentations by several technologists who are developing potential approaches.
They included Ray Ozzie, a former chief software architect at Microsoft; Stefan Savage, a computer-science professor at the University of California, San Diego; and Ernie Brickell, a former chief security officer at Intel.
According to several people familiar with the new round of deliberations, those three men have been participating in a series of workshops convened at the Massachusetts Institute of Technology by Daniel Weitzner, a computer-science professor. They have discussed their research with government officials, including Valerie Cofield, a senior FBI science and technology official working on “going dark” issues.
The researchers, Ozzie said, recognized that “this issue is not going away,” and were trying to foster “constructive dialogue” rather than declaring that no solution is possible.
The deliberations shed new light on public remarks by Trump administration officials in recent months. In October, Rosenstein argued in a speech that permitting technology companies to create “warrant-proof encryption” was endangering society.
“Technology companies almost certainly will not develop responsible encryption if left to their own devices,” he said. “Competition will fuel a mindset that leads them to produce products that are more and more impregnable. That will give criminals and terrorists more opportunities to cause harm with impunity.”
And Wray has twice given speeches this year in which he pointed to Symphony, an encrypted messaging system for banks. Pushed by a state regulator, several banks agreed to give copies of their Symphony keys to law firms. Because Symphony keeps a copy of encrypted data on its servers, that arrangement created a backup means for investigators to gain access to the messages if necessary. “At the end, the data in Symphony was still secure, still encrypted, but also accessible to the regulators so they could do their jobs,” Wray said at a cybersecurity conference in Boston this month. “I’m confident that by working together and finding similar areas to agree and compromise, we can come up with solutions to the ‘going dark’ problem.”