FBI Director James Comey on Wednesday called for tech companies currently offering end-to-end encryption to reconsider their business model, and instead adopt encryption techniques that allow them to intercept and turn over communications to law enforcement when necessary.
End-to-end encryption, which is the state of the art in providing secure communications on the internet, has become increasingly common and desirable in the wake of NSA whistleblower Edward Snowden’s revelations about mass surveillance by the government.
Comey had previously argued that tech companies could somehow come up with a “solution” that allowed for government access but didn’t weaken security. Tech experts called this a “magic pony” and mocked him for his naivete.
Now, Comey said at a Senate Judiciary Committee hearing Wednesday morning, extensive conversations with tech companies have persuaded him that “it’s not a technical issue.”
“It is a business model question,” he said. “The question we have to ask is: Should they change their business model?”
Comey’s clear implication was that companies that think it’s a good business model to offer end-to-end encryption — or, like Apple, allow users to fully encrypt their iPhones — should roll those services back.
Comey and other government representatives have been pressuring companies like Apple and Google for many months in public hearings to find a way to provide law enforcement access to decrypted communications whenever there’s a lawful request. Deputy Attorney General Sally Quillian Yates said in a July hearing that some sort of mandate or legislation “may ultimately be necessary” to compel companies to comply, but insisted that wasn’t the DOJ’s desire. Now, there’s little pussyfooting about it.
“There are plenty of companies today that provide secure services to their customers and still comply with court orders,” he said. “There are plenty of folks who make good phones who are able to unlock them in response to a court order. In fact, the makers of phones that today can’t be unlocked, a year ago they could be unlocked.”
Comey indicated that these companies should be satisfied providing customers with encryption that allows for interception by the providers, who can then turn over the information to law enforcement.
Privacy experts say that the same holes in encryption that allow for authorized interception also allow for unauthorized interception — and therefore provide insufficient security.
Comey called on customers, who he said are becoming more aware of the “dangers” of encryption, to “speak to” phone companies and insist they’ll “keep using [their] phones” if they stopped offering the technology.
Comey acknowledged that encrypted apps would still exist. But, he said, encryption “by default” is the real problem. He told Sen. Mike Lee, R-Utah, that “I think there’s no way we solve this entire problem. … The sophisticated user could still find a way.”
That didn’t stop him from calling for an international standard for encryption technologies, however. Many popular encrypted applications are not U.S. based. Any action imposed on American companies would likely handicap them and lead customers to turn to overseas options.
“We have to remember limits of what we can do legislatively,” said Lee. “If we’re going to mandate that legislatively” — force companies to stop offering strong encryption — “it wouldn’t necessarily fix the problem,” he said.
For the first time, Comey made a specific allegation about encryption having interfered with an FBI terror investigation.
“In May, when two terrorists attempted to kill a whole lot of people in Garland, Texas, and were stopped by the action of great local law enforcement … that morning, before one of those terrorists left to try to commit mass murder, he exchanged 109 messages with an overseas terrorist. We have no idea what he said, because those messages were encrypted.”
“That is a big problem,” Comey said.
But in the Garland case, the FBI had been tracking one of the would-be attackers for months — and had alerted local police that he might be headed to a controversial anti-Muslim exhibition. But FBI surveillance didn’t stop Elton Simpson — the Garland Police Department did. The local police never got the FBI’s email.
Comey did not request specific legislation to compel companies to abandon end-to-end encryption, but told Sen. Dianne Feinstein, D-Calif., that he would like to see all companies responding to lawful requests for data. Feinstein offered to pursue legislation herself, citing fear that her grandchildren might start communicating with terrorists over encrypted PlayStation systems.
Toward the end of the hearing, Comey seemed to contradict his earlier comments urging companies to reconsider their business models. “I don’t want to tell them how to do their business,” he said. Then, moments later, he added that “there are costs to being an American business — you can’t pollute.” The implication there was that American businesses might need to comply with new standards regardless of what the rest of the world does — as if providing end-to-end encryption to protect the average person’s communications is the same as destroying the environment.
Technologists, privacy advocates, and journalists reacted on Twitter with confusion and frustration.
As more and more information emerges concerning the couple responsible for last week’s attack in California, it becomes increasingly evident that once again the FBI failed to use publicly available information to prevent this massacre from happening. You don’t need to hack into encoded communications to read a Facebook post or a Tweet, and the woman involved was posting about her radicalization and plans for more than a year before the two conducted their attack.
The FBI and their sister stooges of the so-called intelligence [sic] community [sic] continue to fail to understand what motivates people to commit these awful acts, and continue to play their silly cloak and dagger games, asking for more and more information when all they need is already available to them. This is partially an occupational hazard of spying: one has to wonder always whether the information obtained was deliberately planted, whether the other side knows that you know that they know that you know (ad infinitum), and partly by a combination of astounding technical ignorance by the people in charge coupled with a large measure of hubris and naive belief that technology can solve any problem.
They maintain, for instance, that given enough data and a powerful enough network of computers, they can find patterns that will enable them to unambiguously identify the world’s terrorists and enable timely intervention. This belief can only be explained by assuming that they know nothing about the potential pitfalls of the algorithms they use, which in no case involve exhaustion of all the possibilities, but rather seek locally optimum solutions which generally are not globally optimum. Not only that, but the very criteria that are programmed into these algorithms are necessarily qualitative; a small misjudgement or error results in false associations. I could go on but I hope you get the point. These people are idiots who fail to even understand the very first principle of computer science: garbage in, garbage out.
It’s time *somebody* told the fed police to quit whining and do their damn job. The more tech toys they get, the more distracted they become from doing basic, groundwork policing. At least the local police have people who still know how to do that effectively with no fed “assistance”.
We’ve seen cases where there was clear and plain notice that specific persons were up to no good and that information got “lost” somehow in the vast puzzle palace of competing federal police agencies which are proliferating like spring daisies in accordance with Parkinson’s Law. The bigger they get, the more incompetent and — therefore — the more dangerous.
For example, the feds were warned by the Russians that the elder of the Boston boys was up to no good — and nobody even bothered to ask them for more information. Presumably staff were too busy cruising social media sites seeking “evidence” (of something or other) to pay any attention to incoming international police warnings. Too low-tech. Boring.
Every federal agency now has to have its own police force to help blow out a bigger budget to do “more”. And with it, they manage to do less. The magic of bureaucracy. And they assure us they will do better with more money. Concrete results argue the contrary. They need fewer resources better focused on core competencies which can be better managed to a useful and lawful result.
Agents of the FBI, CIA, NSA, and every other three-letter bully organization paid for by taxpayers should be required to re-read the constitution in detail and explain precisely what they were thinking when they swore to defend it. This isn’t a village which can be saved by destroying it.
Yes!
If all they care about is metadata, what’s the big deal about encryption?
Nothing but distrust for FBI STASI.
Oh god, he doesn’t understand how device manufacturers could “unlock” devices “a year ago”, and can’t now?
But how can he then mention TrueCrypt, which clearly is not a hardware, or even an OS feature, as something users can employ for encryption?
I think he’s lying.
Coney is the same jackass who denied the slaughter at the Emanuel African Methodist Episcopal Church was terrorism.
Comey/Feinstein: two very ignorant individuals when it comes to topics such as encryption. These two do not know what the hell they are talking about. What the idiot doesn’t understand is if apple, google etc., decide to cave in most freedom loving people will simply use different technology not aligned with apple google, etc., making his entire premise bogus. Listen, yeah, in a free society, bad things are going to happen and bad people will get away. Does he not think our founders knew this? The founders knew very well but they feared more a tyrannical government with unlimited powers over the majority of the good people; kind of like what Comey and Feinstein want. Sorry Comey, i’ll take my chances with Liberty than false security.
And how much do you want to bet that Comey and friends will also demand an exception to the backdoor rule for themselves?
I call on Comey to kiss my pucker.
This whole things smacks of Comey pretending to be the daddy figure telling everyone, “Do as I say, not as I do.” It seems the ‘youngsters’ are “getting woke”, as they say, and he is now compelled to offer semi-veiled threats to the business community as well as wafting half-kneeling pleas in the general vicinity of Congress.
Time for us to get involved as much as humanly possible. To that end, a regular reader/commenter here forwarded an email received from We the People urging folks to add a comment at Whitehouse.gov. I know folks don’t think these things work, but I’d remind you that CISPA and other odious legislative efforts aimed at curbing our online rights and privacy were, in fact, defeated previously by public outcry. Here’s the link to the site:
https://www.whitehouse.gov/webform/share-your-thoughts-onstrong-encryption
And here is the comment that s/he offered others to use themselves and/or crib from in composing their own:
As usual, emptywheel proves Feinstein/Comey et al are buffoons…
https://twitter.com/emptywheel
The Comey specific takedown here:
https://www.emptywheel.net/2015/12/10/jim-comey-makes-bogus-claims-about-privacy-impact-of-electronic-communications-trasaction-record-requests/
The Feinstein specific takedown here:
https://www.emptywheel.net/2015/12/09/dianne-feinsteins-encrypted-playstation-nightmare/
In support of hellfire’s comment above, Marcy Wheeler is one of the best at getting down into the weeds on all things related to these issues (as well as much more). Her website is one I follow almost as closely as this one.
We tried that in the 90’s, and even though we use stronger encryption methods today, the fact that we offer backward compatibility to older systems means that we’ll be dealing with criminal fallout of export ciphers for decades. You see, not every device which uses encryption is a desktop computer. Some cannot have their firmware updated, because there is either no means to do so, or no business unit possessing the skills or desire to do it. So, if you mandate backdoor’ed encryption, that weak cipher gets put on embedded devices which linger for 30 years in some cases. Once the backdoor gets leaked, you simply cannot recall every possible device which has the backdoor, because often people simply don’t know which version of a cipher a product uses. So, congratulations; one legislative screw-up and Russians are pwning your wire transfers, industrial secrets, police databases, cellular communications, etc., for one generation’s entire adult life. That’s why Comey doesn’t want to “recommend” anything. He doesn’t want to be blamed for the fallout when it inevitably happens.
Comey knows full well the real problem based on his time as “Acting Attorney General” – we don’t trust our Government.
WRT infosec, the entire #USGOV is completely clueless. As a practitioner for over 20 years, I know that the value of a certification is worth more or less the paper on which it is written, but just for grins and giggles, I propose that anyone in Washington who is allowed to comment or vote on anything related to “cyber” must have a CISSP and a CISM and must justify their positions by describing the risk assessment process they used and the data they obtained that led them to their decision about why they are taking the position they are.
I’m confident that the certification requirement will serve to disqualify 90% of the pool. They are not capable of any response to any challenge other than a knee-jerk reaction. Requiring that they actually understand the problems and processes, and they are actually capable of actually conducting a risk assessment will disqualify all but a few.
And, IMHO, those who succeed deserve all of the support and backing they deserve . . .
Around 10-15 times as many American infants are killed by their impoverished parents each year as all Americans killed in terrorist attacks. Imagine what $53 billion could do to alleviate poverty and improve parenting.
And this amusing fact: you are about as likely to be crushed by your TV or furniture as to be killed in a terrorist attack.
There is no way no how I am ever going to believe these FBI/NSA/CIA/ETC. voyeurs are interested in saving lives.
I think the FBI is blowing smoke. They had the data, but it wasn’t an encryption problem. It’s a human problem. Too much data equals too much to sift through.
SNOWDEN: ARMED CITIZEN IN GARLAND DID WHAT SURVEILLANCE STATE COULDN’T
“One citizen with a gun protected what $53b spy budget did not”
https://twitter.com/Snowden/status/674625945660207104?ref_src=twsrc%5Etfw
Meanwhile, one of the “anti-gun” collectivists ..a State Senator no less.. reveals the hypocrisy inherent in all anti-gun collectivists…
http://wizbangblog.com/2015/07/26/anti-gun-senator-shoots-intruder-defends-himself-with-second-amendment/
And now……HE FACES PRISON TIME!!
Bwahahahahahahahahahahahahahahahahahahahahaha!
http://www.starnewsonline.com/article/20100107/ARTICLES/100109828
Irony of ironies
Maybe its time for the Executive Branch to reconsider its own business model.
No, that Business Model is time tested, its origins are older than the pyramids in Egypt
What I think that the companies are saying is that if we don’t offer end to end encryption, a foreign competitor will. Expect to see the US working behind the scenes with foreign security services and governments to erect laws in the US and our competing countries to outlaw this. When competitors of US companies can no longer offer encrypted services, there will be no competitive necessity for US companies to offer it. Sad but true. It will take them a while, I think, to make that happen. Hopefully I will be dead by then.
Why if this goes on and if future generations of lawmakers and judges were actually educated enough to be able to use personal computers without assistance then it’s possible that even lawmakers and judges might make themselves immune to spook spying and blackmail and then where would we be?
2016 is coming, folks. Comey is a fool we won’t have to endure much longer. Then it will be some other fool. I wish Comey were the last ‘enlightened’ bureaucratic asshat we had to deal with.
“Top Democratic senator will seek legislation to ‘pierce’ through encryption” = Sen. Feinstein
http://www.dailydot.com/politics/fbi-encryption-james-comey-tech-companies/
All of these people, Clinton, Feinstein, they all have a lot of money and private lives. Why the hell do they want to pare that away from people just like them and people not like them at all? Who do they believe they represent? People who *don’t* have privacy protections or human rights? Or do they represent a dot of 5 people who just really suck at the long game. People who have unprosecuted criminal records. People who would “destabilize continuity of government” by ..voting for someone who isn’t a Democrat or simply not them?
They may simply be mad at our ability, en masse, to knock them off the top of their greasy pole. Knocked down by people who barely read the news and who don’t really care about them, but the moment they speak up in a note of rational common sense or vote against them… well that’s a credible threat.
2016 is coming. Don’t give your power away to someone who will defeat you for cheap reasons. Thanks.
The FBI doesn’t make laptops.
When the FBI puts their guts and business ingenuity on the manufacturing line (foreign or domestic) to produce and make something like a laptop, a desktop or software or security preferences bent to consumers willing to pay large sums of cash for it, we consumers will consider it.
So far they don’t offer me any good laptop. They seek to take so much more away from people who have done nothing to them with no legal writ of substance.
I would not buy a laptop manufactured to the interests of the FBI. I would buy a laptop manufactured to my preferences.
Bull. What you’ll buy is a laptop made in China, because they’re all made in China. And presumably the Chinese, being better businessmen than Trump, have made a deal with the FBI. In Washington they’d say sloppy seconds are better than nothing.
It’s a shame what happened to Sony with that data dump fiasco earlier this year. Imagine what those North Koreans could do if someone gave them a computer. If that happens, the FBI may be only thing preventing the critical business secrets of American companies from being exposed online. It would be unfortunate if those companies were to make the FBI’s job more difficult by encouraging the use of encrypted data. However, I’m an optimist and believe the companies will, upon reflection, see the good sense of Mr. Comey’s suggestion.
I just watched CNN where Michael McCaul ,Homeland Security Chair was being interviewed by Blitzer.
He told Blitzer that ISIS has its own encryption app. That admission technically destroys Commie’s case for companies to allow for backdoor entries in their encryption software.
They can’t even coordinate the argument for the case against encryption.
So, this is one of those, “That’s a nice little business model you got there. You wouldn’t want something to happen to it, eh?”
From the same hearing.
http://www.dailydot.com/politics/fbi-encryption-james-comey-tech-companies/
Well, golly gee, DiFi, wouldn’t it be easier for you or the parents to just take a look at the kids’ PlayStation?
It’s not encrypted when it’s displayed on the screen there, you know — or, if it is, you probably shouldn’t worry; I promise you that strong encryption is not human-readable.
If we can’t have literacy tests for voters, would requiring them for senators be permitted?
@Doug Salzmann
It sounds like the rants of a madwoman, but it really is a wonderfully crafted metaphor.
The idea is that this predator has put her grandchildren under a spell–think ISIS recruiting–so the predator and child are both using encryption to hide from the parents.
This is not just about eliminating encryption, but also censoring the internet.
As her statement clearly documents, Diane Feinstein is totally clueless. A tool of the IC and MIC, she is. A limousine liberal, neo-lib, fascist war profiteer. But otherwise, probably a swell grandma.
There is no way to regulate end to end cryptographic solutions. Its use promotes free speech, the software code itself is free speech, you either have free speech or you don’t.
This (there’s no other way to say it) FUCKING JACKASS James Comey just doesn’t get it! And he is the “Director” of the FBI!!!
The latest assault on encryption by the police (and secret police) agencies of the U.S. would have done nothing to prevent the San Bernardino attack or anything similar.
“But in the Garland case, the FBI had been tracking one of the would-be attackers for months — and had alerted local police that he might be headed to a controversial anti-Muslim exhibition. But FBI surveillance didn’t stop Elton Simpson — the Garland Police Department did. The local police never got the FBI’s email.”
Really? The FBI doesn’t know how to use email? The entire FBI is just as stupid as Comey? Talk about knowing -just enough to be dangerous!
Time to quote the “Things you’d love to say at work but can’t” directed at the Director of the FBI:
#1 I can see your point, but I think you’re still full of shit.
#2 I don’t know what your problem is, but I’ll bet it’s hard to pronounce.
#8 Ahhhh..I see the screw-up fairy has visited us again.
#9 I like you. You remind me of when I was young and stupid.
#10 You are validating my inherent mistrust of strangers.
#11 I’m already visualizing the duct tape over your mouth.
#13 Thank you. We’re all refreshed and challenged by your unique point of view.
#22 If I throw a stick, will you leave?
And my favorite:
#4 I see you’ve set aside this special time to humiliate yourself in public.
The only thing (or things) that giving a backdoor to the FBI would accomplish would be to allow the secret police to monitor your every thought by prying into your e-mails, your internet searches (whatever you might spontaneously decide to search -at any given moment), and allow Romanian hackers (or any other hacker for that matter) to easily exploit your computer and your bank accounts (because they understand software and hacking much better than this novice James Comey or the Idiot FBI).
This moron is just the Donald Trump of the Majestic FBI! Knows nothing and spews out stupid bullshit, and gets paid for it with tax dollars!
I’ve said it before and I’ll say it again: The F.B.I. couldn’t find their ass crack with both hands! UNBELIEVABLE!
Since when is it law-enforcement’s job to lecture companies on their business model? As long as companies are operating ethically and within the law, it’s none of Comey’s business.
The U.S. government, including the FBI waltzed around the law of the land with jaw dropping agility leading up to the Snowden revelations. The FBI specifically participated in a scheme that was rooted in a parallel governance structure, unanswerable to the public and their elected representatives through ‘secrecy’, that had judicial warrants for access to communications issued in secret by a secret court, and with no adversarial process to represent an opposing view. These ‘rubber-stamp’ warrants or Letters as the majority of them were termed, were presented by FBI agents to individuals that could tell no one of the occurrence or even the existence of the Letter or face years in jail, thereby ensuring that the matter could never be challenged in court.
And now the head of the FBI has the brass to come before the nation and claim that a system of judicial warrants will protect the American public from abuse. They just don’t get how badly their reputation has been damaged by their patently duplicitous behavior and their efforts to move their agency out from under meaningful public control.
Next they’ll want to put a damn probe up everybody’s ass. A warrant should suffice, besides they probably can do it anyway, they’re just f***ing lazy. So how many more “freedoms” will I lose in my life? I, myself don’t need encryption, but if needed should be available for anyone in a “free” state. The new govt is so far to the right it just might go the cliff to a state only alluded to in my youth. I don’t know how to fight it, I’m getting older and can’t join protests as in the day, but I hope some youth’s do start a movement before it’s too late, but I’m not holding my breath.
Comey…the Gerald Ford of police.
The business model Comey wants to fix is the notion that the individual making the message is a customer. The individual is the product; the government is the customer; and for the proper lapdog, they may even pay the money.
But the real error in their business model is that they’re in the U.S. to start with. Instead of trying to catch up to the model above, which is what Facebook (the paragon of paragons) used to use, they need to queue up behind Zuckerman begging Xi Jinping to name their babies for them. Any HR person who suggests an American needs to be fired. They need to get their floating servers and their drones and take off for China. Everything legal in the U.S. will get you arrested in the U.S., but anything legal in China will be the standard for the rest of the world. Throw out their statues of Jefferson, put up pictures of Mao, work out a deal to let their U.S.-based merchandise disseminate their silly irredentist propaganda about random Chinese provinces among themselves (at least in English) to convince themselves they’re free.
I think this is all smokescreen.
Post Snowden, I have to wonder if encryption techniques that allow the Feds to intercept and turn over communications to law enforcement are already in existence, and enjoying heavy usage.
What, just because the federal government is snapping up those quantum computing thingies that are designed to handle the travelling salesman problem (i.e. NP-complete) at 100,000 times faster than a normal computer? http://www.pcworld.com/article/3013214/hardware/nasa-google-reveal-quantum-computing-leap.html
Science being what it is in the U.S., I’m sure they would have funded such a thing if it didn’t have direct application to surveillance. Not.
“Similar problems exist on space missions and in air traffic control modeling — both areas to which NASA devotes significant computing resources.” Hahaha! Yeah, and also on DE-ENCRYPTING BULK DATA!!!
Them sciency types call it the D-Wave 2X, but down here at the pointy end we call it the Wham-Jangler!
Geez. I only use a computer now because I am a) no longer an alcoholic who lives in a bar; and b) see a).
And they say drinking is bad for you…
It comes down to this: Cirrhosis and the occasional fistfight, or married life and being spied upon by fucking Yanks…?
Sorry for the confusion… this is a bit confusing. Basically, the D-Wave has been shown to be good at cracking the travelling salesman problem. That is a classic case of an “NP-complete” problem. Now if you read https://en.wikipedia.org/wiki/NP_%28complexity%29 maybe you can pick out that solving any one NP problem quickly is equivalent to solving them all quickly. And if you look up public key cryptography and then integer factorization … that’s an NP problem. So if the thing is optimized to solve NP problems… I’m guessing it’s not to figure out where to send salesmen.
Commie is manna from heaven to hackers and criminals alike.
I hope he remembers not to start wailing when hackers break into every govt and company’s data if his wishes of leaving the doors wide open ever come true.
You don’t protect large data sets through encryption (not primarily).
Comey’s being disingenuous again.
For almost all the companies and open-source projects that offer end-to-end encryption, the business model is *precisely* that they offer end-to-end encryption, since the alternatives have been shown to be insecure and have been exploited by criminals, advertisers, governments, leaks like Sony’s, leaks like Snowden’s, companies with good privacy policies getting bought by companies without them, etc.
Um, Comey: since you’re going to be losing your gig fairly soon, maybe it would be a good idea for you to start pushing your resume around to prospective employers – Hacking Team, for example.
“That’s a nice company you got there.
It’d be a shame if something were to uh…happen to it.”
No, what I think he meant to say was, “The question we have to ask is: Should they change their business model? Before they find a new business campus in a detention camp in Nevada somewhere?”
I like yours better!
FU usa_naziland & your ever increasing ‘need’ to control every single piece of information on this planet. It’s certainly not planet-america nor will it ever be! Jaybus they are just frenzied manics in the american government. Always dishing out fear & hatred whilst scooping up more funds to do the same catch-22 scenario of …wanting more funds & dishing out lies!
Don’t depend upon equipment or service providers, if you need/want end-to-end encryption; they cannot be trusted.
Do it yourself; the software is free, effective, endlessly scrutinized by experts for weaknesses and flaws (and promptly updated) and easily available. Start here:
GnuPG
Almost forgot: It’s much easier for the government and the bad guys (if there’s a difference) to steal your data in plain text format from a user or device at one end of a transmission or the other than it is to decrypt the encrypted message. So learn a bit about secure communications practices as well as encryption.
>endlessly scrutinized
Maybe by the NSA, but not by everyone else. OpenSSL, to use an example, didn’t get audited until after Heartbleed in 2014.
I don’t mean to discourage anyone from using encryption technologies as they do work effectively if properly used, but we must be aware that even free (as in libre) software can have bugs and flaws that can go unnoticed for a long time, possibly forever.
That being said, if you are serious about being secure against government adversaries, then free software is your only choice as most tech companies that make/use security software are either in bed with the governments of the territories in which they operate or can be compelled to hand over data.
“OpenSSL, to use an example, didn’t get audited until after Heartbleed in 2014.”
Not really true. It just wasn’t adequately audited and nor was it properly implemented by many developers.
I don’t mean to reject your note of caution, but, as you and I both say, free/open-source software and good operational security are the only sensible choices for people who need or want encrypted communications.
To put it simply and bluntly: If you trust Apple, Microsoft, any carrier, or any device manufacturer with your security, you’re a patsy.