masterzphotofo - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Going dark: FBI continues effort to bypass encryption

The FBI's effort to gain access to encrypted devices and data has led to a standoff with technology companies, such as Apple. Here's where the 'going-dark' debate stands.

The FBI's ongoing effort to bypass encryption and its warnings about "going dark" show no signs of letting up -- even as major technology companies, such as Apple, push back.

Over the last year, FBI officials have made numerous public statements airing concerns about "going dark" -- the bureau's lack of technical ability to access legally intercepted communications and information. And the crux of the going-dark issue is encryption technology that protects targeted data and communications from prying eyes.

In the July congressional hearing, FBI Director James Comey discussed the state of national security in relation to encryption and the going-dark issue. "We cannot break strong encryption," Comey said during his testimony to Congress. "So, even if I get a court order under the Fourth Amendment to intercept that communication as it travels over the wires, I will get gobbledygook."

Other FBI officials have also expressed alarm at potentially increased use of encryption technology. At the recent 2015 IoT Security Summit in Boston, FBI CISO Arlette Hart said encryption technology keeps user data safe, but it's also used by "the bad people" to make sure their communications aren't interdicted by law enforcement. And during his keynote at the Advanced Cyber Security Center conference in Boston last month, FBI General Counsel James Baker said the bureau "can't get the fruits of surveillance" because of encryption.

The FBI has searched for ways to bypass encryption, including law requiring the installation of backdoor access points in technology products, but Comey recently told Congress that the FBI and the Obama administration are "not seeking legislation at this time."

But that game-plan shift hasn't dimmed the rhetoric of darkness, or the FBI's search to find ways to bypass encryption. Instead of backdoor access, intelligence agencies, such as the National Security Agency, have argued for "front-door access" via key escrow plans or split-key encryption, where the technology vendor or service provider retains half of a master key and law enforcement retains the other half -- meaning no one party can access user data without the other. But those plans have been shot down by security experts who said the technology isn't feasible in practical use.

Comey said he wants to encourage technology companies to find solutions to the going-dark problem, rather than force an approach on them. "We would like to emphasize that the going-dark problem is, at base, one of technological choices and capability," Comey said. "We are not asking to expand the government's surveillance authority, but rather we are asking to ensure that we can continue to obtain electronic information and evidence pursuant to the legal authority that Congress has provided to us to keep America safe."

But with technology companies increasingly handing encryption keys over to their customers, known as bring your own key or BYOK, search warrants compelling a software company or service provider to decrypt user data have been rendered useless.

Comey said encryption was always available over the last 20 years, but now it's become the default option for communications and data protection, accompanied by "an explosion in apps" that use the Internet. In essence, the FBI claims the government's ability to intercept communications, such as texts, emails and photos, is severely waning as encryption adoption grows -- which, Comey argues, makes it increasingly difficult to obtain critical evidence for court cases.

In a speech delivered to the Brookings Institute in Washington, D.C. last month, Comey specifically called out Apple, as well as Google, for creating products that the companies themselves couldn't unlock or decrypt. "Both companies are run by good people, responding to what they perceive is a market demand," Comey said of Apple and Google. "But the place they are leading us is one we shouldn't go to without careful thought and debate as a country."

The iOS encryption case

When Apple expanded iPhone encryption protection on its iOS 8 mobile platform last year, it caused concern among government officials -- notably, the FBI. This issue at hand is that devices running iOS 8 or higher can now only be unlocked by the user, as Apple no longer has the ability to unlock and decrypt devices.

Recently, a case involving an iOS device brewed new controversy in the going-dark debate. Last month, a federal magistrate judge questioned an application by the U.S. attorney's office in Brooklyn, N.Y. to order Apple to disable the security lock on an iOS device. The authorities had obtained a warrant to search the device, but couldn't access the encrypted data because it was locked.

In its response, Apple said it would be impossible to decrypt any iPhone running on an iOS 8 or higher, because the latest encryption in Apple's mobile operating system prevents anyone but the device's owner from acquiring access. However, the catch is the device in question was actually running iOS 7, and Apple admitted that it has the ability to extract "certain categories of unencrypted data from a passcode-locked iOS device," such as user-generated files for native iOS applications.

But Apple feels its integrity is on the line with the Department of Justice's requested order, and argued that forcing the company to extract data without customer consent would impale Apple's reputation and damage the trust it has with its loyal customers.

"Apple has taken a leadership role in the protection of its customers' personal data against any form of improper access," Apple's brief stated. "Forcing Apple to extract data in this case, absent clear legal authority to do so, could threaten the trust between Apple and its customers, and substantially tarnish the Apple brand."

The going dark tug-of-war

The standoff between technology companies and the U.S. government is heating up in the post-Snowden era.

A number of leading information security vendors have preached the value of strong encryption and criticized the government's effort to weaken it. Pam Kostka, CEO of Bluebox Security, a mobile security startup based in San Francisco, said government-mandated backdoor access would undoubtedly introduce vulnerabilities for operating systems, applications and cloud services that would defeat the purpose of using encryption in the first place. Even if technology companies gave the government keys to encryption, the company and its customers would have to give the government an astronomical degree of trust, which many people are not willing to do.

"The government shouldn't have backdoor access because then it's a backdoor for everyone," Kostka said. "I don't think encryption is going away anytime soon, despite [the government's efforts]."

The government shouldn't have backdoor access because then it's a backdoor for everyone.
Pam KostkaCEO of Bluebox Security

Along with security vendors and experts, technology giants, such as Apple and Google, have helped bring the issue to light by introducing stronger encryption measures for their mobile platforms and promoting their efforts to protect customer data and privacy. Apple CEO Tim Cook last year posted an open letter to customers on the company's website addressing privacy concerns. "I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services," Cook wrote. "We have also never allowed access to our servers. And we never will. Our commitment to protecting your privacy comes from a deep respect for our customers."

Cook also gave a speech during the Electronic Privacy Information Center's (EPIC) Champions of Freedom Awards event in June that sharply criticized the government's effort to weaken or bypass encryption and encouraged technology companies to do more to protect customer privacy. "Weakening encryption, or taking it away, harms good people that are using it for the right reasons," Cook said. "And ultimately, I believe it has a chilling effect on our First Amendment rights and undermines our country's founding principles."

But the technology industry's growing opposition poses a problem for law enforcement investigations. Recently, 16 prosecutors sent letters to the U.S. Senate Judiciary Committee requesting backdoor access to computing devices in order to obtain critical evidence for their investigations. And while the FBI has stepped back from its request for legislative action, it continues to talk up the potential threat of allowing citizens access to encryption tools that haven't been hobbled. Comey, for example, gave three separate congressional testimonies and one speech in the month of October alone that addressed the going-dark issue and encryption concerns. Comey has spoken at length about how terrorism has evolved with technology, and foes like ISIS can issue terrorist propaganda and communications at the speed of light via social media in order to recruit followers, radicalize unlawful citizens, plan attacks and execute acts of violence on U.S. soil. With access to encrypted devices and data, he has said, the government would be able to prevent terrorist attacks and protect U.S. citizens.

Not everyone in the federal government shares Comey's views, however. Following a cybersecurity-focused event held by the Council on Foreign Relations last month, Michael Hayden, the former director of the NSA, said he did not support Comey's demands for access to encrypted data and devices.

Although backdoor access would be used under strict supervision, it's always possible that the government's access could be abused. At least in mainstream media, not one security expert or computer engineer has stepped forward in support of government backdoor access.

In addition, a group of renowned computer scientists published a paper titled Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications. It predicts a gloomy outcome if the government is able to bypass encryption protect. "The complexity of today's Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard-to-detect security flaws," the scientists argued. "Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law."

Ryan Hagemann, a civil liberties policy analyst at the Niskanen Center in Washington, D.C., spoke about the economic benefits of encryption at the 2015 Cato Surveillance Conference last month. He argued that encryption protects Internet transactions and communications, and efforts to bypass encryption -- such as introducing backdoors and vulnerabilities in encryption protocols -- will jeopardize the trust people place in the digital economy.

"The Internet is the lifeblood of the modern digital economy," Hagemann said. "And if you accept that statement, then it goes almost without saying that encryption protocols are the white blood cells that essentially keep the system free from infection."

With the public's trust in the government on shaky ground after revelations about the NSA in 2013, granting access to encrypted data to agencies such as the FBI could prove to be a step too far. In a statement before the U.S. House of Representatives, Kevin S. Bankston, a policy director of New America's Open Technology Institute and co-director of New America's Cybersecurity Initiative, put the digital debate in physical, real-world terms. "The law has never prohibited the creation of unbreakable locks," he wrote, "nor required us to hand our keys over to the government just in case it might need them for an investigation, whether those keys are physical or digital."

Next Steps

The FBI has been accused of paying Carnegie Mellon $1 million to hack Tor network.

Find out why cloud services growth and government surveillance as in conflict.

Dig Deeper on Disk and file encryption tools

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What do you think about the government's effort to bypass encryption?

Going dark may lead us to the Dark Ages.

When most are only thinking about now and about making money, I understand pretty well the reluctance to create backdoor keys and trust with them governments that have systematically given us reasons not to. After all Governments are people and we all know what people are like.

Especially in a world where the obsession with making money by any means is paramount and encryption does facilitate the making of money by a multitude of means, I can see how a great lot of people will be against law enforcement agencies requests for access to encrypted data.

It would seem that for many, the amount of suffering and damage caused (mostly to others) by terrorist acts, increasingly enabled by the same solid encryption, in the wrong hands, is a price worth paying … today.

But when the time will come when increasing numbers of increasingly devastating terrorist attacks will be planned and delivered under the protection of this unbreakable encryption, people may change their minds but it will most certainly be too late with the Genie well and truly out of the bottle and Pandora's Box thrown wide open.

It will be just as futile as “not only crying over split milk but trying to put it back into the cow”…. (as some inspired person wrote somewhere and I wish I knew their name and could them with it).

If God forbid, the strongest advocates of unbreakable encryption were to have their interests threatened or, worse, their loved ones held hostages and the information key to freeing them would be protected by that same unbreakable encryption they now support, they would certainly wish they had seen the light before it was too late.

Unbreakable encryption is NOT something that should be indiscriminately given to just anybody, just because some companies want to be more admired by their customers and to sell more products (thus delivering better value to their share holders, which nowadays seems to be all that matters).
The Government is the LAST organization I would ever tolerate intruding into my Private Papers, devices, or communications. I now support encryption from end to end, including propriety.

I support the Katzin technique, which I know will make it impossible to intrude into data.
The FBI should be allowed to do WHATEVER they can to break encryption used in committing crimes.

It is not fair that I, as a normal citizen, can have my life totally invaded by hackers who have no problem stealing all my private information, listening to my phone calls, using my laptop and phone microphone to listen to all my conversations, hack my car gps, etc. WITHOUT ANY PROBLEM.......yet the FBI must go through tons of red tape to try to do the same is just not right!!!!!!!!!!
There was a time when I promoted unbreakable encryption. I was wrong, as Paris has proven. We have to trust someone with the key because our lives are quite literally at stake.

Perhaps there could be an exception of some sort for those rare corporations that must be dark for some exceptional reason. All the rest, however, must understand that everyone already knows they're fleecing their customers and screwing their competition.
Tough call. You need to give the law enforcement the tools to stop illegal activity. It's getting easier for crime and terrorists to go dark. On the flip side if you give them the key, they better protect them. We have seen government agencies get hacked. That would be all we need. Some hack them and get everyone's keys. Just another thing to lose sleep over.
There’s certainly a need, as the article points out. Still, they shouldn’t be given carte blanche.
In war, secure communications are a must for both sides, would the Government want backdoors in military, FBI, CIA and NSA applications too? I doubt it. If a specific group is the target, I would think the intelligence services should "spy" their way into obtaining the keys for that group of interest.

I think another concern is that if Government legislates access to keys or applications, then we will find technology off-shored in the same way the manufacturing moved from the country based on environmental laws and other increasing costs.
Apple and others are making a fundamental error in failing to distinguish broad surveillance activities from warrants. Privacy is not absolute and the Constitution makes that abundantly obvious. Warrants are the Fourth Amendment demand to hand over the keys.
Well, the NSA has shown just how untrustworthy government information gathering agencies are in reality. Mr. Snowden's revelations have resulted in strenuous push-back by manufacturers and individuals to protect their information from mass collection and analysis by the government. The obtaining of warrants to seize the information of specific individuals can be a perfectly legal process, but individuals are protected against self-incriminating, which means not handing over decryption keys to the government. The FBI needs to think harder about what it wants to find out about specific individuals without having having the ability to decrypt everyone's information.
The problem is that when the government obtains access to a person's private information "to combat terrorism" invariably we find other branches of government that access the same information for less lofty aims, i.e. for solving local petty crimes or serving civil warrants for breaches of law that do not have anything to do with fighting terrorism. The general public is afraid of this "mission creep" and does not trust the government.
2 General Reader

The FBI and other authorities have already admitted that when terror attacks occurred, they had the information in their possession to stop such attacks - they were just overwhelmed by the amount of information they have, and are unable to "connect the dots" in time to stop the attacks. Yet, they appear to believe that collecting more information is the answer to this problem.

My belief is that they should stop trying to collect all the information in the world, and instead spend their time analyzing that they have, and obtain a warrant when they need to collect new information.

The reason people do not trust the government is that they appear to believe laws and procedures do not apply to them - all they have to do is say, "national security" and they can operate outside the law.
death by data
Sounds like the same problem that governments have been facing, only now they publicly recognize that they need help from the industry.
Same story as IPv6

So we give the government keys to our private world...purchases, movies, literature.  And we trust that they will uphold the constitution...which by the way says "government if for the people", which they have eroded to people is for the government.  What's to keep the bad guys from breaking the weak encryption government wants.  After all didn't bitcoin just get breached?