masterzphotofo - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Going dark: FBI continues effort to bypass encryption

The FBI's effort to gain access to encrypted devices and data has led to a standoff with technology companies, such as Apple. Here's where the 'going-dark' debate stands.

The FBI's ongoing effort to bypass encryption and its warnings about "going dark" show no signs of letting up -- even as major technology companies, such as Apple, push back.

Over the last year, FBI officials have made numerous public statements airing concerns about "going dark" -- the bureau's lack of technical ability to access legally intercepted communications and information. And the crux of the going-dark issue is encryption technology that protects targeted data and communications from prying eyes.

In the July congressional hearing, FBI Director James Comey discussed the state of national security in relation to encryption and the going-dark issue. "We cannot break strong encryption," Comey said during his testimony to Congress. "So, even if I get a court order under the Fourth Amendment to intercept that communication as it travels over the wires, I will get gobbledygook."

Other FBI officials have also expressed alarm at potentially increased use of encryption technology. At the recent 2015 IoT Security Summit in Boston, FBI CISO Arlette Hart said encryption technology keeps user data safe, but it's also used by "the bad people" to make sure their communications aren't interdicted by law enforcement. And during his keynote at the Advanced Cyber Security Center conference in Boston last month, FBI General Counsel James Baker said the bureau "can't get the fruits of surveillance" because of encryption.

The FBI has searched for ways to bypass encryption, including law requiring the installation of backdoor access points in technology products, but Comey recently told Congress that the FBI and the Obama administration are "not seeking legislation at this time."

But that game-plan shift hasn't dimmed the rhetoric of darkness, or the FBI's search to find ways to bypass encryption. Instead of backdoor access, intelligence agencies, such as the National Security Agency, have argued for "front-door access" via key escrow plans or split-key encryption, where the technology vendor or service provider retains half of a master key and law enforcement retains the other half -- meaning no one party can access user data without the other. But those plans have been shot down by security experts who said the technology isn't feasible in practical use.

Comey said he wants to encourage technology companies to find solutions to the going-dark problem, rather than force an approach on them. "We would like to emphasize that the going-dark problem is, at base, one of technological choices and capability," Comey said. "We are not asking to expand the government's surveillance authority, but rather we are asking to ensure that we can continue to obtain electronic information and evidence pursuant to the legal authority that Congress has provided to us to keep America safe."

But with technology companies increasingly handing encryption keys over to their customers, known as bring your own key or BYOK, search warrants compelling a software company or service provider to decrypt user data have been rendered useless.

Comey said encryption was always available over the last 20 years, but now it's become the default option for communications and data protection, accompanied by "an explosion in apps" that use the Internet. In essence, the FBI claims the government's ability to intercept communications, such as texts, emails and photos, is severely waning as encryption adoption grows -- which, Comey argues, makes it increasingly difficult to obtain critical evidence for court cases.

In a speech delivered to the Brookings Institute in Washington, D.C. last month, Comey specifically called out Apple, as well as Google, for creating products that the companies themselves couldn't unlock or decrypt. "Both companies are run by good people, responding to what they perceive is a market demand," Comey said of Apple and Google. "But the place they are leading us is one we shouldn't go to without careful thought and debate as a country."

The iOS encryption case

When Apple expanded iPhone encryption protection on its iOS 8 mobile platform last year, it caused concern among government officials -- notably, the FBI. This issue at hand is that devices running iOS 8 or higher can now only be unlocked by the user, as Apple no longer has the ability to unlock and decrypt devices.

Recently, a case involving an iOS device brewed new controversy in the going-dark debate. Last month, a federal magistrate judge questioned an application by the U.S. attorney's office in Brooklyn, N.Y. to order Apple to disable the security lock on an iOS device. The authorities had obtained a warrant to search the device, but couldn't access the encrypted data because it was locked.

In its response, Apple said it would be impossible to decrypt any iPhone running on an iOS 8 or higher, because the latest encryption in Apple's mobile operating system prevents anyone but the device's owner from acquiring access. However, the catch is the device in question was actually running iOS 7, and Apple admitted that it has the ability to extract "certain categories of unencrypted data from a passcode-locked iOS device," such as user-generated files for native iOS applications.

But Apple feels its integrity is on the line with the Department of Justice's requested order, and argued that forcing the company to extract data without customer consent would impale Apple's reputation and damage the trust it has with its loyal customers.

"Apple has taken a leadership role in the protection of its customers' personal data against any form of improper access," Apple's brief stated. "Forcing Apple to extract data in this case, absent clear legal authority to do so, could threaten the trust between Apple and its customers, and substantially tarnish the Apple brand."

The going dark tug-of-war

The standoff between technology companies and the U.S. government is heating up in the post-Snowden era.

A number of leading information security vendors have preached the value of strong encryption and criticized the government's effort to weaken it. Pam Kostka, CEO of Bluebox Security, a mobile security startup based in San Francisco, said government-mandated backdoor access would undoubtedly introduce vulnerabilities for operating systems, applications and cloud services that would defeat the purpose of using encryption in the first place. Even if technology companies gave the government keys to encryption, the company and its customers would have to give the government an astronomical degree of trust, which many people are not willing to do.

"The government shouldn't have backdoor access because then it's a backdoor for everyone," Kostka said. "I don't think encryption is going away anytime soon, despite [the government's efforts]."

The government shouldn't have backdoor access because then it's a backdoor for everyone.
Pam KostkaCEO of Bluebox Security

Along with security vendors and experts, technology giants, such as Apple and Google, have helped bring the issue to light by introducing stronger encryption measures for their mobile platforms and promoting their efforts to protect customer data and privacy. Apple CEO Tim Cook last year posted an open letter to customers on the company's website addressing privacy concerns. "I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services," Cook wrote. "We have also never allowed access to our servers. And we never will. Our commitment to protecting your privacy comes from a deep respect for our customers."

Cook also gave a speech during the Electronic Privacy Information Center's (Epic) Champions of Freedom Awards event in June that sharply criticized the government's effort to weaken or bypass encryption and encouraged technology companies to do more to protect customer privacy. "Weakening encryption, or taking it away, harms good people that are using it for the right reasons," Cook said. "And ultimately, I believe it has a chilling effect on our First Amendment rights and undermines our country's founding principles."

But the technology industry's growing opposition poses a problem for law enforcement investigations. Recently, 16 prosecutors sent letters to the U.S. Senate Judiciary Committee requesting backdoor access to computing devices in order to obtain critical evidence for their investigations. And while the FBI has stepped back from its request for legislative action, it continues to talk up the potential threat of allowing citizens access to encryption tools that haven't been hobbled. Comey, for example, gave three separate congressional testimonies and one speech in the month of October alone that addressed the going-dark issue and encryption concerns. Comey has spoken at length about how terrorism has evolved with technology, and foes like ISIS can issue terrorist propaganda and communications at the speed of light via social media in order to recruit followers, radicalize unlawful citizens, plan attacks and execute acts of violence on U.S. soil. With access to encrypted devices and data, he has said, the government would be able to prevent terrorist attacks and protect U.S. citizens.

Not everyone in the federal government shares Comey's views, however. Following a cybersecurity-focused event held by the Council on Foreign Relations last month, Michael Hayden, the former director of the NSA, said he did not support Comey's demands for access to encrypted data and devices.

Although backdoor access would be used under strict supervision, it's always possible that the government's access could be abused. At least in mainstream media, not one security expert or computer engineer has stepped forward in support of government backdoor access.

In addition, a group of renowned computer scientists published a paper titled Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications. It predicts a gloomy outcome if the government is able to bypass encryption protect. "The complexity of today's Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard-to-detect security flaws," the scientists argued. "Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law."

Ryan Hagemann, a civil liberties policy analyst at the Niskanen Center in Washington, D.C., spoke about the economic benefits of encryption at the 2015 Cato Surveillance Conference last month. He argued that encryption protects Internet transactions and communications, and efforts to bypass encryption -- such as introducing backdoors and vulnerabilities in encryption protocols -- will jeopardize the trust people place in the digital economy.

"The Internet is the lifeblood of the modern digital economy," Hagemann said. "And if you accept that statement, then it goes almost without saying that encryption protocols are the white blood cells that essentially keep the system free from infection."

With the public's trust in the government on shaky ground after revelations about the NSA in 2013, granting access to encrypted data to agencies such as the FBI could prove to be a step too far. In a statement before the U.S. House of Representatives, Kevin S. Bankston, a policy director of New America's Open Technology Institute and co-director of New America's Cybersecurity Initiative, put the digital debate in physical, real-world terms. "The law has never prohibited the creation of unbreakable locks," he wrote, "nor required us to hand our keys over to the government just in case it might need them for an investigation, whether those keys are physical or digital."

Next Steps

The FBI has been accused of paying Carnegie Mellon $1 million to hack Tor network.

Find out why cloud services growth and government surveillance as in conflict.

Dig Deeper on Disk and file encryption tools