Andrea Danti - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Harvard report: Metadata means there is no 'going dark' for the FBI

A new report from Harvard said data 'going dark' in the face of strong encryption shouldn't be a problem for law enforcement and intelligence agencies.

Since 2014, FBI officials, including director James Comey, have frequently claimed that data is "going dark" because...

of the increased use of encryption on digital communications, but a new report published by Harvard's Berkman Center for Internet and Society casts doubt on those assertions.

The FBI's stance has been that strong, end-to-end encryption and encryption of smartphones makes it more difficult for intelligence agencies to run surveillance operations on terrorists and criminals. The FBI has claimed it doesn't want Congress to legislate backdoors to circumvent encryption, but would rather companies willingly find a way to comply with legal requests for data. However, senators have begun working on drafting a bill to require access to encrypted data through "special access," which critics called mandatory backdoors. And both New York and California have seen bills proposed to ban the sale of fully encrypted smartphones.

In Don't Panic, the report authored by "a diverse group of security and policy experts from academia, civil society and the U.S. intelligence community," they not only agreed that weakening encryption offers more risk of harming innocent users than it does in catching terrorists, but they went beyond that argument to note that "going dark" may not be a real fear, because there will be other avenues for intelligence agencies to gain data.

The report authors said the issue may not be as bad as advertised for a number of reasons. First, the experts don't believe end-to-end encryption will be "adopted ubiquitously by companies, because the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality." Additionally, encryption ubiquity will be hampered by software fragmentation, and the lack of coordination and standardization between digital services right now.

The report authors also wrote that the Internet of Things (IoT) "has the potential to drastically change surveillance." Their theory is that IoT is expected to become widespread, and those devices could enable real-time capture of images, audio or video. "Thus, an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel."

Jeff Schilling, chief security officer for Armor, based in Richardson, Texas, said it is still too early to predict this, because many people still don't have a solid definition for IoT and it is still possible that previous cybersecurity lessons can keep IoT secure.

"If we transition correctly between our current network-centric model, created by the advent of TCP/IP, to a data-centric model or Internet of Things, I think there are lots of opportunities to make surveillance harder for both the good and bad guys," Schilling said. "At the end of the day, just about everything eventually ends up as a database -- email, social media sites. If you can clearly identify who has access to it and encrypt it at rest, then that is a pretty hard bar to get over for someone to exploit."

The Harvard report also noted that even with fully encrypted communications, there is a lot of metadata available that can be used by law enforcement for surveillance. The reasoning stated is that metadata "needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in email and so on."

This means that the "going dark" argument is somewhat overblown, because the report said this metadata "information provides an enormous amount of surveillance data that was unavailable before these systems became widespread."

Rebecca Herold, CEO of Privacy Professor, said "lawmakers and politicians have seemed to have a deaf ear to these facts." Though, she did note that former NSA Director General Michael Hayden famously said about the agency, "We kill people based on metadata."

Herold said that this metadata can often be more valuable than the encrypted messages being sent.

"Keep in mind, messages crooks and terrorists send are often not explicitly detailing what they are doing; they often are using code words," Herold said. "So, yes, the metadata is very valuable and often provides more insights than the coded message itself."

Herold said that the claims by FBI Director James Comey about "going dark" might be due to his not understanding how encryption works.

"It might be that they want to see everything involved and are not interested in the value of the metadata that they can access," Herold said. "It is like receiving a wrapped gift; the recipient looks at it and often thinks of all the wonderful things it is holding inside. But then, when it is unwrapped and the actual gift is revealed, there is no longer mystery, and often there is disappointment."

Next Steps

Learn why experts say lawmakers don't understand encryption backdoors.

Learn how metadata management relates to data governance.

Learn about weighing public safety costs against the benefits of end-to-end encryption.

Dig Deeper on Government information security management