EFF Response to FBI Director Comey’s Speech on Encryption

Print Friendly, PDF & Email

EFF.orgFBI Direc­tor James Comey gave a speech yes­ter­day (Oct. 16, 2014)reiterating the FBI’s near­ly twen­ty-year-old talk­ing points about why it wants to reduce the secu­ri­ty in your devices, rather than help you increase it. Here’s EFF’s response:

The FBI should not be in the busi­ness of try­ing to con­vince com­pa­nies to offer less secu­ri­ty to their cus­tomers. It should be doing just the oppo­site. But that’s what Comey is proposing—undoing a clear legal pro­tec­tion we fought hard for in the 1990s.1 The law specif­i­cal­ly ensures that a com­pa­ny is not required to essen­tial­ly become an agent of the FBI rather than serv­ing your secu­ri­ty and pri­va­cy inter­ests. Con­gress right­ly decid­ed that com­pa­nies (and free and open source projects and any­one else build­ing our tools) should be allowed to pro­vide us with the tools to lock our dig­i­tal infor­ma­tion up just as strong­ly as we can lock up our phys­i­cal goods. That’s what Comey wants to undo.

It’s telling that his remarks echo so close­ly the argu­ments of that era. Com­pare them, for exam­ple, with this com­ment from for­mer FBI Direc­tor Louis Freeh in May of 1995, now near­ly twen­ty years ago:

[W]e’re in favor of strong encryp­tion, robust encryp­tion. The coun­try needs it, indus­try needs it. We just want to make sure we have a trap door and key under some judge’s author­i­ty where we can get there if some­body is plan­ning a crime.

Now just as then, the FBI is try­ing to con­vince the world that some fan­ta­sy ver­sion of secu­ri­ty is possible—where “good guys” can have a back door or extra key to your home but bad guys could nev­er use it. Any­one with even a rudi­men­ta­ry under­stand­ing of secu­ri­ty can tell you that’s just not true. So the “debate” Comey calls for is pho­ny, and we sus­pect he knows it. Instead, Comey wants every­body to have weak secu­ri­ty, so that when the FBI decides some­body is a “bad guy,” it has no prob­lem col­lect­ing per­son­al data.

That’s bad sci­ence, it’s bad law, it’s bad for com­pa­nies serv­ing a glob­al mar­ket­place that may not think the FBI is always a “good guy,” and it’s bad for every per­son who wants to be sure that their data is as pro­tect­ed as possible—whether from ordi­nary crim­i­nals hack­ing into their email provider, rogue gov­ern­ments track­ing them for polit­i­cal­ly orga­niz­ing, or com­pet­ing com­pa­nies look­ing for their trade secrets.

Per­haps Comey’s speech is saber rat­tling. Maybe it’s an attempt to per­suade the Amer­i­can peo­ple that we’ve under­tak­en sig­nif­i­cant reforms in light of the Snow­den revelations—the U.S. gov­ern­ment has not—and that it’s time for the “pen­du­lum” to swing back. Or maybe by putting this issue in play, the FBI may hope to draw our eyes away from, say, its attempt to water down the Nation­al Secu­ri­ty Let­ter reform that Con­gress is con­sid­er­ing. It’s dif­fi­cult to tell.

But if the FBI gets its way and con­vinces Con­gress to change the law, or even if it con­vinces com­pa­nies like Apple that make our tools and hold our data to weak­en the secu­ri­ty they offer to us, we’ll all end up less secure and enjoy­ing less pri­va­cy. Or as the Fourth Amend­ment puts it: we’ll be be less “secure in our papers and effects.”

For more on EFF’s cov­er­age of the “new” Cryp­to Wars, read this arti­cle focus­ing on the secu­ri­ty issues we wrote last week in Vice. And going back even ear­li­er, a broad­er update to a piece we wrote in 2010, which itself was was based on our fights in the 90s. If the FBI wants to try to res­ur­rect this old debate, EFF will be in strong oppo­si­tion, just as we were 20 years ago. That’s because—just like 20 years ago—the Inter­net needs more, not less, strong encryp­tion.

1.Here’s the rel­e­vant part of CALEA that Comey wants to effec­tive­ly undo: “47 USC 1002(b)(3): A telecom­mu­ni­ca­tions car­ri­er shall not be respon­si­ble for decrypt­ing, or ensur­ing the government’s abil­i­ty to decrypt, any com­mu­ni­ca­tion encrypt­ed by a sub­scriber or cus­tomer, unless the encryp­tion was pro­vid­ed by the car­ri­er and the car­ri­er pos­sess­es the infor­ma­tion nec­es­sary to decrypt the com­mu­ni­ca­tion.” Also from the CALEA leg­isla­tive his­to­ry: “Final­ly, telecom­mu­ni­ca­tions car­ri­ers have no respon­si­bil­i­ty to decrypt encrypt­ed com­mu­ni­ca­tions that are the sub­ject of court-ordered wire­taps, unless the car­ri­er pro­vid­ed the encryp­tion and can decrypt it. This oblig­a­tion is con­sis­tent with the oblig­a­tion to fur­nish all nec­es­sary assis­tance under 18 U.S.C. Sec­tion 2518(4). Noth­ing in this para­graph would pro­hib­it a car­ri­er from deploy­ing an encryp­tion ser­vice for which it does not retain the abil­i­ty to decrypt com­mu­ni­ca­tions for law enforce­ment access … Noth­ing in the bill is intend­ed to lim­it or oth­er­wise pre­vent the use of any type of encryp­tion with­in the Unit­ed States. Nor does the Com­mit­tee intend this bill to be in any way a pre­cur­sor to any kind of ban or lim­i­ta­tion on encryp­tion tech­nol­o­gy. To the con­trary, sec­tion 2602 pro­tects the right to use encryp­tion.” H/T Chris Soghoian: http://paranoia.dubfire.net/2010/09/calea-and-encryption.html