California Democratic Sen. Dianne Feinstein is working on legislation to “pierce” encryption products, according to statements she made during a Wednesday hearing with FBI Director James Comey on the agency’s efforts to stop criminals and terrorists from “going dark” online.
“Lots of companies do it today — provide secure services and comply with court orders,” Comey told the Senate Judiciary Committee. “There are others who built their business models so that they say, ‘even if we want to, we can’t.’ The question of whether the answer is compelling them to do that by legislation is one that I can’t answer sitting here.”
Comey told Congress earlier this fall the Obama administration had decided against seeking legislation from Congress compelling tech companies to give law enforcement and intelligence agencies access to encrypted communications services, but added Wednesday “there’s continuing to be conversations inside the administration.”
“Well, I’m going to seek legislation if nobody else is, and I know Senator Burr thinks somewhat similarly,” Feinstein said.
The ranking Democrat on the Senate Intelligence Committee, which Burr chairs, said that in her talks with Silicon Valley, companies she offered to name for Comey had informed her they can’t decrypt communications.
Last fall, companies including Apple announced that end-to-end encryption would be a default feature of all ongoing mobile software; in the Cupertino-based company’s case, not even Apple can unlock it without a user’s password.
“I have concern about a PlayStation, which my grandchildren might use, and a predator getting on the other end, talking to them, and it’s all encrypted,” Feinstein said, adding she thinks the tide of anti-surveillance public sentiment, spawned by the Snowden disclosures, is receding in the aftermath of recent Islamic State-inspired attacks in Paris and San Bernardino.
“If there is conspiracy going on over the Internet, that encryption ought to be able to be pierced,” Feinstein said.
Talks within the administration have taken on a new urgency in recent weeks, according to Rhode Island Democratic Sen. Sheldon Whitehouse, who told Comey that White House Chief of Staff Denis McDonough recently told him the encryption issue “keeps him up nights.”
“I don’t want a government back door, nobody wants a government back door,” Whitehouse said. “But when it’s the business model of a particular company to disable its own ability to comply with a properly authorized subpoena or search warrant under our laws, that’s a very different proposition.”
Comey began his testimony by telling lawmakers that, after his most recent talks with the tech sector, he doesn’t believe it’s a “technical issue” for companies to facilitate access to encrypted communications, since they were able to do so previously, and routinely do so for the purpose of gleaning data from users to sell targeted advertisements.
Despite cryptologists’ insistence that any means of accessing encryption fundamentally undermines the security of services, the director said the decision not to cooperate with law enforcement is based on a business model of advertising zero government access. Tech firms, he said, are seeking to take advantage of the market for users concerned over privacy after the revelations of Edward Snowden, the former U.S. intelligence worker-turned-whistleblower who leaked documents detailing the scope of government surveillance.
“There’s no doubt that the use of encryption is part of terrorist tradecraft now,” Comey said in response to a question about whether the Paris or San Bernardino suspects used encrypted services to plan their attacks.
The director said he couldn’t comment specifically due to the ongoing nature of the investigations, but gave senators the recent example of the attack planned by two would-be shooters in Garland, Texas, in May, one of whom exchanged 109 encrypted messages with a terrorist overseas on the morning he and his accomplice were apprehended by local law enforcement.
“We have no idea what he said, because those messages were encrypted,” Comey explained. “And to this day, I can’t tell you what he said with that terrorist 109 times the morning of that attack. That is a big problem. We have to grapple with it.”
Comey reiterated he isn’t seeking a technical back door for agencies to directly access encrypted services, but rather a way for companies to respond to a court order for information and produce it. The director said he recognized companies’ economic concerns and the potential to drive business overseas, but added he found it hard to believe American consumers would walk away from popular products solely because of their manufacturers’ compliance with law enforcement.
He repeated his argument that doing business in America carries the cost of American values, whether it be environmentally, ethically or securely, but submitted that a complete solution should include a set of international standards with allies.
Utah Republican Sen. Mike Lee pointed out that users determined to hide their communications have more avenues than default services provided by popular U.S. companies like Google and Apple, including third-party applications capable of encrypting a device, and encryption technology available overseas, beyond the reach of U.S. law enforcement.
“The sophisticated user could still figure out how to use something like TrueCrypt to protect other content on that device,” Comey said. “I think there’s no way we solve this entire problem. Encryption’s always going to be available to the sophisticated user.”
“The problem we face post-Snowden is, it’s moved from being available to the sophisticated bad guy, to being the default, and so it’s now affecting every criminal investigation.”
Lee also pointed out that requiring companies like Apple, which uses end-to-end encryption, to comply with a court order for data would still necessitate building a back door within the software for the company itself to use.
In response, Comey appeared to counter his previous statement on the lack of a “technical issue,” and essentially admitted he doesn’t know how companies would comply with the order, but said it would be their burden to figure it out.
“I don’t know in that context what the term back door means,” Comey said. “They’d have to figure out how, consistent with their security requirements, they could comply with the judge’s order, as a lot of companies do today.”