Questions for the FBI on Encryption Mandates – Freedom to Tinker

I wrote on Monday about how to analyze a proposal to mandate access to encrypted data. FBI Director James Comey, at the University of Texas last week, talked about encryption policy and his hope that some kind of exceptional access for law enforcement will become available. (Here's a video.) Let's look at what Director Comey said about how a mandate might work.

Here is an extended quote from Director Comey's answer to an audience question (starting at 51:02 in the video, emphasis added):

The technical thing, look, I really do think we haven't given this the shot it deserves. President Obama commissioned some work at the end of his Administration because he'd heard a lot from people on device encryption, [that] it's too hard. [No], it's not too hard. It's not too hard. It requires a change in business model but it is, according to experts inside the U.S. government and a lot of people who will meet with us privately in the private sector, no one actually wants to be seen with us but we meet them out behind the 7/11, they tell us, look, it's a business model decision.

Take the FBI's business model. We equip our agents with mobile devices that I think are great mobile devices and we've worked hard to make them secure. We have designed it so that we have the ability to access the content. And so I don't think we have a fatally flawed mobile system in the FBI, and I think nearly every enterprise that is represented here probably has the same. You retain the ability to access the content. So look, one of the worlds I could imagine, I don't know whether this makes sense, one of the worlds I could imagine is a requirement that if you're going to sell a device or market a device in the United States, you must be able to comply with judicial process. You figure out how to do it.

And maybe that doesn't make sense, absent an international component to it, but I just don't think we, and look, I get it, the makers of devices and the makers of fabulous apps that are riding on top of our devices, on top of our networks, really don't have an incentive to deal with, to internalize the public safety harm. And I get that. My job is to worry about public safety. Their job is to worry about innovating and selling more units, I totally get that. Somehow we have to bring together, and see if we can't optimize those two things. And really, given my role, I should not be the one to say, here's what the technology should look like, nor should they say, no I don't really care about that public safety aspect.

And what I don't want to have happen, and I know you agree with me no matter what you think about this, now I think you're going to agree with what I'm about to say, is we can't have this conversation after something really bad happens. And look, I don't want to be a pessimist, but bad things are going to happen. And even I, the Director of the FBI, do not believe that we can have thoughtful conversations about optimizing things we care about in the wake of a serious, serious attack of any kind.

The bolded text is the closest Director Comey came to describing how he imagines a mandate working. He doesn't suggest that it's anything like a complete proposal, and anyway that would be too much to ask from an off-the-cuff answer to an audience question. But let's look at what would be required to turn it into a proposal that can be analyzed. In other words, let's extrapolate from Director Comey's answer and try to figure out how he and his team might try to build out a specific proposal based on what he suggested.

The notional mandate would apply at least to retailers (if you're going to sell or market a device) who sell smartphones to the public in the United States. That would include Apple (for sales in Apple Stores), big box retailers like Best Buy, mobile phone carriers' shops, online retailers like Amazon, and the smaller convenience stores and kiosks that sell cheap smartphones.

Retailers would be required to comply with judicial process. At a minimum, that would presumably mean that if presented with a smartphone that they had sold, they could extract from it any data encrypted by the user. Which data, and under what circumstances? That would have to be specified, but it's worth noting that there is a limited amount the retailer can do to control how a user encrypts data on the device. So unless we require retailers to prevent the installation of new software onto the device (and thereby put app stores, and most app sellers, out of business), there would need to be major carve-outs to limit the mandate's reach to include only cases where the retailer had some control. For example, the mandate might apply only to data encrypted by the software present on the device at the time of sale. That could create an easy loophole for users who wanted to prevent extraction of their encrypted data (by installing encryption software post-sale), but at least it would avoid imposing an impossible requirement on the retailer. (Veterans of the 1990s crypto wars will remember how U.S. software products often shipped without strong crypto, to comply with export controls, but post-sale plug-ins adding crypto were widely available.)

Other classes of devices, such as laptops, tablets, smart devices, and server computers, would either have to be covered, with careful consideration of how they are sold and configured, or they would be excluded, limiting the coverage of the rule. There would need to be rules about devices brought into the United States by their user-owners, or if those devices were not covered, then some law enforcement value would be lost. And the treatment of used devices would have to be specified, including both devices made before the mandate took effect (which would probably need to be exempted, creating another loophole) and post-mandate devices re-sold by a user or merchant: would the original seller or the re-seller be responsible, and what if the reseller is an individual?

Notice that we had to make all of these decisions, and face the attendant unpleasant tradeoffs, before we even reached the question of how to design the technical mechanism to implement key escrow, and how that would affect the security and privacy interests of law-abiding users. The crypto policy discussion often gets hung up on this one issue, the security implications of key escrow, but it is far from the only challenge that needs to be addressed, and the security implications of a key escrow mechanism are far from the only potential drawbacks to be considered.

Director Comey didn't go to Austin to present an encryption mandate proposal. But if he or others do decide to push seriously for a mandate, they ought to be able to lay out the details of how they would do it.
