FBI Director James Comey told a Boston audience this morning that “ubiquitous strong encryption” – the kind now available on most smartphones and other digital devices – is threatening to undermine the “bargain” that he said has balanced privacy and security in the US since its founding.
Actually, he went further, declaring that such default encryption “shatters” the bargain.
“This is a big deal, and I urge you to continue to engage in a hard conversation about it. I love privacy, but I also love the bargain,” he said, noting that the FBI’s inability to crack encrypted devices means the investigative “room” where the agency works is increasingly growing dark, and therefore undermining security.
Comey, who delivered the keynote address at the Boston Conference on Cyber Security, held at Boston College and cosponsored by the FBI and BC’s Masters in Cybersecurity Policy & Governance Program, spoke at length about the overall cyber threat landscape and the critical importance of the public and private sectors sharing threat information.
But he saved his most impassioned firepower for the end, when he warned that today’s level of default encryption was increasingly blinding his agency’s investigative capability.
“There has always been a corner of the room that was dark – that was where sophisticated actors like nation states operated,” he said. “But what’s happened since (Edward) Snowden (the NSA contractor who made public classified documents that showed the agency was spying on US citizens) is that more and more of the room is dark. It’s not just sophisticated actors. Now it’s drug dealers, pedophiles and other bad actors. That shadow is spreading.
“Last fall we received 2,800 devices that we had lawful authority to open. And there were 1,200 we couldn’t open with any technology tool. These were devices recovered in criminal, gang, terror and pedophile investigations.”
Comey stressed multiple times that he “loves privacy. We all have a reasonable expectation of privacy in our homes, cars and devices. Government can’t invade them without good reason reviewable in court.”
But he said with probable cause and a warrant approved by a court, “government can invade – that’s the bargain. If government has probable cause, it can can search and seize – take whatever the judge said it could. Even our memories aren’t totally private. The general principle is that there is no such thing as absolute privacy.”
James Comey, FBI director
Comey said he is not seeking a “back door” into devices – the description of the famous 2015 conflict between the agency and Apple over unlocking the iPhone of a terrorist. But he argued that, “user control of data is not a requirement.” He said the FBI issues devices to its employees that, “by design don’t require weak encryption,” but still allow the employer to have access to the data. “It’s a business model that frames it in a way that makes more sense,” he said.
He acknowledged that this would likely not convince Apple, or many privacy advocates, but urged that the debate be substantive and civil.
“We need to stop the bumper stickers. We need to stop tweeting,” he said. “There are no evil people in this discussion, so we need to stop trying to pit people against one another. We share the same values, so we need to find the space to have really hard conversation about how we want to live. What can we do that would optimize both (privacy and security)?”
Comey’s second most impassioned plea was for more cooperation between government and the private sector in sharing threat information.
“We have to get better at it,” he said.
“What is depressing is that the majority of intrusions are not reported to us,” he said. “They are kept from us by companies who think they just need to take care of it and get on with business.
“They think reporting the threat will be such a hassle. And that’s a terrible place to be,” he said, adding that while he supports hiring private-sector security companies to help respond to breaches, companies should still share what happened with the FBI.
“If you’re not sharing information with us, you’ll be sorry,” he said, “because the threat will never go away. It’s short sighted to conclude that our interests are not aligned.”
He acknowledged that a big reason for reluctance by private companies to share is that they believe information they expose could be used to launch criminal or regulatory sanctions against them, or that their proprietary information will be shared with others.
He contended that won’t happen. “We will yammer at you constantly to explain how we operate and how we will help you not to be re-victimized,” he said. “We think we have compelling track record that we will protect your privacy.”
He said the agency is not interested in proprietary information or intellectual property – that it just needs to know the “contours” of a network so that, “we will know how to help you in difficult circumstances.
“If you don’t know us, you’re not doing your job,” he said.