[Cryptography] Terror fears don't budge Obama on encryption

[Henry Baker]

FYI -- I would place "politico.com" more in the anti-encryption camp than not.  Still no signs of intelligence in the press corps; these guys are just as clueless as the politicians that they cover.

http://www.politico.com/story/2015/12/obama-resists-calls-for-encryption-shift-216920

Terror fears don't budge Obama on encryption

The White House has sided with privacy groups despite law enforcement warnings about terrorists "going dark."  And Congress is unlikely to act soon to change federal policy either.

By David Perera

12/17/15 08:35 PM EST

Updated 12/17/15 09:42 PM EST

President Barack Obama's FBI director says encrypted smartphones and online messaging systems are making it harder to prevent terror attacks such as the slaughter in Paris and San Bernardino, California.  His CIA chief echoes the concern.  And so does the Senate Intelligence Committee's top Democrat, who warns that "evil monsters" are using the technology to communicate without fear of detection.

But the White House is resisting calls to revisit a decision it made in October, when it sided with privacy advocates and cybersecurity experts who warned against forcing technology companies to weaken the electronic safeguards they offer on products like the iPhone and social media sites like Facebook.  The Obama administration shows every sign of sticking with that stance, which followed a debate influenced by technical obstacles, Silicon Valley's political muscle and miscues by national security officials -- as well as doubts that making it easier to unscramble consumers' communications --would do much to aid the fight against terrorism.

Congress is also unlikely to rewrite federal encryption policy anytime soon, thanks to divisions among lawmakers about the balance between privacy and security, even though Senate Majority Leader Mitch McConnell, the chairmen of the Senate intelligence and armed services committees and some prominent Democrats suggest Obama should change course.

"I just don't think it's going to happen" said former Rep. Mike Rogers (R-Mich.), an advocate of encryption limits who headed the House Intelligence Committee until January.  "I am not optimistic we're going to get anything."

Rep. Jim Langevin, a Rhode Island Democrat and co-chair of the House Cybersecurity Caucus, agreed.  "I don't believe there's any appetite in Congress right now, just broadly speaking, for taking up that type of legislation," he said.  "There's no broad agreement, no readily apparent solution."

The upshot: Even after the murders of 130 people in the French capital and 14 more deaths in California, as fears of domestic terrorism reach the highest level since the attacks of Sept. 11, 2001, a more-than-two-decade clash between privacy concerns and the government's surveillance powers remains stalemated.  The absence of action on encryption comes despite lawmakers' rapid moves to block Syrian refugees and tighten visa requirements after the recent attacks.

Police and intelligence officials find this state of affairs alarming.  FBI Director James Comey told senators last week that "the use of encryption is part of terrorist tradecraft now," while New York Police Commissioner Bill Bratton warns that the authorities have "gone blind."

But even some critics of widespread encryption aren't sure a simple solution exists.

"Initially, lawmakers thought there was an easy legislative fix ... until we found out that providing a back door into everyone's iPhone was not going to be a very good strategy," said Rep. Mike McCaul (R-Texas), chairman of the Homeland Security Committee.

The White House has offered no new legislative proposal to unscramble encoded communications following the attacks in France and California, and it isn't planning any, a senior administration official confirmed.

Investigators haven't offered any evidence that encryption played a significant role in plotting or executing the Paris or San Bernardino attacks, despite news reports indicating that some of the Paris attackers had used encrypted apps on their cellphones.  (Those terrorists had also used unencrypted text messages to communicate.)  But the proliferation of encryption tools available to ordinary consumers has sparked escalating anxiety among law enforcement professionals.

http://www.cnn.com/2015/12/17/politics/paris-attacks-terrorists-encryption/index.html

http://arstechnica.com/tech-policy/2015/11/paris-police-find-phone-with-unencrypted-sms-saying-lets-go-were-starting/

One reason for the disquiet: Even when armed with a warrant, the authorities cannot read the texts, photos and contacts stored in the latest Apple and Google smartphones, thanks to encryption tools that even the companies who developed them say they cannot crack.  Tech companies have also resisted suggestions that they weaken encryption, either by building in "back doors" that government agencies could access or by retaining the ability to unscramble the messages themselves.

Tech companies defend these tools partly as protections for consumers against hackers and cybercriminals.  But the results have been dire for law enforcement, said Manhattan District Attorney Cyrus Vance, who says prosecutors in New York City had 111 warrants rendered useless by such encryption since September 2014 in cases involving alleged murders, sex trafficking, assault and robbery.  "It's hard to overstate the impact on our ability to conduct criminal investigations," he said on Nov. 18.

One former federal prosecutor offered an even starker warning.  "I don't know how many dead people it's going to take for people to wake up and realize that you can't not have access to these devices," the ex-prosecutor said.  "Slowly but surely, these communications are going dark to law enforcement and you're just going to end up with more and more and more bodies in the street."

Cybersecurity and privacy advocates scoff at such claims, arguing that the authorities have never had more tools available for tracking people in what some label a golden age of surveillance.  "You have to take intelligence officials' statements with a certain grain of salt, given that the more loudly that they're proclaiming that the users are using encryption, the more loudly they're saying, 'Don't throw me into the briar patch,'" said Matt Blaze, a University of Pennsylvania computer scientist who in 1994 discovered flaws in a proposed federal backdoor scheme.

Indeed, privacy advocates worry that the Obama administration will eventually cave in and weaken consumers' electronic safeguards amid intensifying fears of another terror attack.  A coalition of privacy groups met with White House officials last week to urge the president to affirm his support for encryption.

Fears of cybercrime led developers in recent years to start encrypting text, a push aided by the move to increasingly powerful and ubiquitous mobile devices.  Consumer demand for greater electronic privacy also mushroomed in 2013 after former National Security Agency contractor Edward Snowden revealed the agency's massive global surveillance program.

Not everyone on Capitol Hill is giving up on Congress jumping into the debate: The chairmen of the Senate intelligence and armed services committees both promise legislation, and McConnell told a POLITICO breakfast on Tuesday that lawmakers may revisit the issue next year.  "I think we can't put blinders on here," the Kentucky Republican told POLITICO's Mike Allen.  "This is a growing and serious problem."

Yet Silicon Valley's best and brightest insist there is no technological fix for encryption that wouldn't leave consumers vulnerable, and that any attempt to design in a back door for police and intelligence agencies would inevitably be used by hackers and criminals.  'If you put a key under the mat for the cops, a burglar can find it, too,' Apple CEO Tim Cook said in June.

Some of the biggest corporate stars of the U.S. technology industry, such as Apple, Google and Cisco, also fear that overseas customers will shun their products if they include weak encryption mandated by the U.S. government.  Surrendering to government demands "would not be good for our business," said Matthew Prince, CEO of CloudFlare, a San Francisco-based Internet infrastructure company.  About half of the company's $100 million annual revenue comes from foreign customers, who might buy elsewhere if they knew the U.S. government could monitor them.

"It's obvious why there's not political will to do it," said Stewart Baker, a former National Security Agency official.  "Industry has lined up very aggressively against it."

Even if police and intelligence agencies secured a way into American encryption systems, terrorists could still shield their communications using applications from companies beyond the reach of U.S. law.  A security guide that the Islamic State uses to educate recruits advises using applications such as Berlin, Germany-based Telegram, whose website boasts that its "messages are heavily encrypted and can self-destruct," rather than products from U.S. companies such as Facebook.  Telegram was one of the apps that investigators found on the phones of the terrorists who committed the Nov. 13 bombing and shooting attacks in Paris, CNN reported Thursday.

Two years after Snowden's NSA revelations, the political climate also remains hostile to expanding government surveillance programs.  The Obama administration earlier this year sided with privacy advocates and the technology industry in writing into law new restrictions on NSA record-gathering.  "We're still in that hangover," Rogers said.  "They're always going to err on the side of the privacy groups."

Law enforcement and intelligence officials pushing for a policy change also have done themselves no favors with their approach.  After warning in 2014 that encryption was hamstringing the FBI, Comey launched a yearlong campaign to persuade Congress to act.  Even after being warned off earlier this year by the White House, FBI officials continued meeting with lawmakers and congressional staffers, according to a former White House official.

"They were pushing hard," said a tech industry lobbyist, who said the effort continued until October, when the White House ruled out new encryption legislation.  Administration officials have said since then that they're continuing to talk to technology companies about how to cooperate in fighting extremism.

The tech lobbyist said the FBI failed to make a compelling case for its back-door proposals.  The bureau couldn't point to a "specific example where a back door was the only way to get information," especially given the richness of digital information sources in an always-connected world.  FBI officials also were vague on what alternative encryption schemes they'd favor, said observers.

Though the FBI refrained from floating any draft legislation, multiple sources said bureau officials suggested they would welcome revisions to the 1994 Communications Assistance for Law Enforcement Act.  That law, which requires the telecommunications industry to build wiretap access into its systems, is silent about online communications software.

Opening up CALEA "would be a very difficult thing to do," said McCaul, predicting a firestorm over efforts to compromise consumers' smartphone security.

The lack of a specific proposal from Comey left some frustrated.  "When you ask specifically what the technology is, he says: 'We should have a conversation about that,'" said Ari Schwartz, until October the top White House cybersecurity policy adviser.  "You tell me -- what does the FBI actually want the tech companies to do?"

In recent days, Comey has floated a new answer, arguing that the encryption dilemma is "a business model question" rather than a technological puzzle.

The FBI refused to clarify what Comey meant in last week's Senate Judiciary Committee testimony, though industry executives interpret it as a suggestion to abandon the "end-to-end" encryption that only consumers can unscramble.  That's the encryption found on newer models of the iPhone and on some Android smartphones, the reason why Apple tells law enforcement it can't unlock suspected criminals' devices.

For all the official warnings, it's not yet clear how much of a handicap encryption has been.

Comey said earlier this month that one of the shooters who wounded a security guard in May at a Prophet Muhammad cartoon contest in Garland, Texas, had sent 109 encrypted texts to "an overseas terrorist" the morning of the attack.  But the Paris attackers used unencrypted channels including text messages at least part of the time, and suspected San Bernardino shooter Tashfeen Malik reportedly expressed her support for the Islamic State on Facebook.

"Some in this debate seem to be looking for the next tragedy to jump on to prove their case whether the facts fit or not," Schwartz said.

On Capitol Hill, meanwhile, McCaul has fallen back on a standard Washington remedy.  Last week, he called for a new government commission composed of technology specialists, law enforcement officials and privacy advocates to develop a solution.

For now, lawmakers' final word on the issue remains a House vote in June that approved a bipartisan amendment to a defense spending bill that prohibited spy agencies from seeking back doors in digital products.  The vote was 255-174.

Authors:

David Perera
    dperera at politico.com 
    @daveperera