Comey: FBI Becoming ‘Prolific Hacker’ Won’t End Encryption Crisis
James Comey says the FBI "paid a ton of dough" for the San Bernardino exploit, but that it doesn't work for other devices.
Faced with increasingly sophisticated ways for criminals to scramble communications and cover their tracks online, the FBI has broadly embraced government hacking to track down suspects. But on Tuesday, FBI Director James Comey cautioned that hacking tools won’t solve the challenges law enforcement faces while carrying out investigations in the digital age.
Comey has repeatedly warned that his agents’ inquiries are “going dark” as suspects embrace encryption and other security tools. According to Comey, that shift has made it harder for the government to solve and prevent crimes, including murder and terrorism cases.
Hacking has in some cases allowed the FBI to circumvent such technology, but is at best a partial solution, Comey said during remarks at a Georgetown University conference.
“I don’t see us becoming a prolific hacker being the answer to our public safety problem,” he said. Hacking, Comey argued, has helped the FBI make breakthroughs in certain cases, but lacks what he called “scalability.”
The dispute over government access to encrypted data came to a head in recent months when FBI agents tried and failed to access an iPhone 5c belonging to Syed Rizwan Farook, one of the suspects in the San Bernardino shootings last December that killed 14.
The Justice Department first sought and received a court order compelling Apple to undermine the security features of that phone, but then retreated after a still-unidentified third party approached the FBI with an exploit to hack it. Comey has said the bureau paid at least $1.3 million for that tool.
That case should serve as a cautionary tale for FBI reliance on hacking as an investigatory tool, Comey argued. “San Bernardino is a great example,” he said. “We paid a ton of dough for the tool because it mattered so much for that investigation, but it works on a 5c running iOS 9 so it’s not scalable to other devices.”
The FBI, Comey said, doesn’t want to find itself “in an arms race with every device that’s made.” In testimony before Congress last week, the FBI’s top scientist, Amy Hess, said the bureau lacks the resources to be able to consistently break into suspect devices.
Relying on hacking raises difficult ethical problems for the government about when and whether it should disclose vulnerabilities in software and devices to their manufacturers. The Obama administration has set up what it calls a “vulnerabilities equities process” to make such decisions. That body weighs whether the intelligence or law enforcement uses of a computer vulnerability outweigh the public interest in building more secure digital systems.
On Tuesday, Comey said the FBI hadn’t decided if it will submit the San Bernardino exploit to that process, which in turn would determine whether to share it with Apple. The question, Comey said, is whether the bureau is aware of the vulnerability exploited by the tool it purchased, adding that the FBI is “close to a resolution” on the issue.
Shortly after Comey’s remarks, the Wall Street Journal reported the FBI will not submit the exploit because of a lack of information about it. The FBI “knows so little about the hacking tool that was used to open a terrorist’s iPhone that it doesn’t make sense to launch an internal government review about whether to share the hacking method with Apple,” the paper wrote. The FBI did not immediately respond to questions from Foreign Policy about the report.
Rather than rely on hacking, Comey said he would like to find a compromise to the seemingly opposing values of security and privacy — but offered no concrete proposal for how to do so.
Proposed Senate legislation would require companies to be able to turn over and decrypt customer data when presented with a court order. But security experts say doing so would introduce fatal flaws into encryption technology used not just by criminal groups, but also by banks, doctors, companies, and individuals to secure data.
Photo credit: ALEX WONG/Getty Images