FBI chief urges tech firms to turn over terrorists' encrypted info

Comey says solution should be a voluntary business decision, not a technical one

FBI director James Comey on Wednesday called on tech companies providing smartphone encryption tools to voluntarily find ways to turn over to a judge those messages suspected of being terrorist-related.

"The government doesn't want a back door," Comey told the U.S. Senate Judiciary Committee. (See video, below.) "The government hopes to get to a place where if a judge issues an order, the company figures out how to supply that information to the judge and figures out on its own what would be the best way to do that. The government shouldn't be telling people how to operate their systems."

Comey said that some companies have designed their smartphones to provide terrorists' and crime-related communications to law enforcement, but others have not.

"It's actually not a technical issue; it's a business model question," Comey said. "A lot of people have designed systems so that judges' orders can't be complied with...The question we have to ask is: Should they change their business model?"

Comey's encryption comments were made as part of a long review of the FBI's activities by the Senate committee; they start at minute 41 and last for about three minutes on the Senate hearing's video link. Comey's written testimony to the committee also confirms that the Obama Administration is not currently seeking a legislative remedy to deal with encrypted communications that could be used by criminals and terrorists.

Comey didn't directly tie the use of encrypted messages to the recent terrorist attacks in Paris or San Bernardino, although those attacks have renewed discussions about how to gain access to encrypted terrorist communications. However, he did say that 109 encrypted messages were detected by one of two terrorists in the attack on the Curtis Culwell Center on May 3 in Garland, Texas. A security officer was injured in that attack at an exhibit of cartoon images of Muhammad, but a local police officer shot and killed both attackers.

"In May, two terrorists attempted to kill a lot of people," Comey said. One of the terrorists "exchanged 109 messages with an overseas terrorist. We have no idea what he said because it was encrypted...That is a big problem. We have to grapple with it."

Comey didn't name specific tech companies in his remarks, but said he has met with many tech leaders in recent weeks about the need to free up encrypted data. Some law enforcement experts are especially concerned that recent Apple iPhones and many Android phones can provide end-to-end encryption. By contrast, BlackBerry devices offer high-level encrypted security, but encrypted data can still be accessed for law enforcement.

In addition, hundreds of smartphone apps offer encryption for various kinds of text, email and voice messages. The U.S. government has even financed some encryption smartphone apps -- including Signal, RedPhone and TextSecure -- through the federal Open Technology Fund.

When the encryption debate was reopened just after the Paris attacks, privacy advocates and industry groups issued concerns about weakening encryption. The Information Technology Industry Council, which represents large companies like Google, Apple and Microsoft, issued a statement on Nov. 19 that said "weakening security with the aim of advancing security simply does not make sense."

The practical problems with working around encrypted communications are manifold, privacy advocates have argued. In the case of recent Apple iPhones and some other smartphones, it would require a re-working of the operating system to gain access to decryption keys, which reside on an iPhone itself. Another difficulty is that tech companies could be forced to turn over data to law enforcement without knowing if the correct communications and smartphone users have been targeted, and not an innocent party.

Comey's testimony brought a variety of reactions from lawmakers on Wednesday. Many of the comments showed the ambiguity involved in creating legislation that can help the FBI and law enforcement agencies combat terrorism without infringing on privacy of individuals who want and already widely use encryption software.

"I think banning encryption is a little bit like banning guns," said presidential candidate and U.S. Sen. Rand Paul (R-Kentucky) in an interview on CNN. "If you ban encryption, the law-abiding people won't use it and the terrorists will still continue to use it," he said. Technical attempts to somehow open encrypted code to share data with law enforcement would actually weaken the code, making it vulnerable to terrorists and others, he argued.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleApple ComputerBlackBerryCNNFBIGoogleInc.MicrosoftRandTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Matt Hamblen

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place