Answering questions at a Senate oversight committee hearing this morning, FBI Director James Comey has hinted at growing consensus between technology companies and intelligence agencies over the controversial issue of how to access encrypted data.
He also supported what appears to be a fresh push by Senator Dianne Feinstein to introduce legislation to enable courts to order access to encrypted devices.
In a written statement to the Judiciary committee, Comey said the FBI had been unable to access the contents of more than 3,000 mobile devices in the first half of the fiscal year, using what he described as “appropriate and available technical tools, even though there was the legal authority to do so.”
He said that represented “nearly half” of all the mobile devices it had attempted to access in that time frame. In the statement he also argued that case-by-case investigative workarounds to gain access to encrypted devices are “difficult to scale” and “may be perishable due to a short technical lifecycle” or else as a consequence of an exploit being disclosed via legal proceedings.
Feinstein asked him how many of those devices had related to counterterrorism enquiries — and Comey committed to letting her know, though he did not give the figure in the public meeting.
“None of us want backdoors”
“We’ve had very good open and productive conversations with the private sector over the last 18 months about this issue, because everybody realizes we care about the same things. We all love privacy, we all care about public safety and none of us want backdoors — we don’t want access to devices built in in some way. What we want to work with the manufacturers on is to figure out how can we accommodate both interests in a sensible way,” said Comey in response to a question from Senator Hatch about the security risks of backdoors being built in to enable access to encrypted data.
“How can we optimize the privacy, security features of their devices and allow court orders to be complied with. We’re having some good conversations — I don’t know where they’re going to end up, frankly. I could imagine a world that ends up with legislation saying that if you’re going to make devices in the U.S. you figure out how to comply with court orders. Or maybe we don’t go there. But we are having productive conversations right now I think.”
In February last year a California judge ordered Apple to unlock an iPhone for the FBI, after the bureau took legal action to try to gain access to encrypted data on the device, which had been used by one of the San Bernadino shooters. The FBI asked Apple to alter the device’s security system to enable the passcode to be brute-forced. Apple refused, and framed this as a demand it build a backdoor. The high-profile court battle ultimately ended after the FBI paid a third-party company to gain access to the device via an exploit in the security system.
During today’s hearing, Feinstein raised the San Bernadino incident, suggesting she intends to reintroduce a bill to require tech companies decrypt customers’ data at a court’s request. Her prior attempt failed to garner enough support and the bill was withdrawn last year. But it looks like Feinstein is ready to wage crypto war again this year.
“We had looked at legislation that would take into consideration events of national security and provide that devices — there must be some way of even going before a judge and getting a court order to be able to open a device,” said Feinstein, asking if Comey thought the approach would work.
He responded affirmatively — saying such legislation would be “better from a public safety perspective.” “We’ve had a lot of conversations [with tech companies],” he reiterated. ‘”And in my sense they’ve been getting more productive because I think the tech companies have come to see the darkness a little bit more — my concern was privacy’s really important but they didn’t see the public safety cost. I think they’re starting to see that better.
“What nobody wants to have happen is something terrible happen in the United States and it be connected to our inability to access information with lawful authority. We ought to have the conversations before that happens. And the companies more and more get that, I think in the last year and a half. But it’s vital.”
We have to figure out a way to optimize those two things: privacy and public safety. FBI Director James Comey
“We weren’t picking on Apple in the San Bernadino case,” he added. “There were real reasons why we needed to get into that device — and that is true in case after case after case. And that is why we have to figure out a way to optimize those two things: privacy and public safety.”
Feinstein also said she intends to push legislation to require tech companies to report terrorist-related and other illegal activity on their platforms — flagging similar recommendations published by a U.K. parliamentary committee this week. And Comey was, of course, also fully behind this proposal, agreeing with Feinstein the FBI would benefit from knowing about such activity — albeit adding in the caveat that it be “with a judge’s permission.”
During the session, Comey also made repeat plays for expanding the scope of national security letters (NSL) — arguing that these administrative subpoenas were always intended to be able to acquire information from internet companies, not just from telcos.
“Because of what I believe is a typo in the law — and if I’m wrong Congress will tell me that they intended this — companies that provide the same services but on the internet resist,” he told the hearing. “And say we don’t have the statutory authority to serve an NSL to find out the subscriber to a particular email handle or what addresses were in contact with what addresses.
“I don’t think Congress intended that distinction, but what it does do is in our most important investigations it requires us that if we want to find out the subscriber info to a particular email to go and get an order from a federal judge in Washington as part of the FISA court. An incredibly long and difficult process. And I’m worried about that slowing us down — and I’m also worried about it being a disincentive for our investigators to do it at all.”
FISA: Section 702
On the issue of whether Section 702 of the Foreign Intelligence Services Act (FISA) should be reauthorized, Comey mounted a robust defense of intelligence agencies’ need for the provision — describing it as “a critical tool to protect this country.”
The contentious portion of FISA effectively creates a loophole allowing for warrantless surveillance of U.S. citizens via so-called “incidental collection” of their communications. It is also controversial in Europe for effectively enabling the trampling of EU citizens’ fundamental rights — a factor that helped derail a long-standing transatlantic data transfer arrangement, and continues to cause trouble for its replacement agreement (the EU-US Privacy Shield).
Section 702 of FISA is due to expire at the end of this year unless it is actively renewed by Congress — and the possibility of it being sunsetted entirely appeared to be of most concern to Comey.
Asked to explain why the provision is so vital for U.S. intelligence efforts, he said: “Really bad people around the world, because of the genius of American innovation, use our products and infrastructure for their emails, for their communications. And what 702 allows us to do is quickly target terrorists, weapons of mass destruction proliferators, spies, cyberhackers, who are using our infrastructure to communicate, to target them quickly and collect information on them. And it is vital to all parts of the intelligence community, because of its agility, its speed and its effectiveness.
“If we were required to establish the normal warrant process for these non-Americans who aren’t in our country just because the photons they’re using to plan attacks cross our country’s lands, we’d be tasked for reasons that make no sense at all and the courts have said are unnecessary under the fourth amendment.”
He added that another intelligence gathering tool — the telephony metadata database — “does not compare in importance to 702,” arguing baldly that: “We can’t lose 702.”
Comey also faced a few less soft-ball questions on the provision — including being questioned about the practice of unmasking (i.e. identifying) American citizens whose communications have been harvested “accidentally” via Section 702.
Asked whether the bureau has ever requested the unmasking of a U.S. citizen, he suggested this is commonplace, responding: “Oh yes. I did it this week in connection with an intelligence report.” Comey was then grilled on the process for making unmasking requests, how many people are authorized to make them, and where records of such requests would be stored.
Later in the session he was also asked whether a narrowing of the definition of Section 702 to exclude using it to gather intelligence on “foreign affairs” — which clearly allows for a very wide range of data to be sucked up — would still enable the core intent to function. Perhaps surprisingly the FBI chief agreed that limiting it to information relevant for national security purposes would not undermine its core intelligence utility, although “national security” can still be a pretty broad umbrella for catching data.
“It would seem so, logically,” he told Senator Lee. “To me the value of 702 is exactly that: where the rubber hits the road in the national security context. Especially counterterrorism, counter proliferation.”
Clinton, Trump, Assange…
During the hearing, Comey inevitably faced a barrage of questions about the FBI’s investigation into Hillary Clinton’s use of a private email server, with the FBI chief defending when and how he reported the conclusion of the probe, and the subsequent letter sent to Congress at a key moment of the 2016 presidential campaign — potentially contributing to swinging votes to Trump.
“It was an incredibly difficult choice,” he said on this at one point, after senators had again returned to the topic. “The desire was to act independently, credibly and honestly… We made judgments trying to do the right thing, and I believe even with hindsight we made the right decision.”
He was also repeatedly asked about potential links between the Trump campaign and the Russian government. But on this theme Comey generally declined to answer — saying he did not wish to make public comments that might prejudice the ongoing investigation.
Concerns were also raised about the security of election infrastructure in the light of Russian efforts to hack or otherwise influence U.S. politics, and Comey was asked what the FBI is doing specifically to help defend against such foreign cybersecurity threats.
On this he said the bureau shares intelligence on hackers’ “tools, tactics and techniques” with the department of homeland security and with state and local election officials so they can “harden their networks.” “One of the most important things we can do is equip them with the information to make their systems tighter,” he said, noting that voter registration databases have been one election-related hacking target.
The Yahoo email hack also briefly came up, with Comey describing Russian government organizations as having “a relationship that’s often difficult to define with criminals.” “The Yahoo hack is an example of that,” he noted. “You had some of Russia’s greatest criminal hackers and intelligence agency hackers working together.”
Questioned by senators on WikiLeaks, Comey would not confirm whether or not the FBI has any charges pending against Julian Assange — but did say that in his view the organization has endangered “both” U.S. lives and U.S. interests.
Asked to explain the difference between WikiLeaks and journalism, he added: “To my mind it crosses a line when it moves from being about trying to educate a public and instead just become about ‘intelligence porn,’ frankly, just pushing out information about sources and methods without regard to interest, without regard to the First Amendment values that normally underlie press reporting — and simply becomes a conduit for the Russian intelligence services or some other adversary of the U.S. just to push out information to damage the U.S.”
Comment