FBI Director James B. Comey on Thursday called for the law to be changed to require technology companies to provide investigators with a way to gain access to encrypted communications, warning that without reform, Americans would see cases in which murderers, rapists and terrorists could more easily elude justice.
“I’m hoping we can now start a dialogue with Congress on updating” the law, said Comey, who has been increasingly vocal on the issue following last month’s announcement that Apple and Google are encrypting data on smartphones in a form that the companies cannot decrypt.
“We are not seeking to expand our authority to intercept communications,” Comey said, speaking at the Brookings Institution. “We are struggling to keep up with changing technology and to maintain our ability to actually collect the communications we are authorized to collect.”
Earlier attempts to revise the laws have met with fierce opposition from industry and privacy advocates, and a recent effort died on the vine following revelations last year by former National Security Agency contractor Edward Snowden of widespread NSA surveillance programs.
The FBI calls the dilemma “Going Dark” because of a lack of visibility into suspects’ communications.
Comey said Thursday that he understood that tech firms, in encrypting more communications, were responding to market pressures.
But, he said, “the post-Snowden pendulum” has “swung too far in one direction — toward fear and mistrust.” He called for a “national conversation” about the proper balance between liberty and security and about whether law enforcement agents armed with a warrant should be able to intercept a suspect’s communications — including phone calls and text messages — or obtain data such as photos and videos stored on smartphones.
“Have we become so mistrustful of government and law enforcement in particular that we’re willing to let bad guys walk away?” he said.
Comey described several cases in which access to text messages and other evidence obtained from cellphones enabled successful prosecutions, including of a sex offender who killed a young boy in Louisiana.
The FBI director said he wanted to see changes made to a 1994 law known as CALEA — for the Communications Assistance for Law Enforcement Act — so that companies such as Apple and Google have “an obligation to build a lawful intercept” capability into their phones or devices.
Currently only land-line and cellphone companies, broadband services and Internet phone services that connect with traditional phones are covered by CALEA. That leaves out online and peer-to-peer services, and a host of applications that provide text messages and chat services over the Internet.
Comey said he was not seeking a “universal” encryption key, which is a proposal that in the 1990s engendered fierce debate and was killed. Nor, he said, was he seeking a “back door” to allow authorities access.
The bureau wants providers to be required to build a capability in to their products or services, rather than retroactively creating means of access. “We want to approach the front door,” he said. That, he said, should minimize risks of vulnerabilities being introduced that can be exploited by hackers or foreign governments.
A renewed effort to revise the law will face strong headwinds. But, he said, “I think now it’s an opportunity to . . . stand in that wind a little bit and have that conversation.”
Laura W. Murphy, director of the Washington legislative office of the American Civil Liberties Union, said: “Whether the FBI calls it a front door or a back door, any effort by the FBI to weaken encryption leaves our highly personal information and our business information vulnerable to hacking by foreign governments and criminals.”
Altering CALEA to address Comey’s concern, tech experts say, would mean gutting a provision that permits companies to offer services that are encrypted with a key that they do not hold, and thus cannot decrypt. Experts say that such systems are far more secure.
If a company holds the keys, someone other than law enforcement could steal them, said Phil Zimmermann, who created Pretty Good Privacy encryption in 1991 and was nearly prosecuted for it. “Someone could break into that server and get millions of those keys,” said Zimmermann, who co-founded Silent Circle, a company that provides encrypted voice calls and text messages and does not hold a decryption key. “They become an attractive nuisance.”
Albert Gidari Jr., a partner at the law firm Perkins Coie who represents tech firms, said it isn’t the job of any company to make surveillance easier. “When we accept the premise that full access to everyone’s communications is required,” he said, “there will be no end to access government can demand to your smart home, smart car, and so on, just because a bad guy somewhere might use such a device in furtherance of a crime.”
The bureau, officials said, does not have any legislative proposal drawn up.