FBI Director Christopher Wray did something Wednesday few of his recent predecessors have done: He provided what the bureau believes is a model for how private tech companies could turn over encrypted data.
Wray, who spoke at an FBI conference in Boston, claimed that it’s still possible to develop a workaround for law enforcement to collect evidence from encrypted systems that is “consistent with both the rule of law and strong cybersecurity.”
In prepared remarks, the FBI director specifically named Palo Alto, California-based Symphony, the creator of an encrypted messaging platform that’s popular in the banking industry, as an example for how other technology companies could one day work with the FBI.
“Some of you may know about the chat and messaging platform called Symphony,” Wray said Wednesday. “This was used by a group of major banks, and marketed as offering something called ‘guaranteed data deletion,’ among other things. Maybe the labeling, maybe the content didn’t sit too well with the friendly regulator down the street – the New York Department of Financial Services,” or DFS.
Wray went on to highlight that DFS was concerned Symphony’s data deletion feature could be used to evade investigations. To placate DFS, the company’s customers agreed to store copies of all communications sent through Symphony for seven years, and banks using Symphony agreed to let a third party hold duplicates of their encryption keys.
“So at the end, the data in Symphony was still secure, still encrypted, but also accessible to the regulators so they could do their jobs,” Wray said. “I’m confident that by working together and finding similar areas to agree and compromise, we can come up with solutions to the ‘going dark’ problem.”
Some journalists, lawmakers and technology experts have criticized the FBI in recent years for not being upfront about what they viewed as a feasible technological solution to accessing encrypted data. The Trump administration, like the Obama administration before it, refers to “going dark” as a problem in which criminals can hide from law enforcement by communicating and storing records in encrypted channels.
Designed to comply
In an interview with CyberScoop, a Symphony representative went into further detail on the DFS arrangement Wray highlighted.
“Customers fully control their own encryption keys on-premise, and Symphony does not have access to these keys. This provides strong cybersecurity protection, and also ensures that the vendor can’t misuse the contents of customer data, which in financial services is highly sensitive,” a spokesperson said. “The DFS agreements are between the customer and their regulator. Customers can deposit their keys with custodians whom they choose and protect and store them on hardware cryptographic devices. Following due process, the custodians could be required to disclose the encryption key to the regulator, allowing the regulator to decrypt the data stored on Symphony.”
The encrypted messaging app maker said it chose to offer customers the option of depositing their keys with a custodian so that clients could adhere to financial industry regulations.
“Symphony did not change the security model of the platform to facilitate this [DFS agreement], since the platform was designed to allow customers to comply with financial record retention and compliance rules, and the process leverages aspects of this design,” the spokesperson said.
In practice, the arrangement means that a large enterprise using Symphony would typically keep its encryption key inside a hardware security module (HSM) on its own premises, a dedicated appliance usually housed in a data center protected by armed guards. The hardware itself isn’t made by Symphony; the HSM market is largely dominated by Thales and Gemalto.
Some modules are air-gapped while others are not, but they generally tend to be very secure. A third-party custodian, under the DFS agreement, would facilitate the handover of the key to a regulator or, in Wray’s example, an FBI agent. In most cases today, the custodian is a law firm that already represents the Symphony client and is granted special access to the key store.
Experts say that newer hardware security modules are difficult to crack because of physical and digital anti-tampering measures, though not impossible. The module’s cryptographic processor will perform operations with the key on request, but the device is built so that the key itself is hard to extract.
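The arrangement described above, modeled in code as an added example that is not Symphony’s software or anything from the article: a stdlib-only Python sketch of the three roles (the customer’s hardware security module, the custodian and the regulator). The cipher, the class and function names, the `due_process_order` flag and the sample messages are all constructed for illustration; the cipher is an HMAC-based stand-in for a real AEAD such as AES-GCM and is not for production use. It shows what the scheme buys and what it costs: the retained archive is unreadable without the escrowed key, the custodian gates release on an order, and the one disclosed key opens every retained record at once.

```python
import hashlib
import hmac
import os

# Added illustration of the key-escrow flow described in the article; not Symphony code.
# The cipher is a stdlib-only stand-in (HMAC-SHA256 keystream in counter mode,
# encrypt-then-MAC) for a real AEAD such as AES-GCM. Do not use it in production.

NONCE_LEN, TAG_LEN, BLOCK = 16, 32, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive distinct encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_keystream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-based keystream; same call encrypts and decrypts."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        stream = hmac.new(enc_key, nonce + n.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], stream))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    body = _xor_keystream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, record: bytes) -> bytes:
    """Verify the tag first: a wrong key or an altered record is rejected, not misread."""
    nonce, body, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return _xor_keystream(_subkey(key, b"enc"), nonce, body)


class Hsm:
    """Models a hardware security module: the key is used inside the device, not handed out."""

    def __init__(self) -> None:
        self._key = os.urandom(32)

    def encrypt(self, plaintext: bytes) -> bytes:
        return encrypt(self._key, plaintext)

    def decrypt(self, record: bytes) -> bytes:
        return decrypt(self._key, record)

    def escrow_copy_into(self, other: "Hsm") -> None:
        """Key ceremony: duplicate the key into the custodian's device. A real ceremony
        would wrap it under the custodian's key-encryption key rather than copy raw
        bytes; this toy skips that step."""
        other._key = self._key

    def export_plaintext_key(self) -> bytes:
        """The single point where the raw key leaves hardware; exists only so the
        custodian can comply with a compelled disclosure (hypothetical API)."""
        return self._key


class Custodian:
    """The third party (a law firm, per the article) holding the escrowed copy."""

    def __init__(self) -> None:
        self.hsm = Hsm()

    def disclose_key(self, due_process_order: bool) -> bytes:
        """Release the key only when legally compelled (flag is a constructed stand-in
        for the legal process). The returned key is the 'second path' critics describe."""
        if not due_process_order:
            raise PermissionError("no order: custodian will not disclose the key")
        return self.hsm.export_plaintext_key()


def run_escrow_demo() -> dict:
    """Walk the arrangement end to end: retain, escrow, compel, decrypt."""
    bank = Hsm()
    custodian = Custodian()
    bank.escrow_copy_into(custodian.hsm)

    # Constructed sample traffic, stored encrypted for the seven-year retention period.
    messages = [b"trade confirm #1", b"client call notes", b"wire details"]
    archive = [bank.encrypt(m) for m in messages]

    blocked = False
    try:
        custodian.disclose_key(due_process_order=False)
    except PermissionError:
        blocked = True

    unreadable = False
    try:
        decrypt(os.urandom(32), archive[0])  # a reader without the escrowed key
    except ValueError:
        unreadable = True

    key = custodian.disclose_key(due_process_order=True)
    recovered = [decrypt(key, rec) for rec in archive]  # one key opens the whole archive
    return {"recovered": recovered, "blocked_without_order": blocked,
            "unreadable_without_key": unreadable}
```

Note the design point the last line makes: because the escrowed copy is the same long-lived key that protects the entire retention archive, a single compelled disclosure (or a compromise of the custodian) exposes every retained record, not just the ones an investigator asked for. Rotating the archive key per period would bound that exposure to what the order actually covers.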
Calling it a backdoor
Privacy and civil rights groups aren’t sold on the idea.
“A system that provides unnecessary paths to access private data is more likely to be breached than one that doesn’t,” said Amie Stepanovich, U.S. policy manager at Access Now. “In the corporate or government spheres there may be reasons — like the need to comply with open government laws — to ensure third-party access to content. But it would be erroneous to call any steps taken to provide that access anything but a backdoor, and backdoors make products less secure than they could be, or in the case of services used by the global public, should be.”
Others agreed with Stepanovich’s concerns.
“Look at what happens to people who handle unencrypted copies of communications these days: they become a massive target. Google was hacked by China, the NSA was intercepting stuff going over Google’s cables, Yahoo hacked by Russia, etc.,” said Bill Marczak, a security researcher with digital human rights and privacy research institute Citizen Lab. “If a single firm has the keys to unlock the world’s communications, it becomes a massive target. And you need the best of the best in computer security to defend it.”
Camille Fischer, a fellow at the Electronic Frontier Foundation, said that although Wray’s comments may be novel compared with prior statements, the Symphony example does not safely scale to consumer communications.
“The Symphony messaging service Wray is pointing to is an example of a key escrow system, just like the Clipper Chip that law enforcement tried to push in the ’90s and has tried to support in various fashions since,” Fischer told CyberScoop. “A push by the government for companies to create a backdoor system or even pushing consumers to use a backdoor system will undoubtedly open ordinary people up to security vulnerabilities while encouraging criminal and terrorist actors to use different devices or messaging applications that don’t have this backdoor capability.”
Symphony was formerly known as Perzo before it was purchased in 2014 by Goldman Sachs. Backers of the company include Bank of America, BNY Mellon, BlackRock, Citadel, Citi, Credit Suisse, Deutsche Bank, Goldman Sachs, HSBC, Jefferies, JPMorgan, Maverick, Morgan Stanley, Nomura and Wells Fargo.
Last year, 7,775 encrypted devices sat in evidence lockers at law enforcement facilities across the U.S., according to Wray. The bureau was unable to access those devices, he said, leaving gaps in some criminal investigations.