In the dark about ‘going dark’

We can now add “a growing lack of trustworthiness on encryption-related topics” to the FBI’s list of problems.

Recent reports have shown the FBI’s encryption argument is not only wrong, but greatly exaggerates the problem’s magnitude. This comes on the heels of a shocking report by the Department of Justice’s Inspector General, suggesting that some FBI staff purposely slowed efforts to unlock Syed Rizwan Farook’s iPhone in the aftermath of the San Bernardino shooting to pressure Apple to build a backdoor. These two episodes are troubling; lawmakers should demand a thorough accounting of the FBI’s actions and the public deserves full transparency about the true nature of the FBI’s encryption problem.

The FBI and DOJ have long argued that the proliferation of end-to-end encryption — whereby only the user can access the plain text of their data — allows criminals to “go dark,” operating beyond law enforcement’s reach. Cybersecurity experts and technology companies have countered that strong encryption not only protects customers, but is also a critical factor in economic and national security.

This dispute reached a boiling point after the San Bernardino attack. At the time, the FBI claimed that they had exhausted every effort to unlock the phone and needed Apple to design special software to bypass security protections. Though the FBI eventually dropped their litigation after successfully unlocking the device without Apple’s assistance, we now know that, according to the DOJ Inspector General, senior investigators intentionally did not pursue all avenues because they wanted to set new legal precedent with their suit against Apple.

Perhaps most shockingly, the Inspector General’s report suggests that the FBI’s lead forensic investigator chose not to consult with his colleagues, nor sought assistance from third party vendors because the case was considered the “poster child” for “going dark.” Only when another forensic unit discovered that it couldn’t unlock the device did an official take it upon himself to contact a vendor known to have almost completed work on an unlocking solution. The IG found that when the lead investigator learned that an outside vendor had been consulted, the investigator was “frustrated that the case against Apple could no longer go forward.”

Though the FBI ultimately unlocked the San Bernardino shooter’s phone, the bureau described the ordeal as a rare exception to the “going dark” problem. On Jan. 9, 2018, FBI Director Christopher Wray sought to backup the bureau’s encryption rhetoric with a powerful new statistic: the FBI had encountered 7,775 devices in fiscal year 2017 that they were unable to access because of encryption. At the time, this number struck many of us as unbelievable. The FBI had said there were only 880 such cases in 2016.

When I heard the number, I immediately called some law enforcement contacts who told me that it included many phones that couldn’t be opened immediately, but eventually were unlocked. Even as law enforcement was getting past the security measures, it didn’t diminish the fact that the problem was just getting much worse.

Many assumed that the FBI’s new statistic was evidence that the “going dark” prophecy had finally come true. The FBI seized on this, continuously repeating the number, warning that each device was “tied to a specific subject, a specific defendant, a specific victim, a specific threat.” Just a few weeks ago, Attorney General Jeff Sessions cited these figures, adding that each device the FBI couldn’t unlock “was tied to a threat to the American people.”

However, those of us that questioned this statistic and the protestations around it had good reason to. It seems the FBI was keeping three distinct data bases leading to inflation of up to 700 percent from the original figure, provided or somewhere “between 1000 and 2000” phones.

How could such an important detail — cited repeatedly by the nation’s top law enforcement officials — be so wrong for so long? Whether the FBI knowingly or inadvertently inflated this key metric is a necessary question after the troubling findings in the DOJ Inspector General’s report.

We don’t really know how significant the impact of end-to-end encryption is on law enforcement. What we do know is that lawmakers must scrutinize all of law enforcement’s “going dark” claims, just as they should intensely scrutinize all of the tech industry’s claims. Our elected officials need to better understand the true nature and extent of the problem before making sweeping changes to the law that could adversely impact the public’s ability to secure their information from prying eyes of malicious hackers.

Ari Schwartz is Managing Director for Cybersecurity Services at Venable. Schwartz is a former Special Assistant to the President for Cybersecurity on the National Security Council under President Barack Obama.