Published by The Lawfare Institute
in Cooperation With
Prior to the release of the new Berkman Center report, which included input from both current and former national security officials, recent attention had been focusing on NSA Director Rogers’ comments last month at the Atlantic Council. His remarks prompted a bit of a fuss.
Here’s what Rogers said, in part:
“Encryption is foundational to the future.”
“So spending time arguing about, hey, encryption is bad and we ought to do away with it…that’s a waste of time to me.”
He went on to say:
“...given that foundation, what’s the best way for us to deal with it?”
“...how do we meet those very legitimate concerns from multiple perspectives?”
Meanwhile, FBI Director Comey said this about the going dark debate; a public debate he encouraged over a year ago:
“My sense is the venom has been drained out of the conversation, that people understand that we are not some kind of maniacs who are ideologues against encryption..."
“We support encryption, but we have a problem that encryption is crashing into public safety and we have to figure out, as people who care about both, [how] to resolve it...”
Conclusions that Rogers and Comey conflict with each other on the issue are overstated. But, their roles do call for looking at the issue from slightly different perspectives, as I think Rogers was gently acknowledging. And so even if there is not much daylight between their respective public statements, it is not unreasonable to think that there is perhaps some daylight between national security and law enforcement in this debate. And if there is, it is not at all surprising. Here’s why:
The reason it might sound like Rogers is hedging, and why other former national security officials have come out in one way or another as arguably unsupportive of the FBI Director, is that the law enforcement and national security equities are not aligned 100% on this issue. Rogers and the other former officials are, of course, thinking with their national security hats on. In other words, they know or at least have a high degree of confidence in NSA’s technical sophistication and capabilities. They may know or believe that NSA has or could develop the ability to access communications or devices, without the assistance of the providers.
But local, state and even federal law enforcement agencies have neither the technical sophistication, nor comparable resources, and so they are more at risk of failing to fulfill their responsibilities. Law enforcement also faces a different (not less or more important, just different) kind of risk than the one posed by terrorism: the risk that a kidnapped child will not be found in time; that a violent domestic partner will reach his intended before police; or that a pedophile will go unfound or unpunished because the evidence of the crime is on a phone that can’t be unlocked or a message that cannot be deciphered. The type of case I’m describing is more similar to the one discussed in Petula Dvorak’s column in the Metro section of today’s Washington Post, than to a terrorist plot. Her column pleads with parents to be responsible overseers of their children’s use of the Internet, mobile devices and apps, and uses as its tragic example the recent news of the murder of a 13-year-old Virginian girl who was apparently lured by individuals she met online. The column quotes the head of Fairfax County Police Department’s child exploitation unit describing Kik, an app created by a Canadian company that enables a user to remain anonymous. According to its law enforcement policy, Kik does not appear to retain the content of texts, messages or photos that have been shared or exchanged.
As readers more familiar with this app or technology will point out, there are a few things, even on quick scan, that do not neatly frame the Kik example as an “encryption” issue. First, the company is in Canada, indicating that the reach of U.S. law enforcement would be limited. Depending on the circumstances, U.S. authorities might need to rely on the MLAT process; a process I suspect there is substantial agreement would benefit from reform. Second, according to this analysis in Re/Code, Kik does not employ end-to-end encryption, but instead deletes messages. The practical effect from a law enforcement perspective is the same; but the technical difference highlights that this is not a debate about encryption, alone. Instead, it is about lawful government access to data to protect public safety, one aspect of which is the mass deployment of encryption in the consumer market.
The Berkman Center report briefly notes the distinction between the national security and law enforcement equities this way:
The government is not a monolithic organization, and the encryption debate is not viewed the same way across governmental organizations or among the individuals within these organizations. The needs and resources of government organizations differ, as do their jurisdictional ambits. For instance, the resources available to the FBI for defeating encryption may be fewer than those available to the NSA. Likewise, state and local authorities have access to fewer resources than law enforcement operating at the federal level. However, while the degree of concern and operational value may not be shared across different agencies and levels of government, there is a general sense by actors within both the intelligence and law enforcement communities that, were all else equal, they would benefit if technological architectures did not present a barrier to investigations.
To be clear, I am not underselling the potential risk to public safety as a result of an act of terrorism that is facilitated by terrorists use of encrypted communications. But for the public to better understand that risk, it would be helpful for U.S. and French government authorities to provide more information demonstrating whether the assailants involved in the San Bernardino, and Paris attacks, respectively, used encrypted communications as a method of planning or carrying out their activities.
Similarly, the continued lack of comprehensive data that spans the law enforcement community on a national level outlining how frequently and to what degree efforts have been thwarted by encrypted communications or devices has made it difficult to accurately incorporate the law enforcement equities into the public policy debate. The Justice Department is probably in the best position to commission and coordinate this data call. And yet, despite anecdotal examples and even the Manhattan District Attorney’s white paper we still do not have a good enough picture of the national scope of the law enforcement challenge.
Director Comey, of course, wears two hats. He wears a national security one under which he leads FBI’s counterterrorism and counterintelligence function. He also leads the FBI’s criminal investigative activities, which include cybercrime, including child cyber exploitation, white collar crime, public corruption, and others. He also fills a role as the most visible thought leader in the law enforcement community. And so my sense is that while many of the public examples he has given on the going dark issue pertain to ISIS, he may/may be equally concerned about the risk of not being able to investigate and prosecute the most heinous domestic crimes involving the most innocent of victims. As the debate over lawful government access to data continues, it might be useful to acknowledge more fully that the public policy issues are greater than national security ones, alone.