Real security requires strong encryption – even if investigators get blocked

This was a time when NSA itself was facing a new reality. Encrypted communications had become the norm in government work – and not just for technologically sophisticated nations. NSA adapted. Details are shrouded in secrecy, but we know that just like hackers, NSA takes advantage of unpatched vulnerabilities to break in to targets. NSA also relies heavily on communications metadata, the when, where, how long – and sometimes who – of a communication. And NSA apparently uses stealthy techniques, such as intercepting communication equipment while being shipped, to install eavesdropping tools. The result? Despite widespread use of encryption by its targets, NSA is largely able to obtain the information it seeks.

Adapting to an encrypted world
Today, the FBI is facing a similar situation to the NSA’s two decades ago. Consumer products and apps like WhatsApp regularly use strong encryption to protect communications and devices. And sometimes that prevents investigators from viewing potential evidence – as it did in San Bernardino, for a time. The bureau can keep fighting the battle to weaken encryption, which it has been losing for decades, or it can follow the NSA’s lead and adapt.

Police without a back door into encryption systems have several options. Since at least the early 2000s, the FBI has been getting court orders letting agents hack into criminals’ computer and communication systems to install recording and surveillance software. But that’s not the only possibility for investigators.

Other kinds of nonencrypted data may provide valuable information that can serve as an alternative, and computer systems can be enormously helpful in finding and analyzing that data. In the wake of the 1993 World Trade Center bombing, investigators had to wade through paper copies of phone company records to discover who talked to whom when, and from there draw connections between members of the bombing conspiracy. Modern software – and digital phone, financial and other records available with a warrant – can make that analysis immeasurably faster.

The “internet of things” provides another potential treasure trove for investigators: In one instance, for example, the history of a person’s heart rate as measured by his data-collecting pacemaker led to his indictment for arson when his story of his actions during the fire didn’t hold up. In another case, a woman’s activity level, as tracked by her Fitbit, contradicted her husband’s account of her death – and led to murder charges against him.

Following suspects is a third area where technology really helps police: Using a team of trackers cost approximately US$275 an hour – but tracking a suspect’s phone as it travels drops the price to $5.21 an hour.

Such technological advances aren’t used as easily by state and local investigators, who conduct more than half of law enforcement wiretaps in the U.S. Sometimes state and local police are stymied by relatively simple issues, such as the wide variety of phones, internet providers and data formats. In 2013, the FBI stepped up to help, creating training programs through its National Domestic Communications Assistance Center to help police gather digital evidence without needing to break encryption.

Even as these varied investigatory techniques will help, sometimes encryption will simply prevent investigators from getting the goods – or getting them quickly enough to prevent a crime. But law enforcement has always had to deal with blocks to obtaining evidence; the exclusionary rule, for example, means that evidence collected in violation of a citizen’s constitutional protections is often inadmissible in court.

Facing new threats
The importance of strong cryptography in protecting people’s privacy has become clearer in recent years. Attackers are more sophisticated – as shown in the 2015 Russian hack of the Democratic National Committee emails and the 2017 Equifax data breach, among others. And any groups “viewed as likely to shape future U.S. policies” were targets of Russian hacking efforts, according to the Office of the Director of National Intelligence. That could include almost any organization – activist groups, church associations, community foundations, professional societies, nongovernmental organizations and more – that forms the underpinning of democratic societies.

This broad threat to fundamental parts of American society poses a serious danger to national security as well as individual privacy. Increasingly, a number of former senior law enforcement and national security officials have come out strongly in support of end-to-end encryption and strong device protection (much like the kind Apple has been developing), which can protect against hacking and other data theft incidents.

As technology changes, the jobs of police and intelligence workers must also change; in some ways, it will be harder, in others, easier. But the basic need for security supports the call for wide use of strong encryption – and without modifications that make it easy for Russians, or others, to break in.

Susan Landau is Professor of Computer Science, Law and Diplomacy and Cybersecurity, Tufts University. This article is published courtesy of The Conversation (under Creative Commons-Attribution / No derivative).