The FBI Can Already Crack Terrorists' Phones—So Why Does It Want a Back Door?

U.S. Attorney General William Barr and FBI Deputy Director David Bowdich announce the findings of the criminal investigation into the Dec. 6, 2019, shootings at the Pensacola Naval Air Station in Florida during a news conference at the Justice Department
May 31, 2020 Topic: Politics Region: Americas Blog Brand: The Reboot Tags: PrivacyBig TechIPhoneTerrorismFBI

The FBI Can Already Crack Terrorists' Phones—So Why Does It Want a Back Door?

The FBI has announced it has cracked the encryption on the Pensacola shooter's phone—but Barr is still attacking Apple for the encryption on iPhones.

Four months ago, we wrote on Attorney General Bill Barr’s complaint that Apple would not assist the FBI in cracking the encryption on two iPhones owned by the Pensacola shooter. At the time, we noted that there were essentially two possibilities: If these were phones with known vulnerabilities, the FBI could pay as little as $15,000 to have an external firm break the encryption; or if they were newer models, then even Apple would likely be unable to help.

Now the FBI has announced it has cracked the encryption on the phones itself — but Barr is still attacking Apple for the encryption on iPhones. One would think that the FBI successfully gaining access to the phones would undermine its argument that Apple’s help was a necessity to access the phones’ data, but Barr and FBI Director Christopher Wray say the time it took them to hack the phones was excessively costly and delayed the investigation. Perhaps they could have simply paid an outside firm to provide the necessary tools, as they have before?

This possibility went unmentioned at Barr’s press conference, but the Attorney General did attack Apple. He argued that Apple not only failed to assist the investigation, but also believed they could “unilaterally . . . make decisions based on their business interest and regardless of the dangers to the public.”

Set aside for a moment that Apple claims to have provided all files it had access to, as well as “continuous and ongoing technical and investigative support to FBI offices in Jacksonville, Pensacola and New York.” Barr once again fails to recognize the public safety value of strong encryption, yet still insists on calling for legislation forcing tech companies to weaken their encryption.

A recent report from the Carnegie Endowment for International Peace stands in stark contrast to the Attorney General’s blind spot. The report, put forth by a working group of former policymakers and public officials, members of the business community, and legal and technology experts, focused on achieving common ground for a more productive debate over encryption. The report explicitly rejects two “absolutist positions”: that law enforcement should not attempt to access encrypted information, and that law enforcement cannot do its job without access to any encrypted data.

The latter position, by all appearances, seems to be the one staked out by Barr. While the group did not reach a consensus on any firm policy proposal, it did lay out several principles that should guide this debate, including a focus on policy useful to law enforcement and limiting cyber vulnerabilities to the public at large. While Barr has emphasized the first principle, it is not clear that he appreciates the latter, or the other principles outlined in this report.

A panel discussion on the report raised two additional points worth mentioning in this context. First, while the working group acknowledged that creating a secure means for law enforcement to access data at rest is theoretically possible, they all agreed that no acceptable solution currently exists, undermining Barr’s assertion that Apple could safely enable backdoors for law enforcement if it wanted to. Second, one working group member raised serious concerns about current legislation aimed at undermining encryption. The act is focused on curbing online child abuse — which all involved in this debate agree is a worthy goal — and would create a panel chaired by the Attorney General to determine best practices to which internet service providers must adhere in order to retain liability protections under Section 230 of the Communications Decency Act. Jim Baker, who served as FBI general counsel from 2014 to 2017 and was formerly a strong proponent of enabling law enforcement to access encrypted data, noted that a panel focused solely on combatting child abuse could easily overlook the value of strong encryption. Baker has noted elsewhere that cyberattacks increasingly pose a “profound and overarching threat” to our national security, joining former CIA and NSA director Michael Hayden in voicing such concerns.

Combatting terrorism, child abuse, and other heinous crimes is a cornerstone of the criminal justice system and fundamental to protecting Americans’ safety. Strong encryption is also crucial to ensuring Americans are safe from foreign hackers, identity thieves, and even stalkers and domestic abusers. A solution to this debate must acknowledge both of these truths as well as the fundamental technical challenges to granting law enforcement access to encrypted data. Until Attorney General Barr displays an understanding of all these factors, policymakers should be wary of taking his recommendations to heart.

This article by Claude Barfield first appeared in AEIdeas on May 29, 2020.

Image: Reuters.