Commentary

Not ‘Going Dark’: The FBI’s Misguided War on Encryption

The public war of words over Americans’ right to encrypt their communications and transactions will resume July 8 when the Senate Judiciary Committee holds a hearing featuring the federal government’s most outspoken opponent of public encryption: FBI Director James Comey.

In his testimony, Comey will claim — as he has repeatedly over the last 18 months — that wide-scale public adoption of encryption technology will cripple the FBI’s ability to find and catch terrorists. The public record to date shows otherwise.

Last year, Comey blasted Apple and Google for moving to make their own products more secure by cleaning up existing software vulnerabilities and, in Apple’s case, implementing end-to-end encryption for its iMessage instant messaging app and Facetime video chat app.

In May 2015, Comey again attacked technology companies and civil liberties groups for sending a letter to President Obama calling for a halt to executive branch efforts to compromise private sector encryption standards and products.

“I read this letter and I think that these folks don’t see what I see, or they’re not fair minded,” Comey said.

The notion that encryption imperils all law enforcement operations is ludicrous.

A review of federal terrorism-related court cases since 2013 involving home-grown Islamic radicals suggests Comey is the one not being fair minded.

A recent study by the Fordham Law School’s Center for National Security provided some fresh insights into the demographics of would-be ISIS recruits in the United States, particularly the centrality of social media and messaging apps for ISIS’s recruiting efforts. Left unexamined by the Fordham report was the use of encrypted communications apps and services by ISIS and its U.S.-based recruits — the subject of FBI Director Comey’s public angst.

Of the 56 cases examined by the Fordham researchers, I found two that involved messaging services like Surespot (which offers end-to-end encryption) and Kik (which allows users to avoid exposing their mobile numbers to establish an identity). In two other cases, FBI agents used generic phrases like “private online communications” to describe communications between conspirators in court documents without revealing the specific communication modality involved. Most of the cases involved would-be ISIS terrorists employing unencrypted platforms like Twitter or Facebook to communicate.

In none of the cases did FBI or Department of Justice officials assert that an encrypted or otherwise ostensibly more secure communications app or service inhibited their prosecutions.

Indeed, the recent plea agreement involving a 17-year-old from Manassas, Va., explicitly mentioned the defendants use of Surespot as a means of communication with an ISIS supporter located outside of the United States. According to the plea agreement, the young Virginian, Ali Shukri Amin, put a co-conspirator

…in touch with an ISIL supporter located outside of the United States via Surespot in order to facilitate [co-conspirator] RN’s travel to Syria to join and fight with ISIL. The defendant arranged for this ISIL supporter located overseas to send RN a package containing a phone for RN’s use during his travel to Syria, an encrypted thumb drive, and a letter. On or about January 7, 2015, FBI agents took possession of a package addressed to the defendant that contained an un-activated smart phone with international capability, a USB thumb drive, and a hand written letter containing both Arabic and English writing.

Clearly, the use of Surespot did not inhibit the ability of the FBI to monitor the conspiracy, much less to intercept (and, if necessary, modify for surveillance purposes) communications technology sent to a would-be terrorist here in America to facilitate the conspiracy. Surespot itself may be under a federal court order to cooperate in counterterrorism investigations.

More evidence that Comey’s “sky is falling” claim about criminals escaping justice by using encryption is nonsense comes from a just-released report by the Administrative Office of the United States Courts.

Titled “Wiretap Report for 2014,” the report had this to say about encryption:

Three federal wiretaps were reported as being encrypted in 2014, of which two could not be decrypted. Encryption was also reported for five federal wiretaps that were conducted during previous years, but reported to the [Administrative Office] for the first time in 2014. Officials were able to decipher the plain text of the communications in four of the five intercepts.

The report offered no evidence that encryption prevented prosecutions or derailed investigations — and in 80 percent of cases prior to 2014 where the bureau encountered encrypted communications, they were able to decipher the messages anyway. Given the large number of investigative tools available to the FBI — from physical surveillance, covert physical searches, cooperation from telecommunications companies, the use of informants, and so on — the notion that encryption imperils all law enforcement operations is ludicrous.

Earlier this year, the House passed two amendments to separate appropriations bills baring federal funds from being used to undermine private sector encryption — specifically, the Department of Justice and Department of Defense spending bills. Those actions have not deterred Director Comey from continuing his dangerous and misguided anti-encryption campaign. If the private communications and transactions of Americans are going to remain secure from hackers and foreign spies, Congress is going to have to send Comey a much stronger “cease and desist” message.

Patrick G. Eddington is a policy analyst in Homeland Security and Civil Liberties at the Cato Institute, and an assistant professor in the Security Studies Program at Georgetown University.