FBI Director Says It's 'Not Impossible' To Create Compromised Encryption That's Still Secure

FBI Director Chris Wray was back on the "going dark" stump this week. In a speech [PDF] at Boston College, Wray again stated, without evidence, that it wasn't impossible to create weakened encryption that isn't weakened. (via Cyrus Farivar at Ars Technica)

We have a whole bunch of folks at FBI Headquarters devoted to explaining this challenge and working with stakeholders to find a way forward. But we need and want the private sector's help. We need them to respond to lawfully issued court orders, in a way that is consistent with both the rule of law and strong cybersecurity. We need to have both, and can have both. I recognize this entails varying degrees of innovation by the industry to ensure lawful access is available. But I just don't buy the claim that it's impossible.

It really doesn't matter whether or not Wray "buys" this claim. If you deliberately weaken encryption -- either through key escrow or by making it easier to bypass -- the encryption no longer offers the protection it did before it was compromised. That's the thing about facts. They're not like cult leaders. They don't need a bunch of true believers hanging around to retain their strength.

Yet Wray continues to believe this can be done. He has yet to provide Senator Ron Wyden with a list of tech experts who feel the same way. The "going dark" part of his remarks is filled with incongruity and non sequiturs. Like this, in which Wray says he doesn't want backdoors, but rather instant access to encrypted data and communications" almost like a backdoor of some sort.

We're not looking for a "back door" - which I understand to mean some type of secret, insecure means of access. What we're asking for is the ability to access the device once we've obtained a warrant from an independent judge, who has said we have probable cause.

If by "backdoor," he means insecure exploit, then he's technically correct. If by "not a backdoor," he means another door located on the front or side or connected to the basement or whatever, then what difference does the door's location really make? A door is door and it provides an opening where there wasn't one previously.

Solutions have been provided. There's no shortage of people suggesting workarounds. Metadata is valuable even if Wray continues to downplay it. It's a weird position for him to take considering the agency's long reliance on metadata swept up by the NSA. Devices can be hacked, but Wray continues to assert this isn't a solution either, even after Cellebrite made the stunning announcement it could crack any iPhone, including the latest models. There are a variety of third parties hosting communications in cloud services, all of which could be approached to gain access to at least some evidence. Even public enemy #1, Apple, stores encryption keys for its iCloud services, which would give law enforcement much of what can't be obtained from a locked device.

Wray doesn't want a solution that isn't forced subservience of tech companies. That's become plainly apparent as he continues his anti-encryption crusade. Tech experts are ignored. Hacking breakthroughs like Cellebrite's aren't even cited. Legislators, for the most part, have offered no support for anti-encryption legislation, and yet Wray continues to push for technical access he can't define and proclaim his rightness despite having no expertise in the subject matter.

He also mentioned the stack of cellphones the agency claims it can't access -- 7,800 devices or more than half of those the FBI tried to access last year. But the number is meaningless. Wray claims they're all tied to investigations in one way or another, but does not describe what efforts were made to access their contents. Were the phones owners approached and asked for passcodes? Were the phones owners presented with the option of unlocking the devices or facing contempt charges? Were phones sent to Cellebrite or its competitors? Or has the FBI simply shrugged its shoulders, thrown them in a big pile, and decided to let the problem go unaddressed until it has enough legislators on its side?

In this discussion of The 7,800 Phones That Couldn't Be Broken, Wray mentioned something that shows the FBI won't be happy until it has mandated access to all encrypted data -- not just data at rest on locked devices.

Being unable to access nearly 78-hundred devices is a major public safety issue. That's more than half of all the devices we attempted to access in that timeframe. And that's just at the FBI. That's not even counting devices sought by other law enforcement agencies - our state, local, and foreign counterparts. It also doesn't count important situations outside of accessing a specific device, like when terrorists, spies, and criminals use encrypted messaging apps to communicate, which is an increasingly widespread problem.

Wray ended his speech as he always does -- with emotional appeals meant to throw shade on the tech experts who've told him his safely-broken encryption dreams are impossible.

After all, America leads the world in innovation. We have the brightest minds doing and creating fantastic things. A responsible solution will incorporate the best of two great American traditions - the rule of law and innovation. But for this to work, the private sector needs to recognize that it's part of the solution. Again, I'm open to all kinds of ideas. But I reject this notion that there could be such a place that no matter what kind of lawful authority you have, it's utterly beyond reach to protect innocent citizens. I also can't accept that anyone out there reasonably thinks the state of play as it exists now - much less the direction it's going - is acceptable.

Broken down, his final thoughts on "going dark" run like this:

1. Smart people refuse to help us.

2. They are irresponsible.

3. They are part of the problem.

4. They are making America unsafe.

Christ, what an asshole. The private sector is doing far more to "protect innocent citizens" than the FBI is. Encryption makes communications and data transfer much, much safer. Wray wants this weakened for one reason: to give law enforcement immediate access. Will this make America safer? The answer is no. Default encryption has been available for years now and there's been no corresponding spike in criminal activity and no loud chorus of united law enforcement officials lamenting their inability to close cases or prosecute people. America's jails are as full as they've ever been and crime rates remain far lower than they were prior to the advent of smartphones and encryption-by-default. It's only a very small number of law enforcement officials that seem to have a problem with this, but they're by far the loudest and most visible.