The deployment of default strong encryption on mobile devices and the practice of U.S. companies storing user data in foreign countries are hampering the ability of law enforcement to protect Americans from cyber crime and other threats, a top U.S. prosecutor said.
In a speech Wednesday, Assistant Attorney General Leslie Caldwell said prosecutors and law enforcement agencies across the country are running into difficulty extracting evidence from mobile devices, email, and other systems that are protected by strong encryption. Device manufacturers, including Apple and Google, have implemented strong encryption by default on their phones in the last couple of years, a change that has put them into public and private conflicts with law enforcement. Caldwell said these changes have prevented law enforcement agencies from being able to search protected devices in many cases, even with a warrant.
“This is because, in an attempt to market products and services as protective of personal privacy and data security, companies increasingly are offering products with built-in encryption technologies that preclude access to data even when a court has issued a search warrant. Service providers with more than a billion user accounts, that transmit tens of billions of messages per day around the world, now advertise themselves as unable to comply with warrants. And device manufacturers that have placed hundreds of millions of products in the market have embraced the same principle,” Caldwell said in a speech at the Center for Strategic and International Studies Wednesday.
“Let me be clear: the Criminal Division is on the front lines of the fight against cybercrime. We recognize that the development and adoption of strong encryption is essential to counteracting cyber threats and to promote our overall safety and privacy. But certain implementations of encryption pose an undeniable and growing threat to our ability to protect the American people. Our inability to access such data can stop our investigations and prosecutions in their tracks.”
The protracted fight between Apple and the FBI earlier this year over an encrypted iPhone highlighted this issue, but the conflict has been going on for many years. Since the advent of widely available strong encryption software in the 1990s, law enforcement and prosecutors have clashed with privacy advocates and security experts over its use. This has led to many attempts to implement back doors, key escrow, or other access methods, which largely have been defeated. Caldwell said the law enforcement community has to depend upon technology vendors for help in many cases, help which the companies aren’t always in a position to provide.
“Our ability to protect Americans from crime has become dependent, in thousands of cases, on the business decisions of for-profit corporations. More troublingly, even when companies have the technical ability to reasonably assist us in accessing encrypted information, they have refused to do so for fear of ‘tarnishing’ their image. Regardless of which side of this issue you are on, we can all agree that market-driven decisions are not and have never been a substitute for sound public safety policies,” she said.
Caldwell also pointed to off-shore data storage as a major challenge for police. She said many companies specifically store user data in foreign countries to keep it out of reach of U.S. authorities, and some providers can’t pinpoint which country specific data is stored in. That makes it difficult for law enforcement officials to gain access to data during investigations, she said.
“Data held by major Internet service providers can be crucial to identifying and holding accountable the perpetrators of virtually every federal crime we handle. Increasingly, however, American providers and other providers subject to the jurisdiction of the United States are storing such information outside the United States, and not always at rest and in the same location. The data can be partitioned and stored in multiple locations, or moved about on an ongoing basis, and some providers may not even know where all data relating to a particular user is at a given time,” Caldwell said.