FBI director floats international framework on encrypted data access

Credit to Author: Michael Kan| Date: Thu, 23 Mar 2017 15:21:00 -0700

FBI director James Comey has suggested that an international agreement between governments could ease fears about IT products with government-mandated backdoors, but privacy advocates are doubtful.

Speaking on Thursday, Comey suggested that the U.S. might work with other countries on a “framework” for creating legal access to encrypted tech devices.

“I could imagine a community of nations committed to the rule of law developing a set of norms, a framework, for when government access is appropriate,” he said on Thursday.

Comey made his comments at the University of Texas at Austin, when trying to address a key concern facing U.S. tech firms in the encryption debate: the fear that providing government access to their products might dampen their business abroad.

Critics have said this government access amounts to a “backdoor” into tech products that essentially weakens a device’s security, putting consumers at risk.

But another worry is the business impact. Customers might prefer non-U.S. products that don’t have law enforcement access.

On Thursday, Comey said: “I don’t want to be any part of chasing the innovation from this great country to other places.”

However, he said that other nations such as France, Germany and the U.K. are also trying to solve the problem faced by law enforcement access to encrypted data. That might result in “inconsistent standards” that hurt the U.S. companies, when it comes to their international business.

“There’s a danger that we, the mother and father of all this innovation, will be the last to solve it (the encryption problem),” he said.

Comey didn’t elaborate further on his idea, but privacy experts are calling it unrealistic.

“I don’t think it makes sense,” said Nicholas Weaver, a researcher at the International Computer Science Institute at the University of California Berkeley.

Comey’s idea means that all countries will essentially agree to weaken the security in their vendors’ tech products, Weaver said. However, other countries will balk, fearing that the U.S. might exploit the cooperation for spying purposes.

“Would you still use a U.S. product, even if you know the NSA (National Security Agency) could have the rights to it?” he said.

Others think any mandated government access to tech devices risks cyberespionage from U.S. rivals.    

“Once you build that backdoor good luck trying to keep the Russians and Chinese out,” said Nate Cardozo, an attorney with the privacy advocate the Electronic Frontier Foundation.

Nevertheless, the FBI director has been more vocal in recent weeks about reigniting the encryption debate.

On Thursday, he said the FBI had been trying to unlock 2,800 electronic devices, collected from federal agents and local police in criminal investigations. However, the FBI has failed to open 43 percent of them, even with classified techniques.

Although private companies are generating today’s technology, Comey said: “their job is not to decide how the American people should live. The American people should decide how they live.”

Last year, the FBI publicly feuded with Apple over gaining access to a locked iPhone from the San Bernardino shooter. But on Thursday, Comey said the tech industry can find an approach that creates government access, while keeping malicious actors out.

“I reject the, ‘it’s impossible’ response,” he said. “I just think we haven’t actually tried it.”

Cardozo said he doesn’t think Comey’s comments did much to convince anyone in Silicon Valley.

“It’s childish to stomp your foot, and say, ‘nerds you have to try harder,’” Cardozo said.

Weaver said that both the tech industry and FBI have valid arguments in the encryption debate, but both sides are “talking past each other.”

However, unlike Comey, he doesn’t see any middle ground in the encryption debate. “They (the FBI) are asking for something that cannot be done, without significantly weakening the systems,” he said. 

http://www.computerworld.com/category/security/index.rss