James B. Comey, Director of the Federal Bureau of Investigation (FBI), spoke recently about government surveillance and privacy. You can read Director Comey's full speech online. He proposed a national conversation about privacy and safety:
"... I think it’s important to talk about the work we do in the FBI, and what we need to do the job you have entrusted us to do. There are a lot of misconceptions in the public eye about what we in the government collect and the capabilities we have for collecting information.... My job is to explain and clarify where I can with regard to the work of the FBI.... My goal today isn’t to tell people what to do. My goal is to urge our fellow citizens to participate in a conversation as a country about where we are, and where we want to be, with respect to the authority of law enforcement."
A conversation is good. Some discussion has happened with protests focused on the National Security Agency (NSA). Any urging about discussions should come from members of Congress since that is the body that discusses new laws. When that discussion failed to happen, Mr. Snowden urged discussions by the public with the document disclosures. Then, Mr. Comey proceeds to frame the discussion in a way that benefits the FBI:
"... the law hasn’t kept pace with technology, and this disconnect has created a significant public safety problem. We call it “Going Dark,” and what it means is this: Those charged with protecting our people aren’t always able to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority. We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so."
Safety problem? Is that all? I think not. It has been pretty well documented in the news media that the extensive NSA government spying programs could cost U.S.-based cloud-services vendors $35 billion in lost revenues. In simpler terms:
Lost revenues by U.S. high-tech companies = lost American jobs = lost tax revenues to U.S. federal, state, and local governments
Yet, Mr. Comey would have us believe that the discussion is simply about safety versus privacy. To ignore the implications (e.g., lost jobs) is not an honest, full discussion.
Lack the technical capability to do so? I find it hard to believe Mr. Comey's claims. His claims imply that the NSA has not kept pace technically with other agencies, such as the NSA. If so, this needs to be explained to citizens. If so, then maybe the FBI needs better leadership to keep pace technically with other agencies.
While most of the documents disclosed by Mr. Snowden focused upon spy programs by the NSA, we also know that other agencies (e.g., CIA, DHS, FBI, IRS) already wanted access to data collected by the NSA. (By now, they may have some access.) Mr. Comey never acknowledged this in his speech.
When Mr. Comey says they have the legal capability, this is worrisome since there seem to be secret laws, secret courts, and secret processes besides the FISA Court. The lack of disclosure means citizens really don't know what is happening. And, in some instances, government agencies use Executive Orders, not law.
Mr. Comey's speech gave the impression that the FBI is in a weak position and NSA government surveillance and data collection programs have been rolled back. While there is some proposed legislation, the privacy-threatening surveillance programs are still operating. Mr. Comey's comments also gave the impression that the only productive technique is surveillance, data collection, and tracking of mobile devices and phones. I find this difficult to believe, as there are multiple surveillance techniques.
Mr. Comey also said:
"Some believe that the FBI has these phenomenal capabilities to access any information at any time—that we can get what we want, when we want it..."
We citizens have learned that spy programs collect data mostly about ordinary, innocent people. We have learned that photos have been collected with facial-recognition techniques. Yes, many citizens understand fully how much metadata collection reveals. We are not fooled any more when government officials and politicians claim otherwise. We now understand the concept and practice of incidental data collection.
Then, Mr. Comey proceeded to attack encryption:
"We face two overlapping challenges. The first concerns real-time court-ordered interception of what we call “data in motion,” such as phone calls, e-mail, and live chat sessions. The second challenge concerns court-ordered access to data stored on our devices, such as e-mail, text messages, photos, and videos—or what we call “data at rest.” And both real-time communication and stored data are increasingly encrypted... Current law governing the interception of communications requires telecommunication carriers and broadband providers to build interception capabilities into their networks for court-ordered surveillance... The issue is whether companies not currently subject to the Communications Assistance for Law Enforcement Act (CALEA) should be required to build lawful intercept capabilities for law enforcement. We aren’t seeking to expand our authority to intercept communications."
That sounds like an expansion to me... suggesting more companies be required to build interception capabilities into their systems. Mr. Comey is attacking Apple's recent privacy improvements. He is suggesting that "back doors" be required legally, so that spy agencies can access information. In his speech, Mr. Comey didn't address a key security issue: the bad guys access the same back doors. This makes software less secure.
Sadly, this isn't the first time that spy agencies have attempted to weaken encryption. In his speech, Mr. Comey added:
"And if the challenges of real-time interception threaten to leave us in the dark, encryption threatens to lead all of us to a very dark place."
That implies the government's (e.g., FBI) surveillance needs, which target a few terrorism suspects, trump or outweigh secure software. Supposedly, the government's spy needs outweigh your choices about what you choose to keep private: health issues, topics related to your minor children, proprietary business secrets, and more.
We live in a country that values freedom. One freedom includes the choice about what personal information we keep private or choose to share, with whom, and when. Another freedom is the choice to keep information private with encryption to protect ourselves, our businesses, and proprietary information our employers entrust us with. It is a huge loss for consumers to lose these freedoms.
We live in a capitalist society where jobs are important. The lost business and lost jobs consequences from government spying programs can't be ignored by framing the discussion simplistically as "safety versus privacy."
The Electronic Frontier Foundation (EFF) replied to Mr. Comey's speech:
"The FBI should not be in the business of trying to convince companies to offer less security to their customers. It should be doing just the opposite. But that's what Comey is proposing—undoing a clear legal protection we fought hard for in the 1990s. The law specifically ensures that a company is not required to essentially become an agent of the FBI rather than serving your security and privacy interests. Congress rightly decided that companies (and free and open source projects and anyone else building our tools) should be allowed to provide us with the tools to lock our digital information up just as strongly as we can lock up our physical goods. That's what Comey wants to undo."
The EFF also explained the law:
"Here's the relevant part of CALEA that Comey wants to effectively undo: "47 USC 1002(b)(3): A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication." Also from the CALEA legislative history: "Finally, telecommunications carriers have no responsibility to decrypt encrypted communications that are the subject of court-ordered wiretaps, unless the carrier provided the encryption and can decrypt it. This obligation is consistent with the obligation to furnish all necessary assistance under 18 U.S.C. Section 2518(4). Nothing in this paragraph would prohibit a carrier from deploying an encryption service for which it does not retain the ability to decrypt communications for law enforcement access ... Nothing in the bill is intended to limit or otherwise prevent the use of any type of encryption within the United States. Nor does the Committee intend this bill to be in any way a precursor to any kind of ban or limitation on encryption technology. To the contrary, section 2602 protects the right to use encryption." H/T Chris Soghoian: http://paranoia.dubfire.net/2010/09/calea-and-encryption.html"
What are your opinions of Mr. Comey's speech? Of the EFF response?