Activists: US overstates encryption threat, underreports wiretap figures

National security and law enforcement officials have frequently warned that the use of encryption software represents a real threat to their core responsibilities preventing attacks and combating serious crime.

Among them, FBI Director James Comey has warned that “encryption threatens to lead all of us to a very dark place.” Encryption scrambles the content of emails and phone calls and other electronic communications, such as mobile phone apps, pagers and fax machines. Comey added that its use “will have very serious consequences for law enforcement and national security agencies at all levels.”

Deputy Attorney General Sally Quillian Yates echoed those thoughts, saying encryption could hamper access to information considered vital for national security. “Crucial information becomes, in effect, ‘warrant proof,’” she said.

But earlier this month the United States government released the Wiretap Report for 2014, in which it was stated that 3,554 wiretaps were authorized last year. However, only 25 times were messages encrypted, and only four times were officials unable to decipher those exchanges. The report covers intercepted wire, oral and electronic surveillance.

Some politicians and civil liberties experts have asked for explanations as to the true seriousness of the threat from encryption and also accused officials of exaggerating the problem in order to increase – or preserve – their ability to conduct surveillance. When Comey and Yates were asked on Capitol Hill to provide specifics regarding how many times encryption has thwarted investigations, they could not. Senator Al Franken commented that that he had not seen any “real data” on the encryption threat and asked the two if they might “shed any light” on the matter.

“Being able to give you hard numbers on the number of cases that have been impacted is really impossible for us,” Yates said in response.

That does not impress some privacy campaigners. “It is kind of surprising for them to be throwing out all these scary hypotheticals, but when they are asked for hard evidence they don’t have any,” said Jeremy Gillula, a staff technologist at the Electronic Frontier Foundation (EFF), a non-profit digital rights group. “For people whose jobs depend on the ability to present hard evidence to a judge in order to put ‘bad guys’ away, you’d think they would have some better evidence.”

Michael German, a former FBI special agent now with the Brennan Center for Justice, said that the FBI might feel that encryption is a “problem on the horizon,” as better protections by commercial companies are put in place – which are in part a reaction to public pressure due to the government’s overreach in “grabbing data.” Former NSA contractor Edward Snowden leaked information about the expansive surveillance by U.S. intelligence, which sparked a backlash.   

German has also criticized the extent of government surveillance: “There deserves to be some privacy for people to have a discussion unfettered by the fear of government surveillance.”

Law enforcement has argued that they “don’t apply for wiretaps on devices they know are using encryption because it would be futile,” said Albert Gidari, a partner in Perkins Coie’s Privacy and Security practice. But "how do they know devices are using encryption until they get a wiretap?" It’s a “chicken or egg” argument, Gidari added.

Separately Comey has warned about the importance of using surveillance to prevent attacks by armed groups. “It is imperative the FBI and all law enforcement organizations understand the latest communication tools and are positioned to identify and prevent terror attacks in the homeland,” he said in recent testimony to the Senate.

But the most “prevalent type of criminal offense investigated using wiretaps” – 89 percent – was drug offenses. Four percent were related to homicide and the others included smuggling and money laundering, according to the Wiretap Report.

“They are conflating two different sets of issues and they are doing it intentionally,” said Gidari.

Gillula from EFF agreed. “It is certainly possible that, sometime in the future, some terrorists might use encryption, but I don’t think it’s worth sacrificing everybody’s security across the entire Internet – especially when they are so many other ways for law enforcement to get data.”

The Communications Assistance for Law Enforcement Act (CALEA) requires carriers and broadband providers to build interception capability to assist with court orders, but the FBI says it doesn’t do enough to cover “new means of communications.”

Comey is correct that newer communication tools do not have built-in wiretap capabilities, Gidari said. But the law (18 USC 2518) requires companies like WhatsApp and Skype that are served with a wiretap order to provide the assistance required to carry it out, he added.

Law enforcement in the U.S. and the U.K. have also asked for exceptional access – a digital key of sorts – to get at information, including encrypted material. But a group of technical experts has advised that these proposals – to engineer products – “are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.” 

Some experts question whether exceptional access should be granted if only four messages – by the government’s own account – were unreadable last year. The FBI is definitely “hyperventilating” over encryption, according to German.

However, the numbers in the U.S. Wiretap Report – 3,554 wiretaps authorized in 2014 – do not match those provided by the telecommunication companies themselves, who reported much higher numbers.

In their transparency reports covering the same period, four companies – AT&T, Verizon, Sprint and T-Mobile – said they implemented a combined 10,712 wiretaps for which they had received court orders legally compelling them to provide the content of the communication.

That number is three times what the government reported, as Gidari pointed out for Just Security, an online legal forum. But the true discrepancy is likely even higher, as the 10,712 number counts just the four big providers.

Charles W. Hall, a Public Affairs Officer at the Administrative Office of the U.S. Courts, which released the Wiretap Report, said there is a good reason why the company numbers are higher. Hall said it was probably a situation where “we are all tabulating a related event in different ways.” A wiretap order can cover multiple devices for the same person, and cases are only reported when they have come to a conclusion, including in cases in which an extension was issued, Hall said.

But Gidari said the data show that U.S. wiretap numbers are consistently underreported and not down to a double-counting of devices. The government failure to provide accurate numbers is a serious public policy issue, he added. Both Congress and the public should be able to know “how many actual wiretaps are conducted, and what’s the cost of those wiretaps and how much incriminating evidence do they actually yield?”

The EFF’s Gillula could also not explain the divergent wiretap numbers, but said he found the discrepancy very concerning. “I wish Director Comey would spend more time explaining why there is this huge discrepancy than trying to advocate for a magical unicorn backdoor encryption solution that will never exist,” Gillula said.