(HRW) – The Justice Department’s inspector general should investigate the Federal Bureau of Investigation’s exaggerated and flawed claims about the challenges strong encryption poses to investigations, Human Rights Watch said today. On May 22, 2018, the Washington Post reported that the FBI repeatedly cited inflated statistics about the number of cellphones whose data it could not access because of encryption.
“The FBI has been pressuring Congress and tech companies to undermine everyone’s cybersecurity based on faulty facts and bad math,” said Cynthia Wong, senior internet researcher at Human Rights Watch. “The report shows that law enforcement claims of ‘going dark’ should be met with a healthy dose of skepticism.”
In a joint letter released on June 4, 21 human rights and civil liberties organizations including Human Rights Watch urged the Justice Department’s inspector general to investigate how these inaccurate representations came about, along with officials’ use of the flawed numbers even after the FBI discovered the miscalculation.
In the last year, top officials at the Justice Department and the FBI have claimed in congressional testimony and public statements that the FBI was unable to access data stored on 7,775 locked and encrypted devices. Mobile phone makers employ encryption as a security measure to protect data stored on the device from cybercriminals and other threats.
The FBI has now disclosed that the number of inaccessible phones is closer to 1,200, though that estimate is still expected to change as the agency reviews its methodology. It has blamed “programming errors” that “resulted in significant over-counting of mobile devices reported.” Though the problem was discovered in April, Attorney General Jeff Sessions continued to cite the flawed figure in a May 7 speech.
FBI Director Christopher Wray and other officials repeatedly used the inaccurate statistic as evidence that investigations are “going dark” – the idea that strong encryption prevents law enforcement from accessing digital data. To address the problem, officials have pressed policymakers to force companies to build “back doors” – deliberate weaknesses – into encrypted devices or services, or for companies to do so voluntarily.
Yet such an approach would undermine human rights and the security of digital devices used every day by hundreds of millions of people, the vast majority of whom will never be suspected of wrongdoing, because cyberthieves, malicious hackers, abusive governments, and others could exploit those same back doors. As cybersecurity experts and former intelligence and homeland security heads have pointed out, encryption back doors would undermine security, not promote it. Most recently, even the nominee for National Counterintelligence and Security Center director, William Evanina, recommended during his confirmation hearing that policymakers encrypt unclassified phone communications for security purposes.
This is not the first time the FBI’s arguments against encryption have been called into question. In February 2016, authorities sought a court order to force Apple to build a back door into an iPhone that was used by one of those involved in a 2015 shooting in San Bernardino. Apple challenged the order, and authorities eventually withdrew it because they were able to access the phone’s data without Apple’s help through a third-party contractor.
In court filings, the FBI claimed it was necessary to compel the company’s assistance because the officials were technically unable to access the San Bernardino phone. However, a Justice Department inspector general inquiry found that the FBI had not exhausted all possible avenues to unlock the phone before pursuing the extraordinary court order.
A March 2018 inspector general report suggests that the FBI’s lead investigator chose not to consult with colleagues or seek help from external FBI vendors. The report stated that FBI officials in charge of the case expressed “frustration” that other officials found an outside vendor that could access the data on the iPhone, since this meant the case against Apple could not proceed – disrupting the agency’s “‘poster child’ case for the Going Dark challenge.”
Still other recent media reports should cast more doubt on FBI claims of technical infeasibility in accessing encrypted data on devices. The Israeli company Cellebrite now claims it can unlock likely any iPhone available on the market, as well as other devices running Apple operating systems, without the phone owner’s assistance. Cellebrite is a vendor that sells to the US government and, media reports say, has contracts with the FBI, Immigration and Customs Enforcement, and Customs and Border Protection, as well as state law enforcement agencies.
Another vendor, Grayshift, has, media reports say, provided solutions to unlock an unlimited number of encrypted iPhones to state and local police departments for as little as US$30,000. The FBI is purportedly seeking to acquire Grayshift’s GrayKey systems.
The availability of these tools raises separate and significant questions about whether adequate safeguards are in place to ensure their lawful use and protections for rights. It also illustrates the cybersecurity challenges and the cat-and-mouse game between security engineers who want to protect users and criminals who seek to profit from user data or stolen phones. The security weaknesses Cellebrite and Grayshift exploit to unlock phones can also be used by bad actors if they are not disclosed to Apple so the company can fix them.
Cell phone makers will never be able to secure their phones 100 percent, but the US government shouldn’t be in the business of hamstringing efforts to protect users from cybercriminals by demanding encryption backdoors, Human Rights Watch said.
“The stakes are high for the hundreds of millions of people who rely on encryption to protect them from wrongdoers every day,” Wong said. “The FBI needs to remember that what it does to break encryption will be copied by countless others who have nefarious intent. Unfounded scare tactics have no place in this debate and the roots of the FBI’s flawed claims should be scrutinized.”