It’s possible for companies to design their encryption systems to allow law enforcement agencies to access customer data with court-ordered warrants while still offering solid security, U.S. Department of Justice officials said.
When DOJ and FBI officials raised recent concerns over end-to-end encryption on Android and iOS mobile phones, some security experts suggested it was difficult or unsafe to build in provider access to encrypted consumer data. But many companies already offer encryption while retaining some access to user information, two senior DOJ officials said Wednesday.
Many email service providers offer encryption but retain access to the content of users’ email to deliver advertising based on keywords in email text, to filter out spam or malware or to enforce terms of service, one DOJ official said on background during a press briefing. Many U.S. companies also encrypt employee mobile phones or laptops, while retaining the ability to access the content on those devices, he added.
Some of the same companies offering end-to-end encryption also retain access to customers’ email in other services, one DOJ official said.
The DOJ sees encryption deployed “where companies and providers strike an appropriate balance between data security and the ability to access data when they need to,” the official said. Most of the large email providers in the U.S. encrypt data “but retain the ability to access that data for their own business purposes,” the official added.
Beginning in late 2014, FBI and DOJ officials have sounded alarms about encryption, saying law enforcement agencies are increasingly “going dark” in criminal and terrorism investigations because subjects’ data unavailable, even after a court-issued warrant. Apple and Google both announced new end-to-end encryption services on their mobile operating systems, in part as a response to leaks about massive surveillance programs at the National Security Agency.
One recent criminal defendant described end-to-end encryption as “another gift from God,” Deputy Attorney General Sally Quillian Yates said during a speech last month. “But we all know this is no gift—it is a risk to public safety,” she said then.
Several encryption and security experts, as well as digital rights groups, have criticized the DOJ and FBI calls for encryption workarounds. “If it’s easier for the FBI to break in, then it’s easier for Chinese hackers to break in,” Senator Ron Wyden, an Oregon Democrat, said last month. “It’s not possible to give the FBI special access to Americans’ technology without making security weaker for everyone.”
Nearly all of the DOJ’s criminal cases now include digital evidence, one DOJ official said during Wednesday’s press briefing. The DOJ doesn’t yet have statistics on the number of criminal cases affected by encryption, but the agency is working on compiling that information, one official said.
The DOJ is not asking companies to stop offering encryption, a second official said, but to balance the cybersecurity benefits of end-to-end encryption with the risks of losing valuable evidence in child pornography, terrorism, organized crime and other cases.
There may be “theoretical risks” with companies retaining access to customers’ encrypted data, one official said. “Are there costs and benefits associated with certain implementations of encryption, and are there costs and benefits associated with lack of law enforcement and national security access to communications in crucial cases?” the official added.
With hundreds of millions of email users already allowing their providers access, there needs to be a bigger debate about law enforcement access, the official said. “If it’s worth it to have a cheaper product or a more appealing interface, if it’s worth it for malware detection, then the question we’re asking is, ‘Is it not also worth it for protection against terrorism and for public safety?’”
President Barack Obama’s administration has not yet made a decision on whether to seek new legislation to deal with end-to-end encryption and law enforcement access, the DOJ officials said. The agency does not believe it should tell companies how to design their encryption systems to allow law enforcement access, because companies know best how to deal with the issue, they said.
The DOJ supports the use of encryption to protect against cyberthreats, but it believes that purpose can coexist with law enforcement access, the officials said.
“The Department of Justice supports strong encryption,” the second official said. “It’s very important for a global economy and our national security to have strong encryption standards.”
The officials, asked if mandated law enforcement access in the U.S. would drive some criminals to overseas services, acknowledged it might, in limited cases.
“If we’re talking about a few bad guys, then we have a much different problem than if we’re talking about an entire market for smartphones,” the second official said. “We’re just talking about different problem sets.”