March 2, 2021

No Surprises Here: Presidential Commission On Law Enforcement Repeats Calls For Anti-Encryption Legislation

By Tim Cushing
[Note: this is one of multiple posts covering the Commission’s 332-page report.]

The Presidential Commission on Law Enforcement — ushered into existence by a 2019 Executive Order — has released its report [PDF], just in time for the man who ordered it to move out of the White House. President Trump spent his four years defending and praising law enforcement, no matter how often law enforcement’s actions provoked criticism elsewhere. This report does the same thing, even as it pretends to offer an objective opinion on the challenges facing the law enforcement community.

The Commission is composed solely of law enforcement officials and officers, which makes its findings one-sided and, of course, suspect. The report calls for an end to the “disrespect” shown to law enforcement. But it does little to address the roots of this perceived disrespect. At best, the report suggests the public is just “misinformed” about law enforcement’s role in society and posits it’s “progressive prosecutors” and opportunistic legislators causing most of the reputational damage, rather than the things cops do when their leash is long enough.

The report also has nothing good to say about device encryption. Using lingo provided to it by consecutive FBI directors and former AG Bill Barr, the report claims something called “warrant-proof encryption” (a.k.a., regular encryption) should have backdoors legislated into it.

The lack of lawful access to encrypted information controlled by technology companies is presently one of the greatest obstacles to law enforcement in its efforts to combat crime. The rule of law cannot exist in a space—digital or otherwise—that deliberately insulates criminals from law enforcement investigation. The substantial danger to individual victims and general safety posed by warrant-proof encryption demands a prompt and decisive policy action. Because the prominent technology companies have increasingly elected to implement data systems that prevent law enforcement access, the Commission has concluded that a legislative solution may be necessary to optimally balance the interests of personal privacy and public safety.

Ah, but the rule of law can exist in such a space. It’s doing it right now. The FBI may have claimed it had nearly 8,000 devices “insulated” from “investigation” in its possession, but after being questioned by Congress about its struggles with encryption, it revealed it couldn’t accurately count physical items. We’re still waiting for an updated number — one promised to us nearly three years ago.

At least the Commission recognizes law enforcement has never had more tech options at its disposal. But it suggests law enforcement make use of some of its most questionable options more frequently.

New methods of electronic surveillance and digital investigation hold considerable promise, and the Commission recommends that law enforcement take a proactive approach to developing and innovating technologies to combat crime instead of reactively catching up to the technological innovations of the day. Accordingly, the Commission encourages law enforcement to specifically consider—with appropriate contemplation of competing policy interests—developing and adapting crime reduction technologies, such as unmanned aerial systems (quadcopters), acoustic gunshot detection technologies, real time crime centers, and facial recognition software, to add to their crime-fighting arsenal.

Shot spotters. Predictive policing. Facial recognition. This is a list of things that don’t work well and, in the latter two cases, are made worse by the inclusion of biases the tech is supposed to be removing.

Heading back to encryption, the report contains testimonial statements from an agency that shouldn’t be allowed to bitch about encryption until it can be honest about how many encrypted devices are in its possession. Here’s another call for legislated backdoors by Darrin Jones, the FBI’s Assistant Director for Science and Technology:

“The impact and magnitude of the lawful access crisis in the United States has grown to a point where the public safety trade-off to the citizens of this country can and should no longer be made privately and independently in the corporate boardrooms of tech companies. It must, instead, be returned to the halls of the people’s democratically elected and publicly accountable representatives.”

But we don’t know the “impact” or the “magnitude.” The FBI says both are enormous. But the FBI has also overstated the number of locked devices in its possession — something it routinely leveraged to push claims of a looming criminal apocalypse that has completely failed to materialize. Until it can provide an accurate count, it really shouldn’t opine about the “impact” of device encryption. And its testimony shouldn’t be the basis for legislation seeking to weaken encryption.

The report goes on to complain about Facebook adding encryption to its Messenger service and Zoom (sort of…) doing the same for its users. Then it claims this is pretty much the first time law enforcement hasn’t been able to obtain evidence when it has a warrant.

Companies that have chosen to adopt end-to-end user encryption have effectively upended more than 200 years of jurisprudence by placing evidence beyond the reach of a court-ordered search warrant.

Right. Because no one’s destroyed or hidden evidence prior to this point in history. No one held conversations in person to assure no record remained of criminal conspiracies. Just because phones now contain a wealth of potential evidence does not mean the tables have been turned because something more than a physical door separates cops from the stuff they want to take. Any number of third parties store communications and other data in unencrypted form. And no one in law enforcement feels like honestly discussing the phone-cracking tools that are available or how often suspects consent to searches.

The Commission asks for backdoors:

Congress should require providers of communications services and electronic data storage manufacturers to implement strong, managed encryption for stored data and data in motion while ensuring lawful access to evidence pursuant to court orders.

Then it claims it doesn’t want backdoors:

The Commission considered but rejected the idea that lawful access equates to back-door access. Almost all mobile device manufacturers, operating system vendors, and app providers maintain their own “upgrade” back doors, which enables providers to routinely change functions and settings of a device or service. Law enforcement does not seek such direct access, nor does it wish to hold any encryption “keys.” Instead, law enforcement seeks to have tech companies develop and manage for themselves the capability to respond to a lawful court order. Having tech companies themselves remain in control of this process is actually privacy enhancing, ensuring law enforcement is afforded only specific, limited access to data as defined in each case by a specific warrant.

The government won’t be honest about the challenges encryption actually poses — beginning with its refusal to tell Americans how many devices it can’t crack open. And it’s not honest about its desires. A door is a door — a hole in encryption that doesn’t exist until it’s mandated. Refusing to call it a “backdoor” doesn’t change what it is.

Then there’s this, which implies legislators should look into stripping tech companies of protections they currently enjoy… solely to make it easier for law enforcement to access device contents.

Civil liability immunity statutes that were adopted during the infancy of many tech companies may unintentionally encourage such companies to pursue and market user-only access and end-to-end encryption models. Absent any risk of financial liability, the routine cost–benefit analysis—which most companies use to determine whether to dedicate resources to harm-mitigation strategies—may not influence some of these technology companies into a willingness to facilitate lawful access.

According to the Commission, the only way out of this mess is to strip companies of this liability shield… unless they agree to undermine the protections they give to their customers.

As long as tech companies are immune from liability, the Commission assumes that these companies perceive any development or maintenance of lawful access capabilities to be a drain on profits, which allows the tech companies to hide their financial motivations under the guise of a desire to enhance users’ privacy. Ultimately, this behavior enables plausible corporate ignorance and allows criminals to use these systems for illegal purposes. If corporations are to continue to benefit from civil immunity, Congress should mandate that these companies develop and maintain a lawful access solution capable of producing clear text data in response to court-ordered search warrants.

The Commission also says legislators should implement regulations that allow it to wiretap real-time communications that are currently encrypted. Somehow this proposal starts with stored communications and ends with ordained MITM attacks.

The Stored Communications Act of 1986 requires data to be stored for up to 180 days upon request by the government. Providers must also disclose private information in emergency cases where individuals or groups may be in danger. In addition, a “court order is required for access to digital information. An administrative subpoena may be issued to gain access to specific data such as usernames, addresses, telephone numbers, and call transcripts.”

Recently, the FBI investigated a gang task force case where it was revealed that the primary suspect of a homicide case used FaceTime to orchestrate the crime. Because Apple uses end-to-end encryption, it allows criminals to coordinate their crimes through this avenue. If law enforcement is given lawful access, they can then intercept the plans of criminals and gain evidence to prosecute those who break the law.

The government appears to hate tech companies. Combined with the recent attacks on Section 230, Trump and his law enforcement buddies are apparently still entertaining any option that might let them score a win over Big Tech and its supposed anti-conservative/anti-law enforcement bias.

These are dangerous suggestions. Fortunately, they’re being offered up by a lame duck Commission that will presumably expire along with a lot of other Trump mandates following his exit from office. Bill Barr has already resigned. Whoever replaces him presumably can’t be as terrible as he was.

Law enforcement faces a lot of challenges. But it also has access to more tools, data, and information than it’s ever had before. Undermining user security in exchange for law enforcement convenience isn’t the way forward. It’s a step backwards — one that places the government’s wants over the needs of the people it’s supposed to be serving.