This is a reposting from Just Security.
It should be clear to even casual observers today that the “golden age of surveillance” thesis is fundamentally correct. We live in a time when far more data and surveillance opportunities are available to law enforcement and intelligence agencies than ever before. Even the National Security Agency has conceded the point. This fact colors opposition to the FBI’s requests for exceptional access to encrypted data and communications. Many opponents of recent proposals believe the FBI doesn’t really have a problem. Its capabilities are already “exceptional” historically speaking because of the amount of data we all generate about ourselves.
If this is true, what explains the FBI’s rhetoric about “going dark”? Explanations have fallen into two categories: 1) hyperbole, and 2) loss aversion — the idea that the FBI feels the pain of an immediate loss of access more acutely than it feels the benefits of a longer term expansion of its surveillance capabilities. While both of those explanations have some truth, neither sufficiently explains the Bureau’s claim that it is “going dark.”
It’s instead worth considering a few reasons why the FBI might be encountering a gap in its surveillance capabilities during the golden age of surveillance.
First, a recent loss of access to user data and communications to encryption is not necessarily a return to an earlier surveillance status quo, as some would suggest.
The data available for collection by law enforcement authorities (LEAs) has expanded steadily over the last decade. One might therefore think that the growing use of encryption means LEAs are losing what they have only recently gained. iPhones are a good example; we now store masses of data about ourselves on these devices that weren’t available to the FBI as recently as 2007, medical when they were first introduced. In cases like this, new technology has an additive quality; it presents additional surveillance opportunities not available previously. And for these cases, a loss of access might in fact represent a return to an earlier status quo.
This argument doesn’t always hold up, however, because surveillance targets’ communications methods have not remained static. Law enforcement and the intelligence community have moved to take advantage of the golden age of surveillance at a time when their targets have also taken advantage of the benefits of modern technologies to self-organize, communicate, and plan their activities.
To use a simple example, imagine that a terrorist group is using text messages to plan their attacks and that those texts generate huge amounts of data for the FBI. Before they began using text messages, decease that group planned its attacks over voice calls that could be tapped by the FBI. In this case, the collection of huge numbers of text messages doesn’t represent an expansion of surveillance. Rather, it is the same surveillance facilitated by very different technology. Now, imagine that the group begins to use an end-to-end encrypted messaging service to plan its attacks. In that case, the FBI will experience a net loss of capabilities compared to when it could tap voice calls, rather than a return to an earlier status quo.
Second, the golden age of surveillance likely bestows its gifts unevenly, benefiting some agencies more than others and favoring some surveillance capabilities over others.
Cybersecurity experts often remark that the attack surface — the sum of points from which an attacker can gain unauthorized entry — for modern computing systems is very large. In the context of surveillance, each point on the attack surface is a point from which the attacker might collect data about its target. The golden age will benefit those agencies with the resources, capabilities, and time necessary to attack multiple points on that attack surface. That’s basically the NSA.
The FBI, by comparison, doesn’t have those resources, capabilities, or time. To its own detriment, the Bureau remains focused on a single point on the attack surface — the point from which data and communications are available through requests to companies. That approach will provide access to a large amount of data but will also leave the Bureau out of luck whenever that single point on the attack surface closes.
Further, the golden age will increasingly favor access to metadata and other forms of data at rest over data in transit and access to real-time communications content. So if the Bureau wants to know who called whom, it will be in good shape. But it won’t always be able to figure out who said what. It might be able to map out an Islamic State network using WhatsApp metadata but it won’t know what those members are saying to one another.
For an agency whose bread and butter is probably still its ability to intercept real-time communications, the growing use of encryption for data in transit represents a big loss. And let’s be honest here — despite the role that Apple’s and Google’s default device encryption has played in catalyzing this debate and providing talking points to encryption opponents, it has become clear from Director Comey’s recent writing and testimony that what the FBI is actually after is access to end-to-end encrypted communications.
And third, the golden age of surveillance will likely favor breadth of access over speed of access.
If you speak to law enforcement officials about the challenges they are facing, the term that comes up over and over again is “scale.” By that, those officials mean they lack plug-and-play surveillance tools that can be utilized quickly against a standard set of targets. This gets to the crux of the Bureau’s challenges. It is time, rather than access, that is in shorter supply because every target requires a more tailored solution. Thus, the FBI isn’t really going dark. Rather, it is going slowly.
It takes time to figure out how to exploit other points on the attack surface — to identify vulnerabilities on a target’s device and develop sophisticated, tailored access capabilities to exploit those vulnerabilities. It takes time to deploy tactical surveillance teams once a target has been identified. Whenever the Bureau encounters a new app, it takes time to understand that app’s privacy and security properties and to understand what data it should request from the relevant company. That company might very well be run by a few people in their garage, so it will take time for them to process the FBI’s request and figure out what data, if any, they should turn over.
The challenge for the FBI is not that it lacks the means to gather sufficient information about its targets. With time, the FBI today should be able to gather far more information about its targets than it ever could before. That’s how the golden age of surveillance works in practice. The challenge is that it lacks the means to gather that information on a consistently short timescale.
Solutions to the “Going Slowly” Problem
The FBI’s proposal for some form of exceptional access is a pretty bad idea. According to some of the country’s most respected technical experts, allowing exceptional access to encrypted systems would create far more security problems than it would solve. But that doesn’t mean the challenges confronting the FBI should be dismissed easily. Understanding those challenges is a first step towards identifying a set of solutions that might help the Bureau fulfill its mission without making life much worse for the rest of us.
To combat the going slowly problem, we should search for policy options that increase the FBI’s velocity, rather than increasing its access. Policymakers should thus work to ensure the FBI has the capabilities, resources, and processes in place to get what it requires more quickly:
Capabilities: Policymakers and the FBI should focus their efforts on ensuring that the Bureau has the capability to attack multiple points on an attack surface. The FBI should have a suite of surveillance options at its disposal so that it can respond quickly and flexibly when the need arises. Along with this, policymakers should build a durable legal framework that would provide the FBI with authority, under appropriate oversight, to exploit vulnerabilities and to use data collected through surreptitious means in the course of investigations and prosecutions. This is where Congress, instead of considering exceptional access proposals, could play a more productive role.
Resources: Where capabilities exist, policymakers should ensure that the FBI has the resources and manpower to utilize them, in accordance with the law, whenever they are needed. This means asking questions like: Do FBI field offices have their own technical encryption experts and suite of tools at their disposal? If not, are there sufficient headquarters elements that can quickly provide such a capacity? Do they have sufficient tactical surveillance teams? Is the budget of the National Domestic Communications Assistance Center (NDCAC) — established by the Justice Department to share technical knowledge across the country’s law enforcement agencies — sufficient? Is the NDCAC serving as an effective resource that local law enforcement can turn to quickly when it encounters challenges with modern communications systems?
Processes: Policymakers should work to eliminate the friction the FBI encounters in the course of requesting access to data and communications. This means, among other things, reauthorizing roving wiretap authorities whenever they are about to expire and reforming judicial processes so that the FBI is not required to negotiate a procedural maze as complex as our modern communications environment. Of note, reforms such as the recent one to Rule 41 of the Federal Rules of Criminal Procedure are a good example of policy options that might help the FBI increase its velocity without introducing the massive security problems associated with exceptional access proposals. There are also probably a number of opportunities to streamline processes, such as creating more standardized data request and response formats, so that, when the appropriate legal standard has been met and when data is already collected by and available from companies, the FBI can gain access to that data more quickly.
These proposals don’t require expanding FBI access, changing the evidentiary standards it must meet, or creating any security vulnerabilities. They wouldn’t place Internet users’ security at greater risk or increase the data footprint of those users. What they would do instead is increase the FBI’s ability to execute on the exceptional access it already has.