This is a reposting from Just Security.
Since the November 13 terrorist attacks in Paris set off another round of debate about exceptional access, a lot of ink has been spilled on the subject of whether or not there is evidence indicating the perpetrators used encrypted devices and communications tools. This week on Lawfare, for example, Carrie Cordero argues that US and French authorities should provide more information about whether attackers in San Bernardino and Paris used encryption tools.
This back and forth about “evidence” has ignored the reality that most people in the modern world now use encryption technologies in one way or another. At this point, it is safe to assume that whenever a terrorist attack occurs or a crime is committed, encryption will often be implicated, whether through the use of encrypted iPhones and Android devices or through the use of encrypted messaging apps.
In the encryption debate, we need to understand the degree to which encryption is a real impediment to law enforcement’s ability to satisfy its public safety mission. But the fact alone that encryption was used during the commission of a crime or in planning a terrorist attack doesn’t provide us with any insight. Examples in which terrorists use encryption only tell us what we already should know to be true — that encryption is becoming more popular.
This does, however, raise another question: If the evidence mentioned above doesn’t suffice, how would we know if law enforcement really has a problem?
The FBI and the recent report from Manhattan District Attorney Cyrus Vance have cited examples in which evidence recovered from unencrypted iPhones was used in rape, homicide, and sex trafficking cases. These are cases in which that evidence may not have been available if the perpetrators had used encrypted devices. In those cases cited by the Vance report, the recovered evidence was “helpful in either prosecuting or exonerating a defendant.”
Of course, a Manhattan DA is going to want all the available information that can be helpful to his case. But helpful isn’t the standard we should be looking to apply as a matter of public policy. What we want to know is whether the information was necessary for a successful prosecution or whether alternative sources of information would have been sufficient for that prosecution. This is a much harder question to answer, but, if we want to do the risk analysis and to understand any societal cost associated with encryption use, this is the question that actually matters. It is quite reasonable to think that, as the use of encryption tools grows, helpful information will no longer be available to law enforcement. It is much less clear whether law enforcement will lose access to the information it really needs to successfully prosecute its cases.
Thus, to help us understand whether law enforcement is “going dark,” the types of examples that are typically put forth to prove the point are pretty useless. We don’t have the counterfactuals to know how law enforcement would have fared without access to the device data. These examples don’t refute the core argument made by the recent Berkman Center report and by others that alternative sources of data have made up, and will make up, for any loss.
Some of the useful evidence we do have covers the extent to which law enforcement is encountering encryption in the course of its investigations. This can at least give us some sense of the challenges organizations like the FBI are confronting on a day-to-day basis.
For example, there is the often-cited data from the Administrative Office of the US Courts about whether law enforcement encounters encryption when executing wiretaps. In 2014, encryption was encountered in 25 of 3,554 cases. FBI critics argue that this data shows law enforcement can still execute wiretap orders. Others contend that this data understates the problem because law enforcement authorities don’t bother to make wiretap requests for end-to-end encrypted services. I suspect the latter argument is correct. But regardless, we should assume that these numbers will change over time and that law enforcement will increasingly encounter encryption when executing wiretap orders.
Similarly, the Vance report, which focuses on device encryption (e.g., a phone’s passcode), states that the District Attorney’s Office was unable to execute 111 search warrants for smartphones because the phones were encrypted. “Because information stored on devices is so often probative, it is reasonable to believe that in many of these cases the data that is out of the reach of law enforcement would have been relevant to the case and to the investigation of additional crimes or perpetrators.”
But again, both of these data sources suffer from the same problem mentioned above; they are only going to show us what we already know to be true — that communications and device encryption are becoming more popular. And as that occurs, relevant information is likely to be lost to investigators. Relevance, like helpfulness, isn’t the standard we should be looking to apply. Rather, what matters is whether the District Attorney’s Office had the information necessary to do the job.
Here is the paradox at the heart of this debate: Because the data in question is encrypted, we will never know what necessary information has been lost to analysts and investigators. Critics often press the FBI to more clearly specify the problem it is trying to solve. Indeed, I’ve done this myself in conversations with law enforcement colleagues. The Bureau has done a horrible job articulating what that problem is. But I’ve also come to realize that, if that problem is real, the FBI will never be able to furnish evidence of that fact. It will not be able to say what information it is lacking.
So, where does that leave us? It leaves us stuck with deductive reasoning (see here for my effort at this) and with highly qualitative, case-by-case, context-dependent analyses. We should stop looking for “evidence” showing that terrorists and criminals use encryption and should instead look at the evidence that is available to analysts and investigators.
For example, we might ask how many cases implicated by those 111 search warrants cited by the DA resulted in successful prosecutions. If all cases resulted in successful prosecutions, that would be a strong indication that the DA’s office is still swimming in evidence. If, on the other hand, those cases went unprosecuted, that would be an indication that the DA might be lacking the information he needs. And we can look at the data available to European services and ask whether we think it should have been sufficient to disrupt the November 13 and Charlie Hebdo attacks.
Those analyses will leave both opponents and proponents of exceptional access exceptionally dissatisfied. They won’t provide the smoking gun to prove or refute their respective arguments. But they would at least represent a step forward in this debate.