Encryption

Deputy Attorney General Rod Rosenstein Remarks on Encryption

By Matthew Kahn
Tuesday, October 10, 2017, 2:06 PM

Deputy Attorney General Rod Rosenstein delivered the following  about encryption on Tuesday at the U.S. Naval Academy. The following is his speech as prepared for delivery:

Thank you, Professor Kosseff, for that kind introduction.  I am honored to be here today with some of our nation’s finest public servants.

We meet today just over a mile from Navy-Marine Corps Memorial Stadium, where the Navy pulled off an epic victory three days ago against the Air Force.  After the highest-scoring game in the rivalry’s 50-year history, the Midshipmen scored a go-ahead touchdown just seconds before the final whistle.  The Navy’s commandant, Robert B. Chadwick II, said that “when you play someone with the same DNA as you, you know they aren’t going to quit either.”

The game is a reminder that victory frequently requires ceaseless determination.

The Navy has a long history of determination, and of fearless exploration.  The Center for Cyber Security Studies stands well within that tradition of embracing the unknown in defense of the nation.  But for all its dynamism, the Navy is built on continuity.  Our Navy traces its history to the Continental Navy established during the Revolutionary War.  The core mission of defending liberty has remained constant across generations. 

Each Midshipman swears to “support and defend the Constitution of the United States against all enemies, foreign and domestic.”  Our federal prosecutors take the same oath. 

An oath is meant to be serious business. The oath-taker promises to live by certain rules in return for a privilege bestowed by the government.

There was a time when taking an oath was a matter of life and death.  Sir Thomas More was an Englishman who was executed in 1534 because he refused to swear an oath to King Henry VIII.  In Robert Bolt’s play based on More’s life, More tells his daughter, “When a man takes an oath … he’s holding his own self in his hands.  Like water.  And if he opens his fingers then — he needn’t hope to find himself again.”

Your oath carries a solemn obligation. It obliges you to preserve our nation’s commitment to the rule of law.

The words require you to honor that commitment not only when it is easy, but when it is difficult.

In 1776, during the Revolutionary War, Thomas Paine wrote, “The summer soldier and the sunshine patriot will, in … crisis, shrink from the service of [their] country.”  Paine recognized that it is easy to claim the mantle of patriotism when the winds are peaceful and the seas are calm.  True patriots are the ones who remain at their posts during the storm.

In 1864, almost a century after the founding of our nation, Admiral David Farragut watched his fleet pause as it approached Mobile Bay, Alabama.  Farragut asked why the ships were hesitating.  The answer came back, “Torpedoes!”  Farragut then uttered the immortal reply, recorded by history as “Damn the torpedoes, full speed ahead!”

Sometimes we face real torpedoes.  And sometimes, in the cyber world, we face virtual torpedoes.  Whatever the challenges ahead, we are duty-bound to sustain our timeless rule of law values in an era of disruptive technological change. 

Defending the rule of law is essential because the rule of law is not just a feature of the United States.  It is the foundation of the United States. To use a technological metaphor, the rule of law is our nation’s operating system.

The rule of law means that our nation is governed by principles that are agreed to in advance.  Government officials are required to obey and enforce the rules, and restricted from making arbitrary decisions unsupported by the rules.

We should never take the rule of law for granted.  We learned this spring about the tragic experience of Otto Warmbier, the University of Virginia college student who allegedly took a poster off a hotel wall in North Korea and was sentenced to 15 years of hard labor.  North Korea sent Otto home 17 months later.  They sent him home with brain damage.  He died a few days later.

North Korea will not hold anyone accountable for Otto’s injuries and death.  It is a totalitarian government with no concept of the rule of law.  No civil rights.  No due process.  No justice.  

The North Korean government offered no explanation and no apology for prohibiting all communication and concealing Otto’s condition from his family.

My teenage daughter could not believe that such an evil place exists in the 21st century.

Sometimes people get so caught up complaining about the imperfections in our own system that they fail to appreciate how fortunate we are to live in a country blessed with officials who obey the rules and protect the innocent.  People who sail towards danger so the rest of us can stay safe.  People like you.

Protecting people from abuse by the government is an important aspect of the rule of law.  But the rule of law also protects people from being victimized by other people.

The preamble to the United States Constitution explains that it aims to “establish justice, insure domestic tranquility, provide for the common defence, promote the general welfare, and secure the blessings of liberty….”

Our social contract empowers the government to protect society from criminals. The Congress defines federal crimes and authorizes tools for investigating them, such as subpoenas, search warrants, and wiretaps. 

Those legal authorities enable investigators and prosecutors to gather the evidence needed to enforce the laws.  Evidence is essential because our legal system protects criminal defendants by requiring the prosecution to produce admissible evidence that establishes their guilt beyond any reasonable doubt.

But increasingly, the tools we use to collect evidence run up against technology that is designed to defeat them.

Technological dynamism has profoundly transformed our society in recent years.  Ninety-five percent of Americans own a cell phone and more than three-quarters of us own a smartphone. Nearly seven in ten Americans use social media.  In 2014, the Internet sector was responsible for an estimated $922 billion, or six percent of the U.S. real GDP — and that figure is rising.

Our lives are increasingly dependent on a growing digital infrastructure.  But much of that infrastructure is being targeted by criminals and foreign adversaries. Since 2012, the U.S. Intelligence Community’s Worldwide Threat Assessment has frequently listed the cyber threat as a major danger to our nation’s security.

In May, medical facilities around the world were attacked with ransomware, resulting in the cancellation of medical procedures, the unavailability of patient records, and the diversion of ambulances.  In March 2016, hospitals here in Maryland were hit by a ransomware attack, forcing patients to be turned away or treated without updated computer records.  Another alarming incident occurred in 2013, when a foreign adversary gained access to the control and data acquisition system for a dam in New York.  Fortunately, the dam’s sluice gate, which controls water levels and flow rates, had been disconnected for maintenance.  Otherwise, our adversary might have been able to remotely operate the gate.

At the Department of Justice, we take such threats extremely seriously and view countering them as one of our highest priorities.  We aggressively investigate, indict, and — when possible —prosecute the cybercriminals and foreign state hackers behind such attacks.  We create novel partnerships within the federal government to use an “all tools” approach.  If prosecution is not the most appropriate course of action, we work with partners in other agencies to pursue the most effective alternatives.

Private sector entities are crucial partners in this fight.  We engage in formal and informal information sharing, promote cybersecurity best practices, and make clear that private sector cyber victims will be treated with respect and concern.

But our effectiveness, and those of our governmental partners, has limits. The digital infrastructure is not always constructed with adequate regard for public safety, cybersecurity, and consumer privacy. 

Unless we overcome those complications, we will remain vulnerable.

In 2016, an attack launched against domain name servers illustrated a significant problem.  The attack made it effectively impossible for many users to access certain web sites for several hours.  The attackers took control of multiple computers on the Internet and used them to conduct a distributed denial of service attack.  What made the attack especially worrisome was that it used simple internet-connected devices, such as cameras and digital video recorders.  Those so-called “Internet of Things” devices surround us, and they are easily susceptible to control by hackers because of the widespread use of default passwords and other failures to secure them.

That incident vividly illustrates that our digital infrastructure is not just a target in a traditional sense.  It can be hijacked and used against us as an attack vector.  The possibilities for such attacks will grow.  Estimates reveal that 6.3 billion internet-connected devices were used in 2016.  The total may reach 20.4 billion by 2020.  Imagine the possible attack vectors if all of those devices employed default passwords.

One of our principal challenges today is the threat that new technologies pose to our individual and collective security.  Those technologies can play a critical role in creating jobs, promoting commerce, and enhancing our lives.  But new technologies will pose new dangers if innovations develop so quickly that the laws cannot keep up with them.

Our challenge extends far beyond the new technologies that our adversaries use to conduct new types of attacks.  Our investigators and prosecutors already face a range of cyber issues that undermine the rule of law.

Consider, for instance, how the “dark web” facilitates child exploitation and promotes trade in illicit goods.  Or consider how criminals take advantage of new technology that conceals their identities to commit crimes such as trading child pornography and making bomb threats.

Our investigators face challenges because data can be dispersed and evanescent.  Communications providers often choose to store data overseas, which sometimes results in American law enforcement being unable to access evidence involving American perpetrators who violate American laws and harm American victims.  We also face lengthy delays because some domestic technology providers do not design their systems to facilitate responses to court orders, and some do not adequately staff their legal compliance departments.

That brings me to one of our greatest challenges, encryption.  Encryption is a foundational element of data security and authentication.  It is essential to the growth and flourishing of the digital economy, and we in law enforcement have no desire to undermine it.

But the advent of “warrant-proof” encryption is a serious problem.  Under our Constitution, when crime is afoot, impartial judges are charged with balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement.  The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns.

Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, especially when officers obtain a court-authorized warrant.  But that is the world that technology companies are creating. 

Those companies create jobs, design valuable products, and innovate in amazing ways.  But there has never been a right to absolute privacy. Courts weigh privacy against other values, including the need to solve and prevent crimes. Under the Fourth Amendment, communications may be intercepted and locked devices may be opened if they are used to commit crimes, provided that the government demonstrates showing of probable cause.

Warrant-proof encryption defeats the constitutional balance by elevating privacy above public safety.  Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones that permit criminals and terrorists to operate without detection by police and without accountability by judges and juries.

When encryption is designed with no means of lawful access, it allows terrorists, drug dealers, child molesters, fraudsters, and other criminals to hide incriminating evidence.  Mass-market products and services incorporating warrant-proof encryption are now the norm.  Many instant-messaging services employ default encryption designs that offer police no way to read them, even if an impartial judge issues a court order.  The makers of smart phones previously kept the ability to access some data on phones, when ordered by a court to do so.  Now they engineer away even that capability.

We refer to this problem as “Going Dark” –  the threat to public safety that occurs when service providers, device manufacturers, and application developers deprive law enforcement and national security investigators of crucial investigative tools.

The issue caught the public’s attention in February 2016, when the government obtained an iPhone used by a terrorist who shot and killed 14 people and injured 22 others at an office Christmas party in San Bernardino, California.  The FBI wanted to find out if the phone contained evidence of other attack plans, or information about other people who might launch attacks.  So, the FBI obtained the consent of the phone’s legal owner—the San Bernardino county government—and also obtained a search warrant.  The data on the phone was encrypted, but Apple had the ability to assist the government in obtaining that data.  The government sought Apple’s voluntary assistance. 

Apple rejected the government’s request, although it had the technical capability to help.  The government then obtained a court order requiring Apple to assist, but Apple immediately announced it would appeal the order. Fortunately, the government was able to access data on that iPhone without Apple’s assistance.

But the problem persists.  Today, thousands of seized devices sit in storage, impervious to search warrants.  Over the past year, the FBI was unable to access about 7,500 mobile devices submitted to its Computer Analysis and Response Team, even though there was legal authority to do so.

In May 2015, terrorists targeted people attending an event in Garland, Texas.  On the morning of the attack, one of the terrorists exchanged 109 instant messages with an overseas terrorist.  He used an app employing end-to-end encryption, so that law enforcement could not decode the messages.

Billions of instant messages are sent and received each day using mainstream apps employing default end-to-end encryption.  The app creators do something that the law does not allow telephone carriers to do:  they exempt themselves from complying with court orders.

Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization.  Such encryption already exists.  Examples include the central management of security keys and operating system updates; the scanning of content, like your e-mails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop.  

No one calls any of those functions a “back door.”  In fact, those capabilities are marketed and sought out by many users.

The proposal that providers retain the capability to make sure evidence of crime can be accessed when appropriate is not an unprecedented idea.

Such a proposal would not require every company to implement the same type of solution.  The government need not require the use of a particular chip or algorithm, or require any particular key management technique or escrow.  The law need not mandate any particular means in order to achieve the crucial end: when a court issues a search warrant or wiretap order to collect evidence of crime, the provider should be able to help.

No law can guarantee that every single product that offers encryption will also come with an adequate capability to prevent that product from being used to hide evidence of crime. 

A requirement to implement a solution could be applied thoughtfully, in the places where it is needed most.  Encrypted communications and devices pose the greatest threat to public safety when they are part of mass-market consumer devices and services that enable warrant-proof encryption by default. 

No solution will be perfect.  If only major providers refrain from making their products safe for terrorists and criminals, some sophisticated criminals may migrate to less-used platforms. But any progress in preserving access to communications methods used by most criminals and terrorists would still be a major step forward.

The approach taken in the recent past — negotiating with technology companies and hoping that they eventually will assist law enforcement out of a sense of civic duty — is unlikely to work. Technology companies operate in a highly competitive environment. Even companies that really want to help must consider the consequences. Competitors will always try to attract customers by promising stronger encryption.

That explains why the government’s efforts to engage with technology giants on encryption generally do not bear fruit.  Company leaders may be willing to meet, but often they respond by criticizing the government and promising stronger encryption.  

Of course they do. They are in the business of selling products and making money.  

We use a different measure of success. We are in the business of preventing crime and saving lives.  

Companies are willing to make accommodations when required by the government. Recent media reports suggest that a major American technology company developed a tool to suppress online posts in certain geographic areas in order to embrace a foreign government’s censorship policies.  Another major American tech company recently acquiesced to a foreign partner’s request that local customers stop using software to circumvent a foreign government’s censorship restrictions.  A third major American corporation recently stopped supporting virtual private network apps at the behest of a foreign government, to prevent internet users from overcoming censorship policies.

American technology providers sell products and services in foreign markets where the governments have questionable human rights records and enforce laws affording them access to customer data, without American due process or legal protections. 

Surely those same companies and their engineers could help American law enforcement officers enforce court orders issued by American judges, pursuant to American rule of law principles.

Some critics argue that the evidence concealed by encryption can be offset by new sources of data.  They claim we live in a “Golden Age of Surveillance” because law enforcement may access new sources of information such as location data, or data derived from internet-connected devices.

That argument misunderstands what sort of evidence law enforcement needs in order to prevent and punish crime.  We need to assemble powerful evidence that proves a defendant’s guilt beyond a reasonable doubt.  Sometimes a communication is a crime in itself, or provides conclusive proof.  There is no substitute for introducing the original communication in court. 

Location data may demonstrate that a suspect was near the scene of crime, but it does not necessarily prove that the person committed a crime.  Nor does it show what the suspect was thinking or intending — both of which are important elements of proof in many prosecutions.  

It is notable that all of the new data is generated for, and in the hands of, private companies.  Companies collect increasing volumes of personal information about individuals in order to predict human behavior and produce revenue. Databases are built for marketers, who are comfortable making decisions based on far less information and far less assurance of accuracy than we require before prosecuting someone for a crime. 

We may be awash in data, but it is not always the kind of evidence that our rule of law tradition establishes as sufficient to establish guilt beyond any reasonable doubt.

Police and prosecutors were the first to recognize the danger posed by the “going dark” trend.  But the public bears the cost.  When investigations of violent criminal organizations come to a halt because we cannot access a phone, lives may be lost.  When child molesters can operate anonymously over the internet, children may be exploited.  When terrorists can communicate covertly without fear of detection, chaos may follow.

It is important to recognize that our concern about the harm caused by “going dark” is not inconsistent with our support for cybersecurity.  We at the Department of Justice understand and encourage strong cybersecurity to protect our citizens.

We know from experience that the largest companies have the resources to do what is necessary to promote cybersecurity while protecting public safety.  A major hardware provider, for example, reportedly maintains private keys that it can use to sign software updates for each of its devices.  That would present a huge potential security problem, if those keys were to leak.  But they do not leak, because the company knows how to protect what is important.  Companies can protect their ability to respond to lawful court orders with equal diligence.

Technology providers are working to build a world with armies of drones and fleets of driverless cars, a future of artificial intelligence and augmented reality.  Surely such companies could design consumer products that provide data security while permitting lawful access with court approval.

As the “going dark” trend grows, local, state, and federal law enforcement officials need to be candid about how criminals use encrypted services and devices for illegal purposes. 

In an era of dramatic and rapid change, we have a duty to maintain our commitment to the rule of law. That requires us to be forthcoming about the dangers posed by emerging threats.

If companies are permitted to create law-free zones for their customers, citizens should understand the consequences.  When police cannot access evidence, crime cannot be solved.  Criminals cannot be stopped and punished.

There is an alternative.  Responsible encryption can protect privacy and promote security without forfeiting access for legitimate law enforcement needs supported by judicial approval.

Technology companies almost certainly will not develop responsible encryption if left to their own devices.  Competition will fuel a mindset that leads them to produce products that are more and more impregnable. That will give criminals and terrorists more opportunities to cause harm with impunity.

Sounding the alarm about the dark side of technology is not popular.  Everyone who speaks candidly about “going dark” faces attacks by advocates of absolute privacy.  

Some advocates are motivated by profit.  Others demonstrate sincere concern about the benefits of privacy. They are not concerned about preserving law enforcement capabilities.

Those of us who swear to protect the rule of law have a different motivation.  We are obliged to speak the truth.

The truth is that “going dark” threatens to disable law enforcement and enable criminals and terrorists to operate with impunity.

Allow me to conclude with this thought: There is no constitutional right to sell warrant-proof encryption.  If our society chooses to let businesses sell technologies that shield evidence even from court orders, it should be a fully-informed decision.

Thank you for your attention, and thank you for your devoted service to our great nation.  I look forward to your questions.