US Dept of Justice calls for encryption balance that includes law enforcement needs

Companies encrypting customer data should weigh the benefits to cybersecurity against needs of law enforcement, officials say

Apple, Google urge Obama to reject encryption back doors

Apple, Google urge Obama to reject encryption back doors

It's possible for companies to design their encryption systems to allow law enforcement agencies to access customer data with court-ordered warrants while still offering solid security, U.S. Department of Justice officials said.

When DOJ and FBI officials raised recent concerns over end-to-end encryption on Android and iOS mobile phones, some security experts suggested it was difficult or unsafe to build in provider access to encrypted consumer data. But many companies already offer encryption while retaining some access to user information, two senior DOJ officials said Wednesday.

Many email service providers offer encryption but retain access to the content of users' email to deliver advertising based on keywords in email text, to filter out spam or malware or to enforce terms of service, one DOJ official said on background during a press briefing. Many U.S. companies also encrypt employee mobile phones or laptops, while retaining the ability to access the content on those devices, he added.

Some of the same companies offering end-to-end encryption also retain access to customers' email in other services, one DOJ official said.

The DOJ sees encryption deployed "where companies and providers strike an appropriate balance between data security and the ability to access data when they need to," the official said. Most of the large email providers in the U.S. encrypt data "but retain the ability to access that data for their own business purposes," the official added.

Beginning in late 2014, FBI and DOJ officials have sounded alarms about encryption, saying law enforcement agencies are increasingly "going dark" in criminal and terrorism investigations because subjects' data unavailable, even after a court-issued warrant. Apple and Google both announced new end-to-end encryption services on their mobile operating systems, in part as a response to leaks about massive surveillance programs at the National Security Agency.

One recent criminal defendant described end-to-end encryption as "another gift from God," Deputy Attorney General Sally Quillian Yates said during a speech last month. "But we all know this is no gift -- it is a risk to public safety," she said then.

Several encryption and security experts, as well as digital rights groups, have criticized the DOJ and FBI calls for encryption workarounds. "If it's easier for the FBI to break in, then it's easier for Chinese hackers to break in," Senator Ron Wyden, an Oregon Democrat, said last month. "It's not possible to give the FBI special access to Americans' technology without making security weaker for everyone."

Nearly all of the DOJ's criminal cases now include digital evidence, one DOJ official said during Wednesday's press briefing. The DOJ doesn't yet have statistics on the number of criminal cases affected by encryption, but the agency is working on compiling that information, one official said.

The DOJ is not asking companies to stop offering encryption, a second official said, but to balance the cybersecurity benefits of end-to-end encryption with the risks of losing valuable evidence in child pornography, terrorism, organized crime and other cases.

There may be "theoretical risks" with companies retaining access to customers' encrypted data, one official said. "Are there costs and benefits associated with certain implementations of encryption, and are there costs and benefits associated with lack of law enforcement and national security access to communications in crucial cases?" the official added.

With hundreds of millions of email users already allowing their providers access, there needs to be a bigger debate about law enforcement access, the official said. "If it's worth it to have a cheaper product or a more appealing interface, if it's worth it for malware detection, then the question we're asking is, 'Is it not also worth it for protection against terrorism and for public safety?'"

President Barack Obama's administration has not yet made a decision on whether to seek new legislation to deal with end-to-end encryption and law enforcement access, the DOJ officials said. The agency does not believe it should tell companies how to design their encryption systems to allow law enforcement access, because companies know best how to deal with the issue, they said.

The DOJ supports the use of encryption to protect against cyberthreats, but it believes that purpose can coexist with law enforcement access, the officials said.

"The Department of Justice supports strong encryption," the second official said. "It's very important for a global economy and our national security to have strong encryption standards."

The officials, asked if mandated law enforcement access in the U.S. would drive some criminals to overseas services, acknowledged it might, in limited cases.

"If we're talking about a few bad guys, then we have a much different problem than if we're talking about an entire market for smartphones," the second official said. "We're just talking about different problem sets."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags U.S. Department of JusticesecurityRon WydenregulationU.S. National Security AgencygovernmentprivacySally Quillian YatesU.S. FBI

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?