Let’s agree that FBI Director James Comey’s speech on the difficulties new encryption technologies present to law enforcement was unnervingly inadequate. Opening with a joke about how he feels “incarcerated” by the length of his term and throwing in unserious references to “bad guys,” Comey’s effort was unsuited to its subject matter. And that’s disappointing, because the subject is deadly serious.
The FBI director was attempting to argue that moves by technology companies including Apple and Google to grant users near-perfect privacy on their devices — complete with encrypted codes that the companies themselves may not be able to crack — could leave law enforcement impaired in efforts to keep us safe from harm.
It’s a fair worry. The new iPhone 6, for instance, is powered by encryption so complex that, by Apple’s own admission, it would take five and a half years to test all the possible alphanumeric combinations to break the code. Google’s Android phones will soon follow suit. In other words, a court order for information from such phones is functionally useless.
Comey added that the law governing this issue is hopelessly outdated. The Communications Assistance for Law Enforcement Act, passed in 1994, requires broadband providers and telecom companies to build wiretapping ability into their technology. Two decades later, the reality of electronic surveillance has expanded dramatically beyond wiretaps, and the number of companies in the “communications” business has mushroomed.
The result? The law excludes many companies — such as Facebook or Twitter — that clearly would have fallen under its scope had it been written today. Even many of the companies bound by the law are unwilling or unable to build intercept capabilities into their products.
It’s tough to think of a less fashionable argument than the one Comey was tasked with making. After all, Apple and Google are popular; Big Brother is not. Privacy is all the rage; surveillance gives us the jitters.
Many of the responses to the director’s remarks, then, were predictably panicked. Vice.com accused the director of going “ballistic.” Time Magazine anticipated punishing regulations against the likes of Apple and Google, and Business Insider charged that Comey “hates encryption.”
Tech companies, on the other hand, effectively shrugged their shoulders — a show of confidence in their economic and political power. “I’d be fundamentally surprised if anybody takes the foot off the pedal of building encryption into their products,” said Facebook General Counsel Colin Stretch, echoing the conviction among technology leaders that stepped-up encryption measures are simply a response to market demand.
But it’s worth considering Comey’s point more carefully. He wasn’t calling for a vast and dangerous expansion of the government dragnet. He wasn’t issuing any threats. In fact, he was confessing that the government hasn’t kept up with the Digital Age. And perhaps most importantly, the remedies he offered were more nuanced and more precise than his critics suggested.
To the leaders of the tech industry, he was saying this: Your technological predecessors were required by law to build in safeguards to enable law enforcement agencies to access vital information. That was their obligation to the public; it should be yours, too.
He told a do-nothing Congress that essential laws regulating surveillance were built for comparatively ancient times. Those laws require an upgrade to respond to new technology. With tech companies sitting on information of inestimable value to law enforcement, we need an open debate about the trade-offs between privacy and security in the age of Facebook.
And he reminded the rest of us of what our Congress and our judges have affirmed time and again: Fourth Amendment protections against unreasonable search and seizure have appropriate limits. It’s fair and reasonable to keep a tight rein on government’s power to snoop. But it is unfair and unreasonable to curtail that ability entirely. New encryption technologies threaten to do just that.
Then there was the argument Comey didn’t make. Law enforcement’s surveillance tools were built for a world in which the people, acting through the government, were the arbiter of privacy and its limits — a world in which the privacy-security trade-off was hashed out in the public sphere. There were failures and abuses, and even corruption, but at least the people responsible could be held to account. The new era of encryption changes the locus of this power. Unaccountable technology executives will now be able to decide what information law enforcement can access, and when. And it shouldn’t surprise us that the same companies protecting our private information one day sell it to advertisers the next.
Many of us who have followed the past few years’ troubling revelations of government spying have come to the same conclusion: This is what happens when surveillance power becomes too concentrated and far too unchecked. But when decisions on privacy become the exclusive province of shareholders and executives, not elected officials and judges, we move toward a surveillance regime in which power is even more opaque and uncheckable. Tech’s unilateralism should worry us at least as much as government overreach — an argument the FBI director would have been wise to make.