William P. Barr International Conference on Cyber Security Keynote delivered 23 July 2019, Fordham University, New York, NY
[AUTHENTICITY CERTIFIED: Text version below transcribed directly from audio and lightly edited for continuity]

Good morning everyone, and -- and thank you for being here this morning, especially those of you who sat on the tarmac waiting to get into New York last night through all the heavy weather. And I'd like to -- to thank particularly Fordham University for hosting this Conference and this opening ceremony. And I would like to thank the New York division of the FBI for their work in putting on this conference together.

As was said, I'm a New Yorker and it's great to get back to New York. This is my first trip to New York since becoming Attorney General in the Trump Administration. In fact, I grew up on the Upper West Side and then when I came back into New York to work for Verizon, I actually lived right here around Columbus Circle. And one of my daughters -- my oldest daughter, Mary, went to Fordham Law School, and then has had a career in the -- in the Department of Justice as a narcotics prosecutor for the last 14 years.

Now, when I was at Verizon, we were dealing with the issue of new digital switches being deployed, and wireless switches being deployed, and the fact that they were not accommodating our law enforcement needs so that we could continue wire-tapping with these switches. And I spent a lot of the time when I was at the Department of Justice beating up on the phone companies. And I want you to know -- I want to give you an indication of my insights into the technological field and my ability as a prognosticator in -- in this arena. I remember distinctly a meeting we had in the Attorney General's conference room where Jim Kallstrom, who some of you may know -- at the time he was Assistant Director and later became Director of Public Safety in New York. Anyway, Jim was trying to explain to me what he thought -- or what the FBI was thinking -- the trajectory of the wireless industry would be.
Now, in those days, you know, our phones, the wireless phones, were like World War II, you know, field phones, and my detail carried around one, which rarely had reception. We had no Internet. I mean this was 28, 29, 30 years ago.
So, in any event, he was showing me these sketches and artist renditions of what the world would look like, and I vividly remember these little cartoons of businessmen walking down the street like this with a little thing...a personal communicator in their hand, and then there were like these lightning bolts going up to towers, you know, spread out throughout the city. And I was looking at this, and he was explaining why it was so important to get access to these new switches. I said, "Jim, that looks very Dick Tracy[1] to me." In any event, it didn't turn out to be Dick Tracy. But that "insight" was enough to get me hired as the General Counsel of Verizon.

And I would say over the last 30 years, cyber-related issues, cyber security, may well be the most significant difference between my first tenure as Attorney General and -- and this one. And I have spent a significant amount of time, since February when I took office, trying to get up to speed on -- on all the developments in this arena. And I've been very impressed and reassured as I've learned about all the investment and the effort that makes the FBI a leader in this sphere.

Now, as I already said, as individuals and -- and as a nation we've become dependent on a vast and expanding digital infrastructure. That, in turn, has made us vulnerable to cybercriminals and foreign adversaries that target that infrastructure. And that danger cannot be overstated. Enhancing cyber security is a national imperative. Among the most critical advances in cyber security has been the development of advanced encryption techniques and their deployment in a range of important applications. Encryption provides enormous benefits to society by enabling secure communications, data storage, and online transactions.
Because of advances in encryption, we can now better protect our personal information, more securely engage in e-commerce and -- and Internet communications, obtain software updates, and limit access to sensitive computers, devices, and networks. As the Federal Government, we welcome these improvements to privacy and security, and we will work to preserve and strengthen them. But at the same time, we must recognize that our citizens face an array of threats to their safety far broader than just cyber threats, as severe as that threat is. Hackers are the -- are a great danger, but so are violent criminals, terrorists, drug traffickers, human traffickers, fraudsters, sexual predators -- you name it. While we should not hesitate to deploy encryption to protect ourselves from cybercriminals, this should not be done in a way that eviscerates society’s ability to defend itself against all these other types of criminals. In other words, making our virtual world more secure should not come at the expense of making us more vulnerable in the real world. But, unfortunately, this is where we appear to be heading. Service providers, device manufacturers, application developers are developing and deploying encryption that can only be decrypted by the end user or customer; and they are refusing to provide technology that allows for lawful access by law enforcement agencies in appropriate circumstances. As a result, law enforcement agencies are increasingly prevented from accessing communications in transit, or data stored on cell phones or computers, even with a warrant based on probable cause to believe that criminal activity is underway. Because in the digital age the bulk of evidence is becoming digital, this form of "warrant proof" encryption poses a grave threat to public safety by extinguishing the ability of law enforcement to obtain evidence essential to the detection and investigation of crimes. 
It allows criminals to operate with impunity, hiding their activities under an impenetrable cloak of secrecy. As you know, some refer to this eclipsing of the Government’s investigative capabilities as "going dark." While encryption protects against cyberattacks, deploying it in warrant-proof form jeopardizes public safety more generally. The net effect is to reduce the overall security of society. I am here today to tell you that, as we use encryption to improve cyber security, we must also ensure that we retain society’s ability to gain lawful access to data and communications when needed to respond to criminal activity. This proposition should not be controversial. It simply reflects the balance struck in the Constitution itself and maintained since the Founding. The Fourth Amendment strikes a balance between the individual citizen's interest in conducting certain affairs in private and the general public's interest in subjecting possible criminal activity to investigation. It does so, on the one hand, by securing for each individual a private enclave around his "person, house, papers, and effects" -- a "zone" bounded by the person's own reasonable expectations of privacy. So long as the individual acts within this "zone of privacy," their activities are shielded from unreasonable Government investigation. On the other hand, the Fourth Amendment establishes that, under certain circumstances, the public has a legitimate need to gain access to the individual’s zone of privacy in pursuit of public safety; and it defines the terms under which the Government may obtain that access. When the Government has probable cause to believe that evidence of a crime is within an individual’s zone of privacy, the Government is entitled to search [for] and seize the evidence. And the search usually must be preceded by a judicial determination that "probable cause" exists and be authorized by a warrant. 
The key point is that the individual's right to privacy and the public right of access are two sides of the same coin. The reason we are able -- The reason we are able, as part of our basic social compact, to guarantee individuals a certain zone of privacy is precisely because the public has reserved the right to access that zone when public safety requires. If the public right of access is blocked, then these zones of personal privacy are converted into "law-free zones," insulated from legitimate scrutiny.

Since the Founding, advances in technology have disrupted this balance in different ways. Sometimes, technology creates new spheres of potential privacy that the drafters of the Fourth Amendment could never have envisioned, such as the advent of the telephone. Sometimes, technology gives law enforcement new means to invade privacy that were previously unimaginable, such as thermal imaging technology. And sometimes, technology makes it easier for suspects to -- to evade law enforcement even when there is a lawful basis to investigate, such as the automobile, or, to bring us back to today's topic, encryption.

With each of these earlier examples, our society has ensured that the traditional balance between individual privacy and public safety was maintained. This is reflected in the Supreme Court's jurisprudence. In Katz versus the United States, the Court held that the Fourth Amendment applied to the government's bugging of a telephone booth -- even though this technique did not strictly involve a search of a suspect's person, house, papers, and effects. Decades later in Kyllo [v. United States], the Court held that the Fourth Amendment applied to the use of [a] thermal imaging device to look inside a home, even though prior doctrine strongly indicated that government exploitation of light waves emitted from property was outside the scope of Fourth Amendment protections.
The Supreme Court's application of Fourth Amendment protections to the attachment of GPS tracking devices to cars -- in the United States versus Jones -- had a similar effect. In each of those cases, the Court protected privacy against advances in technology. But of course, law enforcement retained the ability to bug a phone booth, to use thermal imaging, or to attach a GPS device if it obtained a warrant.

The same script has played out in reverse with the Supreme Court taking steps to ensure that advances in technology do not unduly tip the scales against public safety by preventing effective law enforcement. A notable example is the automobile. If the zone of privacy was extended to the automobile -- as a type of "personal effect" or akin to a "mobile house" -- then it would be difficult, if not impossible, for law enforcement to work within the traditional requirements that police obtain a warrant [from] a neutral magistrate before conducting a search and seizure. Even when an officer had probable cause to seize a car or its contents, the driver could get away long before the officer could get a warrant. This development threatened again to disrupt that traditional balance between individual privacy and public safety.

So what did we do? In a series of decisions that started with Carroll [v. United States] in 1925, the Supreme Court articulated an exception to the traditional warrant requirement which allows police to search and seize a car without a warrant so long as it can later be shown that they had probable cause to support the investigation. In other words, we did not make automobiles a law-free zone. We preserved the constitutional balance by ensuring that law enforcement retained the practical capability to conduct a search when lawfully predicated.
The point I hope to -- you take away today is that our societal response to advances in technology that affect the balance between individual privacy and public safety has always been, and always should be, a two-way street. When the advances tip the scale too far in favor of the Government, the response is to expand privacy protections. And when these advances threaten public safety by thwarting effective enforcement, the response should be to preserve lawful access.

By enabling dangerous criminals to cloak their communications and activities behind an essentially impenetrable digital shield, the deployment of warrant-proof encryption is already imposing huge costs on society. It seriously degrades the ability of law enforcement to detect and prevent crime before it occurs. And after crimes are committed, it is thwarting law enforcement's ability to identify those responsible or to successfully prosecute the guilty parties. These costs will grow exponentially as deployment of warrant-proof encryption accelerates and criminals are emboldened by their ability to evade detection.

At conferences like this, we talk about these costs in abstract terms. But they are not abstract; they're real. The costs of irresponsible encryption that blocks legitimate law enforcement access are ultimately measured in a mounting number of victims -- men, women, and children -- who are the victims of crimes, crimes that could have been prevented if law enforcement had been given lawful access to encrypted evidence. Law enforcement has generally not wanted to get into specifics about these cases because details can help sophisticated criminals and terrorists evade detection. But given the frequency with which these situations are now arising, it is only a matter of time before a sensational case crystallizes the issue for the public.
Now, FBI Director Wray will be speaking later in the week at this conference and will address some of the damage being inflicted on law enforcement by encryption that blocks lawful access. But for now, I want to make a couple of points about the extent of the damage. Like everybody else, criminals of all stripes increasingly rely on wireless communications, hand-held devices, and the Internet. This is especially true of larger-scale criminal organizations that need to coordinate many conspirators across wide geographical areas. Thus, we have seen transnational drug cartels increasingly move this -- move their communications onto commercially available encrypted platforms designed to block lawful access. One of the many examples is a Mexican cartel that recently started trafficking large quantities of finished fentanyl from Asia to Mexico and then into the United States. The cartel started using WhatsApp as their primary communication method, preventing U.S. law enforcement from conducting wiretaps that would have enabled us to locate the fentanyl shipments and seize them at the border. We also found that the cartel had used WhatsApp for the specific purpose of coordinating the murders of Mexic[o]-based police officials. The cartel ended up murdering hundreds of these police officers. Had we been able to gain access to the chat group on a timely basis, we could have saved these lives. So the costs of not being able to gain lawful access in this case were the lives of the assassinated officers, as well as the many lives impacted by unimpeded entry into the United States of huge amounts of deadly fentanyl. This is just one of the countless examples involving the drug war. Indeed, in my view, just the damage done by warrant-proof encryption to our ability to combat drug trafficking is a cost too high for the public to pay. 
The tsunami of opioids, cocaine, and methamphetamine that started surging into the United States from Mexico in the latter years of the Obama Administration is one of the greatest dangers to the well-being of our nation that we face today. In a single year, more Americans die from drug overdoses than we lost in the entire Vietnam War. In addition to this death toll, hundreds of thousands of lives are destroyed. The vast majority of drugs are trafficked into the United States by large, sophisticated, transnational criminal organizations. In past times, when we have had considerable [success] in combating the cartels like this, the indispensable tool has been communications intelligence. And it remains the indispensable tool today. If our law enforcement agencies do not recover the ability to gain lawful access to encrypted communications and platforms, the prospects of successfully prosecuting the drug war by traditional law enforcement means are dim.

Warrant-proof encryption is also seriously impairing our ability to monitor and combat domestic and foreign terrorists. As with drug cartels, we are seeing terrorist organizations moving their communications to encrypted platforms designed to block lawful access. Even smaller terrorist groups and "lone wolves" have now turned increasingly to encryption. We are seeing more and more, as we monitor terrorist communications, suddenly in the middle of the communication when they get into sensitive areas they switch to an encrypted app, a commercially available encrypted app -- in the middle of the conversation, frequently where they are discussing deadly operations.

The 2015 terrorist attack in Garland, Texas still rankles. There, two Islamist extremists carried out an attack for which ISIS claimed responsibility. On the morning of the attack, one of the terrorists exchanged approximately 100 instant messages with an overseas terrorist using an encrypted app.
To this date, the FBI has still not been able to determine the contents of these messages. The deployment of warrant-proof encryption is seriously diminishing the communications intelligence we are able to collect against foreign and domestic terrorists. Due to the very nature of terrorism, where each actor seeks to inflict high casualties, encryption that allows terrorists to operate beyond the reach of lawful surveillance poses an unacceptable risk to the nation.

One further point about the costs imposed on society by warrant-proof encryption. It is not only about the crimes that we are unable to detect and avoid, or the criminals that escape punishment. Converting the Internet and communications platforms into a "law-free" zone, and thus giving criminals the means to operate free of lawful scrutiny, will inevitably propel an expansion of criminal activity. If you remove any possibility that the cops are going to be watching a neighborhood, the criminals already in the neighborhood are going to commit a lot more crimes.

The "going dark" problem is not limited to terrorism or drug cartel cases. While those cases are vitally important, it is also important that law enforcement at the federal, state, and local level retain the ability to investigate and prosecute the full spectrum of crimes that plague our society. We are aware, for example, that a large, violent gang is using encrypted apps to "green light" assassinations, and yet, because we cannot access the messages, we cannot prevent the murders. We also know that human traffickers and pedophiles use the Internet to facilitate their crimes, and yet encryption is already impairing our visibility into some of these activities. With growing -- With the growing availability of commoditized encryption, it is becoming easier for the most common criminal to communicate beyond the reach of traditional surveillance. And this problem is becoming especially acute for our state and local partners, who lack the resources of the federal government, and whose ability to investigate and prosecute crimes is being seriously impaired.
Now, the Department has made clear what we are seeking. We believe that when technology provides -- providers deploy encryption in their products, services, and platforms, they need to maintain an appropriate mechanism for lawful access. This means a way for government entities, when -- when they have appropriate legal authority, to access data securely, promptly, and in an intelligible form, whether it is stored on the device or in transmission. We do not seek to prescribe any particular solution. Our private-sector technology providers have immensely talented engineers who have built the very products and services that we're talking about. They are in the best position to determine what methods of lawful access work best with their technology.

But there have been enough dogmatic pronouncements that lawful access simply cannot be done. It can be, and it must be. We are confident that there are technical solutions that will allow lawful access to encrypted data and communications by law enforcement without materially weakening the security provided by encryption. Such encryption regimes already exist. For example, providers design their products to allow access for software updates using centrally managed security keys. We know of no instance where encryption has been defeated by compromise of those provider-maintained keys. Providers have been able to protect them. We think our tech sector has the ingenuity to develop effective ways to provide secure encryption while also providing secure legal access.

Some good minds have already started to focus on this, and some promising ideas are emerging. Our colleagues at the United Kingdom's GCHQ have proposed "Virtual Alligator Clips" which allow a provider to respond to a warrant by adding a silent law enforcement recipient to an otherwise secure chat. Ray Ozzie has tabled a proposal for "Exceptional Access Keys" for locked, encrypted phones so that they can be unlocked pursuant to a warrant. And Matt Tait has proposed Layered Cryptographic Envelopes to allow lawful access to encrypted data-at-rest on disks or other storage devices. I am sure that the putative shortcomings of these ideas have been identified, which hopefully will spur further refinements and alternative proposals. And through this dialectic we can identify a workable solution. I'm not endorsing any particular solution. And we will likely need different approaches for communications and data in transit. But I am suggesting that it is well past time for some in the tech community to abandon the posture that a technical solution is not worth exploring and instead turn their considerable talent to developing products that will reconcile good cyber security to the imperative of public safety and national security. As Microsoft's Bill Gates has observed, "There's no question of ability; [it's a] question of willingness."[2]

Some object that requiring providers to design their products to allow for lawful access is incompatible with some companies' "business models." But what is the business's objective? What is their model? Is it "A" -- to sell encryption that provides the best protection against unauthorized intrusion by bad actors? Or is it "B" -- to sell encryption that assures that law enforcement will not be able to gain lawful access? I hope we can all agree that if the aim is explicitly "B" -- that is, if the purpose is to block lawful access by law enforcement, whether or not this is necessary to achieve the best protection for bad actors -- then that is a business model that from society's standpoint is illegitimate, and so is any demand for that product. The product jeopardizes the public's safety, with no countervailing utility. Few companies would say that this is their objective. On the other hand, it is contended that achieving "B" (the blocking of lawful access) is essential to achieving "A" (giving the best protection to [against] bad actors).
So, providing for lawful access is collateral damage to the overarching objective of the best protection against bad actors. The argument is that a business is thwarted in its purpose of offering the best possible product unless it can override society’s interest in retaining lawful access. Now, some hold this view dogmatically, claiming that it is technologically impossible to provide lawful access without weakening security against unlawful access. But, in the world of cyber security, we do not deal in absolute guarantees but in relative risks. All systems fall short of optimality and have some residual risk of vulnerability -- a point which the tech community acknowledges when they are proposing that law enforcement can satisfy its requirements by hacking into the vulnerabilities of their current products. The real question is whether the residual risk of vulnerability, which results from incorporating a lawful access mechanism, is materially greater than those already in the unmodified product. And the Department does not believe that this has been demonstrated. Moreover, even if there was, in theory, a slight risk differential, its significance could not be judged solely by the fact that it falls short of some theoretical optimality. Particularly with respect to encryption marketed to consumers, the significance of the risk should be assessed based on the practical effect on consumer cyber security, as well as its relation to the net risks that offering the product poses to society. After all, we're not talking about protecting the nation’s nuclear codes here. We -- Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications. 
If one already has an effective level of security -- say, by way of illustration, one that protects against 99 percent of foreseeable threats -- is it reasonable to incur massive further costs to move slightly closer to some theoretical optimality and -- and attain, say, 99.5 percent level of protection, especially when the risk being addressed at that point is highly remote? Here, a company would not invest its own money to -- to gain that kind of incremental benefit. And society should not be asked to pay that cost to accomplish the same purpose. Now, some argue that achieving this slight incremental improvement is worth imposing those costs on society in the form of degraded public safety. I think this is untenable -- again using a crude illustration, if the choice is between a world where we can achieve a 99 percent assurance against cyber threats to consumers, while still providing law enforcement 80 percent of the access that it requires -- that's one world -- or a world where we have boosted our cyber security to 99.5 percent for consumers but at a cost of reducing law enforcement's access to zero percent -- the choice for society should be clear.

Some who resist lawful access complain it places an unreasonable burden on companies, who must spend time and resources on developing and implementing a compliance mechanism. To that I say, "That's part of being part of civil society." We regularly expect -- and often mandate if necessary -- that our companies take steps to ensure that their products and services do not impose negative externalities on the public. If my business plan is to sell sawed-off shotguns, that's tough. We, as a community, have the right to say, "No, we don't care if that's your business plan. The barrel has to be this long." Sometimes, this requires prohibiting certain products altogether; and other times it requires modification of products so that they are compatible with the public interest.
Further, the burden is not as onerous as some make it out to be. I served -- as it was said here -- for many years as the general counsel of a telecommunications company (GTE and then Verizon). And during my tenure, we dealt with these issues and lived through the passage of CALEA -- the Communications Assistance [for] Law Enforcement Act. Now, the debate we were having -- that I mentioned at the beginning of my speech about companies mak[ing] their switches, their new switches available to us in a way that allowed us to conduct the normal Title III interceptions that we had traditionally performed. And that Act imposes a statutory duty on telecommunications carriers to maintain the capability to provide lawful access to communications over their facilities. And that has gradually been extended to cable companies, and even to Voice Over Internet Protocol [VoIP] providers. Companies bear the cost of compliance but they have flexibility in how to achieve it; and the system has by and large worked. It is absurd to think that we would preserve lawful access by mandating that physical telecommunications facilities be accessible to law enforcement for the purpose of obtaining content, while allowing tech providers to block law enforcement from attaining that very content. The United States is not alone in -- in addressing this issue. In fact, many of our international partners, such as the UK and Australia, are already moving on a statutory framework to address it. American companies have an opportunity to advance their interests by setting industry standards now that can influence the conversation here and worldwide in years to come. Obviously, the Department would like to engage with the private sector in exploring solutions that will provide lawful access. While we remain open to cooperative approaches, the time to achieve them may be limited. 
Key countries, as I said, including some of our most important allies, have been moving toward legislative and regulatory solutions. I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues. Whether we end up with legislation or not, the best course, I think, is for everyone involved to work soberly and in good faith together to craft an appropriate solution, rather than have outcomes dictated during a crisis.

As this debate has dragged on, and the deployment of warrant-proof encryption has accelerated, our ability to protect the public from criminal and national security threats is rapidly deteriorating. The status quo is exceptionally dangerous. It is unacceptable, and only getting worse. The rest of the world has woken up to this threat. It is time for the United States to stop debating whether to address it, and start talking about how to address it.

Thank you very much.

[1] Allusion

[2] Allen, M. (13 Feb 2018). Bill Gates: tech companies inviting government intervention. Phone interview with Axios. Available at: https://www.axios.com/bill-gates-warns-big-tech-1518515340-fa3aa353-6078-405b-b3aa-8252bd06c1fc.html

Speaker Note: Mr. Barr (BA, MA, Columbia University; JD, George Washington University) delivered this address in his capacity as the 85th Attorney General of the United States of America.
Original Text Source: Justice.gov