Encryption and Evolving Technology: Implications for U.S. Law Enforcement Investigations Kristin Finklea Specialist in Domestic Security September 8, 2015 Congressional Research Service 7-5700 www.crs.gov R44187 Encryption and Evolving Technology: Implications for U.S. Law Enforcement Summary Because modern-day criminals are constantly developing new tools and techniques to facilitate their illicit activities, law enforcement is challenged with leveraging its tools and authorities to keep pace. For instance, interconnectivity and technological innovation have not only fostered international business and communication, they have also helped criminals carry out their operations. At times, these same technological advances have presented unique hurdles for law enforcement and officials charged with combating malicious actors. Technology as a barrier for law enforcement is by no means a new issue in U.S. policing. In the 1990s, for instance, there were concerns about digital and wireless communications potentially hampering law enforcement in carrying out court-authorized surveillance. To help combat these challenges, Congress passed the Communications Assistance for Law Enforcement Act (CALEA; P.L. 103-414), which among other things, required telecommunications carriers to assist law enforcement in executing authorized electronic surveillance. The technology boundary has received renewed attention as companies have implemented advanced security for their products—particularly their mobile devices. In some cases, enhanced encryption measures have been put in place resulting in the fact that companies such as Apple and Google cannot unlock devices for anyone under any circumstances, not even law enforcement. Law enforcement has concerns over certain technological changes, and there are fears that officials may be unable to keep pace with technological advances and conduct electronic surveillance if they cannot access certain information. Originally, the going dark debate centered on law enforcement’s ability to intercept real-time communications. More recent technology changes have potentially impacted law enforcement capabilities to access not only communications, but stored data as well. There are concerns that enhanced encryption may affect law enforcement investigations, though there is limited empirical evidence. If evidence arises that investigations are hampered, policy makers may question what, if any, actions they should take. One option is that Congress could update electronic surveillance laws to cover data stored on smartphones. Congress could also prohibit the encryption of data unless law enforcement could still access the encrypted data. They may also consider enhancing law enforcement’s financial resources and manpower, which could involve enhancing training for existing officers or hiring more personnel with strong technology expertise. Some of these options may involve the application of a “back door” or “golden key” that can allow for access to smartphones. However, as has been noted, “when you build a back door ... for the good guys, you can be assured that the bad guys will figure out how to use it as well.” This is the tradeoff. Policy makers may debate which—if either—may be more advantageous for the nation on the whole: increased security coupled with potentially fewer data breaches and possibly greater impediments to law enforcement investigations, or increased access to data paired with potentially greater vulnerability to malicious actors. Congressional Research Service Encryption and Evolving Technology: Implications for U.S. Law Enforcement Contents The Technology Boundary: A Perennial Issue................................................................................. 1 Communications Assistance for Law Enforcement Act (CALEA) ........................................... 2 Crypto Wars............................................................................................................................... 3 Law Enforcement Use of Cell Phone Data...................................................................................... 3 Current Debate ................................................................................................................................ 5 Major Components: Communications and Stored Data ............................................................ 6 Real Time Access to Encrypted Communications .............................................................. 6 Encryption of Data Stored on Smartphones ........................................................................ 7 Going Dark or Going Forward? ...................................................................................................... 8 Evaluating a Need for Action .................................................................................................... 9 Requirements for Communications and Stored Data Access ............................................ 10 Law Enforcement Tools .................................................................................................... 10 Law Enforcement Capabilities ........................................................................................... 11 Figures Figure 1. Authorized Wiretaps Encountering Encryption, 2014...................................................... 5 Contacts Author Contact Information ........................................................................................................... 11 Congressional Research Service Encryption and Evolving Technology: Implications for U.S. Law Enforcement Fast-changing technology creates a challenging environment for crime-fighting.1 According to former Attorney General Eric Holder, “[r]ecent technological advances have the potential to greatly embolden online criminals, providing new methods ... to avoid detection.”2 Technology is a two faced creature. On the one hand, it has enhanced the speed and ease of communication and legitimate business, providing a bridge across international borders. On the other, it has opened the doors for potential exploitation by a range of malicious actors.3 Just as the growth of technology offers advances and challenges, so does its security. The stronger the security features of our technology, the less vulnerable the technology may be. However, if the security is sufficiently strong, the technology and its associated information may become inaccessible to legitimate law enforcement investigations. This is one aspect of the current debate surrounding smartphone and other mobile technology and security. Smartphone ownership is on the rise, with 64% of adult Americans owning a smartphone as of October 2014.4 Smartphones have become valuable targets for hackers because, in part, of the breadth of personal information they contain.5 Because of this, manufacturers regularly update their devices’ security features, and experts have encouraged consumers to take advantage of these features—such as locking smartphones with a passcode and encrypting the contents.6 One current concern is that such strong security measures could not only keep out potential malicious actors, but legitimate individuals as well, including users who forget their passcodes or law enforcement with a lawful search warrant. This report provides an overview of the perennial issue involving technology outpacing law enforcement and discusses how policy makers and law enforcement officials have dealt with this issue in the past. It discusses the current debate surrounding smartphone data encryption and how this may impact U.S. law enforcement operations. The report also discusses existing law enforcement capabilities, the debate over whether law enforcement is “going dark” because of rapid technological advances, and resulting issues that policy makers may consider. The Technology Boundary: A Perennial Issue Technology as a boundary for law enforcement is by no means a new issue in U.S. policing. In the 1990s, for instance, there were concerns that increasing adoption of technologies such as digital communications and encryption could hamper law enforcement’s ability to investigate crime. More specifically, concerns have been whether these technologies could interfere with surveillance or the interception and understanding of certain communications. 1 CRS Report R41927, The Interplay of Borders, Turf, Cyberspace, and Jurisdiction: Issues Confronting U.S. Law Enforcement, by Kristin Finklea. 2 U.S. Department of Justice, “Remarks by Attorney General Holder at the Biannual Global Alliance Conference Against Child Sexual Abuse Online,” press release, September 30, 2014. 3 See, for example, National Crime Prevention Council, Evolving With Technology; Reese Jones, “Criminals and Terrorists in a Borderless, Technological Arms Race,” Forbes, July 14, 2012; and CRS Report R41927, The Interplay of Borders, Turf, Cyberspace, and Jurisdiction: Issues Confronting U.S. Law Enforcement, by Kristin Finklea. 4 PewResearch, Mobile Technology Fact Sheet, January 2014. This is up from 35% of American adults owning smartphones in May 2011, according to PewResearch, Device Ownership Over Time, October 2014. 5 Kaspersky Lab and INTERPOL, Mobile Cyber Threats, October 2014. 6 Roberto Baldwin, “Don't Be Silly. Lock Down and Encrypt Your Smartphone,” Wired, October 26, 2013. Congressional Research Service 1 Encryption and Evolving Technology: Implications for U.S. Law Enforcement Communications Assistance for Law Enforcement Act (CALEA) In the 1990s, there were “concerns that emerging technologies such as digital and wireless communications were making it increasingly difficult for law enforcement agencies to execute authorized surveillance.”7 Specifically, the Government Accountability Office (GAO; then, the General Accounting Office) cited the increasing use of digital, including cellular, technologies in public telephone systems as one factor potentially inhibiting the Federal Bureau of Investigation’s (FBI’s) wiretap capabilities.8 Congress passed the Communications Assistance for Law Enforcement Act (CALEA; P.L. 103414) to help law enforcement maintain its ability to execute authorized electronic surveillance in a changing technology environment. Among other things, CALEA requires that telecommunications carriers assist law enforcement in executing authorized electronic surveillance. There are several notable caveats to this requirement, however:   Law enforcement and officials are not authorized to require telecommunications providers (as well as manufacturers of equipment and providers of support services) to adopt “specific design of equipment, facilities, services, features, or system configurations.” Similarly, officials may not prohibit “the adoption of any equipment, facility, service, or feature” by these entities.9 Telecommunications carriers are not responsible for “decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.”10 A decade after the passage of CALEA, federal law enforcement officials were again concerned that their ability to conduct electronic surveillance was constrained because of constantly emerging technologies. Not all telecommunications providers had implemented CALEAcompliant intercept capabilities. As such, the Department of Justice (DOJ), FBI, and Drug Enforcement Administration (DEA) filed a Joint Petition for Expedited Rulemaking asking the Federal Communications Commission to extend CALEA provisions to a wider breadth of telecommunications providers.11 Subsequently, the FCC administratively expanded CALEA’s requirements to apply to both broadband and VoIP providers.12 Notably, CALEA is not viewed as applying to email or data while stored on smartphones and similar mobile devices. Reportedly, there has been “intense debate” about whether it should be expanded to cover this content.13 For instance, there have been reports over the past several years 7 Federal Communications Commission, Communications Assistance for Law Enforcement Act, January 8, 2013. U.S. General Accounting Office, FBI: Advanced Communications Technologies Pose Wiretapping Challenges, IMTEC-92-68BR, July 17, 1992. 9 42 U.S.C. § 1002(b)(1). 10 42 U.S.C. § 1002(b)(3). 11 It was expanded to cover facilities-based broadband Internet access and interconnected Voice over Internet Protocol (VoIP) providers. Joint Petition for Expedited Rulemaking from United States Department of Justice, Federal Bureau of Investigation, and Drug Enforcement Administration to Federal Communications Commission, March 10, 2004. “Interconnected” VoIP services are those that, among other things, use the Public Switched Telephone Network. See 47 C.F.R. § 9.3. 12 Federal Communications Commission, Second Report and Order and Memorandum Opinion and Order, ET Docket No. 04-295, May 3, 2006. For more information on CALEA and its administrative changes, see archived CRS Report RL30677, The Communications Assistance for Law Enforcement Act, by Patricia Moloney Figliola. 13 David E. Sanger and Brian X. Chen, “Signaling Post-Snowden Era, New iPhone Locks Out N.S.A.,” The New York (continued...) 8 Congressional Research Service 2 Encryption and Evolving Technology: Implications for U.S. Law Enforcement that the Administration has considered legislative proposals to amend CALEA to apply to a wider range of communications service providers such as social networking companies.14 Crypto Wars Also in the 1990s, what some have dubbed the “crypto wars” pitted the government against data privacy advocates in a debate surrounding the use of data encryption.15 This tension was highlighted by the federal investigation of Philip Zimmermann, the creator of Pretty Good Privacy (PGP) encryption software, the most widely used email encryption platform.16 When PGP was released, it “was a milestone in the development of public cryptography. For the first time, military-grade cryptography was available to the public, a level of security so high that even the ultra-secret code-breaking computers at the National Security Agency could not decipher the encrypted messages.”17 When someone released a copy of PGP on the Internet, it proliferated, sparking a federal investigation into whether Zimmerman was illegally exporting cryptographic software (then considered a form of “munitions” under the U.S. export regulations) without a specific munitions export license. Ultimately the case was resolved without an indictment. Courts have since been presented with the question of how far the First Amendment right to free speech protects written software code—which includes encryption code.18 Law Enforcement Use of Cell Phone Data As cell phone—and now smartphone—technology has evolved, so too has law enforcement use of the data generated by and stored on these devices. As cell phones have advanced from being purely cellular telecommunications devices into mobile computers that happen to have cell phone capabilities, the scope of data produced by and saved on these devices has morphed. In addition to voice communications, this list can include   call detail records, including cell phone records that indicate which cell tower was used in making or receiving a call;19 Global Positioning System (GPS) location points, stored both on the device and in some of its applications, indicating the location of a particular device; (...continued) Times, September 26, 2014. 14 Ellen Nakashima, “Administration Seeks Ways to Monitor Internet Communications,” The Washington Post, September 27, 2010. 15 http://fortune.com/2014/09/27/apple-and-the-fbi-re-enact-the-90s-crypto-wars/; http://archive.wired.com/wired/ archive/5.05/cyber_rights_pr.html. The term, “crypto wars,” has been used by the Electronic Frontier Foundation to describe this debate. 16 Robert J. Stay, “Cryptic Controversy: U.S. Government Restrictions on Cryptography Exports and the Plight of Philip Zimmermann,” Georgia State University Law Review, vol. 13, no. 2 (1996), Article 14. See also John Markoff, “Federal Inquiry on Software Examines Privacy Programs,” The New York Times, February 21, 1993. 17 Robert J. Stay, “Cryptic Controversy: U.S. Government Restrictions on Cryptography Exports and the Plight of Philip Zimmermann,” Georgia State University Law Review, vol. 13, no. 2 (1996), Article 14, pp. 584-585. 18 Bernstein v. U.S. Department of Justice; https://www.eff.org/deeplinks/2010/09/government-seeks. 19 The range of any given cell tower can vary based on a variety of factors. See, for instance, “What is a Cell Tower’s Range?” The Washington Post, June 27, 2014. See also Tom Jackman, “Experts Say Law Enforcement’s Use of Cellphone Records Can Be Inaccurate,” The Washington Post, June 27, 2014. Congressional Research Service 3 Encryption and Evolving Technology: Implications for U.S. Law Enforcement   data—such as email, photos, videos, and messages—stored directly on a mobile device; data backed up to the “cloud” and stored off a mobile device. Cell phones “are potentially rich sources of evidence” for law enforcement.20 Where these data are stored varies based on factors such as default smartphone settings, users’ personalized settings, and telecommunications providers’ policies. When law enforcement accesses, or attempts to access this information, it is often gathered through authorized wiretaps or search warrants. It’s not always clear, however, exactly how often law enforcement gathers or relies upon these data in their investigations. Data exist on the number of wiretap requests and intercept orders21 that are issued in investigations of felonies as well as on how often law enforcement encounters encryption in carrying out these orders. These data provide a snapshot of law enforcement use of wiretaps and possible encryption barriers.    In 2014, judges authorized 3,554 wiretaps, of which about 36% (1,279 orders) were under federal jurisdiction.22 Notably, 96% (3,409) of total authorized intercept orders were for portable devices.23 From the 1,279 federally authorized intercept orders, they produced an average of 5,724 intercepts, including an average of 886 “incriminating intercepts.”24 In 2001, the Administrative Office of the U.S. Courts began collecting data on whether law enforcement encountered encryption in the course of carrying out wiretaps as well as whether officials were able to overcome the encryption and decipher the “plain text” of the encrypted information.25 Law enforcement has reported encountering encryption in at least one instance each year, with the exception of 2006 and 2007.26 The first known, reported instance of an authorized wiretap being stymied by encryption came in 2011.27 In 2014, there were 4 such instances—lower than the 10 known instances from 2013 in which encryption foiled officials. 28 From the 3,554 total authorized wiretaps in 2014—of which 25 contained encrypted 20 Christal Chan, Glenn Kolomeitz, and Tom Ralph, et al., National Association of Attorneys General, “Mobile Devices: Challenges and Opportunities for Law Enforcement,” NAAGazette, vol. 8, no. 2. 21 Wiretap requests are submitted by law enforcement to judges, requesting permission to intercept certain wire, oral, or electronic communications. Intercept orders given by judges authorize/approve wiretap requests, which allow for law enforcement to take measures to intercept these communications, as authorized under 18 U.S.C. § 2510-2522. 22 Administrative Office of the U.S. Courts, Wiretap Report 2014. The federal statute authorizing wire, oral, or electronic communications interception is 18 U.S.C. § 2510-2522. Of note, 91% of federal intercept orders were granted for suspected narcotics violations. These data do not include those interceptions of wire, oral, or electronic communications that are regulated by the Foreign Intelligence Surveillance Act of 1978. 23 Administrative Office of the U.S. Courts, Wiretap Report 2014. 24 Administrative Office of the U.S. Courts, Wiretap Report 2014, Table 4. These incriminating intercepts may produce evidence implicating an individual in criminal activity. 25 These data are reported pursuant to P.L. 106-197, the Continued Reporting of Intercepted Wire, Oral, and Electronic Communications Act. 26 Administrative Office of the U.S. Courts, Wiretap Report Archive. 27 This was reported as part of the U.S. Courts Wiretap Report 2012. Information provided to CRS by the Administrative Office of the U.S. Courts. 28 In 2013, there were nine reported instances of officials being stymied by the encryption. In 2014, one additional instances (that had occurred in 2013) was reported. Information provided to CRS by the Administrative Office of the U.S. Courts. Congressional Research Service 4 Encryption and Evolving Technology: Implications for U.S. Law Enforcement communications—officials could not decipher the plain text in 4 instances (or 0.11% of authorized wiretaps).29 Notably, these numbers relate to lawful wiretaps of certain suspected or actual criminal offenses, as authorized by Title III of the Omnibus Crime Control and Safe Streets Act of 1968.30 The data do not include wiretaps as authorized by the Foreign Intelligence Surveillance Act of 1978 (FISA)—the law which authorizes surveillance primarily of foreign intelligence and international terrorism threats. See Figure 1 for an illustration of the 2014 data. As noted, law enforcement has reported encountering encryption nearly every year since 2001, though law enforcement has only encountered encryption it could not circumvent since 2011. The number of instances in which this has occurred, however, has fluctuated and has been relatively low, such that analysts cannot make claims as to whether or not this number is on a specific trajectory. The presence of reported surveillance attempts wherein encryption could not be circumvented by law enforcement may have contributed to claims that advances in encryption have outpaced law enforcement’s (and others’) ability to crack it. Current Debate Figure 1. Authorized Wiretaps Encountering Encryption, 2014 Source: Administrative Office of the U.S. Courts, Wiretap Report 2014. Notes: These data do not include those interceptions of wire, oral, or electronic communications that are authorized by the Foreign Intelligence Surveillance Act of 1978. In September 2014, Apple released a major update to its mobile operating system, iOS 8. In the accompanying privacy policy, Apple noted that personal data stored on devices running iOS 8 are protected by the user’s passcode. Moreover, the company stated, “Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”31 The company has also stated with respect to certain communications—namely, iMessage and FaceTime—that “Apple has no way to decrypt iMessage and FaceTime data when it’s in transit between devices ... Apple doesn’t scan your communications, and we wouldn’t be able to comply with a wiretap order even if we wanted to.”32 Similarly, Google’s Android 5.0 mobile operating system, which launched in November 2014, includes default privacy protections such as automatic encryption of data that is protected by a passcode.33 When devices running Android 5.0 are locked, data on them are only accessible by 29 Administrative Office of the U.S. Courts, Wiretap Report 2012. Administrative Office of the U.S. Courts, Wiretap Report 2013. There were also 52 encryption instances newly reported for 2012, though law enforcement was able to decipher all of these. 30 18 U.S.C. § 2516. 31 Apple, “Privacy: Government Information Requests,” as of the date of this report. 32 Apple, “Privacy: Privacy Built In,” as of the date of this report. 33 Android Official Blog, “A Sweet Lollipop, With a Kevlar Wrapping: New Security Features in Android 5.0,” October 28, 2014. Congressional Research Service 5 Encryption and Evolving Technology: Implications for U.S. Law Enforcement entering a valid password, to which Google does not have a key. Thus, like Apple, Google is not able to unlock encrypted devices.34 Apple’s Elimination of a Back Door Enhanced data encryption, in part a response to privacy concerns following Edward “Key” Snowden’s revelations of mass government In earlier versions of Apple’s mobile operating system— prior to iOS 8—Apple maintained a “key” that allowed surveillance, has opened the discussion on the company to unlock any device without the passcode. how this encryption could impact law As such, when presented with a search warrant or a enforcement investigations.35 Law wiretap order, Apple had the ability to unlock devices for enforcement officials have likened the new law enforcement. While this back door key was able to encryption to “a house that can't be searched, assist in legitimate law enforcement investigations, it was also vulnerable to exploitation by hackers, criminals, and or a car trunk that could never be opened.”36 others. iOS 8 enhanced automatic encryption and There have been concerns that malicious eliminated the back door key. Along with this was the actors, from savvy criminals to terrorists to elimination of Apple’s ability to unlock the device for nation states, may rely on this very encryption anyone under any circumstance. to help conceal their illicit activities. There is also concern that law enforcement may not be able to bypass the encryption, their investigations may be stymied, and criminals will operate above the law. Critics of these concerns contend that law enforcement maintains adequate tools and capabilities needed for their investigations.37 Major Components: Communications and Stored Data Developments in encryption—and companies’ implementation of enhanced data protections— have reinvigorated the debate regarding the balance between privacy needs and information access. Most recently, the conversation has largely been in the context of smartphones and mobile devices. These devices present a unique discussion point because they bridge the realms of communications and stored data. Real Time Access to Encrypted Communications CALEA requires that telecommunications carriers (including broadband Internet access and VoIP providers) assist law enforcement in executing authorized electronic surveillance of real time communications. However, some developments in the communications landscape have allowed some communications to be exempt from being wiretap-ready, as is otherwise mandated by CALEA.  First, some companies, for instance Apple, have implemented text messaging systems—Apple’s is the iMessage—that are not readable by telecommunications (or broadband or VoIP) providers. Therefore, these communications fall outside of CALEA mandates. 34 Craig Timberg, “Newest Androids Will Join iPhones in Offering Default Encryption, Blocking Police,” The Washington Post, September 18, 2014. 35 See, for example, Pamela Brown and Evan Perez, “FBI Tells Apple, Google Their Privacy Efforts Could Hamstring Investigations,” CNN, October 12, 2014. 36 Devlin Barrett and Danny Yadron, “New Level of Smartphone Encryption Alarms Law Enforcement,” The Wall Street Journal, September 22, 2014. 37 See, for example, Ken Gude, “The FBI Is Dead Wrong: Apple’s Encryption Is Clearly in the Public Interest,” Wired, October 17, 2014. Congressional Research Service 6 Encryption and Evolving Technology: Implications for U.S. Law Enforcement  Also, Apple has implemented end-to-end encryption of messages sent through the iMessage system between Apple devices and does not maintain a key to decrypt these messages. CALEA exempts from its requirements encrypted communications for which telecommunications carriers (as well as manufacturers and service providers such as Apple) do not have a key.38 As evolving technology changes how communication takes place, not all communications may be readily accessible to law enforcement, regardless of whether law enforcement presents a warrant for a wiretap.39 If technology companies do not retain the ability to decrypt certain communications, they, in turn, may be unable to help law enforcement conduct court-authorized electronic surveillance of these communications. Encryption of Data Stored on Smartphones In addition to encryption’s effect on access to communications data generated and received by smartphones, encryption also directly affects access to data stored on these mobile devices (as well as data stored elsewhere that may be retrieved via the mobile device). If companies like Apple and Google provide for encryption of data on locked mobile devices—and do not maintain the keys to unlock these devices—the companies may be unable to assist law enforcement in carrying out court-authorized searches of content stored on the device—even if the police possess a warrant.40 As these companies have noted, because they cannot break the encryption of a locked device, they also cannot provide decrypted information to authorities. Some have questioned how challenges for police in cracking encryption to obtain information on smartphones compare to those in obtaining information stored in other types of containers such as home safes and safe deposit boxes. Master Keys Technology companies like Apple and Google are not required under federal law to maintain a key to unlock the encryption of their devices sold to consumers. If they did maintain a key, however, they may be required to provide this key to unlock devices for law enforcement presenting a valid search warrant. Similarly, safe manufacturers are not required under federal law to maintain the combination or key to safes sold to consumers. However, if manufacturers voluntarily maintained such a master key, they, too, may be required to provide assistance to law enforcement to access the safe. In addition, if law enforcement presents a warrant to search an individual’s safe deposit box, a bank may assist law enforcement by providing a master key for the box.41 38 Notably, if a message is sent between an Apple device and a non-Apple device, law enforcement may be able to intercept it because (1) it would involve a telecommunications carrier on the end of the non-Apple device and (2) the message may not be encrypted on the end of the non-Apple device. 39 Generally, law enforcement needs a warrant to execute a wiretap. 40 Notably, while law enforcement generally does not need a warrant to search items found on suspects at the time of arrest, the Supreme Court (in Riley v. California) has ruled that this exception does not apply to digital information on cell phones; police need a warrant to search these devices. See Riley v. California, 13-132 (2013). See also CRS Legal Sidebar WSLG987, Supreme Court Says “Get a Warrant” Before Searching Cell Phones, by Richard M. Thompson II. 41 Instances of this assistance exist. See, for example, United States v. Scolnick, United States Court of Appeals Third Circuit. Congressional Research Service 7 Encryption and Evolving Technology: Implications for U.S. Law Enforcement Cryptanalytic Attack Since some companies may not retain a key to open a locked mobile device, one option for law enforcement in attempting to obtain information on a device for which they have a valid search warrant may be to use a cryptanalytic attack. One such form of cryptanalytic attack has been referred to as “brute force.”42 Using this method, law enforcement would likely use software to try every possible combination of keys in an attempt to unlock the device. The success of this method may depend, among other things, on the amount of time available to try and unlock a device and on the number of keys used in the passcode. FBI Director Comey has cited barriers to law enforcement relying upon brute force tactics to break encryption. One challenge he has noted is increasingly advanced encryption techniques that even “supercomputers” may not be able to crack. In addition, “some devices have a setting whereby the [data] is erased if someone makes too many attempts to break the password, meaning no one can access that data.”43 Just as police may use brute force to try and break encryption when executing a search warrant, they are authorized to break other locks—such as those to physical buildings—in order to carry out a lawful search with a warrant. The Supreme Court has noted that “[i]t is well established that law officers constitutionally may break and enter to execute a search warrant where such entry is the only means by which the warrant effectively may be executed.”44 Going Dark or Going Forward? As modern technology has developed, there has arguably been an evolving gap between law enforcement’s investigative authorities and capabilities to carry out authorized activities. This is not a new phenomenon; rather, as experts have noted, “[l]aw enforcement has been complaining about ‘going dark’ for decades now.”45 The FBI, for instance, established a Going Dark initiative in an attempt to maintain law enforcement’s ability to conduct electronic surveillance in a rapidly changing technology environment.46 Originally, the “going dark” debate centered on law enforcement’s ability to intercept real-time communications. As communications technologies evolved, so did questions about whether or how law enforcement could work within existing electronic surveillance laws to carry out courtauthorized surveillance on real time communications. Experts, officials, and stakeholders debated whether certain laws such as CALEA should be expanded to require additional entities—such as all VoIP and Internet service providers—to assist law enforcement in accessing this real-time information. The most recent encryption enhancements by companies like Apple and Google “highlight the continuing challenge for law enforcement in responding to new technologies. Other innovations, such as texting, instant messaging and videogame chats, created hurdles to 42 See Matt Curtin, Brute Force: Cracking the Data Encryption Standard (Springer Science & Business Media, 2007). See also Jeremy Kirk, “Four-Digit Passcodes are a Weak Point in iOS 8 Data Encryption,” ComputerWorld, October 8, 2014. 43 Federal Bureau of Investigation, “James B. Comey, FBI Director, before the Brooking Institution, Going Dark: Are Technology, Privacy, and Public Safety on a Collision Course?,” press release, October 16, 2014. 44 Dalia v. United States, 441 U.S. 238, 247, 99 S. Ct. 1682, 1688, 60 L. Ed. 2d 177 (1979). See also 18 U.S.C. § 3109. 45 Bruce Schneier, “Stop the Hysteria Over Apple Encryption,” Schneier on Security, October 3, 2014. 46 Electronic Frontier Foundation, Expanding CALEA and Electronic Surveillance Laws, FBI “Going Dark” FOIA Documents – Release 1, Part 1, https://www.eff.org/document/fbi-going-dark-foia-documents-release-1-part-1. The FBI’s FY2010 budget request specified an “Advanced Electronic Surveillance, otherwise known as the FBI’s Going Dark Program. This program supports the FBI’s electronic surveillance (ELSUR), intelligence collection and evidence gathering capabilities, as well as those of the greater Intelligence Community (IC).” Congressional Research Service 8 Encryption and Evolving Technology: Implications for U.S. Law Enforcement monitoring communication,” though some contend that law enforcement has found means to overcome many of these technological challenges.47 Others, however, are concerned about law enforcement’s ability to keep pace with advancing technology, particularly “the expansion of online communication services that—unlike traditional and cellular telephone communications— lack intercept capabilities because they are not required by law to build them in.”48 Concerns over “going dark” have become two–pronged. More recent technology changes have potentially impacted law enforcement capabilities to access not only communications, but stored data. As a result, current law enforcement concerns around “going dark” now involve how, in practice, encryption of stored data, as currently implemented by technology companies may affect law enforcement investigations. Analysts have not yet seen data on whether or how encryption has affected law enforcement access to stored data or influenced the outcome of cases. In the past, Congress has requested that similar information be collected and reported. P.L. 106-197 required the Administrative Office of the U.S. Courts to report on whether law enforcement encountered encryption in the course of carrying out wiretaps, as well as whether officials were prevented from deciphering the “plain text” of the encrypted information. While current data collection and reporting requirements on encryption relate to real time communications, policy makers may debate the potential utility of asking law enforcement to report on encryption relating to stored data as well. While some contend that law enforcement is “going dark,” others have argued that law enforcement and intelligence agencies are in a “golden age of surveillance,” with more robust surveillance capabilities.49 They contend that police access to location data, information about individuals’ contacts, and a host of websites that collectively create “digital dossiers” on a person all enhance law enforcement surveillance.50 Those who see the current technology environment as a golden age of surveillance may believe that, while technology advances (such as encryption) may slow or stymie law enforcement access to certain information, these advances can also create alternate opportunities for information access that law enforcement can learn to harness. Evaluating a Need for Action If there is evidence that investigations are hampered or that lives are at risk because of law enforcement’s inability to access critical encrypted information, will there need to be some sort of compromise between law enforcement and the technology industry?51 What might be the congressional role? Policy makers may weigh whether aiding federal law enforcement will involve incentives or requirements for communications and technology companies to provide specified information to law enforcement, enhanced investigative tools, bolstered financial and manpower resources to help law enforcement better leverage existing authorities, or combinations of these and other options. 47 Devlin Barrett and Danny Yadron, “New Level of Smartphone Encryption Alarms Law Enforcement,” The Wall Street Journal, September 22, 2014. 48 Ellen Nakashima, “Proliferation of New Online Communications Services Poses Hurdles for Law Enforcement,” The Washington Post, July 26, 2014. 49 Peter Swire and Kenesa Ahmad, ‘Going Dark’ Versus a ‘Golden Age for Surveillance’, Center for Democracy and Technology, November 28, 2011. 50 Ibid. 51 Editorial Board, “Compromise Needed on Smartphone Encryption,” The Washington Post, October 3, 2014. Congressional Research Service 9 Encryption and Evolving Technology: Implications for U.S. Law Enforcement Requirements for Communications and Stored Data Access In debating law enforcement’s need to access certain real time communications and stored data, Congress could move to update CALEA and related laws to cover a broader range of communications and data. Currently, requirements under CALEA apply to telecommunications carriers as well as facilities-based broadband Internet access and interconnected Voice over Internet Protocol (VoIP) providers. Proposals have reportedly been floated that would extend CALEA requirements to apply to a wider range of technology services and products such as instant messaging, video game chats, and real-time video communications like Skype.52 Proponents of expanding CALEA mandates may believe that it would enhance law enforcement’s abilities to carry out existing authorities to intercept real time communications. Opponents to CALEA expansion proposals, however, may contend that mandating other communications services and technology manufacturers to build in intercept capabilities could be costly, both financially and in terms of security. Financially, companies may need to dedicate resources to reengineer their products; they may need to add or allocate personnel to liaise with law enforcement to facilitate wiretap requests. On the security front, companies would necessarily need to build in a “back door” to allow for authorized access, and any means of access necessarily opens the doors to exploitation. If policy makers are interested in requiring The Back Door Tradeoff technology companies to assist law Back doors, also referred to as front doors or golden keys, are essentially holes in security. They can be in enforcement carry out authorized surveillance systems intentionally or unintentionally. As experts have and searches, legislators may consider options noted, “[w]hen you build a back door ... for the good other than amending CALEA. One such guys, you can be assured that the bad guys will figure out option may be to directly mandate that how to use it as well.”53 This is the tradeoff. Policy technology companies build in “back door” makers may debate which is more advantageous for the nation on the whole: (1) increased security coupled with access for law enforcement into specified potentially fewer data breaches and possibly greater communications products sold in the United impediments to law enforcement investigations, or (2) States. One unintended consequence of this increased access to data paired with potentially greater could be that U.S. consumers, in search of vulnerability to malicious actors. privacy, might buy more products from overseas, and consumers outside the United States might decline to buy certain U.S. products that conform with these requirements. Law Enforcement Tools While placing requirements on technology companies may be one route to assisting law enforcement, policy makers may also debate options that could enhance the tools available to law enforcement. These could include making it a crime for an individual (when presented with a court authorized warrant) to fail to turn over his passcode or other information that would allow law enforcement to decrypt a given device. However, those in support of encryption note that a search warrant is “an instrument of permission, not compulsion.”54 In other words, individuals need not proactively reveal or open hiding places for investigators presenting a search warrant. 52 See, for example Ben Adida, Collin Anderson, and Annie Anton, et al., “CALEA II: Risks of Wiretap Modifications to Endpoints,” May 17, 2013. 53 John Backus, “Commentary: Don't Let the FBI Wiretap Your Smartphone Apps,” The Washington Post, July 7, 2013. 54 Kevin Poulsen, “Apple’s iPhone Encryption is a Godsend, Even if Cops Hate It,” Wired.com, October 8, 2014. Congressional Research Service 10 Encryption and Evolving Technology: Implications for U.S. Law Enforcement Additionally, judges may in some cases be able to hold individuals in contempt for failure to turn over information that would help law enforcement unlock certain electronic devices. Although technology companies like Apple and Google may not have the ability to unlock and thus reveal some information stored on locked, encrypted smartphones, they generally retain the ability to turn over information on unencrypted communications and data stored off the devices in locations such as the “cloud.”55 As such, some supporting encryption may contend that regardless of what data in motion may be encrypted or what data is encrypted on locked devices, law enforcement still has effective tools to retrieve digital data. Encryption proponents may also suggest that stronger digital security could benefit law enforcement by helping prevent malicious activity, including hacks and data breaches. Law Enforcement Capabilities Combating malicious actors (including cybercriminals and those who exploit technology to conceal their crimes) is an issue that cuts across the investigative, intelligence, prosecutorial, and technological components of law enforcement. Because clear data on how technological advances such as enhanced encryption of communications and stored data on mobile devices may impact law enforcement capabilities to combat these bad actors do not exist, policy makers may be hesitant to take any significant legislative actions to “fix” a problem of an unknown magnitude. Even if policy makers believe there is a significant problem with law enforcement’s ability to carry out authorized activities, they may debate whether expanding requirements for certain technology companies and communications services or adding to law enforcement’s toolbox of authorities may be the more appropriate options. Some have argued that another option may be to enhance law enforcement’s financial resources and manpower. This could involve enhancing training for existing officers or hiring individuals with bolstered technology expertise. Author Contact Information Kristin Finklea Specialist in Domestic Security kfinklea@crs.loc.gov, 7-6259 55 This ability is subject to various statutory restrictions and may depend on the location of the server. Congressional Research Service 11