Comments on DOJ's "Cyber-Digital Task Force" Report

Earlier this month, the Department of Justice’s “Cyber-Digital Task Force” released a report “assess[ing] the Department’s work in the cyber area.” The report, which runs over 150 pages, covers a broad range of topics. Among these, in the “Looking Ahead” chapter, is “Going Dark”: DOJ’s name for a constellation of issues that render the government “unable to obtain critical information in an intelligible and usable form (or at all),” primarily encryption (and default encryption in particular).

The report devotes three pages to Going Dark, and concludes with a list of seven recommended efforts DOJ should undertake to address Going Dark’s “vexing” challenges. I’m going to list all seven, but only comment on two, since I and others have already commented on some of the other bullet points here (and because longtime readers can probably guess what I have to say about most of these anyway).

  1. Considering whether legislation to address encryption (and all related service provider access) challenges should be pursued
  2. Coordinating with international law enforcement counterparts to better understand the international legal, operational, and technical challenges of encryption
  3. Collecting accurate metrics and case examples that demonstrate the scope and impact of the problem
  4. Working to use technical tools more robustly in criminal investigations
  5. Insisting that providers comply with their legal obligations to produce all information in their possession called for by compulsory process, and holding them accountable when they do not
  6. Working with State and local partners to understand the challenge from their perspective and to assist them technologically in significant cases
  7. Reaching out to academics, industry, and technologists to fully understand the implications and possibilities for lawful access solutions

Now, on to the two items I wanted to discuss: numbers 2 and 5.

  2. Coordinating with international law enforcement counterparts to better understand the international legal, operational, and technical challenges of encryption

This is an idea that could be very fruitful but could also turn out deeply counterproductive. While I support such a collaborative approach in theory (at least with regard to other democratic governments), I fear that DOJ will end up creating an echo chamber of only other countries whose governments have adopted anti-encryption stances. Why do I think this is likely? Check out the full page the report devotes to a “Going Dark” graphic: it features photos and anti-encryption quotes by the UK’s Amber Rudd and Australia’s Angus Taylor—governments that have both been hostile to encryption—alongside photos and quotes from Pres. Obama, former FBI Director Louis Freeh, and current Director Chris Wray. No other foreign government is featured.

Any good-faith outreach by DOJ to its foreign counterparts must also include countries that have come out in support of strong encryption and against mandates to weaken it. Those include the Netherlands and (to some extent) Germany. At the EU level, as explained in a recent policy brief from a “pan-European” think tank, Europol (the EU’s law enforcement agency) and ENISA (its security agency) have “highlighted the benefits of strong encryption” and “came out against backdoors and key escrow.” In addition, LIBE (the European Parliament’s committee on civil liberties, justice, and home affairs) issued a report that backed strong encryption and opposed backdoors, which the policy brief states “could end up pressuring EU governments to abolish any ideas on backdoors and key escrow.”

These other perspectives, which diverge sharply from the UK/Australia anti-crypto line, are found nowhere in that full-page graphic. If DOJ actually listens to these EU-level and Member State-level officials and agencies, it might learn why they believe it is feasible and preferable to carry out their public safety missions without mandating weakened encryption. It might learn why so many European countries’ law enforcement agencies told the European Parliament that they want more resources and tools to deal with the challenge of accessing evidence despite encryption, not new anti-crypto legislation.

Leaving those perspectives out will only lead to DOJ’s holding up a cherry-picked batch of anti-crypto viewpoints as universal consensus. That would be misleading to the American public, unhelpful to our law enforcement relationships with Holland, Europol, et al., and would lend credibility to the oppressive, undemocratic regimes around the world that also oppose strong encryption.

  5. Insisting that providers comply with their legal obligations to produce all information in their possession called for by compulsory process, and holding them accountable when they do not

This list item is a non sequitur that puzzles me. DOJ’s complaints vis-à-vis encryption usually pertain to (1) the contents of a user’s encrypted smartphone, or (2) end-to-end encrypted communications in transit “on the wire.” Neither of those is “information in providers’ possession,” a term which sounds to me like it should mean information that is stored in providers’ custody or control. So where did this issue come from? Why is it in a list that’s otherwise about encryption and encryption workarounds?

While this topic is orthogonal to DOJ’s concerns about encryption, the first part of the “Going Dark” section of the report does also list “provider compliance (or absence thereof)” as one of the other issues, besides encryption, in the “Going Dark” constellation. But that doesn’t explain this list item either, because as far as I know, it’s not an actual problem. That is for three reasons: (1) Where providers have the data DOJ seeks, they comply with the demand; (2) where they have it but don’t comply, it’s because it’s not clear that the law requires it; and (3) where they don’t have the data, there’s no law saying they’re supposed to have it.

First: Providers do “comply with their legal obligations.” They routinely disclose responsive information about a user to law enforcement when served with the proper legal process. Their transparency reports prove as much. They do just what DOJ says it will “insist” that they do. True, they typically do encrypt the information they store “in their possession” on behalf of their users (e.g., emails, cloud storage). But they do so in a form that still allows the provider to hand over that information to law enforcement in legible form. Encryption poses no impediment here. There simply is no epidemic of lawless providers just plain ignoring their legal duties. So where’s the “non-compliance” problem?

Second: When providers have not disclosed user data in their possession in response to legal process, it has not been because they are lawless rogues. Their transparency reports explain some reasons why they push back upon some of the legal process they receive. Sometimes it’s because they had a good-faith belief that the law, as they interpreted it, did not require the disclosure. And sometimes legislatures and judges have vindicated that belief.

A recent example is the Microsoft Ireland case about the scope of the Stored Communications Act’s (SCA’s) warrant provision. Microsoft pushed back against an SCA warrant for user data that Microsoft stored abroad, arguing that the SCA didn’t have extraterritorial reach. The case went all the way up to the Supreme Court, but was rendered moot by the enactment of the CLOUD Act earlier this year. That law was supposed to be a fix for another of the “Going Dark” constellation of issues the report lists—“foreign-stored data”—by giving U.S. law enforcement a clear path to obtain such data. The law’s passage showed that Microsoft’s argument wasn’t frivolous; there really was an ambiguity in the SCA about what Microsoft’s “legal obligations” were. Microsoft and other major providers (Apple, Google, Facebook, and Yahoo parent company Oath) all supported the CLOUD Act—hardly the attitude you’d expect if they were rampantly “non-compliant” with their legal duties.

Another example is DOJ’s 2015 attempt to use the All Writs Act to try to force Apple to unlock an encrypted iPhone (back when Apple still had the ability to do so, which it no longer has). A federal judge ruled in early 2016 that the AWA doesn’t actually authorize such a demand, siding with Apple’s take on the issue. That is, he held that there was no “legal obligation” on Apple that DOJ could “insist” Apple comply with and that Apple could be “held accountable” for flouting. That’s why DOJ included item #1 on its list: “legislation to address encryption” that would clearly impose an obligation (like the CLOUD Act did). Item #1 is an implicit acknowledgement that no such law currently exists. So what present-day “legal obligations” does DOJ think there are?

Third: As the report acknowledges, often providers simply do not retain data DOJ wants, or they do but it “is not retained long enough to be useful” to DOJ. The report bemoans “the lack of any uniform data retention standards or requirements for service providers,” complaining that “there are few rules governing most providers’ retention of data in the normal course.” Again, DOJ is admitting that there is no “legal obligation” that providers must comply with but aren’t. If they don’t have “information in their possession” at the time compulsory process is served on them, they aren’t being “non-compliant.” They are within their rights and they can’t be “held accountable” for retention choices that are entirely legal. Again: What problem is this list item trying to solve?

The report’s seven-point list of future efforts it recommends DOJ undertake on “Going Dark” is a mixed bag. It suggests that the Department may not have a clear grasp of the exact nature and size of the various problems within the “Going Dark” “array of issues.” The report concludes by noting that these are “complex issues” and that they are “another Department priority” within the greater landscape of “cyber-digital” topics. But the report contains some troubling indications that suggest DOJ may not be considering all the perspectives and options that are out there for dealing with “Going Dark” challenges. A comprehensive, good-faith approach to these complicated issues is imperative if DOJ is serious about moving forward.

UPDATE 7/25/2018: Ask and ye shall receive! A brand-new report from the Center for Strategic & International Studies (CSIS) describes the results of surveys and interviews with members of federal, state, and local law enforcement agencies (LEAs) as well as six major providers (Apple, Google, Microsoft, Facebook, Twitter, and Oath). Encryption was not the biggest digital-evidence challenge the survey respondents reported, contrary to what the DOJ report might lead you to believe. The #1 problem was identifying which provider would have the relevant evidence in the first place. And #2 was the issue that puzzled me about the DOJ report: provider compliance. 

So, what did the DOJ report mean when it mentioned providers' supposed non-compliance? The CSIS report gives some possible explanations, backed up with data. It reports that 25% of LEA survey respondents said the biggest problem they had was getting relevant digital evidence from providers. LE officials perceived the issues with provider compliance to be: (1) slow response times, (2) having a request rejected if the LEA didn't use the right "magic words" the provider expected, (3) suspicion that providers were "deliberately seeking to forestall lawful access," including by "failing to disclose the extent of available information," and (4) providers handing over data in "unwieldy or unstructured formats" that are not intuitive. The providers, for their part, expressed frustration as well, and "pushed back on many of the critiques from law enforcement," according to the CSIS report.

CSIS concludes that "the data supports both narratives" and suggests ways for LEAs and providers to move forward to collaborate more effectively, while still respecting users' privacy and civil liberties. "Fixing this requires effort ... on the part of both law enforcement and the providers," it says. This exhortation stands in marked contrast to the DOJ report's seven-item list, which calls for "collaboration" when dealing with other nations' LEAs, but takes a blunt-force approach of new legislation, "insistence" and punishment ("holding them accountable") when it comes to the providers. That is a counterproductive attitude, as CSIS--hardly a hotbed of tinfoil-hat anti-police zealots--has recognized here.

Overall, the CSIS report contains a number of concrete, feasible, and actionable recommendations for improving LEA access to digital evidence. It is a must-read for the DOJ Cyber-Digital Task Force, the upper echelons of DOJ at whom the task force's report was directed, and anyone whose work involves the "Going Dark" debate. 
