Wednesday, 20 April 2016

F.B.I. Says It Needs Hackers to Keep Up With Tech Companies

F.B.I. Says It Needs Hackers to Keep Up With Tech Companies

 

F.B.I. Official Testifies About Privacy

A senior F.B.I. official told Congress members that she thinks the government generally should not use third-parties to aid in the hacking of phones, but that the agency must decide on a case-by-case basis.
By THE ASSOCIATED PRESS on Publish Date April 19, 2016. Photo by Zach Gibson/The New York Times. Watch in Times Video »
WASHINGTON — The F.B.I. defended its hiring of a third party to break into an iPhone used by a gunman in last year’s San Bernardino, Calif., mass shooting, telling some skeptical lawmakers on Tuesday that it needed to join with partners in the rarefied world of for-profit hackers as technology companies increasingly resist their demands for consumer information.
Amy Hess, the Federal Bureau of Investigation’s executive assistant director for science and technology, made the comments at a hearing by members of Congress who are debating potential legislation on encryption. The lawmakers gathered law enforcement authorities and Silicon Valley company executives to discuss the issue, which has divided technology companies and officials in recent months and spurred a debate over privacy and security.
The hearing follows a recent standoff between the F.B.I. and Apple over a court order to force the company to help unlock an iPhone used by one of the San Bernardino attackers. Apple opposed the order, citing harm to the privacy of its users. The F.B.I. later dropped its demand for Apple’s help when it found a third-party alternative to hack the device.
Yet that has done little to quell the controversy. The encryption debate has continued with new hearings, proposed legislation and other cases that involve locked iPhones and law enforcement demands that the devices be opened to aid investigations.
In Tuesday’s hearing, Ms. Hess did not provide details on how the F.B.I. ultimately gained access to the San Bernardino iPhone but said the agency had come to rely on private sector partners to keep up with changes in technology. She said that there was no one-stop solution and that the agency generally should not use third parties to hack into systems but lacks the expertise to break past encryption.
“These types of solutions that we may employ require a lot of highly skilled, specialized resources that we may not have immediately available to us,” Ms. Hess said.
The focus on third parties at the hearing illustrates a growing discomfort by some in Congress and in the tech industry with the use of “gray hat” hackers, who are hackers who may push the boundaries of the law and anger companies but whose intentions are not malicious.
“I don’t think relying on a third party is a good model,” said Representative Diana DeGette, a Democrat from Colorado. She questioned if the use of third-party hackers was ethical and whether it could open up greater security risks because sensitive and valuable data could be accessible to outside groups.
Ms. Hess did not answer directly when asked about whether there were ethical issues in using third-party hackers but said the bureau needed to review its operation “to make sure that we identify the risks and benefits.” The F.B.I. has been unwilling to say whom it paid to demonstrate a way around the iPhone’s internal defenses, or how much, and it has not shown Apple the technique.
Apple’s general counsel, Bruce Sewell, said at the hearing that encryption did not prevent the authorities from solving crimes.
“As you heard from our colleagues in law enforcement, they have the perception that encryption walls off information to them,” Mr. Sewell said. “But technologists and national security experts don’t see the world that way. We see a data-rich world that seems to be full of information. Information that law enforcement can use to solve — and prevent — crimes.”
Mr. Sewell also defended Apple’s security practices, saying the company always aimed to keep its devices safe from prying eyes. Within the last two years, he said, the Chinese government has requested Apple’s source code but the company has refused to hand it over. In a public report on Monday, the company said American law enforcement officials made 4,000 requests for customer data covering more than 16,000 devices in the second half of last year.
Law enforcement officials testifying before the committee on Tuesday expressed frustration over their inability to run a number of cases to ground — particularly sex abuse and child pornography cases — because of encrypted phones. They said the recent publicity over the issue could end up helping criminals.
“Make no mistake — criminals are listening to this testimony and learning from it,” said Charles Cohen, commander of the Indiana Internet Crimes Against Children Task Force.
The F.B.I. said there has been an increase in the number of devices it has acquired through investigations but was unable to gain access to because of encryption. Ms. Hess said that since October, 13 percent of the devices obtained by the F.B.I. were impenetrable by the agency. When asked at Tuesday’s hearing if the relationship between the tech industry and law enforcement had become adversarial, Ms. Hess responded, “I hope not.”
The encryption debate is continuing in other quarters. Apple is fighting an order in a federal court in New York to provide access to a phone involved in a criminal drug investigation. And last week, Senator Richard Burr, the chairman of the Senate Intelligence Committee and a Republican, and Dianne Feinstein, the ranking Democrat on the committee, released a draft version of a bill that would require tech companies to decrypt data if requested by a court.
Tech companies, which have largely banded together in support of Apple’s pro-encryption position, are lobbying against the draft bill.
Timed to the Tuesday hearing, trade groups representing top technology companies including Apple, Facebook, Google and Microsoft sent a letter to Senators Burr and Feinstein, opposing their bill.
“We believe it is critical to the safety of the nation’s, and the world’s, information technology infrastructure for us all to avoid actions that will create government-mandated security vulnerabilities in our encryption systems,” the groups, which include the Reform Government Surveillance and Computer and Communications Industry Association, said. “Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will to lead to unintended consequences.”
Michael Petricone, senior vice president for government affairs at the Consumer Technology Association, added, “This is urgent because the one thing you don’t want is Congress coming in a knee-jerk fashion and doing something with all sorts of negative consequences, which is what we may be seeing happen now.”
City and state law enforcement officials support the Senate draft bill, but it faces strong opposition from many in Congress.
President Obama has done little to assuage concerns by the tech industry. In a speech in March, the president warned against “fetishizing” encryption and urged more compromise between tech companies and the F.B.I.

No comments:
Write comments