FBI: We're not demanding encryption back doors

FBI's top lawyer tells Congress the bureau is not calling for restrictions on encryption without back doors for police, an apparent retreat from its position last fall.

The FBI said today that it's not calling for restrictions on encryption without back doors for law enforcement.

FBI general counsel Valerie Caproni told a congressional committee that the bureau's push for expanded Internet wiretapping authority doesn't mean giving law enforcement a master key to encrypted communications, an apparent retreat from her position last fall.

"No one's suggesting that Congress should re-enter the encryption battles of the late 1990s," Caproni said. There's no need to "talk about encryption keys, escrowed keys, and the like--that's not what this is all about."

Instead, she said, discussions should focus on requiring that communication providers and Web sites have legally mandated procedures to divulge unencrypted data in their possession.

As CNET was the first to report yesterday, the FBI says that because of the rise of Web-based e-mail and social networks, it's "increasingly unable" to conduct certain types of surveillance that would be possible on cellular and traditional telephones. Any solution, it says, should include a way for police armed with wiretap orders to conduct surveillance of "Web-based e-mail, social-networking sites, and peer-to-peer communications technology."

Caproni tried to distance the FBI from its stance a decade ago, when it was at the forefront of trying to ban secure encryption products that are, in theory, unbreakable by police or intelligence agencies.

"We are very concerned, as this committee is, about the encryption situation, particularly as it relates to fighting crime and fighting terrorism," then FBI director Louis Freeh told the Senate Judiciary committee in September 1998. "Not just bin Laden, but many other people who work against us in the area of terrorism, are becoming sophisticated enough to equip themselves with encryption devices."

In response to lobbying from the FBI, a House committee in 1997 approved a bill that would have banned the manufacture, distribution, or import of any encryption product that did not include a back door for the federal government. The full House never voted on that measure. (See related transcript.)

Even after today's hearing ended, it wasn't immediately clear whether the members of the House Judiciary crime subcommittee would seek to expand wiretapping laws as a result.

Rep. Bobby Scott, D-Va., said that the panel's members received a secret briefing last week from the FBI, but that the bureau should make its arguments in public. "It is critical that we discuss this issue in as public a matter as possible," he said. It's "ironic to tell the American people that their privacy rights may be jeopardized because of discussions held in secret."

Rep. John Conyers, D-Mich., said "to me this is a question of building back doors into systems...I believe that legislatively forcing telecommunications providers into building back doors into systems will actually make us less safe and less secure."

That was echoed by Susan Landau, a computer scientist at Harvard University's Radcliffe Institute for Advanced Study, who said "there aren't concrete suggestions on the table...I don't quite understand what the FBI is pushing for."

Caproni said her appearance before the panel was designed to highlight the problems, not call for specific legislation. But, she added, "it's something that's being actively discussed in the administration."

Under a 1994 federal law called the Communications Assistance for Law Enforcement Act, or CALEA, telecommunications carriers are required to build back doors into their networks to assist police with authorized interception of conversations and "call-identifying information."

As CNET was the first to report in 2003, representatives of the FBI's Electronic Surveillance Technology Section in Chantilly, Va., began quietly lobbying the FCC to force broadband providers to provide more-efficient, standardized surveillance facilities. The Federal Communications Commission approved that requirement a year later, sweeping in Internet phone companies that tie into the existing telecommunications system. It was upheld in 2006 by a federal appeals court.

But the FCC never granted the FBI's request to rewrite CALEA to cover instant messaging and VoIP programs that are not "managed"--meaning peer-to-peer programs like Apple's Facetime, iChat/AIM, Gmail's video chat, and Xbox Live's in-game chat that do not use the public telephone network.

Also not covered by CALEA are e-mail services or social-networking sites, although they must comply with a wiretap order like any other business or face criminal charges. The difference is that those companies don't have to engineer their systems in advance to make them easily wiretappable.