In mid-October 2014, about a year into his tenure as director of the Federal Bureau of Investigation, James Comey gave a speech at the Brookings Institution warning of the dangers ahead as tech companies increasingly encrypted their products. “What it means is this,” he said. “Those charged with protecting our people aren’t always able to access the evidence we need to prosecute crime and prevent terrorism, even with legal authority.” He called the use of encryption “going dark.”
In that speech, Comey singled out Apple, which had recently introduced new security features to its iPhone operating system that automatically encrypted all of the data stored on the device. E-mails, texts, photographs, videos, contacts, and location data were now out of reach of anyone without its password, Apple and law enforcement included. “Apple argues,” Comey told the group,
that its users can back-up and store much of their data in “the cloud” and that the FBI can still access that data with lawful authority. But uploading to the cloud doesn’t include all of the stored data on a bad guy’s phone, which has the potential to create a black hole for law enforcement.
And if the bad guys don’t back up their phones routinely, or if they opt out of uploading to the cloud, the data will only be found on the encrypted devices themselves. And it is people most worried about what’s on the phone who will be most likely to avoid the cloud and to make sure that law enforcement cannot access incriminating data.
Encryption isn’t just a technical feature; it’s a marketing pitch. But it will have very serious consequences for law enforcement and national security agencies at all levels. Sophisticated criminals will come to count on these means of evading detection. It’s the equivalent of a closet that can’t be opened. A safe that can’t be cracked. And my question is, at what cost?
We were soon to find out. Thirteen months after that Brookings speech, in the first days of December 2015, a county health inspector named Syed Rizwan Farook and his wife Tashfeen Malik opened fire on a holiday gathering of Farook’s colleagues in San Bernardino, California, killing fourteen and wounding twenty-two, while claiming allegiance to the Islamic State. These were terrorists who appeared to materialize out of nowhere, and though they were killed in a shoot-out with police, federal investigators were concerned that they might have had assistance from others, either in the United States or in other countries, or in that borderless, vaporous place we’ve come to call “cyberspace.” A raid on the terrorists’ home netted personal computers and a significant cache of guns and explosives. As luck would have it, investigators also recovered Farook’s employer-issued iPhone. That phone, though, used Apple’s new, encrypted operating system, which protects the user’s password, and the Feds had no idea what combination of numbers Farook used to unlock…