Technology companies need to stop putting profits and growth over the safety and security of their customers. That scolding lesson came from Deputy Attorney General Rod Rosenstein, who spoke at a cybercrime symposium on Thursday at Georgetown University’s Law Center in Washington.
“Technology is advancing at a speed and volume that exceeds the capacity of most people to comprehend the accompanying risks, let alone to protect against them,” Rosenstein said in his speech. “We need technology companies and communications providers to accept responsibility for developing routine business practices that account for all the ways their products may be misused.”
Rosenstein defined that as a two-part obligation: design hardware, software and services for safety above all, then ensure these protective and defensive measures don’t shut out law-enforcement investigators with a search warrant.
The two obligations, depending on your perspective, can cancel each other out. But, as in his prior discussions of maintaining law-enforcement access to encrypted devices and communications systems, Rosenstein did not offer a solution to reconcile those differences.
Plan for the worst
“We must place security on the same footing as novelty and convenience, and design technology accordingly,” Rosenstein said. “Anticipating worst-case scenarios needs to be part of the development process.”
The deputy attorney general cited such cases of avoidable problems as social networks being overrun by foreign disinformation campaigns, denial-of-service attacks launched by hacked “internet of things” gadgets and worldwide outbreaks of ransomware.
Too often, Rosenstein said, competitive pressures and bottom-line considerations drive companies to leave security as the low-order bit.
“Building secure devices requires additional testing and validation—which slows production times — and costs more money,” he warned. “Creating more secure devices risks building a product that will be later to market, costlier and harder to use. That is a fundamental misalignment of economic incentives and security.”
Rosenstein said this focus on convenience often leads companies to neglect public-safety concerns, saying “some communications providers chronically understaff their offices that respond to legal process from law enforcement.”
With that, the deputy attorney general turned his attention to the strong device encryption that Apple (AAPL) and Google (GOOG, GOOGL) have deployed in their mobile operating systems. Such encryption scrambles all the data on an iPhone or an Android phone unless a user unlocks the handset.
Those companies and cryptography experts call that “strong encryption.” In his speech, Rosenstein described it as “warrant-proof encryption,” in that even if a judge orders Apple or Google to unlock a suspect’s phone, they can’t, because there is no backup key.
“These barriers are having a dramatic impact on our cases, to the significant detriment of public safety,” he said in repeating past calls for “responsible encryption” that would give law enforcement some way into those devices.
Rosenstein cited the analogy of an elevator that shuts down in a fire while still allowing firefighters to access it. But he did not offer any details on how “responsible encryption” might work beyond saying any backup key “does not need to be held by a single entity, and it does not need to be held by the government.”
Rosenstein also complimented a 2017 proposal by Lotus Notes inventor Ray Ozzie to have device manufacturers keep an emergency unlock key unique to each phone. Critics immediately assailed that as being dangerously unworkable at the scale of the iPhone market.
The real-world invulnerability of an iPhone or Android handset remains unproven, as the data-recovery firm DriveSavers illustrated this week when it announced a “Passcode Lockout Recovery Service.” The offering, the company says, provides “a 100% success rate with unlocking and recovering data from passcode-protected smartphones of every make, model and operating system with any length passcode.”
Rosenstein didn’t mention that service or DriveSavers’ declaration that it will not offer its service to law-enforcement organizations.
Rosenstein also expressed his concerns over the Supreme Court’s June ruling that the government would need a search warrant to inspect historical cell-site location information.
That decision in Carpenter v. U.S. opened a hole in the “third-party doctrine” under which courts have assumed that if a person gives data to a third party, they can’t expect it to remain private. Justice Neil Gorsuch’s dissenting opinion suggested that the entire third-party doctrine should be junked.
“That was a pretty bright line,” Rosenstein said of the former understanding of the third-party doctrine. “Nobody’s entirely sure where the new line may be.”
But at no point in the speech or Q&A did Rosenstein discuss his own most recent turn in the news—President Trump’s retweet of an image depicting him behind bars alongside President Obama, special counsel Robert Mueller, Hillary Clinton, and others.
His only vague nod to that came in an ad-libbed addition to a line in his prepared remarks: “Just because people are quick to criticize you does not mean that you are doing the wrong thing. Let me tell you!”
The room erupted with knowing laughter.
More from Rob:
- Facebook still hasn’t fixed this loophole for fake accounts
- Why Crystal City is the right call for Amazon HQ2
- Why those chips in your credit cards don’t stop online fraud
- What it’s like to use a search engine that’s more private than Google