The US Government has revealed that it believes it is able to demand tech companies build encryption backdoors without any sort of court order being needed beforehand.
The revelation has come in the responses to a series of questions tabled by Senator Ron Wyden (D-OR) to the Office of the Director of National Intelligence. They were given to the Senate Oversight Committee back in July, but have only this week come into the public domain.
No court orders needed
It was stated in the answers that no legal support or court order from the Foreign Intelligence Surveillance Court (FISC) is needed to demand access to encryption from a US-based company. The implication of their response is that the US Government believes it already has the legal powers to do this.
The role of the FISC, which is the US’s secret court established to handle legal matters related to surveillance, comes in if the company refuses to comply with the order. At that stage, the US Government can petition the court to compel the company in question to comply.
Even at that stage of the process, the FISC has no role in approving the demand but simply decides whether compelled assistance is necessary or not.
In further answers, it was also revealed that the US Government has “not to date” needed to ask the FISC to compel a company to comply with its request. No further detail was given on whether this meant that no such requests had been made, or all requests to date had been complied with unquestioningly.
A spokesperson for the Director of National Intelligence refused to comment on this or any other aspect of the answers which have been published.
Have these powers already been used?
It is known that the Government has used other legal means to try to compel companies to provide access to encrypted communications before, the case of the San Bernardino shooter’s iPhone being the most prominent one.
If the US Government had demanded encryption tools in this way there would be very little in terms of a paper trail to prove it. And while it seems likely that the story would leak out somewhere, it is possible that this power has already been exercised.
That will be deeply worrying for those in the US who value their online privacy and rely on encryption to protect their communications and personal information. Users of encrypted messenger services like WhatsApp as well as some US-based VPNs may begin to wonder just how private their encrypted online activity actually is.
The revelations come at a timely moment in the US as the renewal of Section 702 of the Foreign Intelligence Surveillance Act (FISA) edges closer. This is the legal clause which underpins much of the US’s online surveillance activity.
There has been a fierce debate over the merits of renewing Section 702 as it is or delivering the badly needed reforms to bring the law in line with the US Constitution. We reported earlier this year that the Trump administration planned to renew it without reforms. And as the end-of-year deadline draws closer, that article appears to be worryingly prescient.
Law enforcement smokescreens?
At the same time as the Director of National Intelligence was confirming that the US Government had the legal right to demand encryption backdoors, the head of the FBI was once again complaining about the impact encryption has on his investigations.
Speaking at a law enforcement conference, FBI Director Christopher Wray described encryption as “a huge, huge problem” and claimed that it “impacts investigations across the board – narcotics, human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation.”
Such contributions to the debate are nothing new from the US law enforcement community. But in light of the new revelations from the Director of National Intelligence, the question now is whether this is all a smokescreen.
Is encryption still a hurdle the US Government has to overcome, or are they already applying the powers they claim they have to undermine it?
This question will most likely not be answered until a high-profile encrypted online service is successfully hacked. If backdoors have been secretly introduced, this will only be a matter of time.
There isn’t much for VPN users to worry about on this matter just yet. The focus of the US authorities is on encrypted devices like iPhones and online messenger services like WhatsApp.
But if you are concerned about the US government snooping on your online activity, the safest thing to do is to opt for a VPN located outside the USA and therefore out of the range of the US legal system. ExpressVPN, which is located in the British Virgin Islands, and NordVPN, which is based in Panama, are two of your best bets.