Remarks as prepared for delivery
Thank you, Zach [Goldman], for that kind introduction. It’s a pleasure to be here. I was invited to speak today about the Justice Department’s approach to investigating and prosecuting organized cybercrime. And what better place to do that than New York—once the stronghold of La Cosa Nostra and now a target of cyber criminals from across the world.
Today, I will focus on two challenges we face in this effort: first, how technology has enabled sophisticated and organized cyber criminals; and second, current limitations on the Justice Department’s ability to respond.
The department has had a long and successful track record in dismantling traditional organized crime, dating back to 1970, when Congress enacted the Organized Crime Control Act and its “Racketeer Influenced and Corrupt Organizations” provisions, commonly referred to as RICO. For decades, groups like La Cosa Nostra or the Lucchese crime family were the focus of the department’s organized crime efforts. Starting in the 1980s, for instance, we used the RICO statute in the Eastern District of New York—just across the water—to strike a blow to the five organized crime families of La Cosa Nostra in New York City.
Today, that kind of organized crime seems almost quaint, and not because organized crime has vanished. Rather, the same global networks and communications technologies that have transformed the world’s economy have also enabled a troubling evolution in criminal activity. Criminal organizations use increased computing power, the widespread availability of high-speed internet, the growth of virtual currencies and the cover provided by technologies such as encryption and anonymizing software to launder money, traffic in narcotics and exploit children. They also turn those advances into means of invading privacy, stealing intellectual property and emptying bank accounts of individuals and businesses around the world. This is not your grandfather’s mafia.
The threat is increased with organized cybercrime because of its international reach. Worldwide networks have turned local crimes into global crimes. Hackers sitting in one country can now rob a bank—or many banks—from halfway around the world. Cyber criminals steal personal information located in one country, sell the data to fraudsters in another country and count their profits in a third. And just as sophisticated cyber criminals take advantage of weaknesses in computer security, technology can allow them to take advantage of international borders and differences in legal systems, hoping that investigators from the victim’s country will not be able to obtain evidence from abroad, if it is even available.
I am proud to say that we’ve been successful in infiltrating and dismantling some of these organizations. For example, we are currently prosecuting an internet-based, international criminal enterprise known as Carder.su. The over 5,500 members of this enterprise trafficked in compromised credit card account data and counterfeit identifications, and committed money laundering, narcotics trafficking and various computer crimes. They used web forums largely hosted in former Soviet Union countries and communicated through secure and encrypted forums, proxy computers and virtual private networks. Gaining membership in the group required the recommendation of two current members in good standing. Disloyal members were stripped of membership and barred from the websites.
In July 2015, federal law enforcement seized a dedicated cybercrime forum known as Darkode. Darkode was an online, password-protected cybercrime marketplace in which hackers and other cyber criminals convened to buy, sell, trade and share information, ideas and tools to facilitate unlawful cyber intrusions. As with Carder.su, prospective members were vetted before they could join to determine whether they had marketable skills or products to bring to the group.
Like most criminal organizations, the members of these two sites had different and defined roles. But instead of Dons and Capos, “Administrators” handled day-to-day management. In the place of Consiglieres, “Moderators” would monitor and police the websites. “Vendors” advertised and sold illegal products, services and contraband and “Members” used the websites to purchase contraband and share criminal schemes.
Of the hundreds of criminal internet forums around the world, Darkode and Carder.su were two of the most pernicious. Yet despite their sophisticated technologies, these groups remained vulnerable to a tried and true mob-busting technique: infiltration by undercover agents or confidential informants. In Carder.su, 56 individuals were charged in four separate indictments. To date, 33 individuals have been convicted and the rest are either fugitives or pending trial. In Darkode, charges have been filed against 12 individuals in U.S. federal court; convictions have been obtained in seven U.S. cases and one foreign prosecution.
As organized crime digitizes its operations, law enforcement faces two significant challenges: first, the use by criminals of new encryption technologies to victimize innocent people while avoiding identification; and second, territorial limits on our ability to gather digital evidence of crimes. Addressing these challenges is among the Justice Department’s top priorities.
First, let me say the Criminal Division is on the front lines of the fight against cybercrime. We recognize that the development and adoption of strong encryption is essential to counteracting cyber threats and to promoting our overall safety and privacy. But certain implementations of strong encryption pose an undeniable and growing threat to our ability to protect the American people.
In an attempt to market products and services as protective of personal privacy and data security, companies increasingly are offering products with built-in encryption technologies that preclude access to data without the consent of the user. For law enforcement, this has resulted in something we often describe as “warrant-proof encryption.” Warrant-proof is not a technical term, and it can encompass different types of technology, but we use it to describe a situation where a service provider has implemented encryption in a way that prevents them from producing usable, unencrypted information even if they are served with a valid court order.
This is no small problem. Service providers with over a billion user accounts, that transmit tens of billions of messages per day around the world, now advertise themselves as unable to comply with warrants. And device manufacturers that have placed hundreds of millions of products in the market have embraced the same principle.
Where investigators used to rely on physical evidence, we now look to electronic evidence and digital communications. In nearly every criminal investigation we undertake at the federal level—from homicides and kidnappings to drug trafficking, financial fraud and child exploitation—critical evidence comes from smart phones, computers and online communications. These materials are increasingly unavailable to law enforcement as a result of some encryption technologies, even when we have a warrant to examine them.
Our inability to access such data can stop our investigations and prosecutions in their tracks. Securing and keeping private our electronically-stored information is critically important, but so too is the time-honored legal process that protects our values and our safety. These are complementary, not competing priorities, and they are considered every time a warrant is issued. If an independent judge has evaluated the facts of a case, and, after balancing the constitutional privacy interests and the needs of justice, issues a warrant or order, a company served with that order must comply.
To be sure, solutions to the challenge of widespread, warrant-proof encryption will not be easy. But the decision about whether law enforcement can access data must be made in the policy arena, not by the private sector. We should not allow changing technologies or the economic interests of the private sector to overwhelm larger policy issues relating to the needs of public safety and national security.
The challenge we face with warrant-proof encryption is part of a broader trend requiring harmonization of law and technology. In July, in the so-called “Microsoft Ireland” case, the Court of Appeals for the Second Circuit held that a judge could not authorize the use of a Stored Communications Act (SCA) warrant to compel disclosure by Microsoft of email communications stored in Microsoft’s Ireland data center, or any server outside U.S. borders. This holding means that, in the Second Circuit, the contents of communications held by any service provider outside the United States—even when they belong to a U.S. person, are maintained by a U.S.-based company and are controlled by a person sitting at a computer terminal in the United States—is off limits under an SCA warrant.
Data stored by communications providers, such as emails, IP records or even subscriber information, can be crucial to the department’s work. It is not unusual for this type of information to be stored in the United States, whether the information relates to an American, or to a foreign citizen who happens to use an American service.
Increasingly, however, American providers and other providers subject to the jurisdiction of U.S. courts are storing information outside the United States, and not always at rest and in the same location. For example, one major American provider has said that it has begun to store the contents of many accounts in data centers located abroad. That provider indicated that it chooses whether to maintain data in the United States or abroad based solely on the user’s selection of her country of residence at the time the account is created. Accordingly, even Americans who live in the United States can effectively choose to have their account data stored abroad by doing no more than choosing a desired country from the drop-down menu on the sign-up form. In fact, many of the largest American providers now operate data storage centers abroad and it is unusual for a major provider to store all of its data within the United States.
In today’s world of global cloud computing, it makes little sense to determine the legality of search warrants based on where companies choose to store their data. U.S. providers control billions of user accounts for customers across the globe, and nothing in U.S. law requires their data to be stored in this country. Today’s technology means that data can be moved across jurisdictions or stored in multiple locations for any number of business reasons. The location of the data could change day-by-day or hour-by-hour. Meanwhile, U.S. providers increasingly face tax or other business incentives to operate data storage centers outside the United States.
Already, U.S. providers have declared in response to multiple federal warrants, on the basis of the Microsoft Ireland ruling, that they will only produce responsive information known to be located in the United States. That number will certainly grow.
Alternative methods, such as the Mutual Legal Assistance Treaty—or MLAT—process, are not sufficient. The United States has MLATs with less than half the countries in the world, and many of those treaties exclude certain categories of evidence altogether. Even when a request for evidence is covered, the MLAT process generally lacks the requisite efficiency for time-sensitive investigations and other emergencies. Ireland, for example, reports that requests take 15 to 18 months in routine cases. In less experienced or less cooperative countries, the process can take even longer. Sometimes we never receive a response at all. What all of this means is that an enormous amount of electronic evidence—information necessary for investigations ranging from national security cases to human and drug trafficking, to cyber intrusions and child exploitation—may now be out of reach entirely.
That is why the administration has made clear that it intends to promptly submit legislation to address the significant public safety implications of the Microsoft decision. But in doing so, we must be mindful of the responsibility Congress and the American people have entrusted to us: to protect Americans from threats to their safety and security. Legislative proposals that base law enforcement access to electronic evidence solely on MLAT requests to other countries will inevitably slow, and in some cases end, the investigation of serious offenses against Americans.
That cannot be the path forward. In a world where business decisions and cumbersome bureaucratic processes, rather than time-tested constitutional standards, determine when criminal investigations can advance, both privacy and the safety of Americans surely lose. As with the encryption debate, we should not leave the commercial market to resolve what must be balanced policy decisions.
In each of these areas, we must proceed thoughtfully and balance multiple different legitimate interests. Yet several basic principles should be obvious. First, sitting back and doing nothing is not an acceptable option. The world is changing around us, and those seeking to do harm are evolving with it. If those responsible for ensuring public safety do not have the same ability to adapt, public safety will suffer.
Second, these changes pose policy challenges and we need to develop policy responses. Rather than let events or evolutions in technology dictate our responses, we must think ahead as a society and develop appropriate frameworks to address new and upcoming challenges before they become crises.
And finally, when there are multiple interests at stake—public safety, cybersecurity, international comity and civil rights and civil liberties—we cannot allow the most consequential decisions to be made by a single stakeholder, or leave them to the whim of the commercial marketplace. We would never countenance that approach in other areas of importance to society, and we should not do so here.