Remarks as prepared for delivery
Good morning, and thank you, Denise [Zheng], for that kind introduction. I want to welcome all of you to the Criminal Division’s second Cybercrime Symposium. I would like to thank the Center for Strategic and International Studies (CSIS) for organizing this event along with the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS). I also want to acknowledge the presence of the many distinguished participants in today’s events, who have traveled from across the country and around the world to be here.
The focus of this year’s cybercrime symposium is “Cooperation and Electronic Evidence Gathering Across Borders.” This focus encompasses two emerging challenges to public safety and national security – the challenge posed when criminals use new technologies to victimize innocent people and avoid accountability or even identification; and the challenge posed when criminal schemes cross international borders and legitimate law enforcement efforts to counter those schemes require international cooperation to be successful. Addressing these twin challenges are among the Department of Justice’s top priorities.
For both the Department of Justice and our international partners, working to address these challenges requires balancing several, sometimes competing goals and the interests of multiple stakeholders. We must protect the American people from threats to their safety and security while at the same time protecting privacy and freedom of expression and promoting cybersecurity. We must also do our best to meet our treaty obligations and honor the legitimate public safety needs of other countries that seek access to evidence that happens to be stored in the United States, without putting American businesses in an untenable position.
But although we will need to proceed thoughtfully and balance multiple different legitimate interests, a few basic principles should be obvious. First, sitting back and doing nothing is not an acceptable option. The world is changing around us, and those seeking to do harm are evolving with it; if those responsible for ensuring public safety do not have the same ability to adapt, public safety will suffer. Second, these changes pose policy challenges and we need to develop policy responses. Rather than let events or evolutions in technology dictate our responses, we must think ahead as a society and develop appropriate frameworks to address new and upcoming challenges before they become crises. And finally, when there are multiple interests at stake – public safety, cybersecurity, international comity and civil rights and civil liberties – we cannot allow the most consequential decisions to be made by a single stakeholder, or leave them to the whim of the commercial marketplace. We would never countenance that approach in other areas of importance to society, and we should not do so here.
Today’s symposium takes an important step forward in exploring these sometimes competing interests by bringing together a wide variety of perspectives – including experts from the United States and foreign governments, academia, trade organizations and public policy groups – to talk about these challenges and to continue the discussion about how to overcome them.
There is no question that advances in technology and the internet have brought tremendous benefits to the global economy. Email, social networking, messaging platforms and other innovations have allowed us to shift many aspects of our daily lives and commerce to online, networked systems. These innovations are connecting people both locally and globally, allowing businesses to compete in expanding markets. These advances have also transformed how we in law enforcement do our jobs, expanding our ability to detect, investigate and prosecute crimes. By using new technologies, we can analyze evidence with unprecedented speed and accuracy, and coordinate with partners around the world in real time.
But it is now becoming all too apparent that these benefits sometimes come at a cost, which was not widely appreciated until recently: criminals have been able to turn the advantages of the internet against us.
Criminals, including cybercriminals, use increased computing power, the widespread availability of high-speed internet, the growth of virtual currencies and the cover provided by technologies such as encryption and anonymizing software to launder money, traffic in narcotics and exploit children. Criminals also turn those advances into means of invading privacy, stealing intellectual property and emptying bank accounts of individuals and businesses around the world.
Cybercrime in particular is a threat that is particularly difficult for any one country to combat because of its international nature. Criminals are able to use worldwide networks to expand the reach of what had previously been local crime. Technology allows hackers sitting in one country to rob a bank halfway around the world, or attack many banks simultaneously. Technology allows hackers to steal personal information located in one country; sell the data to fraudsters in another country; and count their profits in a third. And just as sophisticated cybercriminals take advantage of weaknesses in computer security, technology can allow them to take advantage of international borders and differences in legal systems, hoping that investigators from the victim’s country will not be able to obtain evidence from abroad, if it is even available. As a result, international partnerships are a critical tool in the fight against cybercrime.
The Criminal Division is on the front lines of the fight against cybercrime, and we recognize that the development and adoption of strong encryption is essential to counteracting cyber threats to our critical national infrastructure, our intellectual property and our data, and to promote our overall safety and privacy. But certain implementations of encryption pose an undeniable and growing threat to our ability to protect the American people.
In an attempt to market products and services as protective of personal privacy and data security, companies increasingly are offering products with built-in encryption technologies that preclude access to data without the consent of the user. For law enforcement, this has resulted in something we often describe as “warrant-proof encryption.” “Warrant-proof” is not a technical term, and it can encompass different types of technology, but we use it to describe a situation where a service provider has implemented encryption in a way that prevents them from producing usable, unencrypted information even if they are served with a valid court order.
This is no small problem. Service providers with over a billion user accounts, that transmit tens of billions of messages per day around the world, now advertise themselves as unable to comply with warrants. And device manufacturers that have placed hundreds of millions of products in the market have embraced the same principle. Where investigations used to rely on physical evidence – like photographs, handwritten notes or documents stored in filing cabinets – that is being replaced by electronic evidence and digital communications. In nearly every criminal investigation we undertake at the federal level – from homicides and kidnappings, to drug trafficking, financial fraud and child exploitation – critical evidence comes from smart phones, computers and online communications. These materials are increasingly unavailable to law enforcement as a result of some encryption technologies, even when we have a warrant to examine them. Our inability to access this data can stop our investigations and prosecutions in their tracks, which in turn poses a real threat to public safety and national security.
Securing and keeping private our electronically-stored information is critically important, but so is the legal process that protects our values and our safety. These are complementary, not competing priorities. After all, digital security is a vital tool, but it is not a cure-all – especially when it impedes our ability to protect ourselves and each other in the physical world. Indeed, among the most widely-used network security products – such as malware scanning and many intrusion detection systems –simply could not function in a world of universal warrant-proof encryption because they require access by someone other than the end user to the contents of communications. We must treat the implementation of strong encryption as one mechanism to manage risk – one of many such tools at our disposal – and not adopt an absolutist view of its benefits or disregard its costs.
The widespread adoption of default warrant-proof encryption affects real investigations, with real consequences. Let me offer an example. Brittney Mills, 29 and pregnant, was shot in her Baton Rouge, Louisiana, apartment in 2015. She died that day, shortly after giving birth to her child; the child died three days later. Based on their investigation, police believe clues to solving her murder may lie in her phone. But because of the encryption technology used on the phone, it cannot be unlocked without the help of the very person whose murder they are trying to solve. Because they cannot unlock the phone or ever gain access to its contents, the investigation is at a dead end. In an unknowable number of other situations, investigators may not even pursue a court order because they know that a particular provider would not be able to execute the order.
In the United States, we are in the middle of a debate over how to handle new encryption technologies and the challenges they create for law enforcement. I am confident that we will find a way to navigate such difficult issues while retaining the values that make us who we are, because that is what we have always found a way to do. We also know we are not alone in trying to find our way through this, because similar debates are happening in nations all around the world.
Today’s symposium offers another forum to advance our common interests, by encouraging dialogue – such as today’s encryption panel – that will help us better understand how other governments and their citizens are thinking about these issues, and what solutions will meet the needs of public safety, while preserving the interests of cyber security, privacy, civil liberties and innovation.
Solutions to the challenge posed by default, warrant-proof encryption will not be easy. But the decision about whether law enforcement can access data must be made in the policy arena, not by the private sector. If an independent judge has evaluated the facts of a case, and after balancing the constitutional privacy interests and the needs of justice issues a warrant or order, a company served with that order must comply.
A public company’s interests are not necessarily aligned with those of the public at large. The main mission of a publicly-traded company is to maximize value for its shareholders. To that end, a company is understandably focused on actions aimed at achieving that goal. Companies may seek to avoid reputational risks with certain types of customers; they may have or desire to establish a presence in international markets in a manner that makes them sensitive to interests of other governments. However, the role of a publicly traded for-profit company is not and should not be to make definitive policy decisions that affect public safety. As the president has stated, no party in this debate can take an absolutist view on the issue of encryption.
That is why when we discuss the larger questions posed by warrant-proof systems, we must ensure that we have a broad-based policy discussion. We should not allow changing technologies or the economic interests of the private sector to overwhelm larger policy issues relating to the needs of public safety and national security.
I would also like to review the ways in which the Criminal Division has been addressing the challenges posed by international cybercrime and the impact of encryption and other technological advances on our electronic evidence gathering. In particular, I would like to highlight the ways in which the Criminal Division has worked to increase cross-border cooperation on cybercrime matters.
First, we remain heavily engaged with our international partners on cybercrime operations. We recently coordinated an international takedown of an online forum in which hackers and cybercriminals convened to buy, sell and share stolen information and hacking techniques. The takedown coalition included law enforcement authorities from 20 nations, including some that might surprise you: Colombia, Croatia, Latvia, Nigeria, Serbia, among many others. This takedown represents the largest coordinated international law enforcement effort ever directed at an online cybercriminal forum.
We have also been devoting additional resources to provide assistance to our foreign partners who seek to access electronic evidence stored within the United States in order to protect their public safety and national security. In many situations, the law requires our foreign partners to submit a formal request for mutual legal assistance in order to access the contents of stored electronic communications maintained by a service provider in the United States. These formal requests are handled by the Criminal Division’s Office of International Affairs (OIA), which has seen a 1,000 percent increase in requests for computer records since Fiscal Year 2000.
In order to increase our capacity to provide effective legal assistance to other countries in these cases, the Criminal Division has created a cyber unit within OIA focused exclusively on responding to and executing requests for electronic evidence from foreign authorities. Attorneys from that unit work with their foreign counterparts to ensure that their requests are factually and legally sufficient to obtain U.S. legal process for the evidence that they need.
Recognizing that providing such assistance is vital to U.S. interests, the administration received approval from Congress to reprogram funds specifically for this work. The Criminal Division is in the process of using this funding to upgrade technology, hire additional personnel and train foreign partners in order to remove the backlog of requests and provide timely responses to these foreign requests for data in the future. But the reprogrammed funds are a temporary fix, and we are hopeful that we will continue to receive ongoing Congressional support for this important effort.
The Criminal Division has also worked with the State Department to maximize existing multilateral frameworks to enhance the global capacity to combat cybercrime and engage in electronic evidence sharing. Those efforts have centered on promoting the Convention on Cybercrime, often referred to as the Budapest Convention. The convention requires signatories to have a basic level of domestic criminal law for computer-related crimes, and it provides a platform for transnational law enforcement cooperation in investigations, evidence sharing and extradition. Countries continue to join the Budapest Convention as it gains worldwide recognition as the “gold standard” agreement addressing cybercrime, cyber investigations and evidence sharing. To date, 49 countries have joined the convention and more are expected soon.
The Budapest Convention also requires signatories to join the 24/7 High Tech Crime Points of Contact Network, which consists of representatives from more than 70 countries that are available around-the-clock to assist law enforcement from other member countries with high-tech issues in criminal cases. The Criminal Division helps foreign authorities to process emergency requests to preserve and obtain electronic data in the United States, and we receive similar support from other member countries for data stored in their countries. In recent incidents of international terrorism, the services of the 24/7 Network have proved invaluable in helping to ensure that investigators could preserve and seek the information they needed to investigate the emergency.
Yet despite ongoing investments in mutual legal assistance, many of our foreign partners remain in the difficult position of relying on access to electronic evidence located within the United States for their legitimate public safety and national security needs. As with the encryption debate, it is increasingly clear that the status quo – based on formal mutual legal assistance alone – is unsustainable.
While foreign governments may seek to compel the production of electronic communications from U.S. providers using mechanisms available under their own laws, U.S. law may at times prohibit the providers from complying. Thus, U.S. companies, many of whom operate as multinationals in the global economy, may face a potential legal conflict: comply with a foreign order and risk violating U.S. law, or refuse to comply and risk violating the laws of another country.
This conflict can occur even though the request is made pursuant to lawful process in the foreign country, it involves communications between foreign nationals abroad and it concerns criminal activities outside the United States with no relation to this country other than the fact that the service provider stores the data in the United States. Absent an adjustment, we risk competing “data localization” requirements and initiating enforcement actions against U.S. companies for non-compliance.
Again, in facing this difficult problem, we cannot do nothing. It cannot be that we rely solely on the mutual legal assistance treaty system. And it cannot be that we let corporate or government decisions about where to store data endanger the safety and security of innocent people.
We must also guard against any legislation that would erect new obstacles to the ability of U.S. law enforcement investigators to obtain timely access to information stored abroad by U.S. providers. Legislative proposals that condition law enforcement access to electronic communications based on corporate decisions about where the data is stored will inevitably slow – and in some case, end – the investigation of serious offenses against Americans, such as child sexual exploitation and terrorism. As with the encryption debate, we should not leave the commercial market to resolve what must be balanced policy decisions.
A more productive approach relies on mutual benefit and reasonable rules for cross-border access to information. That is why the United States has begun considering a framework under which U.S. providers could disclose data relevant to combatting serious crimes directly to approved foreign governments, without triggering a potential conflict of law. This approach would require amendments to U.S. law to lift the statutory prohibitions on disclosure for requests made by a foreign partner pursuant to an approved executive agreement. The framework would include rigorous protections for privacy and civil liberties, and it would not permit targeting of U.S. persons or persons known to be located in the United States.
The United States is negotiating a potential agreement now with the United Kingdom. If implementing legislation takes effect, if the agreement is signed and if the framework proves successful, we would consider this approach for other like-minded governments.
It is important to note that, for each of the Criminal Division’s efforts I have discussed, we have maintained our long-standing commitment to respecting privacy and protecting civil liberties. Concerns about privacy and civil liberties are fundamental to the Constitution and other laws that establish the rules we follow as law enforcement officers and prosecutors. Our commitment extends beyond protecting the rights of U.S. citizens, as was shown through our recent efforts in seeking passage of the Judicial Redress Act, which President Obama signed into law on February 24, 2016. The Judicial Redress Act provides judicial redress to non-U.S. persons – on a par with U.S. persons – for access, rectification and wrongful disclosure of law enforcement data provided to the United States by designated countries.
In closing, we face many challenges in the ongoing fight against cybercrime, especially as it relates to electronic evidence gathering and cross-border cooperation. The solutions to these problems are matters for public policy makers. And without a coherent set of policy decisions to address these challenges, we will be left in a world where technology will overtake our ability to protect the public and assure justice. Finding solutions is not easy, but sharing different perspectives – and having difficult discussions about the often competing interests in play – can help. This second annual Cybercrime Symposium seeks to do exactly that by bringing together stakeholders from around the world to discuss topics such as navigating diverse frameworks for freedom of expression regarding online content, the future of electronic evidence gathering, the effect of privacy laws on criminal investigations abroad and a global perspective on encryption. I hope that you find these discussions both fruitful and enlightening.