Hackers have gained sweeping access to U.S. text messages and phone calls — and in response, the FBI is falling back on the same warmed-over, bad advice about encryption that it has trotted out for years.
In response to the Salt Typhoon hack, attributed to state-backed hackers from China, the bureau is touting the long-debunked idea that federal agents could access U.S. communications without opening the door to foreign hackers. Critics say the FBI’s idea, which it calls “responsibly managed encryption,” is nothing more than a rebranding of a government backdoor.
“It’s not this huge about-face by law enforcement,” said Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. “It’s just the same, illogical talking points they have had for 30+ years, where they say, ‘Encryption is OK, but we need to be able to access communications.’ That is a circle that cannot be squared.”
The Hack
At least eight telecommunications companies were compromised in the hack, which was first made public in September and has been described as ongoing by U.S. officials.
The hackers have swept up vast amounts of data about phone calls and text messages in the Washington, D.C., area, according to what officials said at a press conference last week. That information includes details about when and where calls were placed and to whom, but not their contents.
There is a smaller circle, of about 150 people, who had the contents of their communications hacked, including real-time audio of communications, according to a report in the Washington Post last month. The targets of that hack included Donald Trump, his lawyer, JD Vance, and the Kamala Harris campaign.
Another “vector” of the attack, according to government officials, was the interface where law enforcement agencies request wiretaps from telecom companies under the 1994 Communications Assistance for Law Enforcement Act.
Essentially, the CALEA system may have given hackers a shopping list of people who have fallen under FBI suspicion.
It was a development long predicted by privacy advocates. In a blog post last month, encryption expert Susan Landau said CALEA had long been a “national security disaster waiting to happen.”
“If you build a system so that it is easy to break into, people will do so — both the good guys and the bad. That’s the inevitable consequence of CALEA, one we warned would come to pass — and it did,” she said.
The Elusive Golden Key
The FBI has pushed back on the idea that CALEA was the only “vector” for Chinese hackers. It has also rejected the larger moral drawn by privacy advocates, which is that only fully end-to-end encrypted communications are secure.
End-to-end encrypted communications make sure that a written message or voice call is protected from the moment it leaves your device to the moment it arrives at its destination, by ensuring that only the sender and the recipient can decrypt the messages, which are unreadable by any third party — whether that happens to be a Chinese hacker or the FBI.
That type of encryption does not protect communications if the third party has gained access to one of the communication endpoints, such as a phone or a laptop. Hackers could still plant spyware on phones, and the FBI, civil liberties advocates have long noted, can still search through phones through a variety of methods, just on a case-by-case basis.
Major tech companies such as Apple have endorsed end-to-end encryption in recent years, to the dismay of law enforcement agencies. The feds have complained loudly about criminals “going dark” on them, by using the same veil of encryption that protects ordinary people from scammers, pirates, and eavesdroppers.
The FBI and other agencies have long maintained that there might be some way to give them special access to communications without making things easier for hackers and spies. Security experts say the idea is hogwash. Call it a backdoor, a “golden key,” or something else, those experts say, it can’t work.
In their advice to the public last week, federal officials gave a strong endorsement to encryption.
“Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” said Jeff Greene, the executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency.
Yet notably, an FBI official on the same call fell back on the idea of “responsibly managed” encryption. The FBI says this encryption would be “designed to protect people’s privacy and also managed so U.S. tech companies can provide readable content in response to a lawful court order.”
From a practical perspective, it is unclear what programs, if any, the FBI has in mind when it calls on people to use “responsibly managed” encryption. The FBI did not respond to a question about any apps that would comply with its advice.
Sean Vitka, the policy director at the progressive group Demand Progress, said the hack has once again provided damning evidence that government backdoors cannot be secured.
“If the FBI cannot keep their wiretap system safe, they absolutely cannot keep the skeleton key to all Apple phones safe,” Vitka said.
Going Dark is Good, Actually
In a statement, longtime privacy hawk Sen. Ron Wyden, D-Ore., said it was time for government agencies to endorse end-to-end encryption.
“It’s concerning that federal cybersecurity agencies are still not recommending end-to-end encryption technology — such as Signal, WhatsApp, or FaceTime — which is the widely regarded gold standard for secure communications,” Wyden said.
Wyden has teamed up with Sen. Eric Schmitt, R-Mo., to call on the Department of Defense inspector general to probe why the Pentagon did not use its massive buying power to push cellphone carriers to better secure their services when it signed a $2.7 billion contract with AT&T, Verizon, and T-Mobile.
“Government officials should not use communications services that allow companies to access their calls and texts. Whether it’s AT&T, Verizon, or Microsoft and Google, when those companies are inevitably hacked, China and other adversaries can steal those communications,” Wyden said in his statement.
Privacy advocates say that the best thing that people can do to protect themselves from prying eyes is to use some of the same apps recommended by Wyden, such as Signal or WhatsApp.
They added that in light of Salt Typhoon, it is time for law enforcement to call it quits on its long-running campaign in Congress to thwart stronger encryption. Landau, in a November 21 blog post, noted that even former NSA and CIA Director Michael Hayden has endorsed end-to-end encryption.
“For decades, technologists have been making the point that the strongest and best form of communications security is provided by end-to-end encryption; it is well past time for law enforcement to embrace its widespread public use. Anything less thwarts the nation’s basic security needs,” Landau said.