Hackers have gained sweeping access to U.S. text messages and phone calls — and in response, the FBI is falling back on the same warmed-over, bad advice about encryption that it has trotted out for years.
In response to the Salt Typhoon hack, attributed to state-backed hackers from China, the bureau is touting the long-debunked idea that federal agents could access U.S. communications without opening the door to foreign hackers. Critics say the FBI’s idea, which it calls “responsibly managed encryption,” is nothing more than a rebranding of a government backdoor.
“It’s not this huge about-face by law enforcement,” said Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. “It’s just the same, illogical talking points they have had for 30+ years, where they say, ‘Encryption is OK, but we need to be able to access communications.’ That is a circle that cannot be squared.”
The Hack
At least eight telecommunications companies were compromised in the hack, which was first made public in September and has been described as ongoing by U.S. officials.
The hackers have swept up vast amounts of data about phone calls and text messages in the Washington, D.C., area, according to what officials said at a press conference last week. That information includes details about when and where calls were placed and to whom, but not their contents.
There is a smaller circle, of about 150 people, who had the contents of their communications hacked, including real-time audio of communications, according to a report in the Washington Post last month. The targets of that hack included Donald Trump, his lawyer, JD Vance, and the Kamala Harris campaign.
Another “vector” of the attack, according to government officials, was the interface where law enforcement agencies request wiretaps from telecom companies under the 1994 Communications Assistance for Law Enforcement Act.
Essentially, the CALEA system may have given hackers a shopping list of people who have fallen under FBI suspicion.
It was a development long predicted by privacy advocates. In a blog post last month, encryption expert Susan Landau said CALEA had long been a “national security disaster waiting to happen.”
“If you build a system so that it is easy to break into, people will do so — both the good guys and the bad. That’s the inevitable consequence of CALEA, one we warned would come to pass — and it did,” she said.
The Elusive Golden Key
The FBI has pushed back on the idea that CALEA was the only “vector” for Chinese hackers. It has also rejected the larger moral drawn by privacy advocates, which is that only fully end-to-end encrypted communications are secure.
End-to-end encrypted communications make sure that a written message or voice call is protected from the moment it leaves your device to the moment it arrives at its destination, by ensuring that only the sender and the recipient can decrypt the messages, which are unreadable by any third party — whether that happens to be a Chinese hacker or the FBI.
That type of encryption does not protect communications if the third party has gained access to one of the communication endpoints, such as a phone or a laptop. Hackers could still plant spyware on phones, and the FBI, civil liberties advocates have long noted, can still search phones using a variety of methods, just on a case-by-case basis.
Major tech companies such as Apple have endorsed end-to-end encryption in recent years, to the dismay of law enforcement agencies. The feds have complained loudly about criminals “going dark” on them, by using the same veil of encryption that protects ordinary people from scammers, pirates, and eavesdroppers.
Going Dark is Good, Actually
In a statement, longtime privacy hawk Sen. Ron Wyden, D-Ore., said it was time for government agencies to endorse end-to-end encryption.
“It’s concerning that federal cybersecurity agencies are still not recommending end-to-end encryption technology — such as Signal, WhatsApp, or FaceTime — which is the widely regarded gold standard for secure communications,” Wyden said.
Wyden has teamed up with Sen. Eric Schmitt, R-Mo., in urging the Department of Defense inspector general to investigate why the Pentagon did not leverage its significant purchasing power to compel cellphone carriers to enhance the security of their services when it entered into a $2.7 billion contract with AT&T, Verizon, and T-Mobile.
“Government officials should not use communications services that allow companies to access their calls and texts. Whether it’s AT&T, Verizon, or Microsoft and Google, when those companies are inevitably hacked, China and other adversaries can steal those communications,” Wyden stated.
Privacy advocates recommend using apps like Signal or WhatsApp to protect against unauthorized access to personal communications.
In light of Salt Typhoon, it is suggested that law enforcement cease its efforts to impede stronger encryption. Former NSA and CIA Director Michael Hayden has endorsed the use of end-to-end encryption for enhanced security.
“For decades, technologists have emphasized that end-to-end encryption offers the strongest form of communications security. It is imperative for law enforcement to support its widespread adoption for the nation’s security needs,” Landau emphasized.