Susan Landau and the Challenge of Electronic Detective Work


Susan Landau is Bridge Professor in the Fletcher School of Law and Diplomacy and the School of Engineering, Department of Computer Science, Tufts University, and visiting professor in the Department of Computer Science, University College London. In this interview, she describes the challenges arising at the intersection of cybersecurity, national security, law, and policy.

Question: You testified before the House Judiciary Committee in March 2016. What were some of your major points?

Susan Landau: The committee asked me to testify on encryption, which is an issue that Congress has examined periodically over the past two decades. But immediately after I was asked to testify, the story broke about the FBI being unable to unlock the iPhone being used by one of the San Bernardino shooters. That news shifted the focus of the hearing. FBI Director James Comey testified for three and a half hours on the Apple/FBI case and the issue of locked digital devices. This was followed by a panel that included Apple General Counsel Bruce Sewell, Manhattan District Attorney Cy Vance Jr., and me.

The issue was whether Apple should be compelled to build software to circumvent the iPhone’s security protections. This particular iPhone actually belonged to the shooter’s employer and should have been backing up data to iCloud. But the shooter turned off the backup mechanism six weeks before the attack, so certain recent data was not available except on the phone — and that was locked.

With this iPhone model, someone without the unlock PIN — in this case, the FBI — could make 10 attempts to guess it before the phone would erase its memory. The FBI asked Apple to write an update for the particular phone to enable more than 10 attempts and to remove the delay factor between each try (to deter breaking into the phone, Apple’s security mechanism increasingly delayed time between each PIN attempt).

Apple refused, arguing that the FBI’s request was an overly expansive interpretation of the All Writs Act because of the amount of time and software engineers required. Apple also argued — and this is the point I made during the hearing and since — is that Apple’s developing such software would create a security risk. The FBI said the back door would apply only to the shooter’s phone. But during the hearings, Director Comey said the FBI had additional phones it wanted Apple to unlock. At the same hearing, District Attorney Vance said that his office had 205 phones they wanted Apple to unlock. And that’s a problem. And that raised a serious security concern. When you create a process that is used frequently to undo security protections, it’s quite possible that others could exploit it to access other phones.

Question: Has wiretapping changed over the last couple of decades as cell phones and then smartphones were introduced?

Landau: Twenty years ago, wiretapping was not hard. It was beginning to get complicated because people were using cell phones, but they have the same technical architecture as landlines in terms of how a call is completed. IP-based voice, video, and chat apps such as Facebook Messenger and WhatsApp made wiretapping much more complicated.

State and municipal law enforcement are really struggling with the diversity and proliferation of apps and phone models. In the spring of 2011, I testified before a House Judiciary subcommittee. One of the other speakers was President of the International Association of Chiefs of Police. His complaint wasn’t about encryption. Instead, his people were overwhelmed by the variety of phone models.

A large police department, like New York City’s or Los Angeles’, can develop a technical unit that deals with many different types of phones. But in smaller cities, law enforcement doesn’t have the resources to keep up, so they struggle with those kinds of electronic investigations. It’s just gotten too complicated.

Question: In your testimony, you said that law enforcement, particularly the FBI, is stuck in the 20th century when it comes to electronic surveillance and security. You also said that the National Security Agency (NSA) takes a completely different approach. What are some examples of what the FBI is doing wrong and the NSA is doing right?

Landau: When I say that the FBI is still stuck in the 20th century, I mean that we have a lot more data now. The phones release information about where people are, and that’s tremendously valuable. We have automated license plate readers that help police pick up where people are traveling. We have the electronic toll records.

All of those are incredibly useful, but you need a certain level of technological capability to be able to track it. Only some police departments do. It’s a problem that’s been clear to law enforcement for at least a half-dozen years, but national law enforcement, the FBI, has been slow to provide adequate solutions to the problem. The FBI has begun efforts to improve that for state and local law enforcement with the National Domestic Communications Assistance Center (NDCAC). Those are all easy solutions in the sense that it’s just adding people to provide state and local with information as opposed to developing new technological solutions.

But suppose you can’t get at the content. Are there other ways to figure out what happened? Sometimes there are. Suppose you know that the suspect talked with a particular person and then went out and bought detonators. Then the suspect did a Google search on the place that he bombed. You pretty much know what happened even though you didn’t hear or read those conversations and searches. Cases have always been built on a certain amount of circumstantial evidence, so that remains available, and the communications metadata is now increasingly rich.

Then there is breaking in through what we call “lawful hacking.” I believe that my coauthors — Steve Bellovin, Matt Blaze, and Sandy Clark — and I were actually the ones who coined the term. This is if, for example, my communication on my phone is encrypted, maybe there is a way to break into my phone and actually get my phone to release the key. There are solutions like that, such as from the NSA. They’re expensive, and sometimes they’re one-offs. Such kinds of vulnerabilities that work against a large slew of criminal suspects are going to be rare, so you want to use them only in cases that are really important.

Question: If the US President appointed you FBI Director, how would you describe the approach the agency would take under your leadership? And what would you ask Congress to do to help you achieve those goals?

Landau: I would increase the size of what’s called the “going dark” unit by a factor of 10 or 20. I would create groups that look at specific types of phones, specific types of communications, and I’d improve what the NDCAC does and increase its ability to help state and local. I’d do more education of state and local. They do half the wiretaps in this country. They need capability to look at communications metadata and understand what they’re seeing. They don’t always know what it is they’re looking for and how to get at it. That’s what I do right off the bat.

Editor’s note: Watch for a second installment related to Susan Landau’s forthcoming book Listening In: Cybersecurity in an Insecure Age.