For more than a year, FBI Director James Comey has been publicly complaining about how much of a hard time his agents, as well as local and state cops, are having when they encounter encryption during their investigations.
Now, the FBI is asking for more money to break encryption when needed.
In its budget request for next year, the FBI asked for $38.3 million more on top of the $31 million already requested last year to "develop and acquire" tools to get encrypted data, or to unmask internet users who hide behind a cloak of encryption. This money influx is designed to avoid "going dark," a hypothetical future where the rise of encryption technologies makes it impossible for cops and feds to track criminal suspects, or to access and intercept the information or data they need to solve crimes and investigations.
The new budget to counter the rise of encryption (if approved) would rise to a total of $69.3 million, a significant increase from the $31 million to combat "going dark" that the agency requested last year.
For surveillance and law enforcement experts, this comes as no surprise, especially given the FBI's emphasis on this problem since September of 2014, when Apple announced that it wouldn't be able to unlock new iPhones, even if authorities came asking for it. These measures—despite the fact that there's little evidence that encryption is really an issue—have prompted Comey to publicly warn, on countless occasions, of the perils of preventing law enforcement agents from legally accessing secured information.
Thus, it's natural that the FBI would need more resources to get around or to break encryption. And hacking tools are the natural countermeasure.
"The days of reliable wiretaps are vanishing. [Hacking] is the next best thing for the FBI," Christopher Soghoian, the principal technologist at the American Civil Liberties Union, who has studied surveillance technology for years, told me in an encrypted chat.
But what the budget proposal doesn't say is how exactly the FBI plans to spend that money. An FBI spokesperson declined to answer any question related to the budget request.
The FBI has increasingly been relying on hacking tools, such as malware or spyware, for its investigations. Recently, Amy Hess, the head of the FBI's high-tech surveillance unit, admitted that the Bureau uses hacking, and particularly zero-days, which are unknown software flaws or bugs that allow hackers to break into a target's computer.
So for some, it's natural to assume the new money is going to be spent on these tools.
"38.3 million dollars buys a hell of a lot of malware and zero-day exploits," Soghoian said.
Julian Sanchez, one of the authors of a recent report on going dark, which concluded that technology is actually helping law enforcement rather than hindering it, is skeptical that the FBI even needs all this money.
"$38.3 million is a hefty chunk of change to dole out for a 'problem' the FBI has so steadfastly refused to publicly quantify in any meaningful way," he told me. "First let's see some hard numbers about how often encryption is a serious obstacle to investigations and what the alternatives are; then maybe we'll be in a position to know how much it's reasonable to spend addressing the issue."
The FBI has used hacking in a few high-profile investigations, such as the one against Freedom Hosting, a provider of websites on the Dark Web, or the more recent one against a child pornography site also on Tor hidden services. In both cases, the targets were people using the anonymity software Tor, which uses encryption to hide a person's real location and IP address. In the past, users had to manually install updates to the Tor browser. But now that the Tor browser automatically updates, it will be harder for law enforcement to hack targets relying on old flaws. This means the FBI will need more zero-days to unmask Tor users in the future, Soghoian said.
There's already a flourishing market of spyware and zero-days, with countless companies selling turnkey spying and crypto-breaking software. Foreign companies such as Hacking Team, and even US-based ones like Harris and James Bimen Associates, have been selling such products for years. And there are now even boutique firms, such as Zerodium, buying and developing only zero-days, which sometimes go for $1 million.
So, as David Gomez, a retired FBI agent who's currently a senior fellow at George Washington University's Center for Cyber and Homeland Security, told me, "if you want state-of-art equipment, you gotta have the money to pay for it."
Correction: An earlier version of this article stated that the FBI was requesting a total of $38.3 million, but the Bureau is actually requesting $38.3 million on top of the $31 million requested last year for a total of $69.3 million. This story has also been updated to include comments from Julian Sanchez and the FBI.