Rob Sloan, head of cyber content and data at Dow Jones, looks at the FBI vs Apple case and whether privacy will be the victor.
In the recent legal case between Apple and the Federal Bureau of Investigation, the FBI wanted to force Apple to provide a security bypass to allow access to a dead gunman’s iPhone. Encrypted devices have been a bugbear of law enforcement agencies for some time and FBI Director James Comey has been vocal about the damage being done to investigations stating: “I don’t know why we would want to put people beyond the law.”
The courtroom battle and war of words have not been productive for either side, resulting only in more deeply entrenched positions. In the longer term however there is a fundamental question regarding how best to balance the requirements of law enforcement agencies with the privacy concerns of citizens and software producers.
Avenues of Investigation
Over 90% of iOS devices are encrypted by default compared to only around 5% of Android devices due to the fragmentation of operating system versions and low take up of the latest version, Marshmallow. Device encryption does not however close off all investigative routes. Far from it.
All telecoms operators in the EU must retain metadata relating to calls and texts for up to two years, while data retention in the U.S. is voluntary. Call audio can be intercepted, as can internet traffic, and mobile phone geolocation data shows a location log. Cloud providers, including Google and Apple, share data where required by law and this can include files and photos, email communications and contact lists. It does not however help investigators trying to understand the data on third-party apps (including other encrypted messaging solutions) or files stored only on the device. Backdoors shortcut investigative legwork and represent the convenience of getting maximum investigative gain with minimum effort.
Keys to the Kingdom
Where access to a device containing crucial evidence cannot be secured, there is the option to charge the suspect under the UK Regulation of Investigatory Powers Act that contains a provision for prosecuting individuals who fail to surrender passwords when required to do so. The penalty is up to five years in prison. The Fifth Amendment in the U.S protects individuals from self-incrimination and there is currently no key disclosure law, giving law enforcement fewer options.
Speaking in March this year, GCHQ Director Robert Hannigan showed a more practical stance, "I am not in favor of banning encryption just to avoid doubt. Nor am I asking for mandatory backdoors." Such challenges have been navigated many times before by intelligence services, not least when hard drives began to be encrypted. Mandatory backdoors threaten user confidence and software vendors cannot be relied upon to facilitate spying on their customers. A different approach to investigations is required.
Vulnerabilities in software are still prevalent enough that agencies can develop (or procure) attacks to provide access to data. There is of course a question of leaving a vulnerability unpatched, but with regular version changes the window of exploitation is generally short and the vulnerability can be disclosed to the vendor at any time. Especially when physical access to the device is required, it is unlikely to threaten the security of millions. Finding and fixing bugs is a constant battle between attackers and defenders and provides investigators an opportunity for access. There is also a broader question around terrorist modus operandi. By running deception operations it could be possible to mis-direct terrorists and criminals to use techniques or software that are not as secure as they appear to be, thereby removing the need to implant backdoors in software that is never used by the bad guys.
Unexpected Consequences
Software vendors should expect to see a rise in disclosure and interception requests as investigators seek to collect data earlier in investigations rather than risk losing access to it later. It may also result in more creative ways to get access to phones ahead of arrests, such as the recent case of British police using an undercover operation to secure an unlocked iPhone 5S.
Decisions concerning privacy and government capabilities are too often made as knee-jerk reactions to extreme events. Government spying programs were reined back post-Snowden following widespread anger, while the general public was happy to surrender a degree of privacy for security following the Paris and Brussels terror attacks.
The issue comes down to one of necessity and proportionality. Impacting the privacy of millions of innocent users where the investigative gain is limited is clearly disproportionate and unnecessary, but when lives are potentially at stake that balance can change, perhaps even must change, albeit for a limited time. We must be prepared, in certain circumstances, to forego some individual liberties for the sake of protecting our fellow citizens. This is not a case of letting the terrorists win; it is a case of doing what we have to do to make sure they don’t.