I recently wrote about the efforts by the U.S. Government to force Microsoft to deliver the contents of a customer’s e-mail located in Dublin, Ireland.
The Court in New York ruled that the computer giant had to deliver to the U.S. grand jury the contents of someone else’s e-mails (not Microsoft’s) in a foreign country, because these were in Microsoft’s “possession, custody and control.” In other words, because they could.
Not so much anymore. At least for Apple.
It has been reported that in its new iOS8, Apple has included a unique “feature” which, frankly should have been included in every e-mail service, storage facility and operating system since MS-DOS, but wasn’t because the U.S. government didn’t want it to be. Security.
Now we will see how the government (all governments, actually) really feels about security. You see, security is a double-edged sword. If files are really secure, they can’t easily be read or disclosed. That’s good when we want them protected. Not so good when the “good guys” want to read them. Sauce for the goose.
The new Apple mobile operating system encrypts the contents of files on the actual device (not yet for the iCloud or backups necessarily), and — here is the clincher — provides no key or back door to Apple.
Google also has announced it will be doing the same for Android.
In the past, the government would seize or compel the production of a device, and would go to Apple and have the company decrypt the device for the government — sometimes with a court order, sometimes without. Now this compelled decryption by the company is impossible. They simply don’t have
This is how it should be, not only for devices, but for files, communications and other electronically stored stuff. And it helps solve the “third party doctrine” — that is, where the owner of the data or information stores or transmits that data or information through a third party, or in a way or place that is accessible by a third party — like AT&T, Comcast, Microsoft, Google or Apple. The third party can then be compelled to produce and decrypt the record, not just be law enforcement or intelligence agencies, but by your average ambulance chaser or divorce lawyer.
I’m Still Standing
By bifurcating “ownership” and “possession” you create a host of legal problems. My attorney client privileged documents — the physical records — are in my office and on my PC. If the government wants to search them, they have to get a warrant, and tell me about it. They have to serve the warrant on ME, and leave an inventory of what they took with ME. I then have the opportunity to go to court and object to the search, assert privilege, or claim that the warrant or search was overbroad or otherwise unconstitutional. I know about the search.
The government can still get an order for a “remote search” — essentially installing spyware or back door programs onto my computer to seize the files without my knowing about it. In fact, the government has proposed changes to the Federal Rules of Criminal Procedure, which would allow them to get court orders for “remote” searches to allow them to conduct such remote searches on computers anywhere in the world from anywhere “where activities related to a crime may have occurred.”
So a Judge in Washington, D.C. can issue a warrant for an FBI agent to hack into my computer in Brisbane (or Bismarck, Baltimore of Bali) if ANY activity related to a crime MAY have occurred in Washington. Oh, and they can search and seize anywhere if they simply don’t know where the source of the crime is — because it has been “concealed through technological means.” Got that, TOR users?
But if I keep my files on a cloud server, the situation is even worse. The government simply goes to the cloud server and demands my records.
And it’s worse than that.
If the cloud server objects to the production of the records, because the warrant is overbroad or unconstitutional, the government will argue that the ISP or email provider lacks “standing” to challenge the search. In fact, that’s exactly what the DOJ argued before the super-secret FISA court when Yahoo! objected to being compelled to produce the records of ALL of its subscribers.
The DOJ has previously and successfully argued that individuals who suspect that they may have been the target of unlawful government surveillance cannot challenge that surveillance unless they can show for certain that they have been the subject of surveillance and have suffered an injury as a result.
What the law calls “standing” to challenge the government action. Of course, the individual can’t know that they have been subject to surveillance because (A) the government won’t tell them and classifies the surveillance for national security; and (2) the government orders the ISP or email provider not to tell them either.
So the target is out of luck. In those cases, the government has argued that the subject of the surveillance is not being asked to do anything — the ISP is. Therefore only the ISP has “standing” to challenge the search of their computers.
More recently, the government has sought to have its cake and eat it too. When, for example the United States Attorney’s Office on New York subpoenaed the Facebook records of several hundred subscribers, and ordered Facebook not to tell the subscribers about the subpoena, the Court ruled that Facebook lacked “standing” to challenge the warrant because they had no privacy interest in the subscribers files.
Similarly, the NSA argued that Yahoo! had no standing to challenge the compelled production of records of ALL of their subscribers because they had no privacy interest in their subscribers’ data.
So the subscriber can’t object because they don’t know (and therefore have no standing) and the ISP can’t object because they have no privacy interest. A win-win for the government.
Power to the People
Apple’s solution — if effective — is as simple as it is elegant. Encrypt data by default at rest, and give the owner of that data the key. And the only key. After all, it’s their data.
The Supreme Court has already ruled that people have a reasonable expectation of privacy in the contents of their cell phones — presumably including their new iPhone 6 with iOS 8 (do you hear that, Aimee?) The new iOS 8-encryption regime merely enforces that privacy expectation. It is the OWNER’s expectation of privacy, not that of the third party. The third party should have neither the obligation nor the ability to produce the records of its customers.
There will be cases — thousands in fact — in which this will cause problems for law enforcement and intelligence agencies. In fact, recently an old friend’s son died of an overdose, and the records relating to his dealer and others who could be prosecuted were on his password-protected iPhone.
While Apple could decrypt the phone, none of the law enforcement agencies contacted (about a dozen) were interested in spending the energy to get this done. Under Apple’s new encryption regime, it wouldn’t matter — they couldn’t decrypt even if they wanted to, or were ordered to.
This also points to the need for people to take responsibility for their data and passwords. You see, we want it both ways. We want strong security and encryption, but when we forget our password, we want it to be easy to reset.
And there’s a flaw in the Apple encryption scheme. The “authorized” user will be able to decrypt the contents with their password or passphrase. If I were the government, I wouldn’t compel Apple to decrypt the files, I would compel them to reset the password or passphrase.
If they can. If not, both the cops and the customer (or the customer’s family) are out of luck. Unless there’s a backup. In which case, we compel the decryption and production of the back up. And if we REALLY want to get the contents of these encrypted files, all we have to do is tell the Internet that there are naked pictures of (very attractive) celebrities on the files. And then wait.