In the wake of the horrific shooting at a Texas church in November, law enforcement officials are attempting to obtain access to the contents of the suspect’s cell phone, according to published reports. The FBI Agent in Charge of the San Antonio Field Office responsible for the investigation noted, “With the advance of the technology and the phones and the encryptions, law enforcement — whether that’s at the state, local or federal level — is increasingly not able to get into these phones.” The agent declined to state the make and model of the suspect’s cell phone for fear of telling others what kind of phone to buy if they want to avoid police detection.
This comes on the heels of the San Bernardino shooting, which resulted in both a face-off and litigation between the Department of Justice and Apple over access to the deceased suspects’ cell phone, and whether the courts had the authority to force the technology company to unlock the phone. In both cases, law enforcement wanted access to the cell phones to attempt to determine the motives of the attackers and whether others were involved in the attacks. In addition, there may be cases in which access to the phone is necessary to thwart imminent future attacks.
The Washington Post has reported that Apple offered its assistance in helping the FBI unlock the church shooter’s phone, and that the tech company reportedly offered suggestions about how and when to defeat the fingerprint sensors using the shooter’s actual fingers, noting that the sensors time out after a particular period of time. The Post reported that the FBI rebuffed these approaches.
Increasingly, cell phones are being designed to thwart exactly this kind of access – both by hackers and bad guys, and by law enforcement agents, prosecutors, and others who may have a warrant or other court order permitting or compelling access to the records. For example, those worried that some cop may force them to unlock their iPhone X with facial recognition can simply click the side button 5 times in rapid succession, thereby turning off the “unlock with face” feature – at least temporarily. In cases like Texas and San Bernardino, the facial unlock feature would have no effect on the ability of law enforcement to force an unlock, as in both cases the suspect was dead (and in neither case was an iPhone X used – but this is a hypothetical), and the iPhone X facial recognition unlock won’t work if the owner is dead. At least that’s what Apple says, and one can wonder how they tested that.
The cell phone unlock problem represents a small portion of what the government calls the “going dark” problem overall. While technology increasingly allows police to track what people are doing, who they are with, where they are, and what they are looking at, as well as their pulse rate, their viewing habits, etc., the same technology is, as the police describe it, “warrant proof.” A well-locked cell phone requires the use of either a password or biometric, which in turn requires some degree of cooperation (compelled or not) of the device owner. If the device owner is dead, uncooperative, or unavailable, then the warrant is meaningless. Absent secret methods to decrypt the contents of a locked phone, computer, or file, the warrant authorizes a search and seizure—not the ability to understand or unlock what was seized.
As a result, there WILL be crimes that will be unsolved, unprosecuted and un-prevented. And some of these crimes will be quite serious indeed.
On the other hand, having every device encrypted by default, with strong and relatively unbreakable encryption, which includes multifactor authentication and biometric activation, prevents many, many more crimes than access to the devices would prevent. It helps prevent ID fraud and theft, theft of Intellectual Property, and a whole host of cyber and non-cyber offenses. As a society, we are much safer and much more secure with everything locked (thus frustrating law enforcement and intelligence agencies) than everything unlocked (and making everything subject to hacking).
So why not use a super-special kind of security that keeps everything secure, BUT allows the cops (with a court order) to unlock it? Sure, and why not have everyone just get along and sing kumbaya? The thing is, no such “good guy” “bad guy” encryption exists—nor is it likely to ever exist.
But all is not lost.
That’s because the inability of the government to access a suspect’s cell phone is not as detrimental to an investigation as you might suppose. Virtually everything ON a cell phone had to get there somehow, and almost all of it got there over the Internet. Emails, text messages, postings to social media, tweets, SMS and MMS, downloaded files, music, streaming files, pictures, etc., most likely were transmitted in the clear to the target over the cellular provider’s network. And often the cellular provider will have retained some or all of this information on its own network, subject to compulsory process. In addition, files stored on the cell phone are likely (though not always) to have been stored or backed up, either on some cloud server or on some computer elsewhere, usually protected with only a guessable password. I say “guessable” because the automatic lock on multiple bad guesses can be turned off by the cloud provider – at least allowing for the potential of a brute force attack.
It’s not convenient or easy for law enforcement, but remember, it wasn’t easy or convenient for law enforcement in the days before people walked around with a device in their pocket that recorded every newspaper they read, every step they took, every person they chatted with, and every location they had been at. In the old days, I couldn’t defeat a warrant to seize my wallet, but my wallet had very little information (and even less money) in it. Ahhh… the good old days.
So, what about the ticking time bomb case? A person is arrested (or worse, killed) with a device that would reveal the location of a ticking time bomb. If you can unlock the device, you can disarm the bomb. In that case, there’s not a lot you can do. The same is true if the suspect used privacy-enhancing communications like Signal or KoolSpan. Any “end to end” encryption technology means that only the parties to the communications hold the keys to those communications. So, the solution is for the government to invest more in decryption technology.
Fundamentally, we have to ask whether, as a society, we are better off with people using strong, well-designed, and well-implemented technologies to protect their privacy and the privacy of others (even when that privacy is to do evil things), or whether we want to expose all of our secrets to the government, foreign governments, hackers, attackers, and others. There’s no real middle ground here. It’s either pretty secure or it’s not.