Will phone encryption trip up law enforcement?
While the newest Apple and Google smartphones will automatically encrypt data stored on them, that won’t keep U.S. law enforcement and intelligence agencies from obtaining evidence linked to the devices.
Marketing by the two companies in which they pledge to shield photos, documents, contact lists and other data from the prying eyes of government or hackers won plaudits from privacy advocates. It also drew condemnation from U.S. Attorney General Eric Holder, FBI Director James Comey and local police officials who say it will make it harder to investigate crimes ranging from child abuse to drug trafficking and terrorism.
Those assertions “are wildly exaggerated” because police can still obtain evidence through traditional court warrants while revelations about government spying show the National Security Agency can break or bypass encryption for terrorism investigations, said Jonathan Turley, a constitutional law professor at The George Washington University Law School.
“Citizens should not assume that these encryption devices will necessarily prevent government from intercepting communications,” Turley said. “If history is any guide, the government will find a way to penetrate these devices.”
The issue has renewed tension between law enforcement and intelligence agencies and technology companies trying to stand up for the privacy rights of their users. Apple, Google and other companies have been trying to restore their reputations after revelations by former NSA contractor Edward Snowden that they cooperated with government spying programs in the past.
The companies announced in recent weeks that their new phones will automatically scramble data so that a digital key kept by the owner is needed to unlock it, making it harder for detectives to examine the content of suspects’ phones without their knowledge or cooperation. Previously, such encryption was an option that required users to endure a time-consuming process to activate.
“This is going to have a very big impact on law enforcement,” said Stewart Baker, a former general counsel for the NSA and now a partner at the law firm Steptoe & Johnson in Washington. “There will be crimes that people get away with because this information is not available.”
However, many traditional investigative methods will still work, he said.
“Wiretaps would still work. You can also get call-details records,” he said. “That’s available from the phone companies and it’s not affected by this decision.”
Much of the data sent from or to the devices can still be captured and investigators can hack software to collect evidence. That means there will likely be little change in the way text messages, emails, phone calls, location coordinates and other data are mined for terrorist communications and other threats.
Data stored in so-called cloud services, including photos such as the ones stolen from Jennifer Lawrence and other celebrities, would still be vulnerable to hackers.
The encryption feature offers users some confidence and is a selling point for the companies.
“There’s a little bit of PR, there’s a little bit of competitive pressure, and there’s a little bit of honest effort to improve the security of the Internet as a whole,” said Jon Oberheide, co-founder and chief technology officer of Duo Security. The Ann Arbor, Michigan-based company provides computer security.
Companies can be forced to turn over information stored in cloud services, Baker said. And governments with powerful spying tools such as the United States and China can bypass encryption on mobile phones by hacking into suspects’ devices. Right now, a committee of U.S. judges is weighing a proposal that would give federal agents greater leeway to secretly access suspected criminals’ computers in bunches not simply one at a time.
While the improved security of their smartphones is a challenge for law enforcement, the moves can help protect the privacy rights of users who haven’t broken any laws, Turley said.
“Civil libertarians have long called for privacy speed bumps or barriers for the government,” he said.
The NSA is “concerned about the proliferation of any technology that might allow international terrorists or other foreign intelligence targets to evade lawfully authorized surveillance,” said agency spokeswoman Vanee Vines.
A Google spokeswoman, Niki Christoff, said “People previously used safes and combination locks to keep their information secure - now they use encryption.”
Apple spokesman Colin Johnson declined to comment on the impact of their encryption measures beyond pointing out a public statement by Apple CEO Tim Cook on the company’s website.
“We have never worked with any government agency from any country to create a backdoor in any of our products or services,” Cook wrote. “We have also never allowed access to our servers. And we never will.”
The scope and force of secret government requests for data was highlighted last month when newly released documents showed Yahoo might have had to pay millions of dollars a day in fines if it kept refusing to comply with U.S. requests for its users’ Internet data. Yahoo complied on May 12, 2008, giving in to the NSA’s Prism electronic surveillance program that had operated without public knowledge until Snowden exposed it. The company then went to court to win the right to release details of its fight against the order.
Apple, which has in the past cooperated with court orders and extracted data from phones for law enforcement or provided data from its systems, described its new measures in a statement on its website on Sept. 17.
“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,” the policy says.
Google, based in Mountain View, California, earlier in September said that it was making its encryption feature automatic after offering it as an option for more than three years. Google also said it cannot access users’ passcodes or decrypt encrypted devices.
The more aggressive focus on security has also put a spotlight on the ability of technology companies themselves to access users’ data. One tool in particular, little-known outside of the security community, is known as a kill switch.
Built into mobile operating systems, kill switches give companies such as Apple and Google the ability to reach into users’ devices remotely to delete malicious software and access content stored on them. Designed as a security feature, it’s also a potential avenue for spying.
More in Industry
Korea Shipbuilding signs ￦87.5 billion deal to build LPG carrier
DMI to develop drone-based marine charting system
Graft regulations eased to allow for more expensive gifts
Hanwha is first Rolls-Royce supplier permitted to handle quality control
Live commerce, perfect for the pandemic, is all the rage