Smartphone Encryption and the FBI Demystified
- 1. Smartphone Encryption and the FBI, Demystified With the release of the iOS 8 mobile operating system (OS), Apple imposed strong – almost prohibitive – boundaries on law enforcement and intelligence agencies’ capacity to collect information from smartphones. Previous versions of the OS gave Apple unencrypted access to certain files on users’ mobile devices, including photos, call history and notes; iOS 8, however, encrypts all data on the device under the user’s passcode by default.i (Android’s latest OS, Lollipop, followed suit, although similar protection has been optional since 2011).ii FBI director James Comey says the shift goes “too far,”iii and will thwart government efforts to pursue criminal cases in which probable cause is established. American Civil Liberties Union (ACLU) technologist Christopher Soghoian aptly contrasted Apple’s previous data extraction policy, “Come back with a warrant,” with its new policy, “Get lost.”iv An iPhone with a six-digit password would take 5 ½ years to crack by brute force;v without the device, the encrypted data would take longer than the age of the universe to unscramble. A historic precedent is at stake. Under the Communications Assistance for Law Enforcement Act, telecommunications companies are required to comply with government wiretap orders.vi The law, passed in 1994, has not been expanded to include similar requirements for email or mobile device companies like Apple or Google (the producer of Android), and the post-Snowden political climate all but guarantees that such an effort would meet substantial opposition. Why don’t smartphone companies create a “backdoor” to access users’ data and provide it to intelligence or law enforcement agencies, in the same way telecommunications companies do? The answer is that they can, but criminals and
- 2. foreign spy agencies could also exploit such a backdoor.vii In Operation Aurora, the Chinese government hacked into Gmail’s servers by exploiting the access system Google had designed to comply with U.S. government requests for user data.viii So far, there is little evidence that encryption poses a major threat to government investigations: in 2013, encryption precluded the U.S. government from reading suspects’ text messages nine times out of 3,576 authorized interceptionsix (approximately the same percentage as in 2012).x Given Apple and Google’s move towards stronger encryption, however, that number will likely increase in 2014 and 2015. On June 25, 2014 in Riley v. California, the Supreme Court ruled unanimously that the police need a warrant before searching a suspect’s cell phone. The decision describes cell phones as so pervasive in daily life “that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.”xi Chief Justice John Roberts’s opinion accounts for the possibility that phones could be remotely encrypted or wiped, and grants an exception to the warrant requirement in circumstances where the remote encryption or wiping threat is imminent.xii These stronger smartphone encryption protocols turn Roberts’s decision on its head: given how pervasive cell phones are in daily life, what happens now, that their strong encryption is the default? What are the policy and legal implications if it takes over five years to act on a warrant for a suspect’s iPhone? Most importantly, these developments raise new questions about privacy as a principle in modern society. Generally speaking, in the U.S., public servants and private citizens agree we have a right to privacy unless and until that privacy endangers the well being of others. If someone is a malicious criminal or a terrorist, we acknowledge law
- 3. enforcement’s need to search his home and vehicle, and to subpoena individuals in his social network to testify against him. The exceptions to this government power have been few and far between: safes rigged to explode if tampered with or criminal suspects fleeing the country. Today, however, virtually anyone can opt into stronger, more absolute privacy by simply purchasing a new smartphone and setting a strong password. This capability has been available before – serious cryptography has existed for over a centuryxiii – but it has never been so dispersed, entrenched and normalized before. The shift to stronger smartphone encryption protocols underscores the necessity for serious political dialogue about privacy and its limits in cyberspace. It is time to stop treating privacy like a “pendulum,”xiv from 9/11 and the Patriot Act to warrantless wiretap disclosures and the Snowden leaks. Our legislators must address citizens’ right to privacy and the government’s capacity to act on warrants not in reaction to a terrorist attack or a document dump, but as competing concerns in and of themselves. Addressing these issues in a non-reactionary fashion will limit law enforcement and intelligence agency overreach and enable our government to better represent the level-headed values of the American people as a whole. i Sanger, David, and Brian Chen. "Signaling Post-Snowden Era, New IPhone Locks Out N.S.A." The New York Times. September 26, 2014. Accessed November 28, 2014. ii Timberg, Craig. "Newest Androids Will Join IPhones in Offering Default Encryption, Blocking Police." Washington Post. September 18, 2014. Accessed November 28, 2014. iii Pelley, Scott. "FBI Director on Privacy, Electronic Surveillance." CBSNews. October 12, 2014. Accessed November 28, 2014. iv Soghoian, Christopher, Twitter post, September 17, 2014, 6:36 p.m., https://twitter.com/csoghoian v "IOS Security Guide Sept 2014." September 1, 2014. Accessed November 29, 2014. https://www.documentcloud.org/documents/1302613-ios-security-guide-sept-2014.html. vi "Communications Assistance for Law Enforcement Act." Federal Communications Commission. November 24, 2014. Accessed November 28, 2014.
- 4. vii Green, Matthew. "The Real Reason Apple Won’t Unlock Your IPhone for the Police." Slate Magazine. Accessed November 28, 2014. viii Schneier, Bruce. "U.S. Enables Chinese Hacking of Google." CNN. January 23, 2010. Accessed November 28, 2014. ix "Wiretap Report 2013." United States Courts. Accessed November 29, 2014. x Greenberg, Andy. "Rising Use of Encryption Foiled the Cops a Record 9 Times in 2013 | WIRED." Wired.com. June 30, 14. Accessed November 29, 2014. xi U.S. Supreme Court. 2014. Riley v. California, syllabus, 573 U.S. 9. xii U.S. Supreme Court. 2014. Riley v. California, syllabus, 573 U.S. 15. xiii "One-time-pad." Cipher Machines and Cryptology. January 1, 2004. Accessed November 29, 2014. xiv Sanger, David, and Matt Apuzzo. "James Comey, F.B.I. Director, Hints at Action as Cellphone Data Is Locked." The New York Times. October 16, 2014. Accessed November 29, 2014.