Apple Can't Decrypt Data for Law Enforcement; Is It Enough?
Back in 2013, CNET learned that Apple had the ability to break the encryption on locked iPhones if it so desired. This led to a long waiting list of decryption requests by police eager to get at the juicy probative evidence inside (or failing that, a bunch of photos of the suspect's brunch).
Apparently fed up with this, Apple announced yesterday that a new encryption method employed iOS 8 means that it can't decrypt a locked iPhone running iOS 8 even it wanted to -- or was ordered to. Google quickly followed suit, saying the next version of Android will come with encryption turned on by default and the encryption "keys are not stored off of the device, so they cannot be shared with law enforcement," reported The Washington Post.
Forced Insecurity
This presents problems for quote-unquote national security. If you were a Congress deeply scared of terrorists, desperate for an exclusion that allows you to peer into whatever you want to peer into, would you let Apple get away with this? Of course not!
In the face of Apple's strategy -- "you can't order us to decrypt phones because we've encrypted them so well even we can't decrypt them" -- and CALEA, it's not hard to imagine a dystopian future in which Congress passes legislation requiring phone providers to intentionally implement encryption weak enough that the provider can decrypt a phone through a court order.
It's more likely than you think. For years, the Communications Assistance to Law Enforcement Act (CALEA) has required Internet Services Providers to build law enforcement-friendly backdoors into Voice over Internet Protocol (VoIP) routers. The FCC has broadly interpreted CALEA to apply to regular broadband Internet services as well. And the FBI is backing amendments that would explicitly apply CALEA to any online communications.
Gimme That Password
But imagine the PR nightmare that extending CALEA to cell phones would engender: "Government mandates backdoors into cell phones." No, that would be a last resort. Law enforcement's next tactic instead will be to require suspects to hand over their passwords.
Courts are split on whether a phone password -- or any password -- is subject to the Fifth Amendment privilege. Last year, a federal district judge in Wisconsin held that the Fifth Amendment didn't stop the court from ordering a suspect to decrypt his own hard drives. In 2012, a federal judge in Colorado ordered a suspect to do the same, but because the suspect entered a plea agreement, the Tenth Circuit never heard the issue.
So far, only a single district court judge in Michigan has upheld a Fifth Amendment defense to password disclosure.
Apple's commitment to privacy is laudable and will hopefully give law enforcement some pause. But more likely, they will just make the suspect hand over his passwords.
Related Resources:
- Compelling Access to Encrypted Information, Part II (Federal Evidence Review)
- Exclusive: Secret Contract Tied NSA and Security Industry Pioneer (Reuters)
- To Counter NSA Snooping, Yahoo, Others Encrypting User Data (FindLaw's Technologist)
- Tinkering With Tor: Anonymous Web Has Promise, Perils, Privacy (FindLaw's Technologist)