Is the New York legislature trying to ban iPhones? Not exactly, but state lawmakers have introduced a bill that would ban the sale of smartphones with data encryption technology that can keep both cops and criminal hackers from accessing personal data.
For months, law enforcement officials and the FBI have been railing against companies like Apple and Google for automatically scrambling personal data stored on mobile devices and some smartphone apps with encryption and hiding it behind locks that require personal passcodes, making the devices inaccessible to investigators.
Most recently, Manhattan District Attorney Cyrus Vance called on state and federal lawmakers to forbid smartphones and tablets that are “sealed off from law enforcement.” Lawmakers in the New York State Assembly apparently took up the call and introduced legislation in January that would impose harsh fines on sellers of smartphones that cannot be unlocked and decrypted by manufacturers or operating system providers.
Jamie Williams, a legal fellow on the civil liberties team at the Electronic Frontier Foundation, said the bill ignores the reality that it is technically impossible to give the government access to personal data without making consumers more vulnerable.
“If device manufactures were to build such vulnerabilities into phones, it would be a serious threat to privacy and security – leaving us all less safe as a result,” Williams said. “And a law mandating that a manufacturer retain the capability to decrypt or unlock a phone also could present significant First Amendment implications.”
The pro-privacy and internet freedom group Fight for the Future recently launched a petition against the bill. The group argues that requiring phone companies to put “secret backdoors” in smartphones “would mean we have no way of knowing if our private communications are actually private at all.”
Encryption Sparks Privacy Debate After Snowden Leaks
In 2014, about a year and half after the revelations provided by Edward Snowden shocked the country and the world, Apple announced that it would provide “full disk encryption” to automatically encrypt data on new mobile devices and operating systems. Google announced similar protections for its Android software soon after, and now password-protected data on these devices is scrambled and stored locally, so even the manufacturer cannot access it without a user passcode.
Since the Snowden leaks revealed that Verizon and AT&T had secretly handed over troves of customer data to the National Security Agency (NSA), Apple has been reluctant to provide the government with customer data and has even ignored police search warrants to unlock iPhones. Full data encryption gives the company some cover; by design, Apple cannot access data on an individual iPhone without the user’s personal passcode, at least in theory.
In providing encryption, the companies are not primarily targeting the threat of state intervention: Apple and privacy advocates agree that these measures also protect sensitive personal data like photos and account information from hackers and identity thieves, especially when phones are stolen.
“Whoever stole your phone has a copy of your digital life,” wrote Fight for the Future activist Holmes Wilson in a recent email blast. “They could empty your savings, ruin your credit, or steal workplace files and cost you your job. Just one risqué photo could become a life-altering nightmare … especially for teachers, young people or public figures. This happens, and it’s awful.”
Full disk encryption, Wilson said, is a solution to this problem, but law enforcement officials like Vance say it has also blocked access to criminal evidence.
Cops Against Encryption
In November, Vance issued a report detailing how newer smartphone operating systems like Apple’s iOS 8 prevent law enforcement officers from unlocking and searching smartphones, even if they have a search warrant. As it turns out, defendants in criminal cases are not jumping at the chance to give Vance and New York City detectives the passcodes to their phones.
Officials like Vance and FBI Director James Comey are demanding that full disk encryption be removed from devices so that detectives can execute search warrants by hacking into phones or asking manufacturers to unlock them. However, privacy advocates and computer scientists argue that forcing software designers to bend to the whims of law enforcement would mean creating intentional vulnerabilities in devices, opening new doors for criminal hackers and even malicious foreign nations.
Comey has lead the charge on the federal level, arguing in the media and before Congress that full disk encryption hampers efforts by the FBI to thwart violent criminals and even terrorists. Many smartphones erase their data if the wrong passcode is entered too many times, so his agents cannot beat the encryption with “brute force” attacks that basically involve entering random passcodes until the right one comes up, leaving them without an easy option for breaking into phones. Investigations, Comey said, are “going dark.”
A Harvard roundtable of technology and security experts, including members from the US intelligence community, has a simple message for Comey: Don’t panic. In a report released on February 1, the panel concluded that the “going dark” metaphor is a bit hyperbolic.
The panel concluded that technology is not making it harder for law enforcement officials to use surveillance and catch the “bad guys”; if anything, it’s making it easier. Tech companies rely on user data to generate revenue from advertisements and keep their products functional even when users forget their passwords; so heavy encryption is unlikely to spread to other communication products such as email that are of interest to law enforcement. Plus, the emerging “Internet of Things” has opened “uncharted paths to surveillance.”
“Appliances and products ranging from televisions and toasters to bed sheets, light bulbs, cameras, toothbrushes, door locks, cars, watches and other wearables are being packed with sensors and wireless connectivity,” the panel wrote in the report.
In short, Comey and Vance still have plenty of options for mass surveillance – even if they don’t have the passcode to your iPhone.