Wednesday, November 8, 2017

FBI tries to crack another smartphone: 5 essential reads

File 20171108 14209 1ki7y0d.jpg?ixlib=rb 1.1
Who should be allowed inside? PopTika/Shutterstock.com
Jeff Inglis, The Conversation

Editor’s note: The following is a roundup of archival stories.

Federal investigators following up on the mass shooting at a Texas church on Nov. 5 have seized the alleged shooter’s smartphone – reportedly an iPhone – but are reporting they are unable to unlock it, to decode its encryption and read any data or messages stored on it.

The situation adds fuel to an ongoing dispute over whether, when and how police should be allowed to defeat encryption systems on suspects’ technological devices. Here are highlights of The Conversation’s coverage of that debate.

#1. Police have never had unfettered access to everything

The FBI and the U.S. Department of Justice have in recent years – especially since the 2015 mass shooting in San Bernardino, California – been increasing calls for what they term “exceptional access,” a way around encryption that police could use to gather information on crimes both future and past. Technology and privacy scholar Susan Landau, at Tufts University, argues that limits and challenges to investigative power are strengths of democracy, not weaknesses:

“[L]aw enforcement has always had to deal with blocks to obtaining evidence; the exclusionary rule, for example, means that evidence collected in violation of a citizen’s constitutional protections is often inadmissible in court.”

Further, she notes that almost any person or organization, including community groups, could be a potential target for hackers – and therefore should use strong encryption in their communications and data storage:

“This broad threat to fundamental parts of American society poses a serious danger to national security as well as individual privacy. Increasingly, a number of former senior law enforcement and national security officials have come out strongly in support of end-to-end encryption and strong device protection (much like the kind Apple has been developing), which can protect against hacking and other data theft incidents.”

#2. FBI has other ways to get this information

The idea of weakening encryption for everyone just so police can have an easier time is increasingly recognized as unworkable, writes Ben Buchanan, a fellow at Harvard’s Belfer Center for Science and International Affairs. Instead,

“The future of law enforcement and intelligence gathering efforts involving digital information is an emerging field that I and others who are exploring it sometimes call "lawful hacking.” Rather than employing a skeleton key that grants immediate access to encrypted information, government agents will have to find other technical ways – often involving malicious code – and other legal frameworks.“

Indeed he observes, when the FBI failed to force Apple to unlock the San Bernardino shooter’s iPhone,

"the FBI found another way. The bureau hired an outside firm that was able to exploit a vulnerability in the iPhone’s software and gain access. It wasn’t the first time the bureau had done such a thing.”

#3. It’s not just about iPhones

When the San Bernardino suspect’s iPhone was targeted by investigators, Android researchers William Enck and Adwait Nadkarni at North Carolina State University tried to crack a smartphone themselves. They found that one key to encryption’s effectiveness is proper setup:

“Overall, devices running the most recent versions of iOS and Android are comparably protected against offline attacks, when configured correctly by both the phone manufacturer and the end user. Older versions may be more vulnerable; one system could be cracked in less than 10 seconds. Additionally, configuration and software flaws by phone manufacturers may also compromise security of both Android and iOS devices.”

#4. What they’re not looking for

What are investigators hoping to find, anyway? It’s nearly a given that they aren’t looking for emails the suspect may have sent or received. As Georgia State University constitutional scholar Clark Cunningham explains, the government already believes it is allowed to read all of a person’s email, without the email owner ever knowing:

“[The] law allows the government to use a warrant to get electronic communications from the company providing the service – rather than the true owner of the email account, the person who uses it.

"And the government then usually asks that the warrant be "sealed,” which means it won’t appear in public court records and will be hidden from you. Even worse, the law lets the government get what is called a “gag order,” a court ruling preventing the company from telling you it got a warrant for your email.“

#5. The political stakes are high

With this new case, federal officials risk weakening public support for giving investigators special access to circumvent or evade encryption. After the controversy over the San Bernardino shooter’s phone, public demand for privacy and encryption climbed, wrote Carnegie Mellon professor Rahul Telang:

"Repeated stories on data breaches and privacy invasion, particularly from former NSA contractor Edward Snowden, appears to have heightened users’ attention to security and privacy. Those two attributes have become important enough that companies are finding it profitable to advertise and promote them.

"Apple, in particular, has highlighted the security of its products recently and reportedly is doubling down and plans to make it even harder for anyone to crack an iPhone.”

The ConversationIt seems unlikely this debate will ever truly go away: Police will continue to want easy access to all information that might help them prevent or solve crimes, and regular people will continue to want to protect their private information and communications from prying eyes, whether that’s criminals, hackers or, indeed, the government itself.

Jeff Inglis, Science + Technology Editor, The Conversation

This article was originally published on The Conversation. Read the original article.