The document discusses how Apple and Android have implemented stronger default encryption on smartphones that limits law enforcement access to user data even with a warrant. This shift has concerned the FBI director but protects users from potential exploitation of any backdoor access. While encryption has prevented access to a small percentage of authorized intercepts so far, this number will likely rise as more users opt into the stronger protections. The development raises questions about balancing privacy rights with government access that require serious political discussion.
Smartphone Encryption and the FBI, Demystified
With the release of the iOS 8 mobile operating system (OS), Apple imposed
strong – almost prohibitive – boundaries on law enforcement and intelligence agencies’
capacity to collect information from smartphones. Previous versions of the OS gave
Apple unencrypted access to certain files on users’ mobile devices, including photos, call
history and notes; iOS 8, however, encrypts all data on the device under the user’s
passcode by default.[i] (Android’s latest OS, Lollipop, followed suit, although similar
protection has been optional since 2011).[ii] FBI director James Comey says the shift goes
“too far,”[iii] and will thwart government efforts to pursue criminal cases in which probable
cause is established. American Civil Liberties Union (ACLU) technologist Christopher
Soghoian aptly contrasted Apple’s previous data extraction policy, “Come back with a
warrant,” with its new policy, “Get lost.”[iv] An iPhone with a six-digit password would
take 5 ½ years to crack by brute force;[v] without the device, the encrypted data would take
longer than the age of the universe to unscramble.
A historic precedent is at stake. Under the Communications Assistance for Law
Enforcement Act, telecommunications companies are required to comply with
government wiretap orders.[vi] The law, passed in 1994, has not been expanded to include
similar requirements for email or mobile device companies like Apple or Google (the
producer of Android), and the post-Snowden political climate all but guarantees that such
an effort would meet substantial opposition.
Why don’t smartphone companies create a “backdoor” to access users’ data and
provide it to intelligence or law enforcement agencies, in the same way
telecommunications companies do? The answer is that they can, but criminals and
foreign spy agencies could also exploit such a backdoor.[vii] In Operation Aurora, the
Chinese government hacked into Gmail’s servers by exploiting the access system Google
had designed to comply with U.S. government requests for user data.[viii]
So far, there is little evidence that encryption poses a major threat to government
investigations: in 2013, encryption precluded the U.S. government from reading suspects’
text messages nine times out of 3,576 authorized interceptions[ix] (approximately the same
percentage as in 2012).[x] Given Apple and Google’s move towards stronger encryption,
however, that number will likely increase in 2014 and 2015.
On June 25, 2014 in Riley v. California, the Supreme Court ruled unanimously
that the police need a warrant before searching a suspect’s cell phone. The decision
describes cell phones as so pervasive in daily life “that the proverbial visitor from Mars
might conclude they were an important feature of human anatomy.”[xi] Chief Justice John
Roberts’s opinion accounts for the possibility that phones could be remotely encrypted or
wiped, and grants an exception to the warrant requirement in circumstances where the
remote encryption or wiping threat is imminent.[xii] These stronger smartphone encryption
protocols turn Roberts’s decision on its head: given how pervasive cell phones are in
daily life, what happens now that strong encryption is the default? What are the
policy and legal implications if it takes over five years to act on a warrant for a suspect’s
iPhone?
Most importantly, these developments raise new questions about privacy as a
principle in modern society. Generally speaking, in the U.S., public servants and private
citizens agree we have a right to privacy unless and until that privacy endangers the
well-being of others. If someone is a malicious criminal or a terrorist, we acknowledge law
enforcement’s need to search his home and vehicle, and to subpoena individuals in his
social network to testify against him. The exceptions to this government power have been
few and far between: safes rigged to explode if tampered with or criminal suspects
fleeing the country. Today, however, virtually anyone can opt into stronger, more
absolute privacy by simply purchasing a new smartphone and setting a strong password.
This capability has been available before – serious cryptography has existed for over a
century[xiii] – but it has never been so dispersed, entrenched and normalized.
The shift to stronger smartphone encryption protocols underscores the necessity
for serious political dialogue about privacy and its limits in cyberspace. It is time to stop
treating privacy like a “pendulum,”[xiv] from 9/11 and the Patriot Act to warrantless
wiretap disclosures and the Snowden leaks. Our legislators must address citizens’ right to
privacy and the government’s capacity to act on warrants not in reaction to a terrorist
attack or a document dump, but as competing concerns in and of themselves. Addressing
these issues in a non-reactionary fashion will limit law enforcement and intelligence
agency overreach and enable our government to better represent the level-headed values
of the American people as a whole.
[i] Sanger, David, and Brian Chen. "Signaling Post-Snowden Era, New IPhone Locks Out N.S.A." The New York Times. September 26, 2014. Accessed November 28, 2014.
[ii] Timberg, Craig. "Newest Androids Will Join IPhones in Offering Default Encryption, Blocking Police." Washington Post. September 18, 2014. Accessed November 28, 2014.
[iii] Pelley, Scott. "FBI Director on Privacy, Electronic Surveillance." CBSNews. October 12, 2014. Accessed November 28, 2014.
[iv] Soghoian, Christopher, Twitter post, September 17, 2014, 6:36 p.m., https://twitter.com/csoghoian
[v] "IOS Security Guide Sept 2014." September 1, 2014. Accessed November 29, 2014. https://www.documentcloud.org/documents/1302613-ios-security-guide-sept-2014.html.
[vi] "Communications Assistance for Law Enforcement Act." Federal Communications Commission. November 24, 2014. Accessed November 28, 2014.
[vii] Green, Matthew. "The Real Reason Apple Won’t Unlock Your IPhone for the Police." Slate Magazine. Accessed November 28, 2014.
[viii] Schneier, Bruce. "U.S. Enables Chinese Hacking of Google." CNN. January 23, 2010. Accessed November 28, 2014.
[ix] "Wiretap Report 2013." United States Courts. Accessed November 29, 2014.
[x] Greenberg, Andy. "Rising Use of Encryption Foiled the Cops a Record 9 Times in 2013 | WIRED." Wired.com. June 30, 2014. Accessed November 29, 2014.
[xi] U.S. Supreme Court. 2014. Riley v. California, syllabus, 573 U.S. 9.
[xii] U.S. Supreme Court. 2014. Riley v. California, syllabus, 573 U.S. 15.
[xiii] "One-time-pad." Cipher Machines and Cryptology. January 1, 2004. Accessed November 29, 2014.
[xiv] Sanger, David, and Matt Apuzzo. "James Comey, F.B.I. Director, Hints at Action as Cellphone Data Is Locked." The New York Times. October 16, 2014. Accessed November 29, 2014.