The Manhattan district attorney's office in New York released an updated report denouncing smartphone encryption,...
but experts said the data was willfully misleading.
Cyrus Vance Jr., district attorney for New York County, released version 2.0 of the "Report on Smartphone Encryption and Public Safety." According to the report, the Manhattan DA's office has "423 Apple iPhones and iPads lawfully seized since October 2014 [that] remain inaccessible due to default device encryption." Vance said the number of inaccessible devices has been on the rise.
"While the Manhattan district attorney's office has been locked out of approximately 34% of all Apple devices lawfully recovered since October 2014, that number jumped to approximately 42% of those recovered in the past three months," the report said. "With over 96% of all smartphones worldwide operated by either Apple or Google, and as devices compatible with operating systems that predate default device encryption are becoming outdated, this trend is poised to continue."
Experts said there was important context information omitted from this portion of the report -- notably, how many total cases the Manhattan DA's office handled over that time period in order to understand the proportion of cases influenced by inaccessible mobile devices.
Rebecca Herold, CEO of Privacy Professor, said given the population and the amount of crime in the New York area, 423 inaccessible devices collected over two years "seems very low."
"Plus, for those 400 devices, how many were they able to get metadata, logs from associated cloud services and other data from that did help with their investigation?" Herold asked. "They should have provided those insights to support a balanced report."
Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said the report also didn't mention the number of people protected by smartphone encryption.
"It's safe to estimate that the number of people protected from threat actors by iOS security is, by far, greater than the 400 devices in question by the Manhattan DA," Arsene said. "Encryption technologies have caused more good than harm when it comes to protecting privacy."
Matthew Gardiner, cybersecurity strategist at Mimecast, based in Boston, said "Apple sells approximately 50 million iPhones every quarter and has sold approximately 1 billion since the beginning of time. Increasing the vulnerability of the vast majority of those users to open up 400 phones is not a reasonable tradeoff."
The report said "approximately 10% of the impenetrable devices pertain to homicide or attempted murder cases and 9% to sex crimes," and Arsene said these distinctions were important.
"While 400 devices might not seem like a large number, it all depends to whom those devices belong and whether or not those individuals were involved in activities endangering national security," Arsene told SearchSecurity. "However, it's entirely possible that incriminating evidence involving terrorist or criminal activities could probably be procured from other sources, rather than relying on a single phone as a single point conviction."
Surveillance and privacy
The report discussed the potential other sources for gathering investigative data, but argued against the idea that we live in a "golden age of surveillance."
"The other sources of information may be incomplete, or unavailable to law enforcement," the report read. "They generally do not give as complete a picture of criminal liability, or as complete access to evidence relevant to a criminal investigation or prosecution, as would a mobile device."
Additionally, the report said the end-to-end encryption being added to communication apps like Facebook Messenger and WhatsApp "show that far from it being a 'golden age' for law enforcement, today's criminals have means of communication that are more secure from law enforcement's scrutiny than criminals had ever dared hope."
Experts pointed out this argument ignored two major sources of data available to investigators faced with smartphone encryption: metadata and cloud backups. Apple has admitted to providing law enforcement with metadata and iCloud backup data when presented with a valid warrant.
Arsene said there was no way to know if there was iCloud data associated with the devices in question obtained by the Manhattan DA's office, but he stressed that metadata can be valuable.
"Metadata is at the core of modern day information collection technologies, as it removes any personally identifiable information about the individual from the picture and focuses on his behavior, without infringing on his right to privacy," Arsene said.
Herold said strong encryption was not only available in the U.S., and "if a terrorist or criminal is bent on keeping their communications with others strongly protected, they have many options available elsewhere throughout the world they can use." Additionally, Herold said the constant argument for weakened encryption or backdoors has ultimately limited law enforcement from getting metadata for investigations.
"Requiring U.S. technology companies to build backdoors into encryption will result in criminals and terrorists using encryption tools from other countries, [and] will only hurt U.S. businesses by driving all consumers to other countries for such technologies and will not lead to measurably any more capabilities for their investigation purposes," Herold said. "In fact, investigators will now have less data, because those non-U.S. technology companies will not cooperate with U.S. investigators on cases where they could have gotten a lot of metadata, logs and other useful data beyond the encrypted data from a U.S.-based tech company, such as Apple, or any other tech business they seem focused on ruling over."
The Manhattan DA's office declined to comment on this story.
Getting around smartphone encryption
According to the report, the Manhattan DA's office "advocates enactment of a federal law that would require smartphone manufacturers and software designers whose software is used in smartphones to retain the ability to extract the information on the smartphones, if and when the manufacturer or designer receives a search warrant for that information. The proposed legislation would restore the status quo before Apple's iOS 8, and [it] would be no different conceptually than legislation that requires products to be safe, buildings to be constructed with exits and egresses that satisfy specific requirements, and roads to have maximum speed limits."
The "status quo" refers to the time before iOS 8 when full device encryption was not the default for Apple products. The report asserted "the actual benefits of iOS 8's default device encryption [has] not been demonstrated by Apple," and "default device encryption does not meaningfully increase smartphone users' protection from unauthorized hackers."
Experts widely disagreed with this assessment, and Herold pointed out the report referenced a decision in the Netherlands that contradicted the argument of the Manhattan DA's office.
In the list of actions from other countries, the report pointed out "in January 2016, the Dutch government announced that it would not require technology companies to share encrypted communications with security agencies."
The link in the footnote quoted the Dutch Ministry of Security and Justice, saying that allowing law enforcers to access protected data would make digital systems vulnerable to "criminals, terrorists and foreign intelligence services." It added "this would have undesirable consequences for the security of information stored and communicated and the integrity of [information and communication technology] systems, which are increasingly of importance for the functioning of the society."
Herold said, "That point summarizes the heart of the issue well: We need strong encryption for the peaceful and privacy-respecting functioning of our modern, digital society."
The report reiterated the various security claims made by Apple regarding iOS 7 in 2012. Specifically, it said before iOS 8, Apple maintained the ability to aid law enforcement with investigations and said "Apple's method of data extraction before iOS 8 was never compromised."
Arsene said Apple's advancement of iOS security was "not necessarily aimed at hindering law enforcement efforts, but at offering users more privacy and security features with the purpose of adding value to Apple's products."
"Good-enough security has never been best practice, especially since the digitalization of services and infrastructures has brought forward new attack methods and threats. Security is all about constantly developing and placing more barriers between you and the attacker, increasing the cost of attack and making it difficult for someone to gain access to your data," Arsene said. "Cybercriminals are more creative than we'd like to think, and relying on outdated or deliberately vulnerable technologies to protect and secure our data is not just bad practice, but also shortsighted."
Ultimately, the report said there was "an urgent need for federal legislation that would compel software and hardware companies that design or build mobile devices or operating systems to make such devices amenable to appropriate searches," but said all current attempts, including the Burr-Feinstein bill were inadequate. Because of this, the Manhattan DA's office has proposed legislation that "would require those who design operating systems to do so in a way that would permit law enforcement agents with a search warrant to gain access to the mobile devices."
Herold said "it is misleading, at best, to vilify the use of strong encryption," and said the Manhattan DA's office is asking for a smartphone encryption backdoor, just without using the word backdoor.
"Law enforcement has got to stop propagating the false narrative of encryption being all bad. They must balance the effect of encryption to also point out the significantly larger amount of good this effective technology tool does than any harm that they always seem to focus upon," Herold said. "Overall, their report is not balanced and is skewed to promoting fear, uncertainty and doubt within the public in an effort to get their way, and to, in effect, get access to everyone in the U.S.'s digital selves. If people cannot be compelled to speak in person, then they should not be compelled to have their digital voices revealed, either."
Learn more about how encryption legislation could affect enterprises.
Find out why experts say lawmakers don't understand encryption backdoors.
Get info on whether the feds needed Apple's help to bypass smartphone encryption.