Manhattan DA Cy Vance Makes His Annual Pitch For Anti-Encryption Legislation
from the Make-America-Insecure-Again dept
If the end of the year is closing in, it means it’s time for Manhattan DA Cy Vance’s Annual Anti-Encryption Spectacular! Gather the kids around because the 2017 edition of Vance’s annual plea for an encryption ban has just been published [PDF]. Don’t worry, Vanceheads, the core essence of the DA’s anti-encryption publication remains unchanged: encryption is for letting bad guys get away with crimes.
Vance’s state-of-encryption report leads off with the same assertion the FBI and DOJ have been making lately: every locked device contains a wealth of criminal evidence.
Traditional investigative techniques – searches of targets’ homes, physical surveillance, wiretaps on telephones – often fall short when it comes to gathering enough evidence to solve and prosecute today’s criminal activity. Unfortunately, much of today’s evidence exists in a space that, prior to 2014, was largely unheard-of: warrant-proof smartphones that have been designed to keep law enforcement out.
Two false assertions and we’re barely getting started:
1. At best, the “much of today’s evidence” claim is an assumption. Locked devices can’t prove or disprove this theory, but the biggest courtroom battle over encryption ended with a third party cracking the San Bernardino shooter’s phone and the device yielding up a whole lot of nothing.
2. Smartphone encryption is not “designed to keep law enforcement out.” It’s designed to keep everyone who isn’t the phone’s owner out. Law enforcement just happens to be in the “everyone who isn’t the phone’s owner” group. Maybe if people like Cy Vance stopped taking this so personally he might have more fruitful discussions with tech companies.
From there, Vance goes on to lament encryption workarounds as being expensive and impossible to scale. These lamentations are buttressed with assertions of lawful access: the theory that the presence of a warrant should immediately result in the production of all evidence law enforcement believes exists.
Vance also claims there’s been an “explosion” in the number of uncrackable devices seized by law enforcement. But in reality, the uptick has been slight since the advent of default encryption in 2015.
This is to be expected. The numbers cited by Vance are ultimately meaningless without greater context. A pile of uncracked cell phones can be evidence of thousands of unsolved crimes, or simply a bunch of ultimately useless devices containing nothing of interest. The truth lies somewhere in the middle, but everyone (like Vance himself) who engages in the press conference drama of piling up locked phones and dropping insinuations that criminals are walking free is being at least a little bit disingenuous. (That New York City’s crime rate continues to drop despite more device encryption [and the shutdown of stop-and-frisk] belies the implication that locked phones mean more criminals getting away with more criminal activity.)
Vance discusses recent court decisions, noting how most courts have found passwords to have some Fifth Amendment concerns whereas fingerprints do not. In this context, the shift to fingerprint security options should work out better for law enforcement. But Vance still claims encryption can’t be litigated around. According to the DA, courts aren’t coming to a consensus on compelled production of passwords quickly enough and a couple of Constitutional amendments (Fourth/Fifth) are keeping law enforcement from operating as efficiently as it would like.
[M]any devices are now accessible not only via their passcodes but also with the user’s fingerprint. And Apple’s newest technology eliminates the fingerprint identification in favor of facial recognition technology. As documented in the 2016 Report, biometric data like a fingerprint (and, presumably, a user’s face) is generally not considered to be protected by the Fifth Amendment. At least one court has held that a user can be ordered to unlock his device via the fingerprint sensor, and in some instances, law enforcement, including this office, has sought and obtained search warrants that include provisions ordering occupants of the target premises to use their fingerprints to unlock any Touch ID-enabled devices. However, even if this became standard practice for law enforcement, its utility would be limited, as iPhones require the entry of the passcode after 48 hours of inactivity, or when the phone restarts. Apple’s newest technology also undermines law enforcement’s ability to use fingerprints to unlock a Touch ID-enabled device.
More importantly, there is reason to believe courts may view these blanket orders with skepticism. A federal magistrate judge in Illinois recently denied a search warrant provision ordering occupants of a premises to unlock devices with their fingerprints, finding the government had not established probable cause to detain every person on the scene for the purpose of obtaining their fingerprints. While there was no “protectable Fourth Amendment interest” in the fingerprints themselves, the detention of all occupants for the purpose of getting their fingerprints was deemed a violation.
This brings us to Vance’s ultimate goal: anti-encryption legislation.
Default device encryption remains a significant public safety concern – it hamstrings law enforcement agencies in their efforts to investigate, solve, and prosecute crime. Recent developments in encryption workarounds have provided some measure of relief, but pitting law enforcement and the technology sector in an endless cat-and-mouse game is ill-advised, costly, and untenable. It also offers no remedy to the huge majority of law enforcement agencies that cannot afford to pursue “lawful hacking” solutions.
It is true that, as some commentators point out, if smartphone providers were required by law to comply with decryption orders issued by state and federal courts, some more sophisticated criminals might migrate to foreign providers, or employ additional encryption technology not subject to such regulations. But the fact is that criminals, like all users, prefer software and devices that are reliable and user-friendly, and most of them will continue to use iPhones and Androids for that reason. Indeed, for this same reason, search warrants executed on United States-based email accounts often yield critical evidence, even though criminals could choose to use foreign email providers who are not subject to U.S. legal process.
What’s being willfully ignored in this summary? The fact that backdoored encryption would also be a boon for “sophisticated criminals.” Leaving this necessary factor out is deliberate and misrepresents what’s at stake. It also portrays those that would take their business to foreign firms as “serious criminals,” deliberately ignoring the fact that many law-abiding citizens would do the same if the federal government backdoored/banned encryption.
To support this call for anti-encryption legislation, Vance cites — of all things — problematic concessions Apple has made to the Chinese government.
[A]pple’s refusal in recent years to accede to court orders and legitimate requests from law enforcement stands in stark contrast to its conduct in China. There – to the dismay of privacy advocates and others – Apple has recently complied with the government’s directives that businesses locate their servers within mainland China, and has taken other steps that pose threats to customer privacy… Notably, the Chinese government imposed these new requirements through legislation, not by seeking court orders, and Apple’s CEO Tim Cook, in defending Apple’s decisions in China, stated simply, “we follow the law wherever we do business.” In other words, the only way to resolve the encryption dilemma in the United States will be through legislation too.
The argument Vance is making — although he’s probably unaware he’s making it — is that the US should be more like China and control phone manufacturers with heavy-handed legislation and onerous demands. I suppose it’s unsurprising someone working so close to the police would find a shift towards a more authoritarian government model a good idea, but it’s rarely expressed publicly.
I, for one, look forward to next year’s Cy Vance Pre-Christmas Anti-Encryption Extravaganza. Because every time the annual issue rolls out, it means one thing: no anti-encryption legislation has been passed.