Cy Vance Is So Sure Encryption Is Pure Evil He Thinks Over-The-Air Software Updates Are Just Encryption Backdoors Apple Won't Tell Him About
from the of-all-the-things-even,-this-one-i-can't-the-most dept
Manhattan DA Cyrus Vance is back on his anti-encryption bullshit. A Fast Company profile of his “$10 million cyber lab” for decrypting phones contains some really choice quotes from the DA — quotes that show he’s about as on top of all things “cyber” as former NYC mayor/alleged tweet hackee Rudy Giuliani.
The thrust of the piece is that breaking encryption is time-consuming and expensive. Hey, no one’s arguing otherwise. But the arguments made by Vance and other law enforcement officials in the article are disingenuous and… well… stupid.
Breaking encryption doesn’t scale. Sorry about that, LEOs. That’s a fact you’re all going to have to come to terms with. But it’s not impossible and there are more than a few companies offering to do the dirty work for cyber-strapped agencies that don’t have $10 million on hand to bootstrap their own brute forcing.
We’re also living in the golden age of surveillance, despite the arguments of a few candle bearers primarily interested in wandering around in the dark cursing. Almost everyone carries a tracking device with them wherever they go. Voluntarily. Reams of data are generated every day, a lot of which doesn’t even require a warrant to access. Cops are solving crimes using consumer DNA services, Apple wearables, and always-on smart devices that eavesdrop on conversations law enforcement normally wouldn’t have access to.
But let’s start with some numbers. I’m beginning to think the Manhattan DA’s office is no better at counting locked devices than the FBI is. As you may recall, the FBI spent a few years claiming it was sitting on an exponentially-increasing amount of encrypted devices… right up until it was forced to admit its counting software couldn’t count and it had severely overstated the amount of devices in its possession.
The same thing appears to be happening at the DA’s office. An increase like this is inexplicable. Here’s how many devices Cy Vance was complaining about in 2016:
Manhattan District Attorney Cyrus R. Vance Jr. said at a news conference that investigators cannot access 175 Apple devices sitting in his cybercrime lab because of encryption embedded in the company’s latest operating systems.
And here’s what Fast Company is saying in 2020:
On the day I visited the cyber lab, there were nearly 3,000 phones, most related to active criminal investigations, that Moran had not yet been able to access.
Even given Android’s dominance in the market, this seems like an incredibly dramatic increase over the past four years. And it seems even less likely given the fact that multiple vendors are capable of cracking older iPhones and Androids, if not the latest models (for now). Rolling your own decryption doesn’t seem like the most efficient use of resources, especially when time is of the essence, as Vance claims.
“If we seize a phone that is iOS 10 but can’t open the phone, maybe never, but, say, not for another two years, well, that’s not the timeframe in which cases move, particularly cases when they’re in court.”
Plea bargains are the norm, not trials. Even if we discount that depressing fact, pre-trial detention in New York City for felony charges is ~80 days. That’s people being locked up before they’ve even had their day in court (not counting arraignment). Even if Vance wasn’t pretending the city isn’t willing to lock people up indefinitely while his office pokes away at their phones, the fact remains his office could look to outside help to shorten the process. But it doesn’t. And the article (and Vance himself) never explains why.
Let’s move on to Vance and his incredible quotes. Behold the man so clearly convinced that device encryption is solely a middle finger extended to law enforcement, he actually seems to believe over-the-air software updates are proof Apple is lying about its ability to access the contents of encrypted phones.
Vance is skeptical that Apple doesn’t have a secret backdoor. “They get into my phone all the time because they upgrade my operating systems and they send me messages,” he says.
Just a friendly reminder, New Yorkers: this is an elected position. You don’t need to be represented by someone who sounds like an Infowars commenter.
Vance also appears unable to recognize why encryption matters. He claims phone makers used to be super-helpful. Companies like Apple would take a seized phone and return a jump drive full of data and communications a few days later. But that changed after the Snowden leaks revealed widespread, mostly-unchecked domestic and foreign surveillance. Apple and Google didn’t immediately respond, but when they did, they made use of their devices safer for everyone. The “everyone” Venn diagram includes a certain number of criminals. But the important thing was doing all they could to protect customers from thieves (something government officials routinely complained about) and malicious hackers.
It wasn’t about screwing US law enforcement. It was a reaction to the sheer power of governments (not just the United States government) to compromise devices and intercept data and communications.
Vance continues to take this personally. And in doing so, he’s developed a lot of blind spots. Here’s Vance stating he doesn’t think US tech companies should be able to decide what’s best for their customers.
In the end, Vance just wants prosecutors to have all the tools available to do their jobs. “You entrust us with this responsibility to protect the public,” he says. “At the same time, they”—Apple and Google— “have taken away one of our best sources of information. Just because they say so. It’s not that some third party has decided, this is the right thing for Apple and Google to do. They just have done it.”
So… third parties — Google, Apple, etc. — have not decided this. Other third parties (I guess the government?) should make this call. I mean, we know that’s what Vance thinks. But this statement makes zero sense. If companies shouldn’t be allowed to protect their customers from threats, who should be doing this? The government? Because I think if the lawmakers in Washington crafted a law designed to protect cellphone users, they’d come to the same conclusion — encryption works — even if it made things a little more difficult for law enforcement.
Let’s not forget the government is operating on power granted to it by the governed, not the other way around. If there’s been a slight decrease in evidentiary uptake since the spread of default encryption, so be it. Very few Americans are willing to trade their device security for incremental law enforcement gains, no matter how many law enforcement officials believe citizens are too stupid to know what’s good for them.
Not all communications belong to law enforcement, warrant or not. Since the beginning of criminal time, people engaged in illegal behavior have taken steps to reduce their exposure. Front businesses. Cranking up radios/TVs so conversations won’t be picked up by bugs. Off-the-grid, face-to-face meetings. And so on. To pretend phones are taking criminals to the next level ignores everything about criminal activity. Smart criminals play it smart. Dumb criminals are still dumb. Compelled decryption is still an unsettled issue, which means cops can roll the dice on court-ordered coercion. Fingerprints, faces, and irises can still unlock phones without much resistance, especially if one of the suspects is dead.
To call Vance’s anti-encryption disingenuous would strip that word of most of its power. Vance has an encryption problem. Maybe. But he doesn’t have an evidence problem. And he’s not making the most of what’s available to him, possibly deliberately. I’m sure he’d prefer an encryption ban or court precedent that makes compelled decryption legal. He probably will see neither of these in his lifetime. But until he’s out of office, he’s going to continue making incoherent complaints. The least publications covering his so-called plight could do is greet him with the skepticism he deserves.