Manhattan DA Cy Vance Makes His Annual Pitch For Anti-Encryption Legislation

from the Make-America-Insecure-Again dept

If the end of the year is closing in, it means it's time for Manhattan DA Cy Vance's Annual Anti-Encryption Spectacular! Gather the kids around because the 2017 edition of Vance's annual plea for an encryption ban has just been published [PDF]. Don't worry, Vanceheads, the core essence of the DA's anti-encryption publication remains unchanged: encryption is for letting bad guys get away with crimes.

Vance's state-of-encryption report leads off with the same assertion the FBI and DOJ have been making lately: every locked device contains a wealth of criminal evidence.

Traditional investigative techniques – searches of targets’ homes, physical surveillance, wiretaps on telephones – often fall short when it comes to gathering enough evidence to solve and prosecute today’s criminal activity. Unfortunately, much of today’s evidence exists in a space that, prior to 2014, was largely unheard-of: warrant-proof smartphones that have been designed to keep law enforcement out.

Two false assertions and we're barely getting started:

1. At best, the "much of today's evidence" is an assumption. Locked devices can't prove or disprove this theory, but the biggest courtroom battle over encryption ended with a third party cracking the San Bernardino shooter's phone and the device yielding up a whole lot of nothing.

2. Smartphone encryption is not "designed to keep law enforcement out." It's designed to keep everyone who isn't the phone's owner out. Law enforcement just happens to be in the "everyone who isn't the phone's owner" group. Maybe if people like Cy Vance stopped taking this so personally he might have more fruitful discussions with tech companies.

From there, Vance goes on to lament encryption workarounds as being expensive and impossible to scale. These lamentations are buttressed with assertions of lawful access: the theory that the presence of a warrant should immediately result in the production of all evidence law enforcement believes exists.

Vance also claims there's been an "explosion" in the number of uncrackable devices seized by law enforcement. But in reality, the uptick has been slight since the advent of default encryption in 2015.

This is to be expected. The numbers cited by Vance are ultimately meaningless without greater context. A pile of uncracked cell phones can be evidence of thousands of unsolved crimes, or simply a bunch of ultimately useless devices containing nothing of interest. The truth lies somewhere in the middle, but everyone (like Vance himself) who engages in the press conference drama of piling up locked phones and dropping insinuations that criminals are walking free is being at least a little bit disingenuous. (That New York City's crime rate continues to drop despite more device encryption [and the shutdown of stop-and-frisk] belies the implication that locked phones mean more criminals getting away with more criminal activity.)

Vance discusses recent court decisions, noting how most courts have found passwords to have some Fifth Amendment concerns whereas fingerprints do not. In this context, the shift to fingerprint security options should work out better for law enforcement. But Vance still claims encryption can't be litigated around. According to the DA, courts aren't coming to a consensus on compelled production of passwords quickly enough and a couple of Constitutional amendments (Fourth/Fifth) are keeping law enforcement from operating as efficiently as it would like.

[M]any devices are now accessible not only via their passcodes but also with the user’s fingerprint. And Apple’s newest technology eliminates the fingerprint identification in favor of facial recognition technology. As documented in the 2016 Report, biometric data like a fingerprint (and, presumably, a user’s face) is generally not considered to be protected by the Fifth Amendment. At least one court has held that a user can be ordered to unlock his device via the fingerprint sensor, and in some instances, law enforcement, including this office, has sought and obtained search warrants that include provisions ordering occupants of the target premises to use their fingerprints to unlock any Touch ID-enabled devices. However, even if this became standard practice for law enforcement, its utility would be limited, as iPhones require the entry of the passcode after 48 hours of inactivity, or when the phone restarts. Apple’s newest technology also undermines law enforcement’s ability to use fingerprints to unlock a Touch ID-enabled device.

More importantly, there is reason to believe courts may view these blanket orders with skepticism. A federal magistrate judge in Illinois recently denied a search warrant provision ordering occupants of a premises to unlock devices with their fingerprints, finding the government had not established probable cause to detain every person on the scene for the purpose of obtaining their fingerprints. While there was no “protectable Fourth Amendment interest” in the fingerprints themselves, the detention of all occupants for the purpose of getting their fingerprints was deemed a violation.

This brings us to Vance's ultimate goal: anti-encryption legislation.

Default device encryption remains a significant public safety concern – it hamstrings law enforcement agencies in their efforts to investigate, solve, and prosecute crime. Recent developments in encryption workarounds have provided some measure of relief, but pitting law enforcement and the technology sector in an endless cat-and-mouse game is ill-advised, costly, and untenable. It also offers no remedy to the huge majority of law enforcement agencies that cannot afford to pursue “lawful hacking” solutions.

It is true that, as some commentators point out, if smartphone providers were required by law to comply with decryption orders issued by state and federal courts, some more sophisticated criminals might migrate to foreign providers, or employ additional encryption technology not subject to such regulations. But the fact is that criminals, like all users, prefer software and devices that are reliable and user-friendly, and most of them will continue to use iPhones and Androids for that reason. Indeed, for this same reason, search warrants executed on United States-based email accounts often yield critical evidence, even though criminals could choose to use foreign email providers who are not subject to U.S. legal process.

What's being willfully ignored in this summary? The fact that backdoored encryption would also be a boon for "sophisticated criminals." Leaving this necessary factor out is deliberate and misrepresents what's at stake. It also portrays those that would take their business to foreign firms as "serious criminals," deliberately ignoring the fact that many law-abiding citizens would do the same if the federal government backdoored/banned encryption.

To support this call for anti-encryption legislation, Vance cites -- of all things -- problematic concessions Apple has made to the Chinese government.

[A]pple’s refusal in recent years to accede to court orders and legitimate requests from law enforcement stands in stark contrast to its conduct in China. There – to the dismay of privacy advocates and others – Apple has recently complied with the government’s directives that businesses locate their servers within mainland China, and has taken other steps that pose threats to customer privacy… Notably, the Chinese government imposed these new requirements through legislation, not by seeking court orders, and Apple’s CEO Tim Cook, in defending Apple’s decisions in China, stated simply, “we follow the law wherever we do business.” In other words, the only way to resolve the encryption dilemma in the United States will be through legislation too.

The argument Vance is making -- although he's probably unaware he's making it -- is that the US should be more like China and control phone manufacturers with heavy-handed legislation and onerous demands. I suppose it's unsurprising someone working so close to the police would find a shift towards to a more authoritarian government model a good idea, but it's rarely expressed publicly.

I, for one, look forward to next year's Cy Vance Pre-Christmas Anti-Encryption Extravaganza. Because every time the annual issue rolls out, it means one thing: no anti-encryption legislation has been passed.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Ninja (profile), 18 Dec 2017 @ 10:10am

    "every locked device contains a wealth of criminal evidence"

    When you treat the citizenry asking questions as 'terrorists' this makes total sense. But that's not the point.

    If he thinks encryption is so bad, why doesn't he give it up and make his bank transactions in the open? And if you believe only the good guys should have the keys for some 'responsible encryption' then how do you explain multiple data breaches due to improper setup, security flaws or plain old human error won't happen with that magic key as well? (for added lulz point to the many times the Govt itself screwed up)

    I will risk a prediction: he will react just like Trump: https://www.independent.co.uk/news/world/americas/donald-trump-wiretap-claims-walks-out-cbs-intervie w-john-dickerson-a7711856.html

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Dec 2017 @ 10:57am

    "Tradition"

    Traditional investigative techniques – searches of targets’ homes, physical surveillance, wiretaps on telephones – often fall short when it comes to gathering enough evidence to solve and prosecute today’s criminal activity.

    What evidence that used to be stored around the home has moved into phones? Most of the cases I've heard about involve evidence that would not have existed 20 years ago. Back then, you'd make your death threats in person or over the phone, and there'd be no records.

    Photographs are the only thing that comes to mind that used to be analog and are now digital. But there were a lot fewer analog ones. It must have been rare for a cop to search a suspect's home and get so lucky as to find one proving their guilt (without finding alternate evidence).

    reply to this | link to this | view in chronology ]

  • identicon
    tin-foil-hat, 18 Dec 2017 @ 10:58am

    Everyone's a criminal

    There are so many laws in the US that everyone is a criminal just waiting to be arrested. There's just too much at stake giving access to anyone other than the device owner. Constitutional rights are also the law of the land. Government entities have proven they just can't be trusted to resist the temptation to take a peek without proper legal authorization. The collective rights of the people should be always be a priority. Those include the right to defend themselves from victimization from criminals and the nefarious actions of rougue government entities that don't follow the rules. The latter who are also criminals BTW.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 Dec 2017 @ 11:09am

      Re: Everyone's a criminal

      Exactly. Imagine if every defense attorney now had access to the browsing habits of the detective, prosecutor, jurors and judge involved in the case. Eventually the amount of information available about everyone will be so absurd, situations like this will come up if we don't stop it now.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 18 Dec 2017 @ 11:15am

        Re: Re: Everyone's a criminal

        That's a good point, can discovery activities request the other parties cell phone data? How about the DA, or judge?

        reply to this | link to this | view in chronology ]

        • identicon
          tin-foil-hat, 18 Dec 2017 @ 1:06pm

          Re: Re: Re: Everyone's a criminal

          IANAL but I think a lawyer can attempt to subpoena anything they want as long as a judge allows it. The receiver or representative, and this includes any witnesses, can object including invoking their 5th amendment right against self-incrimination. in which case a prosecutor may offer immunity or some other incentive to get some or all of the information they are requesting.

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Dec 2017 @ 10:58am

    Is it ok if the NYPD uses compromised encryption?

    Since he seems fine with requiring Backdoors in everything, I'm sure he will be fine with the NYPD and the DA's office having the same done with their servers.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Dec 2017 @ 11:17am

    I guess this is an official declaration by a government official stating that, officially, you are guilty until proven innocent. Many have thought this was the case for some time now, but now it is official. Wow

    reply to this | link to this | view in chronology ]

  • icon
    Peter (profile), 18 Dec 2017 @ 11:26am

    facial recognition technology must be a gift sent from heaven

    no more passcode, no more fingerprint - just wave the phone in front of the suspects face, and christmas comes early. Closest thing to unconditional surrender that Apple could give Mr Vance.

    reply to this | link to this | view in chronology ]

    • icon
      Roger Strong (profile), 18 Dec 2017 @ 11:33am

      Re: facial recognition technology must be a gift sent from heaven

      Only if the user goes with face recognition. As with iPhones with fingerprint sensors, you use a password instead.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Dec 2017 @ 12:04pm

    Full reciprocity

    Full reciprocity to any and all authorities information and procedures pertaining to the same matter. But then I doubt Vance would agree to that fishing expedition by the accused. We don't want to level the playing field that much. While we are at it how about personal financial damages assessed against the accuser for false accusations. That should help reduce court calendar log jams.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Dec 2017 @ 12:40pm

    So if encryption could be broken for them....

    I am betting that they would surely catch all the unprepared and "unsophisticated" criminals(it really isn't that hard to use a foreign provider)while all the "smart" criminals would surely be to difficult to investigate and thus ignored.

    reply to this | link to this | view in chronology ]

  • icon
    Roger Strong (profile), 18 Dec 2017 @ 1:47pm

    Yo, Vance

    Backdoors in computers were already a well-documented security issue by the end of the 1960s. They were a common theme all through the '70s, '80s and '90s. They still show up regularly, from backdoors found in routers and smartphones and bundled software on PCs, to the NSA putting a backdoor in a common encryption standard.

    Digital Rights Management (DRM) systems almost by definition have backdoors, because you have to supply the end user - the attacker - with the keys. And so even DRM systems created by the best experts in the industry - like that built into Blu-Ray devices - are quickly cracked. And then EVERYONE has the keys to be backdoor. Including all the bad guys. The same happens if you put a backdoor in a phone's operating system.

    But suppose we lived in a fantasy world where a backdoor wouldn't be cracked open: Consider the "Stingray" cellular phone surveillance devices. Originally for anti-terrorism and anti-espionage. Now they're run by countless state and local police forces, and even jails. In many countries.

    Multiple federal agencies will demand the backdoor key. The NYPD and many other state and local police forces. Knowing that the backdoor exists, other countries will demand the keys too. From RCMP, CSIS, CSE and other agencies in Canada to Russia and middle-eastern dictatorships, er, "valued customers of American security companies." Do you trust ALL of them to not leak the keys?

    So:

    • There is no such thing as a backdoor for just the good guys. We've learned over and over since that dawn of the computer era that any backdoor will be discovered by the crooks and scammers.

    • By mandating a back door, you're announcing the existence of a back door. It's like mandating that doors to all homes MUST have a key under the doormat, and saying "but we won't tell the bad guys."

    • The "good guys" who have the backdoor key will consist of numerous agencies in America alone, plus more agencies in many other countries. Including some you don't trust.

    It ain't going to work.

    reply to this | link to this | view in chronology ]

  • identicon
    JLR, 18 Dec 2017 @ 3:18pm

    Two issues to back dooring encryption.

    1: Any company the complies with the "back door" requirements will demand full indemnity from the demanding authority - Federal, State, County, Municipality, etc.
    a: The encryption will be broken - by definition the hackers will spend tons of effort to break it.
    b: Once broken the original manufacturer will be required to re-engineer a new encryption with a new back door - expensive.
    Once re-created the software must be distributed to the entire user base - expensive.
    Then the clock starts again.
    This chaise the tail scenario will continues until the "entity" finally realizes that a "back door" is not worth the time, expense nor hassle.
    ---
    2: Encryption is not a secret, there are MANY ways to build an encryption software, and they ALL are designed from some mathematical algorithm.
    Most if not all are already in the hands of mathematicians in most if not all nations. What is to prevent some software maven from creating a encryption software application with out a back door - nothing. Once built and offered to the populous anyone can buy and use it. Proof - PGP! There is really no way to prevent this from happening.
    ---
    So much for Back Door!

    reply to this | link to this | view in chronology ]

  • identicon
    Pixelation, 18 Dec 2017 @ 11:52pm

    Well, now we know...

    Cy Vance wants to be backdoored.

    reply to this | link to this | view in chronology ]

  • icon
    Padpaw (profile), 19 Dec 2017 @ 1:34am

    This reminds me of the philadelphia city council wanting to ban bulletproof glass in shops.

    Getting rid of what protects people from harm will surely stop all confrontations from now on, said no one ever.

    reply to this | link to this | view in chronology ]

    • icon
      Seegras (profile), 19 Dec 2017 @ 4:42am

      Re:

      I consider the notion to prohibit passive protection equipment to be totalitarian and fascist. It doesn't matter whether this is encryption, bulletproof glass and garments, gas-masks, helmets or condoms.

      The damage that will be done by all events together, seen macro-economically, will always be much greater when people aren't allowed to protect themselves.

      reply to this | link to this | view in chronology ]

  • identicon
    Hermes, 19 Dec 2017 @ 4:17am

    unquote

    Towards the end, a paragraph is italicised as a quote when it should be normal body text.

    reply to this | link to this | view in chronology ]

  • identicon
    Yes, I know I'm commenting anonymously, 19 Dec 2017 @ 11:10am

    Learn from the copyfights

    Because every time the annual issue rolls out, it means one thing: no anti-encryption legislation has been passed.

    Not really. We learned from the copyright maximalists that new laws are never enough. Even when the new laws are directly written by the guys demanding more laws, they will soon cry out again.

    The same goes for more law-enforcement powers. If you give them all they want, they will soon want more again. This call for governmental access to any and all communications goes the same way. It will never be enough.

    When rumours fly of pitchforks being sharpened, the best course of action is to give in to the plebs and live another day. Not everybody with a bit of power is that smart, though...

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.