The United States Senate Committee on Armed Services held a hearing about
the coming darkness cellphone encryption Friday morning. There was almost no attempt made to address both sides of the issue, most likely because Senator John McCain -- who headed up the "discussion" -- has already made up his mind on how this problem should be handled.
Testimony -- all from government officials -- was presented, with Manhattan DA Cyrus Vance leading off. Vance's tune hasn't changed. Encryption is still (apparently) an insurmountable problem and the only "answer" runs directly through Congress. Vance spent most of his speaking time [PDF] criticizing Apple and suggesting its decision to provide encryption by default on its phones was done purely to spite him and the government.
Given Apple’s own statements about the security of iOS 7, shortly after Apple’s reengineering of its phones to prevent search warrant access by law enforcement, I asked it in a letter dated March 2015, whether there was a bona fide security reason to make its new operating system, iOS 8, warrant-proof. Apple chose not to answer me, but in March of this year, the House Judiciary Committee compelled Apple to answer the same question. That Committee asked Apple the following question, in writing, “Was the technology you possessed to decrypt these phones”—and the clear reference is iOS7 phones and their predecessors—“ever compromised?” Apple’s written response was: “The process Apple used to extract data from locked iPhones running iOS 7 or earlier operating systems was not, to our knowledge, compromised.” (Emphasis added.)
Apple’s answer to this crucial question shows what we have long suspected: That Apple’s method of data extraction under iOS 7 posed no documented security problems. That being so, then there should be no unreasonable security risk going forward if we return to the procedure where court-ordered warrants can be honored by extracting responsive data off of smartphones.
In Vance's view, encryption protocols should not be altered until they've been compromised -- a view that aligns nicely with his presumption that the government should always have access to phone contents but runs counter to good security practices. Vance wants Apple to go back to holding the encryption keys and be on hand to unlock the door whenever the government asks.
Vance is still pushing his "encryption is a godsend to criminals" narrative -- based on little more than same single recorded prison phone call he referenced months ago. Vance may have a pile of cellphones law enforcement can't break into, but that hardly suggests a majority of criminals are gravitating towards encrypted services. The rise in the number of encrypted communications methods will benefit some criminals, but even high-profile terrorist attacks have been coordinated and planned using methods still open to interception and investigation.
The solution is legislation, according to the DA. Vance provides a list of prior legislation crafted to aid law enforcement as support for his theory the government should be allowed access to phone contents. However, his list covers only records collected and stored by third parties -- not the content and communications he's seeking access to.
Federal regulation is already important in the communications industry. When telephone companies went from using copper wires to using fiber optics and digital signals, the police could no longer use their old techniques of executing wiretap orders, and so Congress passed the Communications Assistance for Law Enforcement Act (CALEA), mandating that telecom providers build into their systems mechanisms for law enforcement to install court-ordered wiretaps. CALEA has worked. It has saved lives, and it has withstood Constitutional challenge. It has not stifled innovation, as its opponents feared…
Here are a few other examples: DEA regulations require all U.S. pharmacies to maintain paper and electronic prescriptions bearing the name of the patient and prescriber, drugs dispensed, and dates filled. FTC regulations require any business that checks a customer’s identification to maintain and provide victims and law enforcement with transaction records relating to identity theft. State regulations require private schools to maintain student data records, including records of attendance and suspected child abuse. I could go on.
The point is that companies in nearly every industry are required by law to maintain voluminous customer records and produce criminal evidence when they receive a court order. When your introduction of goods and services into the stream of commerce overlaps with public safety, this is the price of doing business in the United States.
In other words: the government should have access to iPhone contents because it has access to other stuff. It's a clumsy comparison at best. At worst, it's a blueprint for unprecedented government intrusion. Vance may be trying to demonstrate that the government has historically had access to a wealth of information thanks to regulators and the Third Party Doctrine and should continue to be granted access, but this inept analogy is worse than apples-to-oranges. Connecting Vance's dots suggests he views personal data and communications as just another set of records "collected" by cellphone providers. He may not openly suggest these are nothing more than "third party" records, but he obviously believes private corporations "owe" this sort of access to the government.
Vance says he doesn't want a legislated encryption backdoor, but his solution is basically a legislated encryption backdoor.
My Office’s proposed solution is to enact a federal statute providing that data on any smartphone made or sold in the United States must be accessible—not by law enforcement, but by the maker of the smartphone’s operating system—when the company is served with a valid search warrant. And if a person or entity such as Apple offers encryption software, it has to have the ability to provide data in response to a judicial order.
The backdoor may be located at the company's headquarters, but it's a backdoor all the same.
His testimony also suggests more legislation might be needed to further subvert encryption. Like James Comey, Vance suggests harder nerding will make the impossible possible.
This solution is limited to data at rest on smartphones. It would not affect encryption of data in motion. I cannot at this time offer a technical fix to address data in motion. I am confident, however, that engineers from industry and government, working together in good faith, can find one.
"Good faith." That's hilarous. The only time law enforcement is interested in a "good faith" discussion is when it's trying to salvage an illegal search.
Vance -- like Comey -- believes all concessions must come from the private sector. That's how he defines "working together." He's also concerned a 12-month study from a Congressional committee won't address the issue fast enough.
Twelve months of taking testimony resulting in non-binding recommendations in a report will not adequately address the urgency of the problem that local law enforcement faces. Time is not a luxury that local law enforcement, crime victims, or communities can afford.
With a nod to civil liberties:
Our laws require speedy trials. Victims require justice. And criminals must be held accountable before they can reoffend.
I would think that if you don't have the evidence -- if it's on phones that can't be broken into -- you just don't have the evidence. I sincerely hope people aren't being locked up until Congress creates the backdoor Vance is looking for. Of course, we know that is happening, but hopefully not on the scale Vance suggests with his list of police-resistant devices still being held by law enforcement agencies (who assume they contain evidence of criminal activity).
The end result of the encryption study can't be determined at this point. But given the nature of this committee -- and its decision to only present one side of the issue -- it appears its greatest purpose may be nothing more than buying time until backdoor/ban legislation is reintroduced.
Vance's side hasn't budged an inch. While deference is continually paid to the "smart people" at tech companies, it's only done so under the assumption that they're just holding out on the government. The solution Vance, et al want is supposedly possible, even if it isn't. Any arguments to the contrary are continually treated as deliberate antagonism, rather than basic facts. Backdoored encryption -- no matter who holds the keys -- is a security problem. And it's not going to go away, no matter how many times the same arguments are repeated.