“While terrorism cases like San Bernardino have generated the lion’s share of the media coverage, the impact of default device encryption has been felt most profoundly on the local level, in the investigation of domestic crimes occurring every day across the U.S.,” Vance said in a speech at the Financial Crimes and Cybersecurity Symposium.
The district attorney’s office has released an update to its 2015 report on Smartphone Encryption and Public Safety and it highlights the “little progress” made in addressing default encryption.
In 2014, Apple said it would encrypt its devices by default meaning they would be secure enough that even the company would not be able to extract any data. Google quickly followed suit, and the move has been lauded by many security and privacy advocates. Law enforcement, on the other hand, has vigorously come out against it.
“To fight crime effectively in the 21st century, we have to make smartphones answerable to search warrants — just as they were until 2014,” Vance said. “Complying with judges’ warrants for smartphones never involved a government backdoor. It never meant that the government held a key to anybody’s phone. It never enabled access to real-time communications, and it never meant collecting bulk data on anyone. But perhaps most relevant for purposes of today’s symposium, warrant-proof encryption does nothing to protect us from the rising tide of cybercrime.”
Local police departments across the country have been struggling to find a way to unlock devices held in evidence lockers, but the conversation erupted on the national stage after two terrorists killed 14 people in San Bernardino, California, in 2015. One of the shooters, Syed Farook, left behind a locked iPhone. While Apple initially assisted the FBI, the company rejected a court order demanding the creation of a tool, or backdoor, to decrypt iPhone devices.
Vance wants the process to go back to the way things were pre-iOS 8. The report says the data extraction process used in previous iOS versions was not compromised and there was “no lack of security” in iOS 7. The report also concludes that Apple hasn’t “demonstrated that default device encryption materially enhances users’ security.”
The solution, Vance believes, is federal regulation — he points to the controversial bill introduced by Senators Richard Burr and Dianne Feinstein that has failed to gain any traction in Congress. The report says the bill would “address the problem,” but seeing as it may not make much headway, the district attorney’s office has proposed its own bill that would force companies like Google and Apple to make their operating systems “capable of being accessed … in an unencrypted form.”
“The majority of these agencies do not have the resources to train, let alone hire, staff members to ‘lawfully hack’ these devices; thus, any expectation that agencies could build their own in-house cyber labs is unrealistic,” according to the report.
You can read the full report here,and the transcript of Vance’s speech here.
