One of the top prosecutors in the U.S. is ramping up his war on encryption in the press, but now with the backing of other law enforcement figures worldwide and international companies eager to arm governments in the escalating cybergame of Spy vs. Spy.
But official campaigns against encryption — the now-routine practice of scrambling data to make it unintelligible even to the Internet companies themselves, thus making moot legal subpoenas and court orders — are running up against charges of government overreach, concerns about corporate profits and the other side of the cybergame.
Cyrus R. Vance Jr., the Manhattan district attorney, is the lead writer of a guest op-ed column this week in The New York Times titled “When Phone Encryption Blocks Justice.” Mr. Vance has sounded off against encryption before, including in The Washington Post last September. But his latest plea has his name appear alongside those of leading law enforcement officials from the U.K., France and Spain.
“We support the privacy rights of individuals,” the coalition wrote. “But in the absence of cooperation from Apple and Google, regulators and lawmakers in our nations must now find an appropriate balance between the marginal benefits of full-disk encryption and the need for local law enforcement to solve and prosecute crimes. The safety of our communities depends on it.”
The authors warn that encryption, when implemented properly, really does keep digital data safe from prying eyes. It’s no surprise, then, that privacy proponents are among the loudest to tout decisions from Cupertino to Mountain View last year to make encryption the default for major features on the iPhone and Android operating systems.
But companies such as Google are crying “Big Brother” at the arguments advanced in the Vance op-ed, describing them as the latest example of state spooks trying to learn private information about ordinary citizens.
“Plain and simple, this attack on encryption is government overreach. Let’s remind our governments that the stuff we keep online is as valuable to us as what we keep offline — and it deserves the same level of protection,” the company said in a statement posted on its website.
Security breaches like the ones suffered by entities ranging from the Office of Personnel Management to Target discount stores have reminded Americans of the risks in having their personal data compromised; leaked NSA documents exposing the scope of state-sponsored surveillance have caused all sorts of people to adopt new practices when operating online as well.
Those individuals, law enforcement noted, are sometimes criminal. Chinese cyberspies, anti-government hacktivists, child predators and the Islamic State are relying on cryptography to communicate, according to authorities, and must be brought to a halt.
In April, Mr. Vance said in a radio interview that Apple’s “unilateral decision” to enable encryption by default would allow “homegrown violent extremists and terrorists to communicate with each other” in secret.
John J. Escalante, the chief of detectives for Chicago’s police department, told reporters in September that default encryption inevitably means that “Apple will become the phone of choice for the pedophile,” adding that “the average pedophile at this point is probably thinking, ‘I’ve got to get an Apple phone.’”
Nearly a year later, the authors of this week’s op-ed — Mr. Vance, Paris chief prosecutor Francois Molins, London Police commissioner Adrian Leppard and Javier Zaragoza, the chief prosecutor of the High Court of Spain — again proclaimed “encryption significantly limits” their capacity to investigate, and that pursuing rapes, cybercrime and other heinous activity, sans smartphone data, is the same as acting “with one hand tied behind our backs.”
In other words, University of Toronto’s Chris Parsons wrote on Twitter, “you either support backdoors, or you support the murderers and child abuser.”
Mandates that tech companies provide backdoors — secondary access points that can be secretly exploited in the event of criminal investigations — are what local police departments and national security officials want.
“I think that each company will have to evaluate the corporate risks associated with implementing any backdoors,” Mr. Parsons, a postdoctoral fellow who studies privacy and security at Citizen Lab, a division of the university’s Munk School of Global Affairs, told The Washington Times this week.
“While satisfying U.S. and U.K. government authorities might (temporarily) relieve pressure, the companies would suffer tremendous international criticism and suspicion were they to undermine the security of their products,” he continued, adding that a likely plummet in profits, if nothing else, “will buttress corporate principles and force companies (on their shareholders’ behalfs) to maintain their current security stances.”
The Second Crypto War, as venerable technologists have started to call it, has intensified in the past year, two decades after encryption first came under heavy government scrutiny in the 1990s.
The claims made in this week’s op-ed were laid out by Mr. Vance before the Senate Committee on the Judiciary a month ago.
James B. Comey, the director of the FBI, told reporters in September, as Apple and Google said they would make encryption the default setting on their devices, that these features were “worrisome” and would keep investigators from solving crimes like missing children cases.
He also decried the lionization of such hackers as WikiLeaks and Edward Snowden, saying that law enforcement was being cast too frequently as the bad guy.
“I get that the post-Snowden world has started an understandable pendulum swing,” Mr. Comey said then. “What I’m worried about is, this is an indication to us as a country and as a people that, boy, maybe that pendulum swung too far.”
Law enforcement has an ally in this fight — a kind of arms race between encryption and counterencryption — in private companies that make the code-breaking tools.
“Law enforcement has sounded the alarm regarding universal encryption, including encryption of mobile devices,” said a representative for Hacking Team, a Milan-based security firm that sells spying technology to clients the world over.
“This has been a concern for some time,” the company said in a statement to The Times this week, a concern that it claims has piqued interest in its products “from law enforcement around the world.”
Hacking Team’s solution, the company said, is to be able to see data before the authorized user has a chance to encrypt or decrypt its contents.
This is the only mechanism currently available for defeating the encryption used by Apple, Google and others, according to the firm, so it’s no wonder that the Manhattan district attorney’s office, overseen by Mr. Vance, had spoken with Hacking Team in the past, according to internal emails leaked last month.
The concern that law enforcement has over encryption has been growing, Hacking Team acknowledged. At the same time, however, the company said that “criminal attacks” against the surveillance sector, specifically Mr. Snowden’s leaks and the pillaging endured by Hacking Team itself last month, indicate law enforcement faces an uphill fight.
Even if big tech companies could find a way to give law enforcement access to encrypted data, Hacking Team said, other technologies and systems are constantly being developed to create alternate ways of staying hidden.
“We could also expect private systems to appear that would offer encryption for phones and essentially replace the systems in today’s mobile phone operating systems,” they said. Silent Circle, a Maryland-based manufacturer of such hardened mobile devices, said in October that they had sold “hundreds of thousands” of devices during their first four months.
Neither Google nor Apple has publicly responded yet to this week’s op-ed, but Mr. Parsons in Toronto says that it’s so far been promising to hear that law enforcement can’t crack a type of encryption that now comes standard.
“To a certain degree, it is reassuring that consumer-level encryption is sufficiently robust that even state authorities find it challenging to break. People and businesses entrust highly sensitive information and capabilities to their devices, and so this affirmation confirms that criminals who steal devices will have similar difficulties in using these against their owners,” he told The Times.
But it’s also reassuring, he added, “because the adoption of these strong standards is a result of companies acknowledging that law enforcement and other state agencies are overreaching in their access to customer data,” including federal and local security and law enforcement groups.
“Legal protections have simply not kept up with the people’s privacy expectations, and the adoption of these strong standards is an encouraging sign that companies are responding accordingly,” he said. “The reality is that, while this may close off one avenue of investigation to state agencies, these agencies now have access to more information with fewer legal restrictions than at any time in recent history.”