The FBI can get into your iPhone and they plan on helping local cops do the same.
“Going dark” is the code word government agencies use for encryption.
The words are meant to stir up emotions of fear and apprehension regarding the lines of code that hide our secrets within electronic devices, websites, and even software. It’s a distraction. While Americans debated whether they should even enjoy such a level of privacy, the FBI quietly bought an exploit to bypass the iPhone’s login security. The FBI plans to share this tool with local law enforcement.
Rep. John Conyers spoke during a recent Congressional hearing, saying “It is here in this committee room, where the house makes decisions on the tools and methods available to law enforcement.”
But that’s simply not true. The FBI doesn’t wait for authorization for all the tools it thinks it needs to hack in electronic devices. And it doesn’t hesitate to share them with state and local cops all over the U.S.
FBI director James Comey also testified during the hearing. He said, “It’s our job to investigate cases like San Bernardino and use tools that are lawful and appropriate. The second thing it is our job to tell the American people, that the tools you are counting on us to use to keep you safe are becoming less and less effective. It is not our job to tell the American people how to resolve that problem. We are owned by the American people, and we only use the tools given to us under the law.”
The primary guide for law enforcement is the Communications Assistance for Law Enforcement (CALEA). Under CALEA U.S. law enforcement, including the FBI, can use providers’ assistance to install wiretaps, set up a pen register, or conduct operations of trap and trace under the instruction of a court order. CALEA was updated to include digital solutions for things like packet switching and VoIP.
But the FBI goes far beyond the letter of the law, buying code to hack vulnerabilities in electronic devices from third parties. In practice, the code obtained by the FBI is similar to what malicious hackers and international spies use to access personal computers, smart phones, or enter secured corporate communications or data on a servers. The FBI holds all of these vulnerabilities under the cover of “that’s classified.” We don’t know how these tools are used, or if it they effect other types of security features within the software itself.
While the government encourages cooperation between state and private entities with sharing cybersecurity threats, the Vulnerabilities Equities Program allows law enforcement to classify and withhold the materials and methods used in an investigation. This means, the tool used to by-pass security features in the iPhone will not be disclosed to the public nor Apple. This vulnerability could affect all iPhones, a specific model, or even a specific software version. Since 2012, the FBI has spent $2 million dollars on tools to exploit vulnerabilities in software.
After the FBI obtained the code, it enthusiastically declared that it will help local law enforcement agencies with a tool that can potentially by-pass the security features on any iPhone. So this means, the iPhone vulnerability will remain classified – even when accessed by local cops.
Surprised?
The most overlooked part of the congressional hearing was when Cyrus Vance Jr. spoke about what the state and local law enforcement hopes to gather from hacked devices, especially the iPhone.
“Much of the discussion in the prior panel and the comments by the other speakers here has been about the federal government and cyber crime in the federal context, but its important for all of us to recognize that state and local law enforcement agencies handle 95% of the criminal cases each year around the country. So we have a very deep interest in the subject matter here today.
Apple and Google’s decision to engineer their devices, in essence, to be warrant proof, has had a real effect on the traditional balance of public safety versus privacy under our Fourth Amendment jurisprudence. And, I agree with the comments I think of every member of the house that we really need Congress to help solve this problem for us, and it is why it is so important that your undertaking of this effort.
But I think you are looking at this issue there are some basic facts from the state law perspective that are really very important to us in this debate but are not in dispute. And, number one, as Tim Cook said in his opening letter to his customers of Apple of February 16th of this year, smart phones led by iPhone, have become an essential part of our lives. Nothing could be more true. We are all using our cellphones for every aspect of our lives.
Number two is that smart phones are also essential to criminals. Our office investigates and prosecutes a huge variety of cases from homicides, to sex crimes, from international financial crime, and including terrorism cases. And, criminals in each of those cases use smart phones to share information, to plan and commit crimes. Whether it’s through text messages, or photographs, or videos.
Number three: Criminals know that the iOS8 operating system is warrant proof. Criminals understand that this new operating system provides them with a cloak of secrecy. And they are, ladies and gentleman, quite literally laughing at us. And, they are astounded that they have a means of communication totally secure from government reach. And, I don’t ask you to take my word for it. In one lawfully recorded phone conversation from Riker’s Island in New York, an inmate talking about the iOS8 default device encryption called it, and I’m quoting, “a gift from God”.
Number Four: The encryption Apple provided on its mobile devices prior to iOS8, that is before October 2014, was represented to be both secure for its customers and importantly was amenable to court authorized searches. We know this, because Apple told us this. Apple characterized it’s iOS7 operating system as the ultimate in privacy. It touted its proven encryption methods, and assured its users that iOS7 could be used with confidence in any personal and corporate environment.
During the time when iOS7 was the operating system, Apple also acknowledged, I think importantly, its responsibility to help, again in Apple’s own words, police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer’s disease, or hoping to prevent a suicide. And, end quote. So Apple’s experience, I believe, with iOS7 demonstrated that strong encryption and compliance with court orders are not mutually exclusive.
Default device encryption has had a profound impact on my office and others like it. And, in November of 2015, my office published a white paper on public safety and encryption. At that time, there were a hundred and eleven iPhones in which we were locked out having obtained search warrants for those devices. Not two and a half month later, we submitted our written testimony for this committee the number 175. Today it is 205. Which represents more than one out of four of the approximate 700 devices that have been analyzed by our office’s own cyber lab since the introduction of iOS8. And, of course that problem isn’t just in Manhattan, prosecutors in Houston have been locked out of more than one hundred iPhones last year. Forty-six in Connecticut, 36 in Chicago since January. And, those are just a few of the thousands of phones taken into evidence each year around the country.
So centuries of jurisprudence that we’ve talked about today, have held that no item, a home, a file cabinet, a safe, or even a smart phone is beyond the reach of a court ordered search warrant. But, the warrant-proof encryption today gives two very large companies, we believe, functional control over the path to justice for victims of crimes, including who can be prosecuted, and importantly who may be exonerated.
So our point, Mr. Chairman, is that we believe the line being drawn between public safety and privacy is extremely important affecting our lives. It’s affecting our constituents lives, and we believe that you should be drawing it. We ask you to address this problem quickly. Time is not a luxury for state and local law enforcement, crime victims or communities, can afford. Our laws require speedy trials. Criminals have to be held accountable, and victims are, as we speak, in the audience asking for justice. “
FBI Law Enforcement Perspective
The FBI is dedicated to avoiding Congress to obtain forensic hacking tools. The FBI first sought out the All Writs Act to circumvent Congress and go through the courts instead. Throughout the Congressional debate, the Bureau repeatedly resisted the “power” of Congress to delegate how they can obtain evidence from encrypted devices.
Also, in 2006, it was found through documents obtained through a freedom of information act request, that the FBI circumvented CALEA by building a series of software components to wiretap, set up pen registers and conduct trap and trace without public knowledge.
Lastly, after the FBI testified it has gone through every channel to open the phone, it recently bought code to hack into phones. They then classified it, and fully intend to keep it from Apple and you.
Why?
When the US Congress has specifically set out in details which tools the FBI can use, it has limited which tool to use. So Congress instead, through Feinstein/Burr bill, criminalizes encryption.
State Law Enforcement Perspective
Cyrus Vance talks about the lack of tools needed for investigations, but hints that security within the software is indefinite. The tech community consider vulnerabilities in code an arms race. However, law enforcement is committed to double speak. While pretending older versions of software are still secure, they under the cover of darkness buying or sharing 0day vulnerabilites from federal agencies.
In fact, two states are trying to weaken encryption so that law enforcement may keep these expensive hacking tools they just bought a little longer. See here and here.
Can we do anything?
As Susan Landau testified, “Stealing your login credentials provides criminals and nation states the most effective way into your system and a smartphone provides one of the best ways of securing ourselves.”
What is needed is restrictions on the data sharing between local law enforcement and federal law enforcement. also we, as a people, need to know what tools are out there. Transparency is needed for defendants to understand the case brought against them. Also, tech companies need to know what security flaws are out there, so that everyone’s confidential information is secured. Weakening encryption makes us all less safe from lone malicious actors to mass surveillance by state agents.
We can promote strong encryption, ensure transparency and protect privacy at the state level.
- Federally Funded Tech Helps Police Seize Money from Prepaid Cards - December 6, 2016
- Following the Fourth Amendment Would Help Make America Great Again - November 28, 2016
- The Popular Vote: A Frivolous Statistic in the Presidential Race - November 25, 2016