In its war for encryption, Apple just found its latest battleground: New York. On Thursday, the Manhattan District Attorney’s Office released an updated Report on Smartphone Encryption and Public Safety, calling for Apple (and others) to return to operating systems that would allow the company to access the data, and make it easier to serve warrants for that data.
The report opens by explaining Apple’s shift to stronger security with the introduction of iOS 8 in September 2014. The key feature of the security updates in this version of iOS was that they would eliminate Apple’s ability to access and extract user data, even if it was ordered to do so, the report said.
The following statement from Apple was cited in the report: “Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”
Of course, other tech companies then pursued similar measures in their own way, and this was a problem for law enforcement. According to the report, making that data more difficult to extract “would pose a significant risk to public safety, because it would allow law breakers, be they international terrorists or domestic criminals (e.g., thieves, fraudsters, drug traffickers, identity scammers) to plot, coordinate, arrange, recruit and conspire, without fear of law enforcement discovering their tracks.”
The report’s release coincided with the opening of the Manhattan DA’s new cyberlab. In the report it was revealed that New York has 423 iPhones and iPads confiscated during investigations into crimes such as homicides, larceny, drugs, and sex crimes. The report went on to give examples where device data was used to solve crimes in the past and called for federal legislation to “address the problem of smartphones whose contents are impervious to search warrants.”
One of the core arguments for legislating that OS manufacturers make their software more friendly to warrants was that it would not require a federally-mandated backdoor into the system. Additionally, the report said, it wouldn’t make smartphone users any less safe.
“Default device encryption does not meaningfully increase smartphone users’ protection from unauthorized hackers, and requiring the smartphone manufacturer or software supplier to maintain a key to the smartphones would not imperil those users,” the report said.
Of course, the public conversation around encryption came into the national spotlight during Apple’s standoff with the FBI over the data on an iPhone used by the San Bernardino shooter Syed Farook. The FBI was eventually able to unlock the phone with help from an outside source, which seemed to take the focus off of the topic for a while. Now, it’s back on center stage.
The fact that the FBI unlocked the phone without Apple’s help shows that data extraction isn’t impossible. However, using a third party could be more expensive and take more time.
The New York DA’s call for legislation to limit the use of certain security measures raises important matters that need to be discussed in corporate IT departments. Managers and administrators need to have conversations about what it means if their IT department is asked to decrypt something for an investigation. Companies should develop a set of guidelines to determine how they will approach such situations, and how their IT employees should handle them.
Bob Gourley, co-founder of the cyber security consultancy Cognitio and former CTO of the Defense Intelligence Agency, said that this is not just something that should be left up to legislators and product vendors, though.
“Civilized society must make some key decisions here,” Gourley said. “Humanity has already decided murder, kidnapping and other violent crime is bad and must be stopped. Now, humanity must decide if we want to give criminals more advantage in the digital age. This report goes a long way in helping inform the debate we should all be participating in.”
On an individual level, there is a balance that must be struck between privacy and security, said John Pironti, president of IP Architects.
“If individuals want to protect their rights to privacy and security they have to be willing to accept that law enforcement may not be able to effectively support or protect them in their time of need,” Pironti said.
The 3 big takeaways for TechRepublic readers
- The New York district attorney recently released a report asking for legislation that would require smartphone OS developers to return to systems that make it easier for the manufacturer to extract user data.
- The legislation would then make it easier for governmental organizations to serve warrants for data to be used in criminal investigations.
- Much like Apple’s previous battle with the FBI over encryption, the New York DA’s report raises some concerns about user privacy regarding smartphone communications.