The US government should stop demanding tech companies compromise on encryption

In a tweet late Tuesday, President Trump criticized Apple for refusing “to unlock phones used by killers, drug dealers and other violent criminal elements.” Trump was specifically referring to a locked iPhone that belonged to a Saudi airman who killed three U.S sailors in an attack on a Florida base in December.

It’s only the latest example of the government trying to gain access to a terror suspect’s device it claims it can’t access because of the encryption that scrambles the device’s data without the owner’s passcode.

The government spent the past week bartering for Apple’s help. Apple said it had given to investigators “gigabytes of information,” including “iCloud backups, account information and transactional data for multiple accounts.” In every instance it received a legal demand, Apple said it “responded with all of the information” it had. But U.S. Attorney General William Barr accused Apple of not giving investigators “any substantive assistance” in unlocking the phone.

The case has many on edge, amid concerns of another “crypto-war” with the government. Some fear that the case could escalate to a full-blown legal challenge, reminiscent of the Apple v. FBI case in 2017, which saw the agency demand Apple build a “backdoor” for a locked iPhone — only for the threat to be later dropped.

But the government’s case today is disingenuous and wrong. And if the government escalates its assault on encryption and wins, it will lead to a dangerous precedent that will put ordinary people at increased risk.

Encryption is not the enemy

Any security expert will tell you the same thing. Encryption is too important for modern security — ensuring your bank account is protected, your health records are secured and that your online shopping is safe.

In the case of modern phones, encryption scrambles data to make it unreadable to anyone without the device’s passcode.

In recent years, and largely in response to the Edward Snowden disclosures, tech companies like Apple and Google locked down the devices they sell to make it harder for criminals or anyone — including governments both domestic and foreign — to access user data if devices are stolen or hacked. Not even Apple or Google have the keys to the devices they build.

But governments say encryption hinders their ability to catch criminals accused of wrongdoing. Experts say the genie is out of the bottle.

Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, said last year that there’s no way to outlaw encryption now that the technology and software is out there.

“And even if law-abiding companies and individuals stopped using strong encryption, the bad guys wouldn’t,” wrote Pfefferkorn. “If strong encryption is outlawed, only outlaws will have strong encryption… meanwhile, the law-abiding users of law-abiding companies would have weaker tools available to protect ourselves.”

The government says it should be able to install a backdoor only its law enforcement officers can use. The idea of “key escrow,” where the government has access to the keys needed to unscramble encrypted data, has been tried before. But experts say that’s a fallacy, too. Any backdoor access could be found and abused by malicious hackers.

“There is simply no way for Apple, or any other company, to provide the FBI access to encrypted communications without also providing it to authoritarian foreign governments and weakening our defenses against criminals and hackers,” said Jennifer Granick, ACLU’s surveillance and cybersecurity counsel.

The government’s argument is a red herring

Four years ago, Apple and FBI squared off amid a similar dispute involving an iPhone belonging to a terrorist who killed 14 people in San Bernardino. Apple refused to build a backdoor then as it has today, saying in an open letter at the time that if the backdoor got into the wrong hands, it “would have the potential to unlock any iPhone in someone’s physical possession.”

The FBI dropped the case after it paid hackers to break into the device, leaving any answer to the legal challenge in limbo.

This time around, Attorney General Barr said the two phones belonging to the Saudi shooter “are engineered to make it virtually impossible to unlock them without the password.” But experts say that the shooter’s phones — an iPhone 5 and an iPhone 7 — are not as sophisticated as newer models, making them not as difficult to break into as the attorney general claims.

Will Strafach, an iOS security expert and chief executive at Guardian Firewall, said in remarks that it “wouldn’t call it child’s play, but it’s not super-difficult” to break into the shooter’s devices.

That’s because the government already has hacking tools (most of which are built by third-party companies like Cellebrite and startups like GrayShift) that are able to break into the devices, negating any need for a universal backdoor.

These companies play a cat-and-mouse game with Apple and other companies to find and exploit vulnerabilities in the software, giving them — and prosecutors — access to data they say they need. A recently discovered flaw, dubbed Checkm8, affects chips in iPhones released up until 2017 — including the iPhone 5 and iPhone 7 — allowing access to data that without it would be off-limits.

Yet, the Justice Department has not said if it has exhausted all avenues to get access to the data, such as employing third-party forensics and hacking tools.

To say Apple has refused to help — in Trump’s own words — is wrong. The company regularly and proactively contacts law enforcement to help extract as much data as it can — without compromising the security of the device (or any other device) with a backdoor. In 2017, the company “immediately” contacted the FBI to help agents obtain data from a Texas church shooter’s device. But the feds dragged their feet and scuppered their chances of obtaining crucial data.

“This rhetoric will push people to support a law that could undermine digital security at the detriment to journalists, advocates, and normal humans around the world,” said Amie Stepanovich, executive director at Silicon Flatirons, an innovation center designed to help entrepreneurs at the intersection of law, policy and technology.

“This could cost lives,” she said.

Experts overwhelmingly agree that the security benefits that encryption gives the wider population outweigh the rare cases where criminals use encryption to hide their tracks.

“Strong encryption enables religious minorities facing genocide, like the Uyghurs in China, and journalists investigating powerful drug cartels in Mexico, to communicate safely with each other, knowledgeable sources, and the outside world,” said Granick.

Barr has asked Congress to come up with a solution, but lawmakers have tried before and failed. Security experts say there is no compromise to be had. Will lawmakers finally take note?