An essay on Circumvention of Security Mechanisms for Lawful Reasons
Devjyoti R.
Senior Cyber Security Engineer | CISSP | Passionate about Cybersecurity & Forensics
We are presently living in a transition phase that is quietly moving toward an advanced information age, in which the number of electronic devices per person is increasing multiplicatively. Electronic devices, whether for active use as personal devices (for example mobile phones, laptops and health devices) or for passive use (for example IoT devices, surveillance systems and access devices), are strongly entwined with our day-to-day life. All these devices have one thing in common: they generate digital data, which can be personal, official, secret, business, confidential, and so on. Protecting this data is therefore one of the most pivotal points on which device manufacturers bank, from both a sales and a reputation point of view. And of course this is justified, as no one would like to buy and use a mobile phone that is connected to their cloud storage and whose data security is compromised. The conflict arises when data extraction from these devices is required for legal reasons.
The reasons driving IT vendors to refuse cooperation with law enforcement:
Take, for example, the FBI–Apple encryption dispute in the 2015 San Bernardino attack, where the device in question was an iPhone 5C from the manufacturer Apple. One of the slain terrorists had this phone, and the FBI wanted Apple to create a backdoor program to unlock the work-issued iPhone 5C. The iPhone was recovered without damage but was locked with a four-digit password and was set to eliminate all its data after ten failed password attempts. Apple declined to create the software, and litigation followed. Although the case was dropped when the FBI found a third party to unlock the phone and extract the contents, the question remained whether national security should prevail over private data security and company reputation, and whether a regulation or a set of protocols needs to be established for such a scenario. In this paper, we shall investigate the context from both sides (law enforcement and device manufacturer) and try to propose a solution that would help both parties liaise to mitigate their conflicting areas of interest.
Most device manufacturers in the US, including Apple, shifted toward increased digital privacy following the confession of the National Security Agency's Edward Snowden. After Snowden, there was a change in public trust of government access to data, and for a tech company, appealing to that change in public trust is important. Digital privacy and personal data protection became one of the forefront attributes of a mobile device. Manufacturers such as Apple therefore keep improving and updating their security standards, which in turn has made it very hard for a forensic expert or an investigator to extract data from these devices. This is a very tricky situation from a political point of view, as a manufacturer such as Apple is popular and code is protected by America's free-speech law. In addition, privacy advocates planned to gather at Apple stores across the US in support of the iPhone maker. From an individual point of view, no one wants their personal and privacy-protected data to be available to any agency, and if a mobile manufacturer fails to provide these protections, its credibility suffers tremendously. From a political point of view, the San Bernardino case is also vital, since if a judge validates the FBI's use of the All Writs Act in this case, it will give the government sweeping authority to dictate how Silicon Valley builds products in the future. Most big companies, such as Google, Microsoft and Facebook, also supported Apple's stance. The case was withdrawn, but the issue remained. The stance of tech giants such as Google and Facebook on privacy matters mostly because of their business models. Since most people use these devices, these companies build and retain complex profiles on us, including our behaviour and our relationships, our contacts, photos, personal as well as business documents, messages, videos, browser history and more. If there is any breach of data, it directly impacts the image of, and trust in, these organizations.
Therefore, providing a mechanism to access an individual's data is unacceptable and almost a nightmare for them, as it would incur huge financial losses and negatively affect their stock price and consumer base. With respect to Apple's business model, the company says it has no need to persist user data, user behaviour, and user relationships on its servers. In addition, by virtue of the organization's belief in privacy and security, it wants no part of our data. Instead, it collects no data if it doesn't absolutely have to, collects the minimum amount of data possible when it does have to, anonymizes that data and does not associate it with any user accounts unless it absolutely has to, encrypts the data end-to-end during any and all transmissions, and then keeps the data only as long as it absolutely has to. This is in fact in accordance with GDPR as well as many data privacy guidelines that exist to safeguard user data. According to Apple, a request from a national security agency to build a backdoor program, so that it can hack into the terrorist's mobile device to extract information on possible contacts, is not acceptable: there is every chance that the backdoor program can be exploited and used on other people's devices as well, which might lead to a data privacy crisis. If that happens, the reputation of the company will be massively impacted, leading to a huge financial loss, not to mention the loss of face. Apple has also argued that helping to create a backdoor to access the iPhone could create a permanent way to bypass iPhone password protection for law enforcement officials or even the spy agencies of other countries. In addition, big IT organizations are being pushed for greater control over the encryption and security of technology for the devices sold in their countries, for example in China and the EU region.
In most cases, tech companies do assist national security agencies in their investigations, but cases such as San Bernardino are different. For example, if an IT company makes product-based software applications and the USP of these products is data security, it becomes very difficult to comply with requests such as the one made by the FBI. Opening and misusing a vulnerability might help the investigation team acquire evidence swiftly, but the same vulnerability can be exploited by hackers around the world, which will ultimately tarnish the image of the company. Not to mention, the public doesn't want security agencies or the government to get hold of their personal and private data. A good point was made in one of the expert debates on privacy vs. national security: Catherine Crump, acting director of Samuelson Law for the Berkeley School of Law, explained in her statement the perils of providing the government with a backdoor to any device and expecting it to be used only by the "good guys."
She drew a parallel between handing the FBI a second master key to iPhones and the recent worldwide WannaCry ransomware attack, which was launched using leaked National Security Agency (NSA) exploits.
"The problem with that is you cannot build a backdoor that works only for the U.S. government, good guys or other people with good motives," Crump argued. "If you build it for them, encryption will be weakened for everyone."
To some extent it is an undeniable fact that creating programs which can exploit the security of devices will leave millions of users exposed to data breaches at an international level if the mechanism is leaked from government security agencies. If such an event happens, the onus will shift to the companies, which will be penalized both financially and through public distrust, and the government will face a much graver situation if it is not tackled early. This is perhaps why companies such as Apple took a stance opposing a security agency such as the FBI in the San Bernardino case.
The reasons driving law enforcement to get access to protected user data:
Any investigation that involves a national-level threat such as terrorist activity requires swift action in order to stop the perpetrators, arrest all the parties involved to avoid further damage, or extract their contact information to profile them. This swift action demands access to user devices. Before committing a crime, terrorists are like anyone else, and like a normal person they too use advanced devices and systems and strong encryption suites to hide their own malefic agenda. Consequently, national security agencies require special expertise to unlock these devices and extract all the relevant information in order to perform counter-terrorism operations and go forward with the investigation. But major tech companies like Apple refuse to comply with such special requests. For example, a similar instance happened in the case of the 2015 San Bernardino attack, where one of the slain terrorists had an iPhone 5C that needed to be unlocked to access user-level information such as contacts, communication messages, emails, etc. The problem was that, once the device was secured and extracted, Apple's strong encryption suite erases the entire data inside the device if the password is entered wrong 10 times in a row. So, in order to extract data, the investigative agency requested that Apple create a program that would allow them to log in and extract the relevant information. Apple considered that creating such a program would be similar to creating a backdoor entry, which would put its entire user base in peril if the same trick were exploited; it therefore refused the FBI's request, and a court hearing followed. It is important to note, from a national security point of view, that information about the whereabouts of other suspected terrorists could have been extracted from the device had the FBI had assistance from Apple.
In many similar cases in the context of national security, hard encryption, advanced security mechanisms and advanced personal data protection features hinder a successful investigation. In many ways, this makes the life of a forensic expert very hard, and any mistake will cost the loss of data, whether probable evidence or very useful information.
There are even security features against which the standard methods of breaking encryption do not work. For example, brute force does not work for cracking the iPhone 5C, since if the number of attempts crosses a threshold, the device automatically erases everything, and the evidential data is lost. This puts investigators in a very tight situation, as they are left with little option but to contact the manufacturer to provide a way to bypass the security mechanism and extract probable evidential data. In such cases, the reluctance of the manufacturer to provide assistance becomes crucial to whether the investigation can move forward.
While much of the focus has been on manufacturers and their products, there is also the question of whether users have a right not to grant law enforcement access to the content of their encrypted devices. There have been various court cases in the US concerning whether the Fifth Amendment (the right to remain silent) protects individuals from being legally compelled to disclose their passwords or passcodes, and from being required to unlock a device with biometrics (e.g. through Apple Touch ID). In such a scenario, investigators are in dire need of assistance from the manufacturer or service provider to break into the device and obtain probable evidential information or any leads to the criminal offense. Needless to say, any lead that can support a hypothesis to aid an investigation involving national security is of vital importance, and in critical cases time is a vital constraint. In the modern world almost everyone uses technical devices, and thus every crime nowadays has a technology-assisted component. This technology-assisted component can be a mobile phone, a laptop, encrypted devices, cloud storage, etc., and almost all of these components involve advanced encryption methods. To break into the devices, a forensic expert has to decrypt them without affecting the internal contents and extract the relevant data. Easy as it sounds, in reality it is much harder, and sometimes impossible, without the assistance of the manufacturer or service provider.
A prime discussion of this issue took place among a panel of experts at an Intelligence Squared debate hosted by the National Constitution Center on June 7. Stewart Baker, former assistant secretary for policy for the Department of Homeland Security under the George W. Bush administration, argued in favor of company cooperation with law enforcement. He stated that, whenever possible, companies should assist the security agencies, something he said technology companies like Apple have not been doing.
“Everybody is required to help law enforcement in the right circumstances,” Baker said. “If you have a unique ability to help law enforcement, and law enforcement can’t solve the problem on its own, you have an obligation to assist law enforcement. This has been true for hundreds of years, well before the United States was founded.”
He drew a comparison to the obligations faced by a landlord presented with a warrant for a tenant's apartment: that landlord is legally bound to use the master key to open the door to the apartment in question. In the 2015 Apple v. FBI San Bernardino case, where authorities sought access to the San Bernardino, Calif., shooter's iPhone, Baker argued the company ignored this obligation by failing to comply with the FBI's requests.
“It’s not different for tech companies — there is no Silicon Valley exceptionalism policy that applies,” he said.
The argument, then, is that in cases of national security companies need to cooperate with investigations to catch the real perpetrators, so that the damage to life and property can be minimized. In a time when the threat of terror is arguably at its highest point, Berkeley Law's John Yoo, a former attorney for the Department of Justice, said technology is increasingly being used by criminals and terrorist networks to communicate and coordinate. "It's going to get worse, not better," he stated. While he noted that stronger encryption might be a positive step in the larger national security picture, he said it shouldn't be left to technology companies to decide when, how and if they cooperate. He argued that the Legislature should make the final determination as to the balance of privacy and security. To expedite the process of countering terrorist activities, law enforcement and investigative agencies will need assistance in every form possible when the context is national security. As technology advances, device security with advanced encryption methods and custom device security embedded with biometrics are getting better and more complicated to break. In such a scenario, security agencies need all the help they can get from technology companies to expedite information collection when the context is national security.
Possible solution(s) taking into account concerns of both sides and challenges that make any such solution problematic at present.
As technology grows, devices are getting smarter, and data as well as hardware security is getting better and more complicated. That sounds good, for a number of good reasons; the only drawback is that the process of breaking into devices and extracting relevant data becomes much harder for a forensic expert. With growing technology standards, technology-assisted crime is inevitable and is on the rise. Terrorists have become well trained in handling technical devices; in fact, according to an NSA report, they are trained in various encryption methods and in how to implement them on electronic devices such as laptops and mobile phones. The selling point of major tech companies such as Apple is that their devices are equipped with the highest and latest security standards. This very feature is being used (passively, or sometimes actively) by terrorists to carry out criminal activities. Investigative teams do need support from device manufacturers to swiftly extract data and carry out their investigation without hindrance. But manufacturing companies also need to protect user privacy and impose security standards in order to run their businesses, as well as to preserve user data protection and the right to privacy.
We can see there is clearly a conflict of interest between the two parties. There has to be a framework through which investigative agencies and IT companies can cooperate with each other without impacting user data privacy or causing a data breach. People must not feel that their private data is easily accessible by the government for whatsoever reason. The concerns must be addressed in a broader security context, one that takes into consideration the privacy and security needs of industry. Maybe the best example of the law enforcement community's preferred solution is Australia's recently passed Assistance and Access Bill, an overly-broad law that allows Australian authorities to compel service providers, such as Google and Facebook, to re-engineer their products and bypass encryption protections to allow law enforcement to access customer data.
While the bill includes limited restrictions on law enforcement requests, the vague definitions give the Australian government extensive powers that ultimately weaken the security and privacy of the very citizens they want to protect. Major tech companies, such as Apple and Facebook, agree and have been working to resist the Australian legislation and a similar bill in the UK.
So we can see there is no simple solution, as the passing of such a bill eventually challenges the very fabric of the right to freedom of expression and the right to privacy. Questions arise, such as: what will the government do if the very security loophole it wants to introduce in tech devices is exploited by hackers or terror groups? Who will consumers, or the government, blame when a government-mandated backdoor is used by hackers to compromise user data? Who will be responsible for the damage? It is evident that a law enforcement officer should use every resource available to them to solve a case, for example, in the San Bernardino terror attack case, asking Apple for a bypass program.
Decisions regarding these types of far-reaching powers should not and cannot be left solely to law enforcement. It is up to the private sector, and our government, to weigh competing security and privacy interests. Our government cannot sacrifice the ability of companies and citizens to properly secure their data and systems in the name of often vague physical and national security concerns, especially when there are other ways to resolve the concerns of law enforcement. Both parties should discuss creating a protocol through which they can cooperate with each other and solve the issue. There are other ways to resolve this conflict of interest, but not at the cost of losing data security. It is time for all of us, in government and the private sector, to understand that enhanced data security through properly implemented encryption and data use policies is in everyone's best interest, and that through cooperation the issues arising from national emergencies can be resolved. The protocol can involve IT companies training investigators on their respective product technologies, such as the iPhone, so that they gain an in-depth understanding of the device and the underlying technology. This, with assistance from tech companies, will provide a better understanding of the next step when they come across such devices.