iOS 8 Security – Apple take the high road?
Jonathan Zdziarski posted an interesting blog last week detailing some of the changes in iOS designed to improve security and rein in accessibility of data in the new iOS 8 release.
Historically, it’s been possible for legitimate law enforcement groups to pressure Apple into unlocking devices – much like data requests sent to ISPs about your browsing and network habits, Apple (and Google et al.) were able to unlock “confiscated” devices so detectives could search them for incriminating evidence.
iOS 8 makes that somewhat harder and puts Apple (and Google) squarely against what Law Enforcement and Governments want.
The changes in iOS 8, which tie the data encryption to your user PIN, mean that you are now the only one who can unlock your device. Well, you and any PC you paired your phone with, that is.
Of course, the Law Enforcement community are not too happy about this – they are used to being able to get at data stored on phones without the owner’s assistance.
The Wall Street Journal reported the response from some lawmakers –
Andrew Weissmann, a former Federal Bureau of Investigation general counsel, called Apple’s announcement outrageous, because even a judge’s decision that there is probable cause to suspect a crime has been committed won’t get Apple to help retrieve potential evidence. Apple is “announcing to criminals, ‘use this,’ ” he said. “You could have people who are defrauded, threatened, or even at the extreme, terrorists using it.”
Of course, there are only a couple of situations where they would need Apple’s help to unlock a device: 1) when they don’t know whose device it is, and 2) when the owner of the device does not want to cooperate.
Unfortunately, unlike the UK where RIPA forces people to disclose passwords under threat of imprisonment, so far the USA has defended the individual’s right to prevent self-incrimination. In US v Kirschner the court agreed that compelling someone to give up a password was against the 5th Amendment.
This all has the same smell as US vs Philip Zimmermann of the 90s – where Phil was accused of violating arms and munition export controls for making his encryption program, PGP, available to the world. Since there was no domestic encryption control, and also no way to decode any PGP protected data without the owner’s assistance (sound familiar?), they went after the author with a vengeance.
All this wrangling around exporting cryptography seemed to vanish in the early 2000s, when the General Software Note, allowing the export of strong cryptography, was approved by the signatories of the Wassenaar Treaty – basically “We’re not going to stop our friends using encryption we can’t break”.
So, if you can (legally) encrypt files and emails in a way that no government can read, why are law enforcement upset that you can now do the same for things on your mobile device?
It’s an interesting conundrum – for over 15 years, law enforcement have had no intrinsic right to decrypt data, and individuals have had the right to protect their data using strong encryption. Plus, in the USA at least, individuals also enjoy the right to not disclose passwords at their discretion.
Yes, this means that a “bad actor” can hide incriminating information from “the feds”, but it also means a CEO can protect sensitive information from hackers, and it means private conversations stay private. It means when you lose your phone, or your laptop, you can (if you’ve enabled the PIN, or installed software like McAfee Drive Encryption) be assured your photos, emails, documents, bank credentials etc. won’t be published on the internet.
Personal data protection and the legitimate interests of law enforcement are always going to be at odds, and I don’t believe in the naive response “If you’ve done nothing wrong, you have nothing to hide” – there are too many situations where cases of mistaken identity, fraud, identity theft etc. have made innocents look guilty, and the zeal of law enforcement, facing a technological world moving faster than they can keep up with, has irreparably damaged the reputation of the wrong person.
Looks like the battle between your right to privacy, technology, and good old detective work is only going to get hotter.