Written by Nicholas A. Oliva
The intersection between an individual’s right to privacy and the need for law enforcement to access encrypted data came into the national spotlight on December 2, 2015, when a group of co-workers gathered for training at the Inland Regional Center in San Bernardino, California. Suddenly, a door swung open, and a single masked person wearing all black and carrying a firearm stepped inside the room. Without a word, he began opening fire. Pandemonium ensued. A second shooter joined the attack, and together they fired over 100 rounds before fleeing in a black SUV, leaving 14 people dead and 22 people injured.
Afterwards, police processed the crime scene and discovered a password-protected iPhone in the shooters’ car. Officials applied for numerous search warrants to search the digital devices and online accounts of the identified shooters, Syed Rizwan Farook and his wife, Tashfeen Malik. Even though they received the proper search warrants, officials were ultimately unable to bypass the phone’s password protection.
A legal battle pitting Apple against the FBI erupted in the courts and gained national attention. The FBI demanded that Apple be compelled to assist its attempts to break the passcode protection of Farook’s iPhone. Apple resisted these efforts. The legal battle ended when FBI Director James Comey revealed that his agency no longer needed Apple’s services because it had hired a third party to successfully hack Farook’s phone for more than a million dollars.
Law enforcement is no stranger to this problem of password-encryption. In fact, Manhattan District Attorney Cyrus Vance recently reported that in his jurisdiction, investigators had been unable to execute search warrants on smartphones in over a hundred cases that included homicides, attempted murders, sexual abuse of a child, sexual trafficking, assault and robbery.
What if I told you that this could all have been avoided? It can be, and it should.
Legislation. However, password encryption simply goes too far in preventing law enforcement from accessing crucial information in criminal prosecutions. In the past, the only thing an investigator needed was a proper search warrant. Now they also need the password. So, how do you get a tech giant like Apple to restore the broad access law enforcement once enjoyed? Simple—it needs to make business sense. The answer is to pass new legislation that would include two key components: (1) a tax penalty on manufacturers of electronic devices, such as Apple, who design devices that are not search-warrant-compatible; and (2) cryptographic envelope security involving two sets of keys that the FBI and Apple would need to use simultaneously in order to bypass passwords. Both legal innovations would strike a balance among the needs of law enforcement, the privacy of citizens and also the rights of companies such as Apple.
The tax penalty would mandate that “‘[a]ny smartphone that is manufactured on or after [a certain date], and sold or leased in New York, shall be capable of being decrypted and unlocked by its manufacturer or its operating system provider.’ So, any smartphone that is not capable of being [unlocked] . . . by its manufacturer or operating system provider will be subject to a civil penalty of $2,500 per smartphone if it can be demonstrated that the seller ‘knew at the time of the sale or lease that the smartphone was not capable of being decrypted and unlocked.’” Essentially, this change in the law would operate by using basic cost-benefit analysis. Quite simply, it would not be profitable to create a phone that could not comply with legislation that would require smartphones to be unlockable.
Secondly, the legislation would require cryptographic envelope security. This type of security creates two keys, one held by law enforcement and one held by the device manufacturer such as Apple. Both keys would have to be used in tandem in order to access password-encrypted information.
This scenario is analogous to a safety box at a bank. A safety lock box requires two keys to be accessed: one belonging to the owner of the contents of the box, and the other belonging to the bank where the box is stored and protected. The owner of the box must go to the bank and ask for access to their lock box. When the person’s credentials are verified, the employee of the bank will bring them to their lock box and insert the bank’s key. At that time, the owner of the contents of the lock box will insert their own key, thereby unlocking the box.
Cryptographic envelope security would help to ensure that a warrant that is to be executed would comply with the Fourth Amendment, and would address a core concern raised by Apple in its litigation dispute with the FBI, and that is law enforcement having an unbridled ability to access encrypted smartphones. The safeguards afforded by the cryptographic method would allow for the balance between the right of citizens to be secure in their private information stored on cell phones, as well as law enforcement’s ability to appropriately, and only with requisite authorization, access information that is suspected to be used in furtherance of criminal investigations.
Searching Smartphones in an Unencrypted World. In practice it would work like this: Apple, having been properly incentivized by legislation to produce cell phones readily accessible by a search warrant under penalty of law, would be able to comply with either the FBI or another law enforcement agency that seeks to obtain access to specific information contained on an individual’s iPhone. Once approved by a judge, Apple and the FBI would then simultaneously enter their own “keys” that would unlock the iPhone’s privacy settings.
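The two-key envelope described above, sketched as an added example that is not part of the original article or any vendor's design: a device's data-encryption key (DEK) is sealed under a key derived from both a manufacturer key and an agency key, so neither key alone opens it. The article names no construction; the function names, the sample keys and the HMAC-SHA256 wrap (a standard-library stand-in for an authenticated key-wrap primitive) are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def derive_kek(manufacturer_key: bytes, agency_key: bytes) -> bytes:
    """Derive the key-encryption key (KEK) from BOTH parties' keys."""
    # Length-prefix each key so bytes cannot slide from one input to the other.
    material = b"".join(len(k).to_bytes(2, "big") + k
                        for k in (manufacturer_key, agency_key))
    return hmac.new(b"two-party-envelope-v1", material, hashlib.sha256).digest()

def _keystream(kek: bytes, nonce: bytes) -> bytes:
    return hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()

def _tag(kek: bytes, nonce: bytes, body: bytes) -> bytes:
    return hmac.new(kek, b"mac" + nonce + body, hashlib.sha256).digest()

def wrap_dek(dek: bytes, manufacturer_key: bytes, agency_key: bytes) -> bytes:
    """Seal a 32-byte DEK in an envelope laid out as nonce | body | tag."""
    if len(dek) != 32:
        raise ValueError("DEK must be 32 bytes")
    kek = derive_kek(manufacturer_key, agency_key)
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce)))
    return nonce + body + _tag(kek, nonce, body)

def unwrap_dek(envelope: bytes, manufacturer_key: bytes,
               agency_key: bytes) -> Optional[bytes]:
    """Return the DEK, or None unless both correct keys are supplied."""
    if len(envelope) != 80:
        return None
    nonce, body, tag = envelope[:16], envelope[16:48], envelope[48:]
    kek = derive_kek(manufacturer_key, agency_key)
    # Verify the tag in constant time before releasing any key material.
    if not hmac.compare_digest(tag, _tag(kek, nonce, body)):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(kek, nonce)))

# Constructed sample keys, for illustration only.
MANUFACTURER_KEY = secrets.token_bytes(32)
AGENCY_KEY = secrets.token_bytes(32)
DEVICE_DEK = secrets.token_bytes(32)
ENVELOPE = wrap_dek(DEVICE_DEK, MANUFACTURER_KEY, AGENCY_KEY)

if __name__ == "__main__":
    print("both keys:", unwrap_dek(ENVELOPE, MANUFACTURER_KEY, AGENCY_KEY) == DEVICE_DEK)
    print("one key only:", unwrap_dek(ENVELOPE, MANUFACTURER_KEY, b"\x00" * 32))
```

In a design like this, anyone who obtains both keys can open every envelope sealed under them, so the custody and access logging of each key is the control the whole scheme rests on.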
Problems such as those described by District Attorney Vance would become a thing of the past—and all without sacrificing any of the phone’s security and consumer appeal. Apple loses no value in its phones because it retains the same security abilities, and arguably creates a safer product that is conducive to law enforcement’s duty to provide security and prosecute criminals. Americans cannot afford to wait for the next tragedy to happen. These matters require our immediate attention. This legislative option provides a holistic solution that strikes the appropriate balance between privacy and security, and should, therefore, be adopted and implemented.