10 March 2017

State of encryption, part I: Cryptic laws

by Brad D. Williams

The past year has seen significant developments in encryption technology, policy and legal cases. With a new presidential administration and Congress, it’s timely to consider the current state of encryption and what the future could hold. This two-part series explores some of the core issues around encryption. Part I explores legal issues and the implications of recent cases on encryption. Part II will survey recent developments in and the current state of encryption technology and policy.

The terrorists were dead, and the FBI had one of their smartphones, but the device was encrypted.

U.S. law enforcement’s well-known goal is ready access to all electronic data that could prove useful during a criminal investigation — whether the data is at rest or in transit. The combination of strong encryption and Constitutional protections can inhibit that goal.

To enhance its investigative capabilities, the FBI has publicly advocated for at least two things: 

A method to bypass strong encryption, whether by technical means — via a back door — or mandated decryption, usually invoking the 1789 statute known as the All Writs Act; and 
The legal precedent to compel a technology maker to bypass its own encryption of data at rest, in the spirit of the 1994 Communications Assistance for Law Enforcement Act that applies to data in transit. 

“Cryptography is typically bypassed, not penetrated,” Adi Shamir, co-inventor of RSA public-key encryption

The FBI has a third option called lawful hacking, which has been used for nearly two decades, but the method has been characterized as time consuming and only sporadically successful — solutions that “may not be scalable,” according to Amy Hess, the FBI’s head of science and technology.

Congress has been unable to pass legislation that would effectively balance U.S. citizens’ Constitutional rights with law enforcement’s need to access encrypted data while investigating crimes. The FBI therefore needed a favorable legal ruling to compel a technology maker to unlock a device — essentially decrypting data — belonging to an American. If the FBI succeeded, it would set an important legal precedent, which the FBI could leverage in future cases to continue expanding the scope and scale of lawful data access.

The investigation into the December 2015 San Bernardino, California, terrorist attack looked to be a proving ground for the FBI. In February 2016, the FBI invoked the All Writs Act to compel Apple to unlock one of the dead terrorists’ iPhones. Who could possibly defend the privacy of dead terrorists with American blood on their hands?

The FBI was challenged by Tim Cook, CEO of Apple, a company with an equally strong — but opposing — interest to the FBI’s on the issue of its customers’ encrypted data. Cook wasn’t defending terrorists, terrorism or Constitutional rights. Cook was defending a core tenet of Apple’s (and much of Silicon Valley’s) business model. Data is the new oil, and data collection, storage and mining can be lucrative, but it all rides on consumers trusting Apple.

While the public feud between Apple and the FBI played out, a magistrate judge for a separate case in Los Angeles issued a warrant on Feb. 25, 2016 to compel Paytsar Bkhchadzhyan of Glendale, California, the girlfriend of a then-alleged Armenian gangster, to provide her “fingerprint to iPhone,” thereby unlocking the device. The Bkhchadzhyan warrant was not widely known to the public until Mar. 31.

A Virginia circuit court judge had already ruled in October 2014 that law enforcement can compel suspects to unlock devices with biometrics, but the ruling said the Fifth Amendment still protects citizens from providing a passcode.

On Feb. 29, 2016, the FBI again invoked the All Writs Act to access data on an iPhone in a separate drug case in New York, but a magistrate judge denied the FBI’s legal argument.

The Apple-FBI, Bkhchadzhyan and the New York drug cases were all separate and unrelated, except in their potential legal implications for smartphone encryption and compelled decryption.

On the eve of the court date, the U.S. government vacated its motion to compel Apple to unlock the dead San Bernardino terrorist’s iPhone and instead hired a third party to “lawfully hack” the terrorist’s device using an unknown vulnerability, which sparked a broader debate.

In September 2016, the Associated Press, Vice Media Group and Gannett, the parent company of USA Today, sued the FBI in the D.C. district court to release information on the hack of the San Bernardino shooters’ phone. In January, the FBI declined, citing the “security risk” of releasing the information. In February, the three media organizations narrowed the scope of their request, asking under the Freedom of Information Act only for the identity of the hackers and how much the FBI paid for the hack. The FBI has not yet replied to the latest request.

Initial reports said Israeli mobile forensics company Cellebrite performed the hack, but a later report disproved that. Nonetheless, several months later, the hackers were hacked. An unknown threat actor stole 900 gigabytes of corporate data from Cellebrite, representing the latest vigilante strike against companies such as Hacking Team and Gamma Group International that help governments surveil and gather data on phones.

On a crypto panel at the RSA Conference 2017 in February, Adi Shamir, a pioneer in modern cryptography, smiled while cautioning the audience, “You need to be careful about helping the FBI.”

Framing the Debate

The Apple vs. FBI encryption case reignited the most intense round of national debate on privacy and security since the 2013 leak by former NSA contractor Edward Snowden.

The security vs. privacy debate has always been complex. Adam Klein, senior fellow at the Center for a New American Society, summarized it aptly:

This is not an artificial debate in which one side is completely wrong and the other is completely right; it is an authentically difficult policy conundrum in which various legitimate interests are in tension with one another.

A new report by the Center for Strategic and International Studies (CSIS) summarizes the current dilemma as it applies to encryption:

It is in the national interest to encourage the use of strong encryption. No one we interviewed in law enforcement or the intelligence community disagreed with us. The crux of the problem is whether to restrict instant messaging and full-disk encryption that does not allow for recovery of unencrypted data without consent of the user.

Based on new data, CSIS contends:

The encryption issue law enforcement faces, while frustrating, is currently manageable. While encryption is growing rapidly, the share of traffic that is both of interest to law enforcement and unrecoverable is still relatively small. Our research suggests that the risk to public safety created by encryption has not reached the level that justifies restrictions or design mandates.

Rule 41 Amendment

In November 2016, Congress failed to block or delay an amendment to Rule 41 of the Federal Rules of Criminal Procedure, which guide federal criminal prosecutions. In April 2016, not quite a month after the FBI withdrew its case against Apple, the U.S. Supreme Court voted to pass the proposed amendment to Congress for approval.

Public debate on the amendment has been contentious for three and a half years. The amendment is relevant because it potentially impacts worldwide users of encryption-based technologies, such as virtual private networks and the anonymizing Tor browser.

The amendment grants:

A magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.

Privacy advocates such as Access Now and the Electronic Frontier Foundation objected to the amendment because:

The change to Rule 41 isn’t merely a procedural update. It significantly expands the hacking capabilities of the United States government without any discussion or public debate by elected officials. If members of the intelligence community believe these tools are necessary to advancing their investigations, then this is not the path forward. Only elected members of Congress should be writing laws and they should be doing so in a matter that considers the privacy, security and civil liberties of people impacted. Rule 41 seeks to sidestep the legislative process while making sweeping sacrifices in our security.

The Judicial Conference of the United States (JCUS) rejected critics’ objections because, “Much of the opposition reflected a misunderstanding of the scope of the proposal. The proposal addresses venue; it does not itself create authority for electronic searches or alter applicable statutory or constitutional requirements.”

In a series of blogs, then-Assistant Attorney General Leslie R. Caldwell defended the amendment, arguing:

The amendments would not authorize the government to undertake any search or seizure or use any remote search technique, whether inside or outside the United States, that is not already permitted under current law. The use of remote searches is not new and warrants for remote searches are currently issued under Rule 41. In addition, most courts already permit the search of multiple computers pursuant to a single warrant so long as necessary legal requirements are met.

Susan Hennessey, managing editor of the Lawfare blog, analyzed the issues, siding with Caldwell and JCUS: “The character of the criticisms surrounding the rule change has, until now, been frivolous at best and actively disingenuous at worst.”

Hennessey argued, “Following the rule change, we are now in the far more desirable situation of having a clear mechanism by which law enforcement can seek a warrant — subject to constitutional constraints. That is a good thing.”

However, Hennessey also wrote that the Rule 41 amendment opens debate on a more complex, important set of “specific substantive concerns” involving legal, policy and international questions. Among them:

There are warrants which would have been impossible without the rule change that plainly satisfy all of these requirements, without any real controversy. Conversely, there are hypothetical warrants the government could possibly seek consistent with venue that unquestionably would violate constitutional requirements and which no judge would issue. Within those extremes are a great many shades of gray and the judicial branch will make the legal determinations based on specific facts of cases in controversy, as is their role and prerogative. No rule change, nor any statute, can alter those fundamental protections the Constitution offers.

What’s Next on the Legal Front?

In the absence of policy changes brought about by presidential executive order or congressional legislation, law enforcement will continue to work within the courts on a case-by-case basis to obtain access to data pertaining to criminal investigations.

James Baker, the FBI’s general counsel, recently told The Hill, “I am not aware of any policy change or even a determination at this point in time, given how soon we are into the new administration.”

Part II of this series will look at recent developments in encryption technologies, as well as how a new presidential administration and Congress could affect encryption policy.
