The Trump administration is pushing hard for smartphone backdoors
The encryption that secures your phone doesn't come with a backup key. That may make you nervous if you're prone to forgetting your passcodes, but it makes many law-enforcement and national-security types even more anxious when they contemplate permanently losing access to valuable evidence.
They use the phrase "going dark" to describe the spread of hardware and software that can only be unlocked by their owners, even if a court orders the companies behind those products to allow police access.
Privacy advocates, however, see strong crypto without any extra keys or back doors as vital when both commercial and government attackers may want into your devices and the immense stores of data on them.
Meanwhile, companies like Apple (AAPL) and Google (GOOG, GOOGL) increasingly treat strong encryption as a standard feature. As this debate escalates, and as many observers think the Trump administration may try to move a bill mandating what's sometimes called "exceptional access," they continue to ship encrypted devices and apps that can't be whisked out of existence by any such bill.
A new twist on the Apple-FBI fight
The encryption argument got its most public airing two years ago, when the Federal Bureau of Investigation went to court to compel Apple to write special software to disable the lockout system on an iPhone 5c used by one of the San Bernardino shooters.
But a final ruling never came, because the FBI dropped the case after saying it had successfully accessed that iPhone's data. Subsequent reports pointed to the bureau hiring the services of an Israeli mobile-security firm, Cellebrite, that exploited a vulnerability in Apple's iOS operating system.
In March, however, the Justice Department's Office of the Inspector General issued a report suggesting the FBI hadn't tried too hard to get into that iPhone. That report found some FBI employees seemed more anxious to set a court precedent of requiring manufacturers to let in police than to get the San Bernardino shooter's phone unlocked.
It quotes the head of one FBI office voicing his disappointment that another had hired a contractor to hack the iPhone: "Why did you do that for?"
"What we saw was a breakdown of the FBI's argument," explained Robyn Greene, policy counsel and government affairs lead at New America's Open Technology Institute. "You can hack into every version of an iPhone; why do you need to back-door it?"
The biggest secret in phone unlocking in years: GrayKey
Two weeks ago, Vice's Motherboard tech-news site revealed that one iPhone-unlocking tool, a device offered by Atlanta-based GrayShift called GrayKey, was far more widely used than even the OIG report implied.
Details had surfaced about this apparatus in earlier reports by Forbes and the security firm MalwareBytes, but reporter Joseph Cox found that numerous federal, state and local law-enforcement agencies regularly used GrayKey.
GrayKey works, MalwareBytes reported, by trying different passcodes until one works, somehow without invoking the self-defense feature that causes an iPhone to wipe its storage irreversibly after 10 incorrect tries.
GrayKey's effectiveness and wide use surprised people on both sides of this issue, who are still trying to figure out how it works and how many other such tools might exist.
"It's hard to know whether there are other undisclosed tools like it," said Jamil Jaffer, head of George Mason University's National Security Institute and an advocate of preserving law-enforcement access to encryption.
Andrew Blaich, head of device intelligence at the mobile-security firm Lookout, suggested that market forces alone ensure that more GrayKey-like tools will be built.
GrayShift has since provided its own unintentional warning of the risks of leaving back doors open: After a customer left some of its interface code exposed on the web, unknown hackers downloaded it and demanded a ransom of two Bitcoin. GrayShift doesn't seem to have paid up.
Congress complicates this
The Trump administration has been more vocal about encryption than Obama's.
"I think the administration is increasingly getting spun up and looking for ways to address this problem," Jaffer said.
Last month, the New York Times reported that the White House was considering pushing for legislation mandating law-enforcement access to encrypted devices.
But so far, the administration has offered little detail about what an exceptional-access system might look like. For instance, former FBI director James Comey's instant bestseller "A Higher Loyalty" reveals that the Obama administration had developed a proof-of-concept plan. But officials under President Trump have only offered vague appeals for "responsible encryption."
The most common concept offered outside government is to have backup keys locked in a secure area of the phone, to be unlocked only by a key or keys held by somebody besides the government.
On Wednesday, Wired published a report by Steven Levy outlining Lotus Notes founder Ray Ozzie's proposal for a system called "Clear," in which a phone manufacturer would keep an archive of emergency private keys that law-enforcement investigators could, after taking custody of a phone, get with a court order to unlock a backup passcode permanently encrypted on the phone.
Cryptography experts pounced on issues with Ozzie's already-patented plan. Matthew Green, a professor at Johns Hopkins University, wrote in a post that such a vault of private keys would be both massive (Apple alone would need to safeguard more than a billion) and a massive target for every government and criminal enterprise in the world.
Absent customer demand, tech firms won't start building in exceptional-access mechanisms. But while Congress has done near zero for online privacy, it hasn't shown much interest in passing such a sweeping mandate.
After the Inspector General report and GrayKey news, a bipartisan group of 10 House members asked FBI director Christopher Wray to explain why the FBI keeps complaining about locked phones if unlocking tools are so widespread.
It's true that, as President Obama warned at the SXSW conference in March of 2016, some horrible crime might push lawmakers not just to act, but to mandate more access than could happen under concepts such as Ozzie's.
But even then, nothing short of totalitarian controls on software distribution would stop people from using strong encryption in add-on apps like the open-source messaging app Signal. And in that scenario, criminals could benefit more from strong crypto than citizens who play by the rules and stick with the default settings.