Apple's encryption to slow, not stop, snooping by cops, spies
WASHINGTON -- While the newest Apple and Google smartphones will automatically encrypt data stored on them, that won't keep U.S. law enforcement and intelligence agencies from obtaining evidence linked to the devices.
Marketing by the two companies in which they pledge to shield photos, documents, contact lists and other data from the prying eyes of government or hackers won plaudits from privacy advocates. It also drew condemnation from U.S. Attorney General Eric Holder, FBI Director James Comey and local police officials who say it will make it harder to investigate crimes ranging from child abuse to drug trafficking and terrorism.
Those assertions "are wildly exaggerated" because police can still obtain evidence through traditional court warrants, while revelations about government spying show the National Security Agency can break or bypass encryption for terrorism investigations, said Jonathan Turley, a constitutional-law professor at The George Washington University Law School.
"Citizens should not assume that these encryption devices will necessarily prevent government from intercepting communications," Turley said in a phone interview. "If history is any guide, the government will find a way to penetrate these devices."
The issue has renewed tension between law enforcement and intelligence agencies and technology companies trying to stand up for the privacy rights of their users. Apple, Google and other companies have been trying to restore their reputations after revelations by former NSA contractor Edward Snowden that they cooperated with government spying programs in the past.
The companies announced in recent weeks that their new phones will automatically scramble data so that a digital key kept by the owner is needed to unlock it, making it harder for detectives to examine the content of suspects' phones without their knowledge or cooperation. Previously, such encryption was an option that required users to endure a time-consuming process to activate.
"This is going to have a very big impact on law enforcement," said Stewart Baker, a former general counsel for the NSA and now a partner at the law firm Steptoe & Johnson LLP in Washington. "There will be crimes that people get away with because this information is not available."
However, many traditional investigative methods will still work, he said.
"Wiretaps would still work. You can also get call-details records," he said. "That's available from the phone companies and it's not affected by this decision."
Anything sent from or to the devices can still be captured and investigators can hack software to collect evidence. That means there will likely be little change in the way text messages, emails, phone calls, location coordinates and other data are mined for terrorist communications and other threats.
Data stored in so-called cloud services, including photos such as the ones stolen from Jennifer Lawrence and other celebrities, would still be vulnerable to hackers.
The encryption feature offers users some confidence and is a selling point for the companies.
"There's a little bit of PR, there's a little bit of competitive pressure, and there's a little bit of honest effort to improve the security of the Internet as a whole," said Jon Oberheide, co-founder and chief technology officer of Duo Security. The Ann Arbor, Michigan-based company provides computer security.
Companies can be forced to turn over information stored in cloud services, Baker said. And governments with powerful spying tools such as the U.S. and China can bypass encryption on mobile phones by hacking into suspects' devices. Right now, a committee of U.S. judges is weighing a proposal that would give federal agents greater leeway to secretly access suspected criminals' computers in bunches, not simply one at a time.
While the improved security of their smartphones is a challenge for law enforcement, the moves can help protect the privacy rights of users who haven't broken any laws, Turley said.
"Civil libertarians have long called for privacy speed bumps or barriers for the government," he said in a phone interview.
The NSA is "concerned about the proliferation of any technology that might allow international terrorists or other foreign intelligence targets to evade lawfully authorized surveillance," said agency spokeswoman Vanee Vines.
"As a general rule, NSA does not comment on specific, alleged foreign intelligence capabilities," she said.
A Google spokeswoman, Niki Christoff, said, "People previously used safes and combination locks to keep their information secure -- now they use encryption."
"It's why we have worked hard to provide this added security for our users," she said in an email.
Apple spokesman Colin Johnson declined to comment on the impact of its encryption measures beyond pointing out a public statement by Apple CEO Tim Cook on the company's website.
"We have never worked with any government agency from any country to create a backdoor in any of our products or services," Cook wrote. "We have also never allowed access to our servers. And we never will."
The scope and force of secret government requests for data were highlighted last month when newly released documents showed Yahoo! Inc. might have had to pay millions of dollars per day in fines if it kept refusing to comply with U.S. requests for its users' Internet data. Yahoo complied on May 12, 2008, giving in to the NSA's Prism electronic surveillance program that had operated without public knowledge until Snowden exposed it. The company then went to court to win the right to release details of its fight against the order.
Apple, which has in the past cooperated with court orders and unlocked phones for law enforcement or provided data from its systems, described its new measures in a statement on its website on Sept. 17.
"Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data," the policy says. Apple is based in Cupertino, California.
Google, based in Mountain View, California, earlier in September said that it was making its encryption feature automatic after offering it as an option for more than three years.
The more aggressive focus on security has also put a spotlight on the ability of technology companies themselves to access users' data. One tool in particular, little-known outside of the security community, is known as a kill switch.
Built into mobile operating systems, kill switches give companies such as Apple and Google the ability to reach into users' devices remotely to delete malicious software and access content stored on them. Designed as a security feature, the kill switch is also a potential avenue for spying, and it's not clear whether new encryption measures will close the door on it.
In 2010, Duo Security's Oberheide became one of the first people to goad Google into using its kill switch, successfully baiting it to delete his test app from 200 Android phones.
Overall, new data encryption measures represent important steps in raising consumer awareness about security and make mass surveillance harder, he said.
"If the NSA is coming after you, they will get you either way," Oberheide said. "But at least it will help prevent the inadvertent collection of information, which is where a lot of the outrage comes from about the NSA."