#BHUSA Build Backdoors and Government Will Use Them

Law enforcement has become more aggressive because of encryption, and more eager to access details in investigations.

In a session at the Black Hat conference in Las Vegas, Stanford Center for Internet and Society director of Civil Liberties Jennifer Granick and Cryptography Fellow Riana Pfefferkorn acknowledged that there is more information about us than ever before, gathered by sensors both online and offline. All encryption does, they said, is put a fraction of that information out of law enforcement's reach.

Focusing heavily on the Communications Assistance for Law Enforcement Act (CALEA), Granick and Pfefferkorn pointed out that regulated entities do not have to decrypt, and no one is obligated to build in decryption capabilities.

Focusing on the FBI vs Apple legal case from earlier this year, Pfefferkorn called this an “aggressive demand” by the FBI, as it required custom software that would undo the security of the device.

“They referred to the 1977 New York Telephone case, because in that case the government successfully used a court order to make the phone company install a pen register to record what was going outbound and inbound. But now, many years later, the FBI is saying that this case from 1977 was a reason to make Apple give up access to its software, and that is a real technological leap from just gathering pen register data... Cellphone manufacturers (unlike the phone companies) don’t have any ongoing connection to the data that is on the user’s phone, so that was the end of the story.

“Also, is it necessary for the company to help out? In Apple’s case, there are third party forensic tools out there to help get access to a phone. Why go to Apple to force them to rewrite their software to do that?

“Finally you want to ask if it is burdensome on the company to comply with this sort of demand, and that is an interesting technical burden, for business reasons as well. We don’t really know, even after this case was resolved, what counts as burden? Is that just engineering time, lost profits, or reputation? And we don’t really know if burden includes risk to people other than the company – like your customers.”

Granick and Pfefferkorn said that they followed the case because of the potential for misuse. Looking at building backdoors into software, Granick said that there is “no obligation to build in a backdoor, and no obligation under CALEA to build in a decryption ability, and only if you have the means and keys; there is no legal obligation for prospective surveillance.”

Pfefferkorn said: “But if you do build in a backdoor, they will come, and don’t be surprised if law enforcement wants to use it.”