– Executive Summary –
An investigative tool often exploited by law enforcement to further investigations is analyzing target communications. These communications may be derived from telephone devices or various electronic means, and in some cases the investigations may be extremely time-sensitive, such as kidnapping or terrorism cases. However, law enforcement is currently encountering difficulties with providers or device creators who claim that they are unable to comply with court orders in providing the requested information.[1] The main issue is that the devices are being intentionally engineered to safeguard personal privacy and corporate intellectual property.[2] Engineers are designing evermore enhanced encryption that their own companies assert they cannot bypass.[3]
For many years law enforcement has relied on its ability to intercept and exploit subject communications in furtherance of investigations. The Communications Assistance for Law Enforcement Act (CALEA), which was passed in 1994, requires providers to furnish law enforcement with the means to intercept traditional telephone and Voice over Internet Protocol (VoIP) communications.[4] However, many new forms of communication continue to emerge that do not fall under the umbrella of CALEA, such as Skype peer-to-peer messaging, gaming consoles, social media, and BlackBerry encrypted email.[5] In addition, providers and electronic device designers, such as Apple and Google have begun engineering their products with enhanced encryption.[6]
Even when served with proper legal process, some companies claim that they cannot comply with court orders and provide law enforcement with the requested information or assistance, because they are unable to bypass the encryption designed by their own engineers.[7] Targets of investigation are drawn to communication methods that allow them to operate anonymously. Enhanced encryption techniques and the lack of adequate legislation to cover these emerging forms of communications hamper law enforcement’s ability to conduct investigations.[8]
A significant gap exists between what law enforcement believes is reasonable access to information it has been able to obtain since CALEA was enacted, albeit in a different format, and what privacy experts and technology companies perceive as continued government overreach. Following the Edward Snowden leaks, technology companies began to enhance encryption to safeguard their intellectual property and customer privacy.[9] Privacy experts assert that providing access to electronic devices by introducing vulnerabilities to assist law enforcement would unduly increase the risk to individuals and businesses alike.[10]
Government officials have offered suggestions for how CALEA could be amended to mitigate the deficiencies, but it is not known if sufficient legislative support exists to make any of these proposals a reality.[11] Privacy experts and technology companies argue against amending CALEA, contending that these emerging forms of communication should not be treated the same as standard voice intercepts as individuals tend to divulge more private information through these means.[12] In addition, many types of decryption techniques are currently available that could allow law enforcement to continue accessing the information it requires; however, privacy experts and technology companies fiercely oppose these methods.[13] The question this thesis attempts to address is, How can law enforcement access encrypted and emerging electronic communications to further investigations without compromising individual privacy and intellectual property?
The research and analysis for this thesis has culminated in five conclusions. The first conclusion is that newly drafted legislation or legislation amending CALEA is necessary to solve the “Going Dark” issue. The second conclusion is that due to the limitations of existing legislation, the private sector has acted in a manner that constrains law enforcement’s authority to conduct legal searches, even when armed with proper legal process.[14] The third conclusion is that prosecutors may inadvertently be doing the agencies they represent and law enforcement in general a disservice by delaying or underreporting wiretap statistics reported to the court. The reported statistics are passed on to Congress who evaluates them for various purposes, to include assessing the seriousness of the encryption issue.[15] When roughly one-third of the statistics are not reported in a timely manner, or at all, this may prove detrimental to garnering support to address the encryption problem.[16] The fourth conclusion is that despite protestations by privacy and security experts, it is possible to provide law enforcement with the access to communications it requires, while minimizing the risk to individual privacy and corporate intellectual property. Apple deployed their enhanced encryption following the Edward Snowden leaks.[17] However, the company admits that to their knowledge, their previous encryption and code had not been undermined.[18] This level of encryption provided adequate privacy protections, yet remained accessible to law enforcement with Apple’s assistance.[19]
The final conclusion is that out of the six decryption/access techniques analyzed, the two that show the most promise are: split-key encryption and the insertion of spyware also known as a State Trojan.[20] Employment of either option would require new or amended legislation. Both decryption/access options have advantages and disadvantages. Access to communications and device content is a complex issue. Perhaps the reason it has been so difficult to overcome is that it has traditionally been approached as a single issue, when in reality it requires a two-pronged approach. When law enforcement has the device in its custody, subsequent to an arrest, search warrant or court order, the focus will likely be on retrieving data at rest. Data at rest refers to all content stored on the device, not ongoing communications in real time.[21] In these instances, split-key encryption seems to be the best option for fulfilling law enforcement’s needs while still providing a level of security for individual privacy and corporate intellectual property. As this option relies on the private sector’s assistance, it would likely preserve the integrity of the data, withstand judicial scrutiny and keep governmental costs down.
Conversely, surreptitious monitoring of data in motion, communications occurring in real time, is a valuable tool used by law enforcement engaged in ongoing, long-term investigations. In these instances, the device remains in the hands of the subject, who is unaware of the electronic surveillance.[22] The installation of a State Trojan/spyware may be the most efficient method for law enforcement to monitor communications without having to rely on the private sector for assistance. Although spyware insertion is to date an untested method or at least not widely reported via open sources, it seems to have many advantages. The appropriate response to emerging communication platforms and enhanced encryption by law enforcement and legislators should include innovative techniques, and the insertion of spyware onto a target’s device is certainly revolutionary. Therefore, drafting legislation that addresses how law enforcement can obtain both data at rest and data in motion, using the techniques described above may provide the solutions necessary for these issues.
[1] John L. Potapchuk, “A Second Bite at the Apple: Federal Courts’ Authority to Compel Technical Assistance to Government Agents in Accessing Encrypted Smartphone Data Under the All Writs Act,” Boston College Law Review 57, no. 4 (2016): 1404–1405.
[2] Ibid.
[3] Ibid., 1405; “Apple Will No Longer Unlock Most iPhones, iPads for Police, Even with Search Warrants,” Washington Post, September 18, 2014, https://www.washingtonpost.com/business/tech
nology/2014/09/17/2612af58-3ed2-11e4-b03f-de718edeb92f_story.html?utm_term=.0192bb7759ae.
[4] “Communications Assistance for Law Enforcement Act,” Federal Communications Commission, February 10, 2011, https://www.fcc.gov/public-safety-and-homeland-security/policy-and-licensing-divi
sion/general/communications-assistance.
[5] Christa M. Hibbard, “Wiretapping the Internet: The Expansion of the Communications Assistance to Law Enforcement Act to Extend Government Surveillance,” Federal Communications Law Journal 64, no. 2, art 5 (2012): 372–373, http://www.repository.law.indiana.edu/cgi/viewcontent.cgi?article=1617&context
=fclj,
[6] Potapchuk, “A Second Bite at the Apple,” 1403.
[7] Ibid.
[8] “Encryption and Cyber Security for Mobile Electronic Communication Devices,” Federal Bureau of Investigation, April 29, 2015, https://www.fbi.gov/news/testimony/encryption-and-cyber-security-for-mobile-electronic-communication-devices.
[9] Craig Timberg, “Newest Androids Will Join iPhones in Offering Default Encryption, Blocking Police,” Washington Post, September 18, 2014, https://www.washingtonpost.com/news/the-switch/
wp/2014/09/18/newest-androids-will-join-iphones-in-offering-default-encryption-blocking-police/?
utm_term=.7afa491b5834.
[10] Harold Abelson et al., Keys under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications (Cambridge, MA: MIT Computer Science & Artificial Intelligence Lab, 2015), 10, https://people.csail.mit.edu/rivest/pubs/AABBx15x.pdf.
[11] Hibbard, “Wiretapping the Internet,” 376.
[12] Ibid., 387.
[13] Kevin Schaul, “Encryption Techniques and the Access They Give,” Washington Post, April 10, 2015, https://www.washingtonpost.com/apps/g/page/world/encryption-techniques-and-access-they-give/
1665/.
[14] “Fourth Amendment,” Legal Information Institute, Cornell University Law School, February 5, 2010, https://www.law.cornell.edu/constitution/fourth_amendment; The Encryption Tightrope: Balancing Americans’ Security and Privacy—Hearing: Committee on the Judiciary, House of Representatives, 114th Cong. 2 (2016), https://judiciary.house.gov/wp-content/uploads/2016/02/114-78_98899.pdf.
[15] “FAQs: Wiretap Reports,” United States Courts, accessed August 21, 2017, http://www.uscourts.
gov/statistics-reports/analysis-reports/wiretap-reports/faqs-wiretap-reports.
[16] “Wiretap Reports,” United States Courts, accessed May 10, 2017, http://www.uscourts.gov/stat
istics-reports/analysis-reports/wiretap-reports.
[17] Susan Hennessey and Benjamin Wittes, “Apple Is Selling You a Phone, Not Civil Liberties,” Lawfare (blog), February 18, 2016, https://www.lawfareblog.com/apple-selling-you-phone-not-civil-liberties; Timberg, “Newest Androids.”
[18] H.R., Encryption Tightrope, 190.
[19] District Attorney, New York County, Report of the Manhattan District Attorney’s Office on Smartphone Encryption and Public Safety: An Update to the November 2015 Report (Manhattan, NY: District Attorney, New York County, 2016), 13, http://manhattanda.org/sites/default/files/Report%20on
%20Smartphone%20Encryption%20and%20Public%20Safety:%20An%20Update.pdf.
[20] Schaul, “Encryption Techniques”; “Growing Opposition in Germany to New Surveillance Measures,” Homeland Security Newswire, June 26, 2017, http://www.homelandsecuritynewswire.com/
dr20170626-growing-opposition-in-germany-to-new-surveillance-measures.
[21] Nate Lord, “Data Protection: Data in Transit vs. Data at Rest,” Digital Guardian (blog), June 13, 2016, https://digitalguardian.com/blog/data-protection-data-in-transit-vs-data-at-rest.
[22] Lord, “Data Protection.”