Apple recently won their case against the FBI, and the FBI cracked the iPhone in question anyway, with the help of Cellebrite, a government contractor that provides “forensic extraction” tools to investigative agencies. Their new methods in securing evidence have bordered closer to hacking, bringing the legality of them into question.
The federal investigative agency has shown a pattern of reluctance to release their data acquisition methods, including refusing an order from a Federal Judge to reveal how they hacked the Tor anonymizing network during the investigation of an online child pornography ring. Their refusal has been the subject of some controversy, and while they argue that releasing these methods may lessen their effectiveness in the future, it also sets a disturbing precedent for the status of our 4th Amendment rights.
Encryption Matters Less If the State Endorses FBI Hacking
Traditionally, the burden of investigative methodology falls on law enforcement to ensure citizens’ rights are not violated. At least in the States, law enforcement is barred from searching a person’s belongings without probable cause. If the FBI does not need to disclose their methodology in obtaining their information in digital investigation, then the current debate over civilian encryption is largely a moot point.
There are plenty of ways to circumvent privacy-minded practices being used by Law enforcement that fall under the umbrella of hacking – the digital equivalent of breaking and entering. Many of them may be violating probable cause and employing malware to collect data on suspects. The encryption debate challenges some of the assumptions that are generally made about private and sensitive data as property, but the discussion largely omits these novel “forensic” methodologies used increasingly by law enforcement to gain questionably legal access to that data. Furthermore, hacking is a prosecutable offense if carried out by a private citizen, just like B&E. It’s all well and good that the FBI took down a pedophile ring, and can access a domestic terrorist’s mobile device, but if they are violating the chain of custody or probable cause to build their cases, something is clearly wrong.
Even assuming a best case, by-the-book methodology, refusal to release their exploits is problematic for security application developers because they leave legitimate users vulnerable. The rhetoric circulated by law enforcement is that the “bad guys” would start using them, which is entirely false. Malicious actors exploit security vulnerabilities every day to conduct illegal activity, which is precisely why the security community shares info on them. The sooner the exploits are well known; the sooner software developers can patch holes that put their users at risk.
By keeping mum about their software exploits, the FBI is writing every malicious actor on the planet with knowledge of the vulnerability a blank check, because the developers of the software being abused can’t fix their problems until they reach critical mass on the black market. The FBI is enabling cyber-crime to further their agenda. Even worse, they have stated a willingness to cooperate with local law enforcement to do the same, exposing their methods to a much larger, more leak-prone community.
It doesn’t matter if you’re taking down pedophiles, drug lords, or common street criminals. Excusing the shady practices being used to build cases against them is a slippery slope, and the FBI is assuming they’ll get away with it because people don’t understand the technology in play with these cases. In doing so, they leave the security community and software developers in the dark, and allow malicious hackers to ape their methods and act with impunity.
Data encryption is a powerful tool that is utilized for many legitimate applications, ensuring source safety among them. If state actors are allowed to circumvent tools like encryption and Tor using malware and methods illegal in the private sector, then using those tools just treats symptoms of a systemic problem. What’s to stop the government from rooting out confidential sources that start unfavorable press or violating dissident privacy to discredit them? The moral arguments against tools like encryption are a thin veneer over unacceptable methodologies in modern law enforcement, and conceding to them is giving the state more ground to operate outside of their jurisdiction, and the legal protections private citizens enjoy.
Thoughts on law encforcement practices in the digital realm? Let us know in the comments!
Image courtesy of Cellebrite.