In rebuking Apple and Google for their new smartphone encryption policies on Thursday, FBI Director James B. Comey became the latest law enforcement official to evoke worst-case scenario arguments: What of the child predator, the murderer, the terrorist? Wouldn’t you want police to be able to get into their phones?
This type of argument can be brought into even sharper relief by posing the hardest imaginable case: What if the FBI got its hands on Osama bin Laden’s iPhone?
Though it requires a stretch of imagination – especially given that SEAL Team Six killed bin Laden in 2011, and he didn't use a cell phone in his final years – this example illuminates the complicated new legal and technical terrain created by Apple’s decision to release a mobile operating system that is so thoroughly encrypted that the company cannot unlock its devices for police, even if they have a search warrant. (A similar form of automatic encryption is coming for Google’s newest Android operating system as well, though it will reach most consumers much more slowly.)
To dispense quickly with the legal issues: Bin Laden, as a non-U.S. citizen residing abroad, would get little or no constitutional protection, despite the Supreme Court’s ruling in June that police searches of cell phones in most circumstances require warrants in the United States. And even if he wasn’t a foreigner, bin Laden’s role in the mass murder of thousands of Americans would make it easy for law enforcement to get court approval to search his iPhone, in any way they wanted to.
What would that include?
Apple, according to its new privacy policy, would be no help in cracking into the device itself. The encryption used in iOS 8, released this month, is so total that the company has no way to unlock it for police or anyone else. But there are third-party decryption tools that can work, and the government would be free to try them.
These tools have an easy time with devices that have short passcodes – especially if they have only four digits. With each added digit, the amount of computing time required to crack the encryption grows steeply, gradually reaching into the years. The better cracking tools also employ what are called “zero days,” software flaws that are not publicly disclosed but can give a skilled attacker access to an electronic device’s most basic controls. “Zero days” – which are named for the number of days (zero) since a particular flaw has been publicly reported – are marketed for serious money. A “zero day” for an iPhone reportedly can command many hundreds of thousands of dollars.
Then there is iCloud, the popular cloud service that iPhones use to back up data, including pictures, Web browsing history and other records that law enforcement would consider valuable. Bin Laden, or anyone else, could turn off the iCloud backups to his iPhone, but in practice few do.
Carriers, meanwhile, have records of calls, most texts and the general location of users, all of which are typically available to authorities – even if they don’t have access to the iPhone itself. Likewise, the most sophisticated law enforcement agencies have ways to deliver malicious software to smartphones, either over the Internet or using IMSI catchers, the surveillance devices that mimic cell towers. Once they do, some IMSI catchers can deliver spyware capable of a range of intrusive tricks, such as secretly turning on a camera or microphone. Again, the government would not need the actual iPhone in hand to make this work.
And finally, there is the substantial, undisclosed universe of digital tricks available to the National Security Agency. Security experts have long believed that the NSA is among the most avid customers for effective "zero days." Plus, even a casual reader of the disclosures made by former NSA contractor Edward Snowden would conclude that the NSA is remarkably tenacious and creative in collecting whatever data it deems important to its mission.
But even with all these possible ways to get data from bin Laden's iPhone, there’s no denying that extracting evidence from mobile devices is getting much harder and that this trend is likely to continue. The impact almost certainly will be felt most heavily by state and local police detectives, and by the FBI when they are working criminal cases. Even for the feds, the most powerful and intrusive search tools are pulled out for only the biggest and most urgent cases, such as bin Laden’s theoretical iPhone.
As routine government access to iPhones – and eventually Android devices – dwindles, police will undoubtedly have to work harder. Some cases almost certainly will remain unsolved that otherwise might have been closed. And it also seems likely that a certain, tech-savvy brand of criminal will learn all the tricks – get iOS 8, turn off iCloud backups, use long passcodes and thwart detectives. That’s what made John J. Escalante, Chicago’s chief of detectives, say, “Apple will become the phone of choice for the pedophile.”
Many civil liberties activists, no matter how much they may detest pedophiles, can live with that tradeoff. They want surveillance limited as much as possible, to particular, high-priority cases. They’re happy to have the government get into bin Laden’s iPhone – and into the smartphones used by most of the world's most serious criminals – just not at the price of giving police what amounts to a skeleton key to everyone else's.

