
Communications of the ACM

ACM News

Law Enforcement’s Ongoing Problem with Mobile Encryption



The U.S. Federal Bureau of Investigation and other law enforcement organizations have great difficulty accessing data on encrypted smartphones.

Credit: Peter Dazeley/Getty Images

In 2015, 14 people were killed in a mass shooting at the Inland Regional Center in San Bernardino, CA. The two perpetrators were killed hours later by police, and the attack and its motives were anything but easy for law enforcement to understand. In fact, the U.S. Federal Bureau of Investigation (FBI) drew heat—and a legal case—for trying to compel Apple to grant access to one of the suspects' iPhones.

The FBI eventually enlisted a third party to crack the phone; even then, it was a rare success. According to the BBC, FBI director Christopher Wray has said the organization was unable to extract data from almost 7,000 mobile devices over an 11-month period. Wray said getting at that data had presented a "huge, huge problem" for the Bureau.

The San Bernardino case and others have raised a thorny issue for law enforcement in the U.S.: why do organizations charged with keeping the public safe have such a tough time cracking the public's tech devices?

Better, faster, stronger

If you have seen any movie or television show in the last 20 years, you'd be forgiven for thinking U.S. law enforcement is all-powerful. In fiction, local and national law enforcement organizations catch criminals with ease in the age of the Internet, employing sophisticated hacks and digital detective work to identify and arrest perpetrators and glean their motivations. However, while law enforcement organizations have plenty of tech tools at their disposal, the reality is a little more complex.

In the case of the FBI trying to crack the San Bernardino shooters' phone, says the BBC, the problem was that many "smartphones encrypt their contents when locked, as standard—a security feature that often prevents even the phones' manufacturers from accessing data."

This is not by accident, says Alan Woodward, a cryptography expert at the University of Surrey in Guildford, U.K. In fact, he explains, many phone manufacturers now employ end-to-end encryption (E2EE) on their devices precisely because of situations like San Bernardino, where companies like Apple may be put in compromising positions by law enforcement.

"It's not that mobile communications are so good, but rather that true end-to-end encryption has emerged from various messenger providers," says Woodward. "The perception is that [mobile providers] have somehow introduced a new factor; not so."

Strong end-to-end encryption like the type on commercial mobile devices, says Woodward, has existed for many years. It was the case of Edward Snowden, who leaked information about the U.S. National Security Administration's data surveillance programs, that made tech giants worry. "[They] were concerned their global user base would take issue with the U.S. government [having] access to their communications by obliging the tech companies to cooperate," explains Woodward.

"By introducing E2EE, the tech companies were able to truthfully say that they could not decrypt users' messages even if they wanted to or were being compelled to. E2EE, if done correctly, provides an extraordinary level of security of the content of communications."

Removing the middleman

End-to-end encryption is so secure because it removes a major security concern: the tech company itself.

"Normal" encryption offers security because it requires a key to decode encrypted messages between two users. As noted in Wired, "In many cases, the [tech] company itself holds the cryptographic key data that lets it decrypt your messages." The problem is that as a result, so "does any hacker who compromises the company," and so does any law enforcement body that compels the company to relinquish the key.

End-to-end encryption, however, aims to solve this problem using a cryptographic technique called public-key encryption. "In public key crypto systems," says Wired, "a program on your computer mathematically generates a pair of keys." You have a private key that only decrypts the things others send to you. Others have a public key that encrypts what is sent to you, but that key is "designed so only the corresponding private key can decrypt those messages."

The result: communications that cannot be cracked by compelling the messaging company to cough up the encryption keys.
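The contrast between a provider-held key and end-to-end encryption, as an added Python example that is not from the article or from Wired. The function names, the toy 127-bit group and the sample message are assumptions made for illustration; the group is far too small for real use.

```python
import hashlib
import secrets

# Toy group (127-bit Mersenne prime) for illustration only, NOT secure;
# real messengers use vetted curves from an audited library.
P, G = 2**127 - 1, 3

def xor_stream(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHAKE-256 keystream derived from a single-use key."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def keygen():
    """Runs on the user's device; returns (private, public)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _derive(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def seal(recipient_pub: int, msg: bytes):
    """Encrypt to a public key: ephemeral Diffie-Hellman, then stream cipher."""
    eph = secrets.randbelow(P - 3) + 2
    return pow(G, eph, P), xor_stream(_derive(pow(recipient_pub, eph, P)), msg)

def open_sealed(priv: int, sealed) -> bytes:
    """Only the matching private key re-derives the message key."""
    eph_pub, body = sealed
    return xor_stream(_derive(pow(eph_pub, priv, P)), body)

def provider_held(msg: bytes) -> bytes:
    """Provider stores the key beside the data; returns what it can disclose."""
    server = {"key": secrets.token_bytes(32)}
    server["blob"] = xor_stream(server["key"], msg)
    return xor_stream(server["key"], server["blob"])  # plaintext recoverable

def end_to_end(msg: bytes):
    """Provider holds public keys and ciphertext only."""
    bob_priv, bob_pub = keygen()          # bob_priv never leaves Bob's device
    sealed = seal(bob_pub, msg)           # done on Alice's device
    server = {"directory": {"bob": bob_pub}, "blob": sealed}
    return server, open_sealed(bob_priv, sealed)

if __name__ == "__main__":
    note = b"constructed sample message"
    print("provider can disclose:", provider_held(note))
    server, received = end_to_end(note)
    print("provider holds only:", sorted(server), "| Bob reads:", received)
```

In the second model, everything the provider could hand over is the `server` dictionary, which contains no value that decrypts the blob.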

That does not mean E2EE is uncrackable; lots of other ways exist to potentially crack these messages, including hacking the end-users themselves. However, it does mean that law enforcement organizations run into a big problem, as the FBI has already encountered: many tech companies are unable to give up user data, even if they wish to comply.

"Even with the resources of a nation-state, you cannot decrypt the messages," says Woodward. "The laws of mathematics trump the laws being applied by the government."

Logan Kugler is a freelance technology writer based in Tampa, FL. He has written for over 60 major publications.
