Data Encryption and Law Enforcement Investigation: Overview
Data encryption plays a crucial role in safeguarding personal information, particularly in the context of smartphones that store sensitive data such as contacts and location history. Law enforcement agencies often seek access to this encrypted data during investigations to track and apprehend suspects, raising complex legal and ethical questions about privacy and security. Historically, governments have attempted to gain such access through various means, including the controversial push for "backdoor" methods that would allow authorities to bypass encryption protections. The debate intensified following high-profile cases, such as the 2016 FBI lawsuit against Apple, which aimed to unlock an iPhone linked to a terrorist incident, reflecting the tension between public safety and individual privacy rights.
As encryption technology advances, many tech companies are increasingly resistant to government requests for backdoor access, citing potential risks to user security. This ongoing discourse is further complicated by emerging hacking capabilities and the proliferation of forensic tools used by law enforcement that can extract data from devices often without warrants. Legislative efforts, such as the proposed EARN IT Act, highlight the push for greater access to encrypted communications, especially in cases involving serious crimes like child exploitation. The balance between the need for effective law enforcement and the protection of civil liberties remains a contentious issue, requiring careful consideration from policymakers, tech companies, and civil rights advocates alike.
Data Encryption and Law Enforcement Investigation: Overview
Introduction
From cracking encrypted messages during World War II to installing hardware chips on early cell phones in the 1990s, governments have long sought access to protected data in the name of public safety and national security. As smartphones became ubiquitous in the early twenty-first century, these devices often stored information about personal contacts, location, and correspondence. When someone commits a crime, law enforcement officials often seek to access that information to track, apprehend, and prosecute the person. However, such sensitive data must also be protected from hackers who seek to exploit it for illegal purposes. Therefore, the needs of law enforcement must be weighed against the dangers of allowing "backdoor" access to defeat security measures.
In 2016, the Federal Bureau of Investigation filed lawsuits to order iPhone developer Apple to override its security system and give the government access to private data on the smartphones of two suspects in criminal investigations. This sparked an ongoing public conversation about how to balance the needs of law enforcement with the need for data security.
Understanding the Discussion
Backdoor: A means of accessing encrypted data that bypasses built-in security measures like passwords.
Brute-force attack: In decryption, a method used to guess a password or other security code by using trial-and-error to test every possible combination.
Decryption: The process of decoding an encrypted message.
Encryption: The process of encoding a message so it can be read only by a person or system that possesses the necessary "keys," such as a password or string of numbers and letters.
History
Governments have long sought to access protected data on the grounds of promoting public safety and security, in situations ranging from enforcing the law to waging war. From the mid-1990s on, more and more people transferred and stored data using phones, and so US law enforcement had increasing occasion to seek backdoor methods to circumvent such devices' data protection systems. An early example was the Clipper Chip, introduced in 1993 by the National Security Agency (NSA). The government tried to encourage manufacturers to build this chip into their cell phones, as it would allow law enforcement with the proper warrant to access to data stored on smartphones without the knowledge or cooperation of the phone's user. The idea was widely unpopular and the chip was never adopted, but the government continued its efforts to gain access to encrypted data for law enforcement purposes.
As smartphones became more commonplace, people increasingly used them to store sensitive information such as personal contacts, location data, and financial information. Manufacturers such as Apple and Google implemented a variety of protection methods, including encryption and passwords, to keep that data secure. But a significant shift came in 2013, following NSA contractor Edward Snowden's leak of documents disclosing widespread surveillance activity conducted by governments around the world. In particular, Snowden's documents showed that the NSA and the British Government Communications Headquarters (GCHQ) had accessed user data in iPhones, BlackBerrys, and Android phones, and were capable of reading text messages, location data, e-mail, and notes stored in almost any phone available on the market at the time.
In response to this disclosure, both Apple and Google developed new technologies to increase the data security on their products. The US government mostly stayed out of the companies' encryption efforts, as long as both Apple and Google remained able and willing to help law enforcement officials break into suspects' cell phones when presented with a warrant or court order. The companies largely did so, cooperating with investigators on dozens of cases under the All Writs Act, a legal statute from 1789. However, as encryption technology continued to improve with later generations of smartphones, manufacturers began to resist prosecutors' attempts to unlock devices.
The issue came into the spotlight in February 2016 when the FBI filed a federal lawsuit against Apple. The suit demanded that Apple create a "backdoor" in its iOS operating system that would allow the FBI to circumvent the password and encryption protection to access data stored in locked Apple iPhones. The lawsuit was motivated by an iPhone 5C running iOS 9 recovered intact after Syed Rizwan Farook, one of the gunmen in a December 2015 terrorist attack in San Bernardino, California, died during a standoff with the police. Upon recovering the phone, the FBI wanted to access the contacts and other information stored in it; however, it was protected using not only a password but auto-erase features that would erase all the stored data after ten unsuccessful login attempts, thereby precluding brute-force attacks.
The FBI argued to US Magistrate Judge Sheri Pym in California that it required Apple's assistance to unlock the phone; Apple opposed the order. In a public statement, Apple CEO Tim Cook stated that the company would fight to protect data stored on cell phones because "compromising the security of our personal information can ultimately put our personal safety at risk." He explained that Apple complied with valid subpoenas and search warrants in the past and similarly did so in the San Bernardino case. However, in this case, the government tried to order Apple create a new piece of software—essentially a "backdoor" program—that would allow data to be read from any iPhone regardless of any enabled security features. While the FBI insisted the tool would be applied only in special law enforcement cases, Cook insisted that it was not possible to promise this. Once created, he explained, the proposed software could be used on any iPhone, by anyone who managed to get their hands on it. This would put all users' data at risk. Cook also worried about the dangerous precedent that a court decision such as this could set for data privacy in all situations.
The San Bernardino case came to an abrupt end in late March 2016, when the government withdrew its case because it had found a third party that could access the phone data; however, the government would not elaborate on the technique used to gain that access. Data security analysts suggested that this raised important questions about the security of the iPhone. FBI director James Comey argued that Apple's refusal to cooperate is what led to third parties so avidly working to break Apple's security system in the first place and that, had the company complied with the government's request, the system might have remained secure. Leading data security experts Kevin Bocek and Peter Tran agreed that others might be inspired to try to hack the iPhone now that the government had claimed that it could be done.
News outlets reported that Apple's lawyers sought more information about how the phone was cracked, partly to confirm that the phone was indeed cracked and partly to patch any potential holes in their security technology. The Los Angeles Times reported that a multiagency task force, led by the White House, weighs the pros and cons of disclosing discovered security flaws to companies, partly based on how likely it is that someone else will discover the flaw. The government alleged that it generally favored disclosure, but in some instances, it chose not to, such as when the NSA and the FBI used bugs in internet browsers and flaws in web data transfer protocols to identify and track suspected criminals. Meanwhile, it emerged that the phone at the center of the case contained no useful information about the terrorist attack.
The outcome of the San Bernardino case also had implications for other, similar cases. In March 2016, the Justice Department sought an order for Apple to extract data from an iPhone 5S running iOS 7 used by Jun Feng, an alleged drug dealer involved in a methamphetamine conspiracy in Brooklyn, New York. The government argued that it needed the data to determine whether others were involved in the conspiracy, but US Magistrate Judge James Orenstein ruled that Apple was not legally required to comply. However, in late April, the federal government dropped this case as well, claiming it was able to retrieve the data after obtaining the password from an unnamed source.
Data Encryption and Law Enforcement Investigation Today
The public debate around the San Bernardino case continued for years after the case itself ended. In 2018, a US Justice Department inspector general's report on the FBI effort to unlock the phone was released, bringing renewed interested in the issues at play. By that time, the hack used to access the phone—reported to have cost the FBI over $1 million—was obsolete due to ongoing software updates from Apple. Other technology companies, including social media giant Facebook, also increasingly emphasized privacy through encryption. The inspector general's report indicated that nearly eight thousand devices involved in FBI investigations in 2017 were inaccessible to investigators due to passwords or encryption. At least one FBI official also indicated the agency was divided over what hacking methods could or should be used for domestic criminal cases versus cases involving national security (though other officials contested that view).
Many officials continued to argue that technology companies should create backdoors that would allow law enforcement access as needed. Various cases involving encryption and criminal investigation emerged. For example, in January 2020 the FBI noted it had requested Apple's cooperation to access iPhone data from devices belonging to the attacker in a December 2019 shooting at a Florida naval base. Observers suggested the case could reopen many of the same issues seen in the San Bernardino case.
Hacking capabilities also continued to evolve, though the true extent of FBI or other law enforcement capability to circumvent encryption was often unclear. The technology justice advocacy group Upturn reported in late 2020 that mobile device forensic tools (MDFTs) used to hack into smartphones and other devices had been purchased by over two thousand US law enforcement agencies across the country. Such tools had allowed hundreds of thousands of instances of data extraction over a five year period, and in many cases with no warrant. Activists noted that such searches were conducted even in cases of minor offenses such as shoplifting or graffiti. The American Civil Liberties Union (ACLU) filed a lawsuit in December 2020 seeking FBI Electronic Device Analysis Unit records that might clarify the agency's capabilities and therefore support or undermine calls for a built-in backdoor.
In 2020, the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, was introduced in Congress. The bill would remove blanket immunity for technology platforms and service providers for violations of laws related to online child sexual abuse materials. While not directly relating to data encryption, the EARN IT Act posed the possibility of requiring companies to provide access to encrypted communications when dealing with online child sexual abuse allegations. The bill was reintroduced in 2023.
In 2024, the FBI began working with the University of California, Berkley, to create a lawful-access solution to the growing inability to collect evidence of crimes like terrorism and online child abuse due to improvements in data encryption.
Balancing the needs of public safety and data privacy remains a complicated question that requires careful consideration. Many experts suggest that piecemeal answers rooted in litigation are ineffective, and broader legislative and regulatory solutions must be developed. Debate continues with those who favor some level of government access to encrypted information in the interest of public safety, and those who argue that any such access creates a slippery slope toward loss of privacy and civil rights.
These essays and any opinions, information, or representations contained therein are the creation of the particular author and do not necessarily reflect the opinion of EBSCO Information Services.
Bibliography
"Apple All Writs Act (NY)." Electronic Frontier Foundation, www.eff.org/cases/re-order-apple-all-writs. Accessed 7 Nov. 2024.
"Apple vs. the FBI: A Complete Timeline of the War over Tech Encryption." Digital Trends, 3 Apr. 2016, www.digitaltrends.com/mobile/apple-encryption-court-order-news/. Accessed 7 Nov. 2024.
Benner, Katie, and Eric Lichtblau. “U.S. Says It Has Unlocked iPhone without Apple.” The New York Times, 28 Mar. 2016, www.nytimes.com/2016/03/29/technology/apple-iphone-fbi-justice-department-case.html. Accessed 7 Nov. 2024.
Dave, Paresh. “Apple Wants the FBI to Reveal How It Hacked the San Bernardino Killer’s iPhone.” Los Angeles Times, 29 Mar. 2016, www.latimes.com/business/technology/la-fi-tn-apple-next-steps-20160330-story.html. Accessed 7 Nov. 2024.
Kharpal, Arjun. “Apple vs. FBI: All You Need to Know.” CNBC, 29 Mar. 2016, www.cnbc.com/2016/03/29/apple-vs-fbi-all-you-need-to-know.html. Accessed 7 Nov. 2024.
Levine, Mike. "As More Criminals Hide Behind Encryption, the FBI Teams Up with a University It Once Targeted." ABC News, 13 Sept. 2024, abcnews.go.com/US/criminals-encryption-avoid-law-fbi-teams-unexpected-partner/story?id=113619427. Accessed 7 Nov. 2024.
Nicas, Jack, and Katie Benner. “FBI Asks Apple to Help Unlock Two iPhones.” The New York Times, 7 Jan. 2020, www.nytimes.com/2020/01/07/technology/apple-fbi-iphone-encryption.html. Accessed 7 Nov. 2024.
"The Ongoing Debate Over Law Enforcement and Encryption." Kent State Online, 29 Nov. 2021, onlinedegrees.kent.edu/blog/the-ongoing-debate-over-law-enforcement-and-encryption. Accessed 7 Nov. 2024.
Vittoria, Andrea. “ACLU Request for FBI Records Opens New Front in Encryption Debate.” Bloomberg Law, 14 Jan. 2021, news.bloomberglaw.com/tech-and-telecom-law/aclu-quest-for-fbi-records-opens-new-front-in-encryption-debate. Accessed 7 Nov. 2024.
Zetter, Kim. “The FBI Drops Its Case against Apple after Finding a Way into That iPhone.” Wired, 28 Mar. 2016, www.wired.com/2016/03/fbi-drops-case-apple-finding-way-iphone/. Accessed 7 Nov. 2024.