FBI expresses concern about Apple’s lack of access to customer data in iOS 8
Fri 26 Sep 2014
We wrote only last week about how the growing policy of ‘provider ignorance’ is likely to cause increasing friction between law enforcement agencies and consumers. The practice of organisations storing encrypted customer data without having any ability to decrypt it is an obvious mani puliti response to increasing customer concern about the availability to authorities of private and personal data.
But as far as law enforcement is concerned, client-side encryption threatens to turn the lights out on what was promising to be a fruitful new era of deskbound online investigation techniques.
The issue has manifested with unexpected clarity today as FBI director James Comey gave a press conference during which he expressed ‘concern’ about the unilateral security access that Apple has built into iOS 8, the new version of its mobile operating system.
According to Comey, various tech manufacturers’ plans to adopt unilateral encryption by default risk endangering the efficacy of future law enforcement investigations. Comey remarked “I’d hate to have people look at me and say, ‘Well how come you can’t save this kid?’ ‘How come you can’t do this thing?’”
The 53-year-old FBI head also revealed that he was in discussions not only with Apple but also with Google, which is planning similar ‘clean hands’ encryption policies among its own range of mobile devices.
As with the Edward Snowden-recommended SpiderOak online storage system, private information on Apple’s iOS 8 devices is unlocked by the customer’s encryption key, which is derived from the customer-invented passcode used to access their device. Under iOS 8 Apple is no longer able to honour subpoenas or other institutional demands for user information, since it no longer has any way of decrypting the customer information that ends up stored on its servers. It has simply thrown away the keys and told agencies and the public to sort it out between themselves.
Fearless of the public criticism that tends to erupt when law enforcement organisations equate good security with malfeasant intentions, Comey said: “What concerns me about this is companies marketing something expressly to allow people to place themselves beyond the law.”
In last week’s article we commented on the proposed amendment by the U.S. Department of Justice to Rule 41 of the Federal Rules of Criminal Procedure, which would render anyone using online encryption techniques (such as a VPN) or software (such as Tor) a fair target for ad hoc investigation. Unilateral encryption effectively institutionalises a practice that law enforcement now openly wants to ban. But it hardly seems surprising that large corporations might want to divest themselves of the role of ‘police informer’ in the investigation of their own customers, since publicity over warrant-led seizures impacts so negatively on their client base.