The last refuge of the criminal: Encrypted smartphones
Digital devices are increasingly the main instruments with which crimes are planned, perpetuated and memorized.
By CATHERINE DE BOLLE andCYRUS R. VANCE, JR.
As law enforcement authorities, we owe it to the victims of crimes, and their families, to pursue every available lead, seek out all evidence and stop at nothing until we ascertain the truth. Over the past several years, however, we have been running into a new obstacle: encrypted digital devices that keep evidence locked out of reach of investigators.
Technology is moving quickly, and the criminal abuse of it is no exception. Digital devices are increasingly the key instruments with which crimes are planned, perpetuated and memorialized; and they often hold evidence necessary to solve a crime. All too often, however, inside a smartphone that evidence is inaccessible — not by chance but by technological design.
As our two agencies work to protect citizens on both sides of the Atlantic, we have come to conclude that the single most problematic barrier to doing so stems from unregulated encryption. To be clear, we both support strong encryption, just not unregulated encryption. No sector — in this case, the tech industry — should be allowed to dictate the rules of access to digital data for all of society, with limited regard to the wider impact those rules might have.
Organized crime, terrorists and child abusers are all drawn to devices and communication platforms that are designed to be technically impossible for law enforcement to lawfully access. This is not just an American or a European problem, it is a global problem. Every day we see criminals using encryption to facilitate their crimes. And as law enforcement, we are losing the ability to keep people safe.
Encryption has become a serious investigative challenge in virtually all areas of criminality. Ransomware, for example, is currently one of the biggest cybercrime threats in terms of economic damage and its capability to disrupt global businesses and critical infrastructure. Ransomware criminals not only use encryption to hide their identity and financial transactions or to protect the infrastructure used to control the malware; the technology lies at the core of their multi-billion-dollar criminal enterprise.
Access to data locked away in digital devices can mean the difference between solving crimes and letting them go unpunished. Just last month a global coalition of agencies from several countries carried out Operation Trojan Shield, one of the largest and most sophisticated law enforcement operations to date in the fight against encrypted criminal activities. By developing and operating an encrypted device company, an international coalition of law enforcement agencies was able to access intelligence from more than 300 criminal syndicates operating in over 100 countries.
And yet, Operation Trojan Shield remains the exception. For the most part, the situation is only getting worse. Unregulated encryption, together with other privacy-enhancing technologies, is allowing for warrant-proof technology which increasingly impedes our criminal investigations.
The Manhattan District Attorney’s Office was hampered in accessing evidence in a recent child sex trafficking case, which should have provided important leads that could have saved additional trafficked children and found potential co-conspirators. A judge independently determined that the target’s phone contained evidence of criminal activity and issued an order for lawful access to that information. Nevertheless, the contents of the phone remain inaccessible because it is locked with a code and fully encrypted.
Where tools are available to unlock encrypted devices, however, they are often expensive. For agencies with fewer resources, funding expensive decryption techniques is impossible. And even with the best tools in the global marketplace, law enforcement still has less than a 50% chance of accessing a device and obtaining all the necessary evidence.
Because of this, criminal investigations now contain an element of chance — something that is unacceptable for law enforcement, for victims and for society as a whole. Indeed, agencies often have to prioritize cases not by their severity but by the likelihood of getting access to encrypted evidence.
Victims of crime simply deserve better. It is unsustainable to keep delegating encryption standards to private technology companies. Regulation is necessary — and urgently so. Solving this problem will require a delicate balance between privacy on the one hand and public safety on the other. Simply prioritizing one above the other is not an acceptable solution.
In the end, technology problems created by mankind must be solved by mankind. As President John Kennedy once said, “[a]ll problems created by man can be solved by man.” Crime victims think so too. They are expecting and waiting for leaders to rise and get this done. /Politico.eu/