- FBI, N.Y. prosecutor look to stop suspects from `going dark'
- Proposal seeks only `data at rest' and requires search warrant
Apple Inc. and Google Inc. face renewed calls to create a workaround for smartphone encryption in the wake of the Paris attacks as Manhattan District Attorney Cyrus Vance Jr. proposed a compromise that seeks to mollify privacy advocates.
Vance and FBI Director James Comey echoed recent comments by CIA and Justice Department officials who cite the need for access to stay a step ahead of terrorists who may use encryption to hide planned attacks. Underlining their point, French authorities said predawn raids in a Paris suburb were triggered by information gleaned from a discarded mobile phone.
"The line to protect the public should not be drawn by two companies who make smartphones,” Vance said Wednesday at a cybersecurity conference in New York where he unveiled a 42-page white paper on the issue. His plan would require companies to download data for investigators with a warrant, rather than providing the government with a “backdoor.”
Comey spoke after Vance at the event, held at the Federal Reserve Bank of New York. He described how the Islamic State, which has taken responsibility for the Paris attacks, recruits over social media and moves discussions to direct messaging via Twitter if they find “a live one.” While authorities have access to that information by way of a court order, they are blocked from seeing information on smartphones that use encryption technology implemented last year by Apple and Google.
Authorities haven’t disclosed whether such technology was used by perpetrators of the Paris attacks.
When ISIL finds someone they think might kill, “they move them to a mobile messaging app that’s end-to-end encrypted,” Comey said. “At that moment, the needle we’ve been searching the whole nation to find, and have found, goes invisible to us. That is the going dark problem."
Vance said his proposal could assist law enforcement investigating a wide range of criminal conduct, noting his office has 111 cases in which encryption has prevented access to phone data.
“Photos and videos of child sexual assault; text messages between sex traffickers and their customers; even a video of a murder victim being shot to death -- these are just a few of the pieces of evidence found on smartphones,” his office said in the white paper.
Earlier this week, New York Police Commissioner William Bratton put the standoff with tech firms in stark terms, saying that unless they help investigators, they are “working against us.”
Aaron Stein, a spokesman for Mountain View, California-based Google, declined to comment on Vance’s proposal. Representatives of Cupertino, California-based Apple didn’t respond to telephone calls or e-mails.
At the conference, Vance sought to shame Apple and Google, citing other technology companies that have assisted those affected by the attacks and their aftermath. He pointed to Facebook’s “safety check,” which allows users to let contacts know they are okay in an emergency, AirBNB Inc.’s sheltering of stranded Parisians and Uber Technologies Inc.’s suspension of surge-pricing.
“I hope the same spirit of public-mindedness will lead smartphone makers to negotiate a solution,” Vance said.
The encryption technology was developed after revelations of mass U.S. surveillance by former National Security Agency contractor Edward Snowden. Privacy advocates have defended such protections as a necessary bulwark against government snooping.
Vance sought to address such concerns, saying his proposal would only cover “data at rest” -- information contained on mobile phones in possession of authorities, obtained as part of an arrest, for example. It wouldn’t cover “data in motion,” thus not allowing for unlawful eavesdropping, he said.
“We do not want a government backdoor,” Vance said. “We do not want a key for the government and we don’t want to collect data on anyone.”
The American Civil Liberties Union immediately assailed the proposal, saying Vance’s report doesn’t provide evidence encrypted devices have undermined crime fighting.
Vance’s changes would “compromise the security of Americans by making their personal information and communications more vulnerable to cyberattack and theft,” ACLU counsel Neema Singh Guliani said in a statement.
The report said that the heightened encryption does nothing to protect users from "large scale institutional data breaches or spyware” and that Apple and Google never explained why their prior systems were vulnerable to hackers.
Vance also urged Congress to pass legislation requiring any designer of an operating system for a smartphone or tablet made or sold in the U.S. ensure that data is accessible under a search warrant.
Action from Washington may not come for some time. Senate Intelligence Committee Chairman Richard Burr, a North Carolina Republican, said Tuesday that Congress isn’t ready to pass a law limiting the use of encryption, but lawmakers are on an “exploratory route to determine what options we have.”
Comey also laid out the Federal Bureau of Investigation’s strategy for keeping up with cyber criminals who have “shrunk the world to the size of a pin.” He said the agency would focus on the biggest, most international crimes, and deploy agents based on expertise rather than geography.
“We have to get to a place where we push information to each other at a pace that moves with the speed of the threat,” Comey said.
After Snowden revealed that Apple, Google, Yahoo Inc. and others had been compelled to cooperate with U.S. spying programs following the Sept. 11, 2001 attacks, technology firms announced “full-disk encryption” for a new generation of phones, automatically scrambling data so a digital key kept by the owner is needed to unlock it.
Vance said in a Washington Post op-ed that the companies, whose operating systems run on 96 percent of smartphones worldwide, were helping criminals. This summer, he testified before a Senate Judiciary Committee, saying that the Fourth Amendment allowed for “reasonable searches” of devices by the government.
Vance said at the time that his office had sent letters asking the companies if there was a way to encrypt their data without sacrificing security, and had yet to receive a response.
The issue of privacy versus security on mobile phones has only been partially tested in U.S. courts. It was weighed by the U.S. Supreme Court last year, which said a warrant is usually required to access data on a phone held by someone arrested. It’s also the subject of a lawsuit in Brooklyn, New York, where Apple is fighting the Justice Department’s demand for access to data on an iPhone seized during a drug probe.
Vance also faced off against Twitter Inc. on similar issues of whether the maker of the technology is responsible for providing law enforcement with information. In 2012, shortly after New York’s Occupy Wall Street protests, a judge ruled the social media company had to hand over information about protesters’ posts, comparing the duties of social media sites to witnesses of a street crime.