Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/30/2019
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
0%
100%

Hacking Phones: How Law Enforcement Is Saving Privacy

It's no longer true that society must choose to either weaken everybody's privacy or let criminals run rampant.

As a staunch privacy advocate, I am excited that law enforcement now has access to tools to decrypt locked smartphones! But, wait! Isn't that the opposite of privacy? Well, no, if you consider the bigger picture.

There is a battle raging right now with many governments wanting to broadly undermine privacy by weakening allowable algorithms so they can decrypt communication messages over networks and undermine device protections. The primary justification for this has been to track down terrorists and prosecute criminals. Governments contend that without any other means, bad people would be able to communicate and do illicit activities without law enforcement able to gather necessary evidence. The downside is that all people, including the innocent, would be surrendering their privacy and greatly weakening the security of everyday information.

Many people, including political representatives, are openly maneuvering to enact such laws, which, in my opinion, would weaken everybody's privacy because all communications could remotely be captured, analyzed, and stored. Additionally, purposely weakening encryption algorithms would undermine the necessary digital security controls that protect our personal, financial, health, employment, and intellectual property. We all need the best security on the Internet to keep cybercriminals at bay. These proposed laws are far-reaching and represent a very dangerous path to pursue as the world continues to embrace digital technology. To intentionally weaken encryption opens the door to many unintended consequences. As Ben Franklin opined: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

The argument by proponents of more rigid security controls is that society must choose to either to weaken everybody's privacy or let criminals run rampant. This is a false argument because there are other options. We currently have laws and checks and balances that allow law enforcement to monitor suspects when sufficient evidence has been presented and approved by the judicial branch of government. Wiretaps, search warrants, and evidence collection are a few allowances, but these are very specific powers and must be granted with oversight and accountability. We don't let police invasively surveil the entire general populace and inspect their property without due cause and approval. However, we do let them investigate individuals when probable cause is present. The key is that they investigate only those who are doing something suspicious and not infringing upon law-abiding citizens.

Tech to the Rescue
With today's technology, law enforcement has the tools to conduct pinpoint investigations and gather evidence from devices they collect during the normal investigative process. This largely invalidates the need for broadband surveillance as it restores their powers to previous limits. They can get a warrant to search and seize evidence, including bypassing locks on smartphones, to further their investigation.

Cellebrite, the infamous Israeli company that specializes in hacking hardware that can unlock smartphones, has been providing devices to law enforcement that can unlock all Android and iPhones since last year, including the latest versions, according to some reports. This allows police departments to hack into phones directly for forensic investigation, even when they are locked. In the past, for the devices that could be hacked, agencies had to send the phones directly to Cellebrite but with the new premium hardware, law enforcement agencies are able to do the work themselves, under controlled conditions. This opens up a whole new level of flexibility for criminal investigations.

This capability also has natural boundaries, which limits the potential of abuse. The agencies are vetted, so distribution is limited. The cost is somewhat prohibitive, so there will not be too many devices out there. Additionally, as a requirement from the vendor, the agency must agree to have a designated secure room where the decryption will take place. This means patrol cars won't have them and wouldn't be able to break into your phone during a traffic stop, for example.

Most importantly, the phone must be in the physical possession of the agency. This is not a tracer, bug, or surveillance capability that will remotely monitor thousands or millions of users on a continuous basis. Decryption is directly tied to a specific phone in possession by law enforcement.

We all want and have a right to privacy, but we also want law enforcement to be able to investigate suspected criminals and have the ability to gather the necessary evidence to prosecute them.

The solution is clear: Keep encryption strong for everyone but allow law enforcement officers the tools to investigate pinpoint situations — for example, where they have a suspect's phone in custody as part of a legitimate search and seizure. In doing so, we avoid unnecessarily expansive surveillance capabilities and all the problems that accompany weaker digital security for our privacy, finances, and information security. The balance of freedom, justice, and liberty must be preserved.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Real Reasons Why the C-Suite Isn't Complying with Security."

Matthew Rosenquist is a cybersecurity strategist who actively advises global businesses, academia, and governments to identify emerging risks and opportunities.  Formerly the cybersecurity strategist for Intel Corp., he benefits from 30 years in the security field. He ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AndrewfOP
100%
0%
AndrewfOP,
User Rank: Moderator
11/1/2019 | 10:28:35 AM
Freedom vs. Justice
"Keep encryption strong for everyone but allow law enforcement officers the tools to investigate pinpoint situations... The balance of freedom, justice, and liberty must be preserved."

Agreed.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16246
PUBLISHED: 2019-12-12
Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.
CVE-2019-17358
PUBLISHED: 2019-12-12
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP ...
CVE-2019-17428
PUBLISHED: 2019-12-12
An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.
CVE-2019-18345
PUBLISHED: 2019-12-12
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrat...
CVE-2019-19198
PUBLISHED: 2019-12-12
The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS.