Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/30/2019
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
0%
100%

Hacking Phones: How Law Enforcement Is Saving Privacy

It's no longer true that society must choose to either weaken everybody's privacy or let criminals run rampant.

As a staunch privacy advocate, I am excited that law enforcement now has access to tools to decrypt locked smartphones! But, wait! Isn't that the opposite of privacy? Well, no, if you consider the bigger picture.

There is a battle raging right now with many governments wanting to broadly undermine privacy by weakening allowable algorithms so they can decrypt communication messages over networks and undermine device protections. The primary justification for this has been to track down terrorists and prosecute criminals. Governments contend that without any other means, bad people would be able to communicate and do illicit activities without law enforcement able to gather necessary evidence. The downside is that all people, including the innocent, would be surrendering their privacy and greatly weakening the security of everyday information.

Many people, including political representatives, are openly maneuvering to enact such laws, which, in my opinion, would weaken everybody's privacy because all communications could remotely be captured, analyzed, and stored. Additionally, purposely weakening encryption algorithms would undermine the necessary digital security controls that protect our personal, financial, health, employment, and intellectual property. We all need the best security on the Internet to keep cybercriminals at bay. These proposed laws are far-reaching and represent a very dangerous path to pursue as the world continues to embrace digital technology. To intentionally weaken encryption opens the door to many unintended consequences. As Ben Franklin opined: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

The argument by proponents of more rigid security controls is that society must choose to either to weaken everybody's privacy or let criminals run rampant. This is a false argument because there are other options. We currently have laws and checks and balances that allow law enforcement to monitor suspects when sufficient evidence has been presented and approved by the judicial branch of government. Wiretaps, search warrants, and evidence collection are a few allowances, but these are very specific powers and must be granted with oversight and accountability. We don't let police invasively surveil the entire general populace and inspect their property without due cause and approval. However, we do let them investigate individuals when probable cause is present. The key is that they investigate only those who are doing something suspicious and not infringing upon law-abiding citizens.

Tech to the Rescue
With today's technology, law enforcement has the tools to conduct pinpoint investigations and gather evidence from devices they collect during the normal investigative process. This largely invalidates the need for broadband surveillance as it restores their powers to previous limits. They can get a warrant to search and seize evidence, including bypassing locks on smartphones, to further their investigation.

Cellebrite, the infamous Israeli company that specializes in hacking hardware that can unlock smartphones, has been providing devices to law enforcement that can unlock all Android and iPhones since last year, including the latest versions, according to some reports. This allows police departments to hack into phones directly for forensic investigation, even when they are locked. In the past, for the devices that could be hacked, agencies had to send the phones directly to Cellebrite but with the new premium hardware, law enforcement agencies are able to do the work themselves, under controlled conditions. This opens up a whole new level of flexibility for criminal investigations.

This capability also has natural boundaries, which limits the potential of abuse. The agencies are vetted, so distribution is limited. The cost is somewhat prohibitive, so there will not be too many devices out there. Additionally, as a requirement from the vendor, the agency must agree to have a designated secure room where the decryption will take place. This means patrol cars won't have them and wouldn't be able to break into your phone during a traffic stop, for example.

Most importantly, the phone must be in the physical possession of the agency. This is not a tracer, bug, or surveillance capability that will remotely monitor thousands or millions of users on a continuous basis. Decryption is directly tied to a specific phone in possession by law enforcement.

We all want and have a right to privacy, but we also want law enforcement to be able to investigate suspected criminals and have the ability to gather the necessary evidence to prosecute them.

The solution is clear: Keep encryption strong for everyone but allow law enforcement officers the tools to investigate pinpoint situations — for example, where they have a suspect's phone in custody as part of a legitimate search and seizure. In doing so, we avoid unnecessarily expansive surveillance capabilities and all the problems that accompany weaker digital security for our privacy, finances, and information security. The balance of freedom, justice, and liberty must be preserved.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Real Reasons Why the C-Suite Isn't Complying with Security."

Matthew Rosenquist is a cybersecurity strategist who actively advises global businesses, academia, and governments to identify emerging risks and opportunities.  Formerly the cybersecurity strategist for Intel Corp., he benefits from 30 years in the security field. He ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
AndrewfOP
100%
0%
AndrewfOP,
User Rank: Moderator
11/1/2019 | 10:28:35 AM
Freedom vs. Justice
"Keep encryption strong for everyone but allow law enforcement officers the tools to investigate pinpoint situations... The balance of freedom, justice, and liberty must be preserved."

Agreed.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.