There has been an ongoing debate between privacy advocates and the government over access to encrypted data of private citizens. This relates to whether or not the government should have the ability to access that data, in cases when it may aid in the solving of a crime, or in the preventing of a terrorist attack. This has recently been highly publicized in the case of the FBI vs Apple. While the issues of security, privacy, economic competitiveness, and government access to information are huge discussions on their own, the outcome of the court order has the potential to shape the future of encryption in mainstream consumer products in the United States for years to come.
At the heart of the issue is the government’s inability to access data from an encrypted iPhone 5c running iOS 9 without risking to destroy the data or, in the best case scenario, if the wipe feature is not activated, obtain the data in a timely manner. Apple has designed the iOS 9 to encrypt data through a combination of two components; the user assigned passcode and the unique 256-bit key which is embedded in the Apple device at time of manufacture. Without both of those components it is difficult for a third party to decrypt the encrypted contents.
Aside from the encryption hurdle alone, the difficulty of decrypting the data is amplified by the non-encryption security features which Apple has implemented to protect the phone from being opened by anyone without the passcode. There is an auto-erase function that deletes a phone’s content after 10 incorrect passcode entries, a delay between entering passcodes when a certain number of attempts have failed, and the passcodes need to be entered manually instead of being entered automatically by a computer.
The FBI wants Apple to circumvent those security features by having Apple generate a tool or software image file, that has the Apple certificate signature, which when placed on the device or booted from, would turn off the auto erase function, allow for the electronic submission of passwords and remove the delay between authentication attempts. In essence, allowing the FBI to perform a brute force attack on the device through a “backdoor.”
While the government states that this is only a request for the “subject device” and suggests making the recovery bundle tied to the UID specific to the device, it does set a legal precedent and would likely not be the last time that a court order of this type is invoked. One can foresee many different law enforcement entities making this type of request from any manufacturer for a number of legal reasons when faced with an encrypted product, citing the Apple case as a legal precedent for compliance.
There is an instance in recent memory which has similar elements and was inadvertently created out of the desire for public safety. This is the case with the Transportation Security Administration. The TSA is charged with security of the traveling public in the US, and as such, is responsible for the security screening of luggage. The TSA authorized special security locks to be manufactured for which the TSA holds the master keys. The public is required to purchase the approved TSA secure locks if they do not want their non-TSA approved locks to be destroyed during the screening process. In this case the master keys are used to provide TSA employees with “backdoor” access to the commercial locks for luggage screening. Unavoidably, the master keys became used for criminal purposes and the shape of the designs were leaked to the public.
The encryption debate raises difficult questions about security and privacy. Whether you take sides with the government from a position of national security; believing that providing access to encrypted communications to help prevent terrorism and investigate crime would help society, or you believe that our civil liberties trump the government’s right to gain access to communications under statutory standards of the Fourth Amendment. However you stand on the issue, it is important to have this conversation as the future of our safety and privacy depend on it. If you have questions about encryption as it relates to your environment, reach out to TNS to learn more.
By: TNS Engineering Team Member, The TNS Group