I am writing this editorial from my iPhone, which has apparently become the most secure personal computing device available today. The highly publicized dispute between Apple and the FBI involves an intractable conundrum of modern society e how to provide a mechanism for lawful access to computers without exposing it to potential misuse.
The simple answer is that you cannot. The more constructive answer is that computer manufacturers and governments must exercise mutual understanding and respect in order to protect society, and that modern crimes must be solved with the assistance of increasingly complex digital forensic methods.
Who doesn’t want security?
Since 2014, when Apple announced that their iOS 8 operating system implements security measures that prevent them by circumventing the user set password, the tension between personal privacy and public safety has grown. Around that time I was using a Windows Phone, which was touted as being secure. However, in my casework and research, I found this to be only partially true.
In fact, I was able to recover substantial amounts of information from Windows Phones, as well as from Android and Blackberry devices. The proliferation of malware and the increase in data breaches has raised my concerns for identity theft and personal security, motivating me to avail of stronger information security measures wherever possible. As a result, my personal preferences gravitated towards the iPhone. However, I have worked in this field long enough to know that there is no such thing as perfect security.
Anti-government or good business?
In 2014, there were growing international concerns about government surveillance and criminal data breaches, and Apple announced that encryption would be the default on all future releases of iOS. As part of their publicity at the time, Apple specifically stated that their new security implementation would prevent them from responding to government warrants for the extraction of information from devices running iOS 8 and above.
The marketing of enhanced security in the midst of rising privacy concerns undoubtedly improved Apple’s sales, including my own move to iPhone. At the same time, the increased security of iOS has certainly hampered digital investigations, preventing recovery of evidence related to serious crimes. Given these already tense circumstances, it is no surprise that an explosive debate erupted when a judge in California ordered Apple to alter their security measures to help government investigators access information on an iPhone used by Syed Farook, one of the perpetrators of the shootings in San Bernardino in September 2005. On the one hand, governments could lose crime fighting opportunities.
On the other hand, Apple could lose business. The San Bernardino iPhone debate has created significant consternation and confusion, as well as untold suffering for the families of the victims, so let us take a step back from the specifics of this case, and consider some general principles of privacy, national and international security, and criminal investigation.
When I began my digital forensics career in 1996, I thought it reasonable to expect manufacturers of computing devices to design their technology to make it easier to investigate criminal activities. After all, digital investigators have a responsibility to protect society against harm, so why not make our jobs easier However, after tilting at that windmill for a number of years, I learned some valuable lessons. Consumers prefer computing devices that they perceive are more secure and better protect their privacy.
In simple terms, security sells, and the marketplace motivates manufacturers to satisfy consumer demand for stronger security. Furthermore, if a mechanism exists to facilitate evidence collection on acomputing device, it may be misused to cause harm. For instance, criminals and oppressive governments could utilize such a security weakness for nefarious purposes.
Strong privacy protections support freedom, personal safety, and homeland security in our society. At a time when governments, businesses, and hackers have unprecedented access to personal data, more attention needs to be given to strengthening information security, rather than introducing bypass mechanisms. Digital investigators have to deal with the world as we find it, doing everything in our power to recover digital evidence within the bounds of law.
Skinning an iPhone
There is more than one way to obtain information about an individual’s use of their iPhone. Under certain conditions, it is possible to exploit a security vulnerability to access a locked device, as detailed in this Journal by Jonathan Zdziarski (“Identifying back doors, attack points, and surveillance mechanisms in iOS devices,” Volume 11, 2014). For many years, Zdziarski has provided law enforcement with free methods to acquire digital evidence from iPhones.
In some situations, it is feasible to guess the password of the device in order to gain access to its contents. However, some smartphone manufacturers, including Apple and Blackberry, have added features to thwart such brute force attacks against user passwords. When an iPhone is paired with a computer, it typically leaves information that digital investigators can use to unlock the device. Furthermore, remnants of iPhone activities may exist in iTunes backups, on various cloud services used for communication and file sharing, and through telecommunication network providers.
All of these approaches are available to law enforcement, but in the wrong hands could lead to significant harm to free society. Rather than compelling manufacturers to compromise security on mobile devices, it is safer for a democratic government to develop its own closely held techniques for extracting data from locked mobile devices for lawfuluse.
Alternate avenues of investigation
Because a smartphone can contain substantial amounts of forensically valuable information, there is a tendency to focus on it during a digital investigation. It is important to remember that digital evidence is only one element in the corpus delicti. When people commit crimes using technology, they usually leave both physical and digital clues. If one avenue of investigation hits a roadblock, such as an inaccessible smartphone, there might be another nondigital path to follow.
It is tragic when criminals escape justice, particularly when they cause further harm. Digital investigators are driven to prevent such injustices, for the good of society. A safe, free society depends both on those who investigate wrongdoing and on those who protect privacy; let us all strive to strengthen both and prevent either one from weakening the other.
Currently, technology companies have more resources and capabilities to create strong security measures than law enforcement agencies have to find ways around security. One measure to alleviate this disparity is to increase funding for research and development to help digital investigators extract evidence from secured computing devices.
Furthermore, digital investigators need expanded training on how to think outside the device. User activities on mobile devices generate substantial amounts of data that are stored on other computers and third party networks, which are often accessible with legal authorization. These off-device sources may provide digital investigators with the evidence they need in a case, effectively side stepping the barrier of on-device security
Author: Eoghan Casey