Manhattan District Attorney Cyrus Vance Jr. waded into the renewed debate over government access to smartphones, proposing a compromise to Apple and Google that may mollify privacy advocates while preserving the ability to retrieve data with a warrant.
Vance and FBI Director James Comey Wednesday echoed comments by CIA Director John Brennan, who cited the need to stay a step ahead of terrorists who may use encryption to hide planned attacks like those in Paris last week. Helping to make their point, French media reported predawn raids in a Paris suburb Wednesday were triggered in part by information gleaned from a discarded mobile phone.
“The line to protect the public should not be drawn by two companies who make smartphones,” Vance said at a cyber-security conference in New York, adding that his office has 111 cases in which encryption prevented access to phone data.
His proposal, part of a 42-page white paper unveiled Wednesday, would require companies to download data for investigators with a warrant, rather than providing the government with a “backdoor.”
Earlier this week, New York Police Commissioner William Bratton also called on technology firms to help investigators, saying that otherwise, they are “working against us.” Niki Christoff, a spokeswoman for Google, and representatives of Apple didn’t immediately respond to requests seeking comment on Vance’s proposal.
Vance seeks easier law enforcement access to data such as texts and e-mails stored on mobile devices, a position long met with resistance from privacy advocates. The prosecutor, who has previously urged Apple, Google and Twitter to cooperate with his investigators, said his proposal could assist law enforcement across the spectrum of criminal investigation, not just terrorism.
“Photos and videos of child sexual assault; text messages between sex traffickers and their customers; even a video of a murder victim being shot to death – these are just a few of the pieces of evidence found on smartphones,” his office said in the white paper.
Vance’s solution would only cover “data at rest” – information on phones in physical possession of authorities. He also said Congress should pass legislation requiring any designer of an operating system for a smartphone or tablet made or sold in the US ensure that data is accessible under a search warrant.
“We all support legitimate privacy concerns while giving law enforcement the data that’s necessary to fight crime and defeat terrorism,” Vance said. “We do not want a government backdoor, we do not want a key for the government and we don’t want to collect data on anyone.”
Action from Washington may not come for some time. Senate Intelligence Committee Chairman Richard Burr, a North Carolina Republican, said Tuesday that Congress isn’t ready to pass a law limiting the use of encryption, but lawmakers are on an “exploratory route to determine what options we have.”
“The reality is we don’t expect this to be received very well from companies who market their products on the ability to provide end-to-end encryption,” Burr said.
Comey, speaking after Vance at the conference held at the Federal Reserve Bank of New York, said “a wind has blown that has chilled cooperation between government and the private sector.”
The director of the FBI warned that encryption technology is already in use by the Islamic State, or ISIL, which claimed responsibility for the attacks in Paris that killed 129 people and injured more than 300. He said the group’s recruiters move to direct messaging if they get “a live one” and then seek to communicate through encrypted methods.
“With lack of cooperation, we are left with 50-foot-high walls on either side,” Comey said. “We have to get to a place where we push information to each other at a pace that moves with the speed of the threat.”
Comey said in the wake of the latest terrorist attacks, law enforcement will focus on the “biggest, most international” aspects of cybersecurity, deploying agents internationally based on expertise because criminals have “shrunk the world to the size of a pin.”
After former National Security Agency contractor Edward Snowden revealed companies including Apple, Google and Yahoo were compelled to cooperate with US spying programs, technology firms announced stronger privacy protections, known as “full-disk encryption.”
The new generation of phones automatically scramble data so that a digital key kept by the owner is needed to unlock it. The move made it harder for investigators to examine the contents of suspects’ phones without their knowledge or cooperation.
Shortly after Apple and Google made their encryption change, Vance said in a Washington Post op-ed that the companies, whose operating systems run on 96 percent of smartphones worldwide, were helping criminals. This summer, he testified before a Senate Judiciary Committee, saying that the Fourth Amendment allowed for “reasonable searches” of devices by the government.
Vance said at the time that his office had sent letters asking the companies if there was a way to encrypt their data without sacrificing security, and had yet to receive a response.
Privacy advocates have misconceptions about law enforcement’s position on encryption, Vance contends. His proposal would cover individual mobile phones for which there was a court order, asking companies like Apple and Google to retrieve information, and wouldn’t allow data collection without possession of the device. Nor would it cover “data in transit,” which could allow eavesdropping on live communication.
Putting it more bluntly in an August op-ed published in the New York Times, Vance said the switch to full-disk encryption wouldn’t have stopped the NSA’s mass surveillance as revealed by Snowden. The column was co-written by Paris Chief Prosecutor Francois Molins, City of London Police Commissioner Adrian Leppard, and High Court of Spain Chief Prosecutor Javier Zaragoza.
Vance’s office, which formed a cybercrime unit in 2010, said it’s also trying to respect privacy as part of the Global Cyber Alliance, an effort with Leppard and the Center for Internet Security, or CIS, announced Monday. The alliance, based out of both London and New York, will not collect any “personal identifiable information, and will only possess what is voluntarily provided — data that describes or identifies the attackers’ information, such as location or infrastructure, and the threats associated with them,” according to a statement.
“We must get the right legislation to find the right balance between the right to privacy people have in society and the right you have to be protected by law enforcement agencies,” Leppard said Wednesday at the conference in New York.
The issue of privacy versus security on mobile phones has only been partially tested in US courts. It was weighed by the US Supreme Court last year, which said a warrant is usually required to access data on a phone held by someone arrested. It’s also the subject of a lawsuit in Brooklyn, New York, where Apple is fighting the Justice Department’s demand for access to data on an iPhone seized during a drug probe.
In that dispute, the government argued Apple had complied with at least 70 similar court orders and the company’s position represented “a stunning reversal” of past policy. Lawyers for Apple told the judge that the request goes beyond the boundaries of the law and that the government needs more authority from Congress to back such requests.
Vance also faced off against Twitter on similar issues of whether the maker of the technology is responsible for providing law enforcement with information.
In 2012, shortly after New York’s Occupy Wall Street protests, a judge ruled Twitter had to hand over information about protesters’ posts, comparing the duties of social media sites to witnesses of a street crime. Twitter had argued it shouldn’t be responsible for its users’ activities under the federal Stored Communications Act, a law enacted in 1986 which governs disclosure of electronic communications.