The FBI's struggle to unlock a mobile device that belonged to man responsible for a mass shooting in Texas has renewed a national debate over encryption and law enforcement.
In early November, the Bureau sent the gunman's phone to its lab in Quantico, Virginia to see if researchers could find a way to unlock the device.
The FBI believes the phone could reveal crucial information about the events leading up to a mass shooting in Wilson County, Texas.
On 5 November 2017, Devin Patrick Kelley, 26, of neighboring Comal County, Texas walked into the First Baptist Church in the small town of Sutherland Springs. He then opened fire, killing 25 individuals as well as an unborn child. NBC News reports that law enforcement and a citizen thereafter pursued the shooter and found him dead after running his car off the road.
Agents with the FBI attempted to unlock Kelley's phone after recovering the device. However, a passcode prevented them from doing so. They could have attempted to brute force the passcode using available software, but they ultimately decided to send the device to the lab for fear of erasing the phone's data.
FBI special agent Christopher Combs said this is a persistent problem when it comes to encryption and law enforcement investigations. As quoted by NPR:
"With the advance of the technology and the phones and the encryptions, law enforcement, whether that's at the state, local or federal level, is increasingly not able to get into these phones."
This isn't the first time the FBI has found itself in this predicament. In late 2015, investigators recovered the iPhone of one of the individuals responsible for the San Bernardino shooting that killed 14 people and injured 22 others. The Bureau attempted to pressure Apple into creating a workaround that would allow them to bypass the iPhone's passcode attempt limiting mechanism so that they could brute force their way into the device without risking the deletion of its data. Apple refused, thereby sparking a national debate over encryption and government access to private data.
Those at the FBI eventually unlocked the device using a method that did not involve Apple.
More than a year later, privacy advocates and government officials are once again debating if there are any conditions under which technology companies should grant access to encrypted data on mobile devices.
Information security writer Kim Crawley doesn't think so:
"I think if technology companies decrypt any data belonging to a suspect for a law enforcement investigation, it opens a Pandora's Box. Ultimately, law enforcement and intelligence should be able to investigate crimes without violating the privacy of those who haven't been found guilty of anything. My answer at this time in our history is a definitive NO!"
Matt Pascucci, security architect, privacy advocate, and security blogger, agrees. He feels governments themselves could abuse access granted by an encryption backdoor to spy on ordinary citizens:
"This aside, approving an encryption backdoor or allowing another entity to decrypt a device leaves not only that device but all other devices of its kind in jeopardy. If a government is able to decrypt a device, the protection of your personal data and even life could be at risk (depending on the country you live in). This also leaves these devices open to attack now that a hole has been introduced. In the long run, this will be more harmful than helpful to the protection of our citizens. With this hole in place, there’s nothing to stop governments from snooping on citizens when they feel it’s appropriate or even compromising individuals with a more malicious intent."
Pascucci also worries about the U.S. government's track record of securing sensitive information. If a group of attackers were to learn the details of an encryption backdoor, they could use it to target users with malware and other digital threats.
Bev Robb, information technology consultant, weighs in on this possibility:
"The Shadow Brokers' leak of NSA hacking tools clearly demonstrates that the government was unable to protect and secure its own classified tools. This inability in part facilitated WannaCry and furthered the spread of Petya. This is only one example of many 'government classified misadventures' gone bad. It’s frightening to consider the possibility of technology companies granting the government access to encrypted data on mobile devices when we only need to revisit recent history to realize the end result would be catastrophic."
After learning of the FBI's struggle to open the Texas shooter's phone, Apple contacted the Bureau to confirm whether the device was an iPhone. When the FBI verified that it was, the tech giant offered to assist the FBI by suggesting that investigators obtain the dead shooter's fingerprint to unlock the device. But after 48 hours, that option expired.
Peter Swire, a professor of law and ethics at the Georgia Institute of Technology, told NPR that investigators should do a better job of leveraging such help and options before it's too late:
"People lose phones, and then they can take measures to try to get in. If it's in the first 48 hours, you assume it's the real person doing it," Swire says. "To leave it open forever to that fingerprint, for instance, means that you could go after somebody whose phone you've stolen, get a fingerprint off their glasses weeks later ... break into their house and get their fingerprint. And that would be a huge security vulnerability."
Even in the event that crucial window has closed, Swire notes that the police can gather evidence from other sources including apps, the cloud, and physical locations like the suspect's workplace and place of residence.
Pascucci agrees with this assessment:
"Police are still able to request phone records, texts, web history, social media accounts, and mail records to review what the Texas shooter was doing while on his device. The issue of reading and accessing data stored on the phone does slightly limit investigations, but by no means does it cripple a case."
Going forward, the FBI should train their agents on how they can use technical options to access a suspect's information without compromising their privacy individually or demanding the creation of an encryption backdoor.
Find out why you need machine identity management
Machine Identity Security Summit 2024
Help us forge a new era of cybersecurity
☕ We're spilling all the machine identiTEA Oct. 1-3, but these insights are too valuable to just toss in the harbor! Browse the agenda and register now.