Apple and Google announced in short succession that they will be
turning on encryption by default for all of their devices and the
reaction from law enforcement (and some press elements who pander to
them) is nothing short of incendiary. The nexus of national security,
organised crime, think-of-the-children and technology concpepts barely
understood by laypeople is fascinating to watch but one thing stands out
that makes this posturing baffling: Law enforcement already knows what
the limitations are of modern cryptography on mobile devices, and
they're borderline lying when they decry this latest move.
Encryption on Android devices at least is very strong relying on the deep structures in the Linux kernel and associated tools to create and manage encrypted storage devices. Apple have improved things a bit
in iOS8 but they've a ways to go. The announcements change nothing
about the capabilities of these devices that law enforcement don't
already worry about but that hasn't stopped them from launching a PR
push in an attempt to show they're actually doing something - anything -
to tackle the problems under their purview.
There is a
serious flaw in this. The announcements merely indicate the starting
position of the state of a new device, in that existing methods for
securing the device will be turned on by default. Any savvy user who
cares for their privacy (and unscrupulous ones probably more so) will
have long ago figured out how to activate these features. In the grand
tradition of DRM, where normal users were left exposed or under-served
while underhanded consumers found the best release schedules by simply
downloading as they wanted, viewing on devices that pleased them, and
avoided limitations like being forced to watch ads or in formats
sub-optimal; regular users of mobile devices were left woefully
underprotected despite the facility being there to enhance their device
security for the good while the security conscious (and I will keep
admitting not always those with high-minded intentions) could exploit
these features for their own protection.
Law enforcement knows this. Their hand-waving (and predictable, think-of-the-childrenness)
responses are at best facile and at worst outright lies. If they did
not know these devices were already capable of encryption then they are
not competent, and if not but think this default setting changes the
landscape for law enforcement then they are certainly dishonest -
someone choosing to hide data from law enforcement already has those
tools. These decisions are security for the rest of us.
This
is not new. I used to have respect for Dianne Feinstein, the present
(as of October 2014) chair of the US Senate Select Committee on
Intelligence. She once remarked that Edward Snowden should have come
forward with his concerns privately, even directly to her, rather than
disclosing his information to the public; that this would still have
resulted in the reforms and protections now underway at the NSA, CIA and
other intelligence bodies in the US. Again, either incompetent in
thinking the level of scandal this information would cause would be
outweighed to safeguard individual rights in an environment of total
secrecy (it won't) or posturing for effect and misleading the public
about what she knows to be a false tale of her and her colleagues'
desires to curtail intelligence gathering if it infringes those rights
(it would never). Cue outrage when the CIA is found to be violating
those rights, this time hers. She cannot be taken seriously.
Neither
can any government official who says that the two largest smartphone OS
vendors are hurting law enforcement because of a non-technical change.
They are posturing, lying or showing incompetence (at best because of
bad advice, but unlikely). They would like to intentionally leave us
exposed to data theft, privacy violations based on the flimsiest of
evidence, insufficient safeguards for that data and abuse by criminals
who use government and law enforcement's own tools and methods.
I
don't blame them for this as it's their job to pretend we're all at
risk, that their job is hard, and that we should trust them. I know this
and can't fault them (too much) for it.
My true outrage is with media outlets that don't just blindly parrot their talking points, but add on their own ill-informed scaremongering flourishes.
None of these articles mention the present availability of these
techniques, and in the omission imply that this is a new level of
crime-friendly protection with no benefit for ordinary users. If these
tech journalists stand by their stories and insist government needs to
take action to cripple security or mandate backdoors, history has a lesson for you, as do real tech journalists.
