Just over a week ago Apple announced that devices running its new iOS 8 mobile operating system will be encrypted by default, and because the encryption key is held by the user (not Apple), only the user can access an iPhone or iPad’s photos, emails, recording, documents, etc.
In the past Apple has cooperated with legally binding requests for users’ data by law enforcement agencies, but this will now longer be possible,
‘Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data, so it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.’
It should be noted that data stored elsewhere, such as on its iCloud or Mail services, is not so protected, so users very concerned about privacy should prevent auto-uploading of photos and videos, use an alternative secure email service, etc.
Users should also note that as Apple software is proprietary, we have to simply trust it when it says that it does not keep a copy of users’ keys. This means that if you are doing something the NSA might be very concerned about, it would be unwise to completely trust Apple device encryption. However, for most purposes this is a great move by Apple.
Just a day later, Google announced that it will follow Apple’s lead and also implement default encryption in its upcoming Android L release,
‘For over three years Android has offered encryption, and keys are not stored off of the device, so they cannot be shared with law enforcement. As part of our next Android release, encryption will be enabled by default out of the box, so you won’t even have to think about turning it on.’
As with iCloud, data stored in Gmail accounts, Google Cloud, or with many third party services, is not protected with user-held encryption keys, and so can be handed over to the authorities. Unlike iOS, Android is (technically) Open Source, but we would still not advise those of a more paranoid disposition to 100 percent Google trust with their data protection.
Despite these various shortcomings, this is all great news for data privacy, and comes on the back of a US Supreme Court ruling in June, which established that police can usually obtain search warrants for access to phone data, which companies such as Apple and Google must comply with. With phones fully encrypted and the keys held by users (only), they will now no longer able to comply.
It comes as little surprise then, to learn that police are really not happy about the situation,
‘One Justice Department official said that if the new systems work as advertised, they will make it harder, if not impossible, to solve some cases. Another said the companies have promised customers “the equivalent of a house that can’t be searched, or a car trunk that could never be opened.”
Andrew Weissmann, a former Federal Bureau of Investigation general counsel, called Apple’s announcement outrageous, because even a judge’s decision that there is probable cause to suspect a crime has been committed won’t get Apple to help retrieve potential evidence. Apple is “announcing to criminals, ‘use this,’ ” he said. “You could have people who are defrauded, threatened, or even at the extreme, terrorists using it.”
The level of privacy described by Apple and Google is “wonderful until it’s your kid who is kidnapped and being abused, and because of the technology, we can’t get to them,” said Ronald Hosko, who left the FBI earlier this year as the head of its criminal-investigations division. “Who’s going to get lost because of this, and we’re not going to crack the case?’
The same Mr Hosko also expressed his concerns to The Washington Post,
‘Ronald T. Hosko, the former head of the FBI’s criminal investigative division, called the move by Apple “problematic,” saying it will contribute to the steady decrease of law enforcement’s ability to collect key evidence — to solve crimes and prevent them. The agency long has publicly worried about the “going dark” problem, in which the rising use of encryption across a range of services has undermined government’s ability to conduct surveillance, even when it is legally authorized.
Our ability to act on data that does exist . . . is critical to our success,” Hosko said. He suggested that it would take a major event, such as a terrorist attack, to cause the pendulum to swing back toward giving authorities access to a broad range of digital information.’
What this does show is that Edward Snowden’s revelations are having a profound effect, and that as ordinary people’s security concerns continue to grow (and tech companies, whose reputations have been badly damaged rush to shore up public confidence in their services), the ‘surveillance society’s’ worst nightmare is coming true – more and more people are ‘going dark’, which for advocates of privacy and freedom can only be good thing…
Update 19 September 2014: A Tweet is doing the rounds on reddit, saying…
… which sounds very ominous!