The changes that both Google and Apple have made to their mobile operating systems to encrypt the data on users’ devices have generated praise from the security and privacy communities and vitriol and criticism from the law enforcement and political worlds in equal measure.
The changes to iOS and Android mean that devices running the most recent versions of the operating systems are protected by encryption and can’t be decrypted by Apple or Google. The companies don’t hold the decryption keys and so they don’t have anything to hand over to governments, even with a warrant. This has led some in the law enforcement community to warn that the encryption schemes will make protected smartphones havens for criminal data and hamper criminal investigations.
FBI Director James Comey told the Washington Post that Google and Apple are marketing “something expressly to allow people to place themselves beyond the law.” But security experts say that this line of reasoning doesn’t consider the whole picture and is dangerous in some respects.
“Law enforcement has been complaining about “going dark” for decades now. In the 1990s, they convinced Congress to pass a law requiring phone companies to ensure that phone calls would remain tappable even as they became digital. They tried and failed to ban strong encryption and mandate back doors for their use. The FBI tried and failed again to ban strong encryption in 2010. Now, in the post-Snowden era, they’re about to try again,” cryptographer Bruce Schneier wrote.
“We need to fight this. Strong encryption protects us from a panoply of threats. It protects us from hackers and criminals. It protects our businesses from competitors and foreign spies. It protects people in totalitarian governments from arrest and detention.”
As Schneier points out, the FBI itself recommends that user employ strong encryption, and the changes that Apple and Google made can be traced, at least in part, to the revelations of the last 18 months regarding government surveillance and interception of communications. Those revelations have prompted many large technology companies to consider the way that they use encryption in many aspects of their businesses. Google accelerated plans to encrypt the links between its data centers, Yahoo earlier this year made the same move and now both Apple and Google have extended their use of encryption on their mobile platforms.
Apple’s new encryption system automatically enables disk encryption once the user sets a passcode on the device. Google’s new system for Android is similar. Both platforms have had disk encryption available before, but the stronger default option now gives users better protection with less effort on their end.
“Given everything that has made it easier for governments and others to intrude on our private lives, we need both technological security and legal restrictions to restore the traditional balance between government access and our security/privacy. More companies should follow Apple’s lead and make encryption the easy-to-use default. And let’s wait for some actual evidence of harm before we acquiesce to police demands for reduced security,” Schneier said.