Faced with encrypted devices, cops choose warranted smash and grabs
High-tech, meet no-tech.
Faced with the increasing popularity of encryption, law enforcement in Europe and the U.S. is turning to a decidedly non-digital solution: physical force.
Over the summer, police in the United Kingdom obtained a warrant and “mugged” a suspect—one cop grabbed his phone, the other officers then tackled him—in a credit card fraud case in order to separate him from his iPhone while he made a call. In that moment, the phone was unlocked, unencrypted and unprotected. The tactic, which the BBC called a “lawful ‘street robbery,’” yielded a vast store of communications used as evidence in the investigation. The suspect pleaded guilty and was sentenced to five and a half years in prison.
The same tactic has been used in the United States. Ross Ulbricht, the former operator of the Silk Road dark net market, was sitting in a San Francisco public library in 2013 when a host of cops silently surrounded him. Steeped in security, Ulbricht was using a laptop that would encrypt when closed. To circumvent that, police created an elaborate distraction, shoved Ulbricht away from his device, and grabbed it for themselves. They kept it open and used the laptop’s contents as evidence to devastating effect in Ulbricht’s criminal trial. He was convicted and is now serving two life sentences. An appeal is underway.
The American legal landscape changed a year later with the landmark 2014 Supreme Court decision, Riley v. California, which unanimously held that a warrantless search of the digital contents of a cell phone is unconstitutional. Full-on searches of phones can’t legally happen without a warrant. Once the judge gives the go-ahead, however, the question of how to circumvent encryption is open. The legal order in which this all takes place is less clear.
It’s not clear how widespread the tactic is in either the United Kingdom or United States. California-based criminal defense attorney Jay Leiderman says he’s seen the tactic before and that “it’s actually not at all uncommon.”
“I wouldn’t be surprised at all to learn police were trained to separate encryption from the user,” Leiderman told CyberScoop.
Leiderman explained a scenario he’s seen over and over again: Police wait for a suspect to flip their phone on “because they’re out of it, their attention is divided, they’re sucked into their phone so they’re not noticing the four or six people around them closing in about to tackle them. That’s also smart policing.”
In the wake of Riley, cops can look at what’s on a seized phone’s screen, keep the phone unlocked, and may be able to get a warrant to fully search the contents of the device.
The encryption debate that dominated headlines last year is widely expected to return to prominence under President-elect Donald Trump. How federal agents—and law enforcement at all levels—will deal with the challenge remains to be seen.
This is “the kind of police work I think we expect law enforcement to engage in, rather than things like bulk interception or hacking of users,” Joseph Lorenzo Hall, Chief Technologist at the Center for Democracy & Technology, told CyberScoop. “This seems like legitimate police work, highly retail (it doesn’t scale well)… However, after ‘Riley’ they will need a warrant which should narrowly prescribe for what and where the police can look on a device seized in this manner.”
Although it’s extremely potent, an opportunistic smash-and-grab is far from a panacea for all the challenges encryption puts in front of law enforcement, nor is it the end of the strong privacy protections encryption provides for the rest of us. Maybe most importantly, necessitating a more physical confrontation puts everyone involved and even civilians nearby at greater risk of injury, as former NSA counsel Susan Hennessey argued.
The idea that physical force can beat encryption is not new. “Rubber hose cryptanalysis” is a three-decade-old sardonic euphemism about how torture and coercion can be used to obtain passwords that will render encryption useless. If the human being is the weakest point in cybersecurity, that goes double for cryptography. The techy webcomic XKCD tackled the idea six years ago.
“When they raid a place, that’s the first thing they try to do,” attorney Tor Ekeland told CyberScoop. “They try to stop you from locking your stuff. That’s why they’ll come in really quick or they try to get you generally early in the morning. I think that’s a common practice.”
One counterpoint to this police tactic is layered security.
Signal, the increasingly popular secure messaging app, encrypts text messages from one phone to another. If a law enforcement agent or criminal or spy were to physically separate a Signal user from their unlocked phone, however, the entirety of their communications would be open to them. At least, that was the case up until somewhat recently.
Last year, security researcher Runa Sandvik, who directs information security at the New York Times, asked Signal developers to implement app-specific passwords. There was a back and forth about the possible benefits but Sandvik won out in the end. Today, the app allows for password protection and encryption on the device. So, if you password-protect Signal, even being physically separated from your unlocked device would not expose your communications unless you had specifically unlocked the Signal app. A user could also enable screen security, so messages aren’t visible on the lock screen, and disappearing messages, a feature that deletes messages after a set time period, for yet another layer of security and tidiness.
App-specific passwords would, in theory, reset the situation to exactly where it had been: encryption protecting data with the phone still out of the owner’s possession.
“My clients that listen to me, that’s what you’ll find them doing,” Leiderman said. He admits, however, that only 10 or 20 percent of his clients follow his security advice.
“Certainly, [this kind of police tactic] will leave exposed anything that doesn’t have an additional layer of authentication required,” Hall explained, “and apps like banking, password managers, and Buffer that allow the option of fingerprint scanning for authentication could be compelled or fooled with fake fingers. So people with law enforcement in their threat models may want to rely on numeric PIN numbers for those apps.”
For everyday users, this might be a bridge too far in the name of security. The crux of Signal’s fast-rising popularity is that it’s as easy to use as any other messenger but with exponentially more security. Adding passphrases or deleting archives adds a complicating wrinkle. But for security-sensitive users—businesspeople, journalists, activists, lawyers, etc.—these are the kinds of options that come into play as physical force becomes a more commonly used tactic to beat popular default encryption. For developers, it becomes yet another threat model to take into account.
“At this point in the game, technology is moving faster than the law,” Leiderman explained. “It’s not really about having answers, it’s about asking the right questions. However, we simply don’t have answers to them at this point.”
Of course, even if you manage to keep the sensitive stuff on your phone locked, the FBI might just buy a way to unlock it anyway if they deem it worth the considerable cost.