There are now more mobile devices in the world than people. In our mobile devices we keep the most intimate details of our lives—our financial information, our medical history, our family memories. Consumers demand, and rightfully expect, that their personal information on their devices is protected.
At the same time there is a growing demand that law enforcement keep our society safe. We want to be sure that law enforcement can secure our airports, our train stations and that our families and friends are safe. Therein lies the fundamental tension within the encryption debate – a debate which continues to intensify.
Since the emergence of Edward Snowden, the pendulum has swung in a direction that has created an important debate about privacy and yet, recent events appear to be causing things to swing back. A recent survey from Morning Consult found that 71 percent of registered U.S. voters now support requiring that companies give the government access to their personal data to support national security interests, and 76 percent think those companies should help the government in investigations related to terrorism.
However, what has been largely lost in a debate cast in black and white terms is the presence of a third way to satisfy the concerns of both security and privacy.
Very few, if any, people disagree with the notion that law enforcement should be able to access a device it has in its possession where they have a legal reason for doing so. The debate is over whether solutions that may be needed to overcome the current encryption will cause more harm than good. This dilemma demands a new solution which would enable access while not eroding the personal security of devices globally. Fortunately, there is a new proposal which has been circulating in Congress which would use Asymmetric encryption and common sense, to do just that.
Asymmetric encryption is a common cryptographic method that uses different keys to encrypt and decrypt data. It consists in this case of two keys and the phone itself. The encryption key is public, while the decryption key is kept private. The only way to reach the content in the phone is to physically have the cell phone and the two encrypted keys in the same place.
To achieve maximum security, the government could distribute the private key in a smart card. The government could then also ask for a smart card is returned within a certain time. The card contains the key in a non-extractable form and performs decryption internally. The smart card can contain additional security measures such as an individual PIN that must be entered for activation. One would need both key pairs to extract data from the mobile device. Hacking into this type of system to obtain a key would be of no use. Since one would need to have physical possession of the phone to enable the system, there is no conceivable way this system could be used for mass surveillance or Internet hacker attacks.
The lesson to take from the FBI’s hack of the San Bernardino iPhone is that the latest exploits can be short lived. As more exploits are found and as manufacturers race to patch them, we now find ourselves in digital forensics “arms race-- whereby mountains of financial and intellectual capital will be spent on both sides. The value of the exploit from San Bernardino, and the importance of the new legislation, is that they can serve as leverage to bring the parties to the table to create a strategic, technology-driven solution that empowers the privacy and the security of our citizens.
The problem we face is not a Constitutional one – it is a technical one. As such it can be solved using a technological solution. Law enforcement, the digital forensics industry, Apple and its’ allies should come together to make this common-sense, easy to implement, secure solution a reality for the common good.
Joel Bollö is the CEO for Micro Systemation, MSAB, a provider of forensic technology for mobile device examination. MSAB's software is used by the law enforcement, military and government agencies in more than 100 countries worldwide.