A Year After San Bernardino And Apple-FBI, Where Are We On Encryption?

Enlarge this image Jaap Arriens/NurPhoto/Getty Images Jaap Arriens/NurPhoto/Getty Images

The debate over encryption and government access to secured communications dates decades back. But for many Americans, it grabbed their attention in the early months of this year, in the aftermath of the Dec. 2, 2015, mass shooting in San Bernardino, Calif.

It was a saga that unraveled over weeks. Looking for leads on the terrorist's iPhone, the FBI wanted to crack the PIN code on the device. The bureau got a court order and demanded that Apple write special software to thwart security measures that otherwise threatened to erase its content if muscled through. Apple refused to help and took its case public.

The two sides battled it out in court, in Congress and in the media. Apple argued such software amounted to a master key and would encourage other countries, like China or Russia, to make similar demands for other iPhones. The law enforcement community said that increasingly secure encryption was making devices "warrant-proof."

The conversation about encrypted devices quickly merged with that about encrypted communications.

Ultimately, the FBI paid a mysterious third party and unlocked the phone without Apple's help. Over the following months, several bills appeared and faded in the outgoing Congress. The heat has subsided. The conversation moved on. Or so you might think.

A few weeks ago, Manhattan District Attorney Cyrus Vance Jr. — a vocal opponent of insurmountable encryption — renewed his call for new laws to make sure that law enforcement has a way to extract the content of locked iPhones.

"In (Manhattan) alone, 423 Apple iPhones and iPads lawfully seized since October 2014 remain inaccessible due to default device encryption," the report from Vance's office says, arguing later:

"There is an urgent need for federal legislation that would compel software and hardware companies that design or build mobile devices or operating systems to make such devices amenable to appropriate searches."

From a technical perspective, it's essentially a plea to turn back time.

During and since the Apple-FBI standoff, the push for stronger encryption has been marching on. On the newer devices, Apple says it's just not technically feasible for the company to unlock passcodes or otherwise extract data, warrant or no warrant.

Google, despite its struggle to push updated software to the fragmented market of various Android devices, is also promoting default encryption. WhatsApp, the most popular messaging platform, has doubled-down on encryption and has even introduced secured video chat. The list goes on.

"I don't see a situation where the government ... is going to force Apple to roll back encryption of the iPhone. I think that ship's sailed," says Christopher Soghoian, principal technologist at the American Civil Liberties Union. "Law enforcement has to deal with the fact that we live in the world of encryption. And the way the feds are dealing with it is embracing the hacking."

Soghoian explains that encryption doesn't completely shut down surveillance but pushes it further out from the networks that deliver the communications — where they are scrambled — to the devices where it gets unscrambled for the user.

That's one of the reasons why internationally instant messaging apps and communications platforms have, for the first time, emerged as "the most routinely targeted tools" by governments. That's according to this year's Freedom of the Net report by the Freedom House, which found WhatsApp being the most restricted app around the world.

Earlier this week, judges in the U.S. gained wider power to authorize government hacking of digital devices well beyond their districts.

Reuters has reported that the newly re-elected Republican Sen. Richard Burr, who chairs the Intelligence Committee, is likely to reintroduce his encryption legislation requiring companies to build "back doors" into their products for the government — but this time, with the support of the incoming Trump administration.

So far, none of Donald Trump's picks for security posts are experts on cyber, and details of his stance are relatively hard to surmise. During the Apple-FBI debate, Trump called for a boycott of Apple to pressure its compliance with the FBI's demand. But he hasn't voiced a specific position on encryption.

Also unclear is Trump's plan for the post of FBI director, occupied now by James Comey, who led the bureau's fight against Apple but also played a prominent role during the campaign-season controversy about Hillary Clinton's use of a private email server.

One likely possibility, Soghoian says, is a behind-the-scenes push for the right of government authorities to compel app or device makers to deliver specially created software to particular phones.

Also possible is an effort to make companies retain more data they collect about their users — including, for instance, unencrypted metadata, such as time and length of a conversation, rather than its content. This becomes even more relevant in the era when more and more things get connected to the Internet without being particularly secure.

And finally, there's the matter of state and local law enforcement. Investigations across the country have struggled with the lack of technical expertise and budget to tackle crimes involving tech devices.

Soghoian worries that when the surveillance or hacking tools begin to trickle down, abuses will be particularly visible. For now, he expects prominent voices like Manhattan's Cyrus Vance to continue making their case.