Pat Kerpan sent in a link to this useful article in the MIT Review, 6 Ways Law Enforcement Can Track Terrorists in an Encrypted World by Nathan Freitas about the current state of encryption and the privacy of our digital phone and data communications and files. Nathan is a mobile app developer, and much of what he has to say relates to efforts to provide encrypted apps on mobile phones and the challenges in doing so. Nathan Freitas leads the Guardian Project, an open-source mobile security software project. His work at the MIT Berkman Center focuses on tracking the legality and prosecution risks for mobile security app users and developers worldwide. However, I found his other main points really useful, particularly for those of us who don't routinely use encrypted communication apps. Nathan writes: [Emphasis my own]
"The phrase 'the terrorists are going dark' has come back in vogue after the Paris attacks, referring to assertions that encryption is somehow enabling the communication of future attackers to go undetected. But the public is being presented with a false choice: either we allow law enforcement unfettered access to digital communications, or we let the terrorists win. As always, it is not that simple.
There is still a great deal of data available that is not fully encrypted or even encrypted at all—data that allows for the kind of digital detective capabilities that law enforcement seek to catch the bad guys. It is disingenuous on all sides to pretend it does not. Some call this metadata, but considering the volume and detail of data available, there is nothing meta about it.....Not all of the approaches to data gathering and intercept are clearly legal."
Nathan enumerates 6 ways in which even so-called encrypted communications are vulnerable. I selected three of them to highlight here:
"If someone is carrying a mobile phone, their every movement, phone call, and use of the Internet access is being tracked and logged by the mobile service provider. Accessing that data often does not require a warrant, just a phone number and a contact at the phone company."
"Full storage encryption of smartphones is not on by default for Android, and only in effect on iOS when the device is powered off. Most of these apps are not password-protected on the device itself. Get access to a phone with the screen unlocked, or crack the screen lock app itself, and you are in....."
"Most cloud data is only encrypted to protect it from outside attackers, and not from the service provider themselves. Some services say, 'We encrypt data at rest in the cloud,' but they mean they do so with an encryption key that they hold, not one the user holds. Rather than backdoor the messages in real time, just get access to a cloud backup of all the messages, contacts, calendars, photos, location data, and more that users often unwittingly store there."
My take-away is that this is an honest assessment of where we are with digital communications. My concern is that this is not good enough. Our communications are not private, haven't been for quite a while, and may never be again. I'm not in the camp that says "Get over it." I believe that privacy and freedom from criminal trespass and government surveillance are both human rights.
Nathan Freitas summarizes the current state by saying:
"Whether we like it or not, the opportunities for targeted surveillance of digital communications are vast and deep, within both clearly legal and legally gray areas. I am not encouraging legalizing criminal hacking by the police or promoting surreptitious methods for infringing on freedom and privacy. In fact, I am a firm believer that more encryption is needed, to strengthen our personal privacy and defend against actual cybersecurity threats."