The Obama administration has apparently decided not to support exceptional access proposals that would provide law enforcement with the means to access data on iPhones and other personal devices.
As I argued previously on Just Security, instead of pursuing exceptional access, policymakers should seek to build a durable legal structure that would provide the FBI with the authority, under appropriate oversight, to exploit software vulnerabilities. Because these vulnerabilities already exist, lawful hacking, as this is sometimes called, can help get law enforcement what it needs without introducing the additional security risks associated with exceptional access. It is worth revisiting this issue now that the administration has seemingly reached a decision regarding its encryption policy.
The law scholars I have subsequently spoken with disagree about whether the legal structure exists today to support lawful hacking. Although there are a few excellent treatments of the subject (for example, here and here), the issue seems to me to be under-examined.
But putting the legal questions aside, I want to highlight two other outstanding issues that require further consideration in order to put lawful hacking on a sound footing.
First, growing use of lawful hacking may limit transparency into law enforcement activities. We’ve now built a significant infrastructure around providing transparency into the scope and types of government requests for data. One of the primary mechanisms for this is company transparency reports. The current level of transparency into government data requests will decrease if law enforcement authorities resort to lawful hacking. Consider the obvious case of Apple, which began releasing transparency reports in 2013 that include requests for device information. Now, imagine that the FBI develops the means to hack into encrypted data sitting on an iPhone, a capability it might deploy after getting a warrant. When the FBI uses this capability, that activity will never be documented in Apple’s transparency report, as it would have been previously.
Read the full post at Just Security.