The Many Things Wrong With the Anti-Encryption Op-Ed in the New York Times

Manhattan District Attorney Cyrus Vance Jr. and his counterparts in Paris, London and Madrid took to the New York Times op-ed page to pose a flawed argument against default encryption of mobile phones.

Photo: Stan Honda/AFP/Getty Images

Manhattan District Attorney Cyrus Vance Jr. and his counterparts in Paris, London and Madrid took to the New York Times op-ed page Tuesday morning to pose a flawed argument against default encryption of mobile phones, a service being commercialized and implemented gradually by Apple and Google.

The op-ed misstated the extent of the obstacles to law enforcement, understating the many other ways officials bearing warrants can still collect the information they need or want — even when confronted with an encrypted, password-protected device.

The authors failed to acknowledge the value to normal people of protecting their private data from thieves, hackers and government dragnets.

And they demanded — in the name of the “safety of our communities” — a magical, mathematically impossible scenario in which communications are safeguarded from everyone except law enforcement.

Apple and Google are attempting to provide strong, reliable and user-friendly encrypted systems for their customers. A user who has installed iOS 8 on an iPhone automatically encrypts text messages, photos, contacts, call history and other sensitive data simply by using a passcode.

Android devices also include a system that encrypts downloaded files, application data, and other data with a PIN or passcode. But contrary to what the op-ed stated, that is not the default setting for most Android phones.

It’s true that when law enforcement asks for information that is encrypted with the user’s passcode, Apple and Google cannot actually deliver it. But that’s typically not the whole story.

For one: Apple, for instance, copies a lot of that data onto its own cloud servers during Wi-Fi backups, where the company can in fact access it and turn it over to law enforcement.

Plenty of other data is still available from the phone companies: SMS text messages, phone numbers called and phone calls received, and location information.

And then there’s the ability to break in. Responding to Tuesday’s op-ed, ACLU technologist Christopher Soghoian tweeted: “If law enforcement can’t hack the hundreds of millions of Android phones running out-of-date, vulnerable software, they’re not trying.”

Following the rollout of iOS 8, Lee Reiber, a cell phone forensics expert at AccessData, told Mashable that “As secure as the device can be, there’s always going to be some vulnerability that can be located and exploited.” Reiber said it’s “cat and mouse.”

The authors of the op-ed launched their argument by citing an Evanston murder investigation that they claimed was stymied by law enforcement’s inability to access the data on two phones that were found at the scene.

Unlike the laughably pathetic examples FBI Director James Comey cited in October in his argument against encryption of mobile devices, the Evanston case does actually appear to feature the rare combination of factors in which data on the phone might indeed have helped the investigation.

Ray C. Owens was shot and killed in his car in broad daylight in Evanston, Illinois, in June. Police found two phones near his body. They belonged to Owens — not the killer.

One was an iPhone 6 running on Apple’s iOS 8 operating system, the other a Samsung Galaxy S6 Edge running on Google’s Android operating system. When investigators served search warrants on Apple and Google to unlock the phones, the companies said they were unable to, because both had been password-protected.

According to Commander Joseph Dugan of the Evanston Police Department, investigators were able to obtain records of the calls to and from the phones, but those records did not prove useful. By contrast, interviews with people who knew Owens suggested that he communicated mainly through text messages — the kind that travel as encrypted data — and had made plans to meet someone shortly before he was shot.

The information on his phone was not backed up automatically on Apple’s servers — apparently because he didn’t use Wi-Fi, which backups require.

And the gun recovered two blocks away when a man fleeing police dropped it was not the gun that fired the fatal bullets, Dugan said.

So the Evanston police were stymied. “There doesn’t appear to be anything coming in the near future as far as charging anyone,” Dugan told The Intercept.

But Dugan also wasn’t as quick to lay the blame solely on the encrypted phones. “I don’t know if getting in there, getting the information, would solve the case,” he said, “but it definitely would give us more investigative leads to follow up on.”

The op-ed’s conclusion calls for an “appropriate balance between the marginal benefits of full-disk encryption and the need for local law enforcement to solve and prosecute crimes.”

But experts say there’s either a doorway in or there isn’t. And if there is, lots of other people, including criminals, can use it too.

Caption: Manhattan District Attorney Cyrus Vance Jr. at a 2014 press conference.

Join The Conversation