Don’t Speed … and … Could I have your phone?

By Ashish Lall | January 20 2021, 01:30 PM SGT
Photo by melissa mjoen on Unsplash

Incumbent firms almost always feel threatened by new technologies, at least in the first instance. Protagonists of new technologies add to these fears by using words such as ‘transformational’ and ‘disruptive’. It’s no wonder the post office thought that it would be destroyed by email. Publishers were afraid of e-books, although many are now priced almost as much as the printed versions – so much for zero marginal costs of producing digital products. The list goes on… and right now of course we are all afraid because AI and robotics are going to replace us.

It’s not just businesses. Law enforcement and intelligence agencies indicate that the law has not kept pace with technology and they are ‘going dark’ in their fight against terrorists, paedophiles, drug dealers and money launderers. They want access to ‘data at rest’, or what is stored on our encrypted devices and ‘data in motion’, or our encrypted communications on messaging apps.

This is version 2 of the so called ‘Crypto Wars’. Version 1 took place in the United States (US) in the 1990s when technology shifted from analog to digital. Cryptographic software was on the US munitions list and subject to export controls. Today, these ‘munitions’ are everywhere, and help protect data that we send, receive and store using our devices. They secure Bluetooth connections, Wi-Fi networks, messaging, online commerce, banking, payments and cloud services.

In 1994, Congress enacted the Communications Assistance for Law Enforcement Act (CALEA) which mandated that telecommunications carriers assist law enforcement agencies to conduct authorized surveillance. Media reports indicate that after 9/11 AT&T, BellSouth and Verizon facilitated warrantless wiretapping for the Bush administration. AT&T installed surveillance equipment on at least 17 of its internet hubs and its engineers were the first to try out new surveillance technology developed by the NSA. Since they already have our internet traffic, V2 is about phones.

In 2016, the US government sought to compel Apple to unlock an iPhone 5C belonging to a dead terrorist. In this much publicized San Bernardino case, the District Court of California ruled for the government. Apple CEO Tim Cook responded in a public letter:

 

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers… from sophisticated hackers and cybercriminals.

 

The US government later withdrew the case and media reports indicate that the FBI paid around $1.3 million to an unknown third party to hack the iPhone. According to a recent report by the non-profit Upturn. The problem of accessing ‘data at rest’ or accessing and interpreting the contents of a smartphone and as many as 181 apps is now solved and at a much lower cost. Dropbox, Box, Office 365, WhatsApp, Slack, Uber, Lyft… no problem!

The ‘data in motion’ debate continues, with reasonable arguments on both sides. Of course law enforcement and intelligence agencies need to do their jobs using the best available technology and information. But companies worry about compromising privacy and eroding trust, which is central to their business relationship with customers. And cooperation between government and Big Tech is even more worrisome. Eventually there will be a technological solution for this as well or countries could take the Australian route of legislation which is not without controversy.

The Upturn report finds that 2000 local and State law enforcement agencies in the US have purchased mobile device forensic tools (MDFTs) sold by companies such as Cellebrite, Grayshift and Magnet Forensics. Agencies “have performed hundreds of thousands of cellphone extractions since 2015, often without a warrant”. The problem is temptation – why stop at major crimes? MDFTs have been used to investigate petty theft, shoplifting, graffiti and car crashes.

Upturn has recommended banning consent searches of mobile devices, audit logs, data deletion requirements and public logging of law enforcement use of MDFTs.

Some Tech companies may think they are more powerful than States. They are deluded. We should all be afraid of the coercive power of the State.

 

Ashish Lall has taught at both Nanyang Business School (NTU) and the LKY School of Public Policy (NUS) and is presently Senior Advisor at PS-engage Global Government Relations. 

 

Posted in

Related Articles

Indonesia’s Jeopardized Digital Freedoms – A Case Study in Spyware

By Grey Pilarczyk Indonesia has long had a mixed human rights record, particularly regarding the online activity of Indonesians. In recent years, political activists and independent media outlets in the country have faced a barrage of digital threats and cyber-attacks. On May 1st, Amnesty International released a stunning report detailing Indonesia’s use of highly invasive […]

Unpacking the EU AI Act: An ASEAN Perspective

By Nigel Hee The European Union (EU) recently unveiled the Artificial Intelligence Act, a novel piece of legislation that aims to regulate the development, deployment and use of artificial intelligence (AI) systems within the EU. The Act is predicated on a risk-based approach, classifying AI systems into different risk categories and imposing corresponding obligations and […]

Digital Sovereignty in ASEAN

By Mackenzie Gunther With large tech companies owning significant amounts of data, geopolitical tensions, the risk of critical data leaks, and the rising importance of self-reliance in the eyes of world leaders, the concept of who controls data is becoming a high priority.   The global context over the past decade has set the scene for […]