UK Police Circumventing Cellphone Encryption By 'Mugging' Suspects While Their Phones Are Unlocked
from the snatch-and-grab dept
UK police are experimenting with a new brute force technique to defeat cellphone encryption:
Undercover surveillance officers trailed Yew and waited for him to unlock his phone to make a call - thereby disabling the encryption.
One officer then rushed in to seize the phone from Yew's hand - just as would happen in a criminal mugging. As his colleagues restrained the suspect, the officer continually "swiped" through the phone's screens to prevent it from locking before they had downloaded its data.
So, it's come to this: lawful mugging. Still, it's not a terrible solution to the problem. Sometimes the best methods are lo-tech, as anyone swinging a $5 Password Acquisition Tool can tell you.
This method will work in the UK. It may not in the US. UK law enforcement would likely find compelling a suspect to unlock a device a long and possibly fruitless endeavor, but there's no Riley decision standing in the way of seizing/searching phones on the hoof (as it were).
Courts here in the US have interpreted the Supreme Court's Riley decision in diverse ways, but a motion to suppress evidence might succeed if US law enforcement began engaging in this novel form of encryption circumvention. In one case, a judge found that simply opening a flip phone constituted a search under Riley. Keeping a phone "alive" until evidence can be retrieved from it might run afoul of the Fourth Amendment, even if the seizure itself is completely lawful.
It's still a better idea than making encryption backdoors mandatory or requiring device manufacturers to make a second set of keys for the government. The solution isn't elegant but it works. And it will only work in certain circumstances, so there's not much potential for abuse. It might encourage rougher arrests than usual, if only to separate the cellphone from the suspect, but the small number of arrests where this process would work shouldn't result in a sharp uptick in excessive force deployment.
This is a technique US law enforcement should definitely look into. While I'm sure most agencies would prefer a precedential court decision compelling decryption or a legislative mandate, this alternative would allow police officers to end up with fewer inaccessible phones.
There are other benefits as well -- some that could positively affect community relations. The arrest of a suspect in conjunction with the seizure of potential evidence could make related searches far less destructive. With the suspect out of the way, searches of homes/places of business wouldn't necessitate a barrage of flashbang grenades and the tearing of new entryholes by predawn raiding parties in SWAT gear. Sure, this less violent approach to serving search warrants won't appeal to officers who find the real military too restrictive but still harbor a desire to carry a gun and pretend they're participants in a war. But that's actually a good thing.
In addition, arrests of suspects out in the open should lower the chance of violent resistance. People tend to expect the arrival of police officers at their residence -- not so much when they're going about their daily, noncriminal business.
If efforts to keep seized phones alive until a search warrant arrives (or: novel idea -- get one first!) adhere to the Riley decision, the "going dark" problem isn't quite as all-encompassing as it's frequently been portrayed. (Even without this method, the "threat" of phone encryption has been greatly overstated.) It's tough to believe "mugging" might be the lesser of law enforcement's desired anti-encryption evils, but that's the reality of the situation.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: encryption, mugging, police, uk
Reader Comments
Subscribe: RSS
View by: Time | Thread
GREAT IDEA!
I want to be the first person to patent (I know, evil word here) a bluetooth device that locks the phone automatically when the phone is moved more than X feet from the device.
Problem solved. Police come... grab your phone, it locks automatically as you are moved away!
Also, a new feature on the phone - the phone can no longer be unlocked by a fingerprint, but the finger must remain on the phone for it to remain unlocked.
Inconvenient, but enough of those measures start appearing and the legal mugging becomes mute.
[ link to this | view in chronology ]
Re: GREAT IDEA!
[ link to this | view in chronology ]
Re: Re: GREAT IDEA!
https://play.google.com/store/apps/details?id=net.syntaxblitz.plucklock
"The application will run in the background, constantly monitoring the accelerometer to determine if the phone has been taken from your hand."
[ link to this | view in chronology ]
Re: Re: Re: GREAT IDEA!
[ link to this | view in chronology ]
Re: Re: GREAT IDEA!
[ link to this | view in chronology ]
Re: Re: GREAT IDEA!
[ link to this | view in chronology ]
Re: Re: Re: GREAT IDEA!
[ link to this | view in chronology ]
Re: GREAT IDEA!
No need for that. Just make a button/pressure switch on the side of the phone, in a place where the user's fingers would normally be while holding the phone. This button needs to be depressed to unlock the phone, and needs to remain pressed to use it. Take your finger off the button and the phone instantly locks itself.
[ link to this | view in chronology ]
Re: GREAT IDEA!
Pretty sure the idea was to stop those annoying friends that snatch your phone to read your latest text, but it would work just as well in this case.
[ link to this | view in chronology ]
Re: Re: GREAT IDEA!
>There are actually already apps to handle this situation. Solution I like was one that watched the sensors on the phone to detect a sudden acceleration, like when phone is snatched from you, and it locks the phone.
>Pretty sure the idea was to stop those annoying friends that snatch your phone to read your latest text, but it would work just as well in this case.
Or to foil snatch and grab thieves, no matter what colour they are wearing.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
So this conversation is now reallity:
- Oh.... what has the world come to? That is pretty terrib...
- Terrific? Yes! Now they don't have to destroy everyones digital security and our whole online infrastructure.
This is indeed a sad day when we find positive things in socalled "lawful mugging". That silver lining is starting to look very thin.
[ link to this | view in chronology ]
Re: So this conversation is now reallity:
None of this will stop until the police are treated as what they are - a criminal conspiracy.
[ link to this | view in chronology ]
Re: So this conversation is now reallity:
This.
Good point. Still disturbing, but a good point.
[ link to this | view in chronology ]
Re: Re: So this conversation is now reallity:
[ link to this | view in chronology ]
The phone automatically locks itself at the end of any phone call. Police snatch my phone while I'm on a call. The person I'm talking to thinks it's a mugging and hangs up to call the police. Since the call ended, the phone is now locked.
Maybe a voice command to lock the phone. Call it an anti-mugging feature and have the voice command also dial 911 (or whatever your countries emergency services number is)
Or the phone has multiple levels of how locked it is. For example, there is very little data on the phone that I need to start a call. Once the call is connected, that data isn't useful so can be locked away.
[ link to this | view in chronology ]
I don't see a problem with this, with a warrant
It could even be a regular part of an arrest warrant, if the investigators have probable cause that specific evidence related to the activity for which the warrant is issued is on the phone.
But this sounds as if the police are arresting someone in order to do a fishing expedition on everything the phone can access. They want not just the phone and text history, but unfettered access to all online accounts.
[ link to this | view in chronology ]
Re: I don't see a problem with this, with a warrant
The guy was already under investigation, likely they would have got a warrant. That seems wholly reasonable to me.
[ link to this | view in chronology ]
Re: Re: I don't see a problem with this, with a warrant
But is it necessary? This is the UK. If you unlock your phone in a public space, don't they already have your password on several cameras?
[ link to this | view in chronology ]
Re: Re: Re: I don't see a problem with this, with a warrant
[ link to this | view in chronology ]
Re: I don't see a problem with this, with a warrant
[ link to this | view in chronology ]
Re: Re: I don't see a problem with this, with a warrant
Dont the cops have to ID themselves? Screaming "we're the cops" as they attach you will lead to a cop being killed. I would consider that as self defense for the perp.
Probably not a problem in the (unarmed - even the police) UK where this happened.
Perhaps a big issue in the (armed to the teeth) US.
[ link to this | view in chronology ]
Re: I don't see a problem with this, with a warrant
> warrant arrives (or: novel idea -- get one first!)
That sounds to me like they don't have a search warrant first.
So the police will mug someone, steal their phone, and search through it to "keep it alive" until the presumed warrant arrives. But what if the warrant doesn't arrive? Is this assault and battery by the police?
What happens if the victim of the mugging, or one of their friends, uses deadly force against one of these muggers only later to discover they are the police?
One other observation: The police seem to wonder why they have a problem with the public not trusting them.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Mabye...
I don't know about UK law, but what is up with the rhetoric?
Without exception, any seizure of property by government authority IS ALWAYS lawful mugging. But since it is lawful, we usually like to call it something else.
Here in America this is constitutional, so long as said officer has a warrant to do so. Any attempt to seize property outside of a warrant will remain unconstitutional regardless of how creative they try to get with fuzzy logic.
[ link to this | view in chronology ]
Re: Mabye...
[ link to this | view in chronology ]
Shame on you.
Sorry, but I find nothing to celebrate in this. The "but they are going to break our encryption if they don't do that", doesn't work on me.
In the end, it's the same excuse as "if we don't break your encryption, terrorists are going to break our country", just that applied in a different way.
Btw, I guess that people will come up with solutions to that fast enough.
And it just would be an anti-theft measure, btw. I guess that criminals do that already (stealing your phone while you're using it, then keeping it live so that it can't get locked).
And if they don't do it, they will learn from this to do the same, particularly now that phones are being used to pay shit and that.
Btw, this puts you at risk of being accused of resistance to authority. If I get caught by surprise by someone I think it's mugging me, first thing I will do is resist with any means I have at hand, because I don't fucking know who was the one who attacked me.
Until they identify themselves, at least.
And I guess that they are going to use this technique by default, whether they have a warrant or not.
And yet, you're celebrating this...
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Until they identify themselves, at least.
No
"Until they identify themselves to your satisfaction"
which is a much higher hurdle to get over.
[ link to this | view in chronology ]
Nothing wrong with this
Win win.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Riley wouldn't be a problem if the police got a warrant for the phone beforehand, right? They should be doing that anyway, if they have actual reason to believe the phone is evidence. (As opposed to just taking the phone because it *might* have evidence.)
On the other hand, it's probably a little more dangerous for the general public if the guy resists. And I'm not sure we should train the public that a bunch of plainclothes people mobbing a guy and taking his phone is typical police behavior, unless you want a sudden rash of violent phone-theft.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Better yet...
Or you could make an app that geo-locates the phone itself and auto wipes when it is taken into certain locations like police stations.
Or make one that unlocks into a shell UI loaded with fake information - call logs to elected officials with their contact information, contacts for local VIPs and prostitutes, location tracking information for Topeka Kansas instead of locally, fun stuff like that.
Maybe one that executes on verbal command - "Siri - wipe!" :D
Personally, I'll just try to avoid breaking the law, but since that's pretty impossible in the current surveillance/selective prosecution culture we have, it would be nice to have some level of privacy protection.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re: Siri
Doesn't mean jack as long as I keep carrying around my own personal tracking device, but I try to minimize my exposure while realizing that it's ultimately pointless.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
How about 'NO'?
It's tough to believe "mugging" might be the lesser of law enforcement's desired anti-encryption evils, but that's the reality of the situation.
Which is kinda like saying "Sure they could have shot you dead, but instead they only broke your leg, so progress!"
If they can't force someone to unlock a device through legal means, then the correct response is not 'Well have you tried mugging them?', it's 'Too bad, guess you don't get everything you want, now back to actually doing your job rather than expecting everyone else to do it for you.'
Their actions here are wrong, that it's slightly better to have the cops mugging people rather than breaking encryption wholesale doesn't make it any better.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Even if it is meant as satire just feels wrong to call it that.
Why not just call it a criminal act instead of putting the word "lawful" in front of it.
Been bothering me to see this lately. Almost legitamizes the act by not calling it for what it is. A crime.
[ link to this | view in chronology ]
This method will work in the UK. It may not in the US.
Why not?
If it does happen in the US, do you realistically expect the cops involved to be punished for it?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
This is already legal in the US
http://arstechnica.com/tech-policy/2015/05/sunk-how-ross-ulbricht-ended-up-in-prison-for-lif e/
[ link to this | view in chronology ]
Already solved..
https://f-droid.org/repository/browse/?fdfilter=plucklock&fdid=net.syntaxblitz.plucklo ck
has been around for years.. So this problem is solveed already.. People just need to protect themselves.
[ link to this | view in chronology ]