Cy Vance Is So Sure Encryption Is Pure Evil He Thinks Over-The-Air Software Updates Are Just Encryption Backdoors Apple Won't Tell Him About
from the of-all-the-things-even,-this-one-i-can't-the-most dept
Manhattan DA Cyrus Vance is back on his anti-encryption bullshit. A Fast Company profile of his "$10 million cyber lab" for decrypting phones contains some really choice quotes from the DA -- quotes that show he's about as on top of all things "cyber" as former NYC mayor/alleged tweet hackee Rudy Giuliani.
The thrust of the piece is that breaking encryption is time-consuming and expensive. Hey, no one's arguing otherwise. But the arguments made by Vance and other law enforcement officials in the article are disingenuous and… well… stupid.
Breaking encryption doesn't scale. Sorry about that, LEOs. That's a fact you're all going to have to come to terms with. But it's not impossible and there are more than a few companies offering to do the dirty work for cyber-strapped agencies that don't have $10 million on hand to bootstrap their own brute forcing.
We're also living in the golden age of surveillance, despite the arguments of a few candle bearers primarily interested in wandering around in the dark cursing. Almost everyone carries a tracking device with them wherever they go. Voluntarily. Reams of data are generated every day, a lot of which doesn't even require a warrant to access. Cops are solving crimes using consumer DNA services, Apple wearables, and always-on smart devices that eavesdrop on conversations law enforcement normally wouldn't have access to.
But let's start with some numbers. I'm beginning to think the Manhattan DA's office is no better at counting locked devices than the FBI is. As you may recall, the FBI spent a few years claiming it was sitting on an exponentially-increasing amount of encrypted devices… right up until it was forced to admit its counting software couldn't count and it had severely overstated the amount of devices in its possession.
The same thing appears to be happening at the DA's office. An increase like this is inexplicable. Here's how many devices Cy Vance was complaining about in 2016:
Manhattan District Attorney Cyrus R. Vance Jr. said at a news conference that investigators cannot access 175 Apple devices sitting in his cybercrime lab because of encryption embedded in the company’s latest operating systems.
And here's what Fast Company is saying in 2020:
On the day I visited the cyber lab, there were nearly 3,000 phones, most related to active criminal investigations, that Moran had not yet been able to access.
Even given Android's dominance in the market, this seems like an incredibly dramatic increase over the past four years. And it seems even less likely given the fact that multiple vendors are capable of cracking older iPhones and Androids, if not the latest models (for now). Rolling your own decryption doesn't seem like the most efficient use of resources, especially when time is of the essence, as Vance claims.
"If we seize a phone that is iOS 10 but can’t open the phone, maybe never, but, say, not for another two years, well, that’s not the timeframe in which cases move, particularly cases when they’re in court."
Plea bargains are the norm, not trials. Even if we discount that depressing fact, pre-trial detention in New York City for felony charges is ~80 days. That's people being locked up before they've even had their day in court (not counting arraignment). Even if Vance wasn't pretending the city isn't willing to lock people up indefinitely while his office pokes away at their phones, the fact remains his office could look to outside help to shorten the process. But it doesn't. And the article (and Vance himself) never explains why.
Let's move on to Vance and his incredible quotes. Behold the man so clearly convinced that device encryption is solely a middle finger extended to law enforcement, he actually seems to believe over-the-air software updates are proof Apple is lying about its ability to access the contents of encrypted phones.
Vance is skeptical that Apple doesn’t have a secret backdoor. “They get into my phone all the time because they upgrade my operating systems and they send me messages,” he says.
Just a friendly reminder, New Yorkers: this is an elected position. You don't need to be represented by someone who sounds like an Infowars commenter.
Vance also appears unable to recognize why encryption matters. He claims phone makers used to be super-helpful. Companies like Apple would take a seized phone and return a jump drive full of data and communications a few days later. But that changed after the Snowden leaks revealed widespread, mostly-unchecked domestic and foreign surveillance. Apple and Google didn't immediately respond, but when they did, they made use of their devices safer for everyone. The "everyone" Venn diagram includes a certain number of criminals. But the important thing was doing all they could to protect customers from thieves (something government officials routinely complained about) and malicious hackers.
It wasn't about screwing US law enforcement. It was a reaction to the sheer power of governments (not just the United States government) to compromise devices and intercept data and communications.
Vance continues to take this personally. And in doing so, he's developed a lot of blind spots. Here's Vance stating he doesn't think US tech companies should be able to decide what's best for their customers.
In the end, Vance just wants prosecutors to have all the tools available to do their jobs. “You entrust us with this responsibility to protect the public,” he says. “At the same time, they”—Apple and Google— “have taken away one of our best sources of information. Just because they say so. It’s not that some third party has decided, this is the right thing for Apple and Google to do. They just have done it.”
So… third parties -- Google, Apple, etc. -- have not decided this. Other third parties (I guess the government?) should make this call. I mean, we know that's what Vance thinks. But this statement makes zero sense. If companies shouldn't be allowed to protect their customers from threats, who should be doing this? The government? Because I think if the lawmakers in Washington crafted a law designed to protect cellphone users, they'd come to the same conclusion -- encryption works -- even if it made things a little more difficult for law enforcement.
Let's not forget the government is operating on power granted to it by the governed, not the other way around. If there's been a slight decrease in evidentiary uptake since the spread of default encryption, so be it. Very few Americans are willing to trade their device security for incremental law enforcement gains, no matter how many law enforcement officials believe citizens are too stupid to know what's good for them.
Not all communications belong to law enforcement, warrant or not. Since the beginning of criminal time, people engaged in illegal behavior have taken steps to reduce their exposure. Front businesses. Cranking up radios/TVs so conversations won't be picked up by bugs. Off-the-grid, face-to-face meetings. And so on. To pretend phones are taking criminals to the next level ignores everything about criminal activity. Smart criminals play it smart. Dumb criminals are still dumb. Compelled decryption is still an unsettled issue, which means cops can roll the dice on court-ordered coercion. Fingerprints, faces, and irises can still unlock phones without much resistance, especially if one of the suspects is dead.
To call Vance's anti-encryption arguments disingenuous would strip that word of most of its power. Vance has an encryption problem. Maybe. But he doesn't have an evidence problem. And he's not making the most of what's available to him, possibly deliberately. I'm sure he'd prefer an encryption ban or court precedent that makes compelled decryption legal. He probably will see neither of these in his lifetime. But until he's out of office, he's going to continue making incoherent complaints. The least publications covering his so-called plight could do is greet him with the skepticism he deserves.
Filed Under: cy vance, encryption, going dark, iphones, over the air updates
Companies: apple
Reader Comments
Christ. "A series of tubes" was more technically literate.
[ link to this | view in thread ]
Just what is the issue?
What are the odds that Vance's logical mind is encrypted, and he has lost the key, leaving his illogical mind available to speak?
Really, that high?
/s
It would be interesting to know, short of idiots who keep child porn on their phones, how much evidence, evidence that has been used to convict someone (or even the attempt to convict) has ever been found on a cellphone. That is, evidence that could not be found elsewhere, as we know phone companies keep an awful lot of data on calls made and received, and once the other end of a communication is known, there is potential that that other end will cough up the 'evidence' (if it is in fact evidence of something).
Seems like a study that could get some legal and statistical scholars some publishing credits (though I recommend they steer clear of Elsevier).
[ link to this | view in thread ]
Vance is right... but in the wrongest of ways
So Vance is right in that Apple does 'get into his phone all the time' by patching his OS (to make him and everyone else safer). He is just asking for Apple to use that mechanism to get into Terrorist Bob's phone. Why couldn't they? It is possible, Apple could design an update to do just that.
But what he fails to realize is EVERYONE GETS THAT SAME UPDATE. Instead of just compromising Terrorist Bob's phone, they compromise everyone's phone. He's trying to fish with dynamite because Terrorist Bob's search history is worth more than the digital protection of all of Cy Vance's constituents...
[ link to this | view in thread ]
Firmware updates and operating updates insert backdoors.
Apple can access the phones as long as they accept the update before they are locked and confiscated by the police.
Cyber garbage from China CAN access all our stuff and if no one in his lab can do the same it is due to an incompetence issue.
This is one of your more disappointing articles as it ignores how normal computer operation works.
I am currently typing from a Windows computer that you cannot change the operating system options on after/during a long cyber incident and doesn't reset to factory anymore. It only resets to a hacked piece of crap.
[ link to this | view in thread ]
Re: Vance is right... but in the wrongest of ways
Not to mention, even if apple can push a software update, there is no guarantee that the phone has automatic updating enabled. The iPhone requires a code be input to update. Automatic updates aren't on by default and my phone occasionally trips up on permission to update even when I've told it manually to update. There is no guarantee they could force the phone in question to update without the passcode and still retain the non-backed-up data Law enforcement is looking for.
[ link to this | view in thread ]
The art of good crypto design is to make breaking it as expensive and time consuming as possible,
[ link to this | view in thread ]
If Cy Vance truly believes encryption is evil, he should put his money where his mouth is and use an unencrypted phone for all matters both business and personal.
[ link to this | view in thread ]
Re: Just what is the issue?
Hmmm, actually having his brain be encrypted via some very advanced encryption technology would explain a lot.
I mean the goal of encryption is to render the data indistinguishable from random noise.
[ link to this | view in thread ]
Re: Vance is right... but in the wrongest of ways
That's not fishing with dynamite: that's flushing your toilet with dynamite.
[ link to this | view in thread ]
'No see, I'll just throw it really carefully...'
He's trying to fish with dynamite because Terrorist Bob's search history is worth more than the digital protection of all of Cy Vance's constituents...
To expand upon the metaphor it's like trying to get a single fish with a stick of dynamite and not caring that it is absolutely surrounded by other fish within the blast radius, not to mention several boats directly above on the surface. Even with perfect aim that manages to catch the desired fish in the blast it's guaranteed to also hit lots of others, both in the water and on top of it.
[ link to this | view in thread ]
Re:
Unencrypted phone, bank account, personal computer... if it's really such a terrible tool then it seems he should stop using it as quickly as possible, unless he wants to admit to being a massive hypocrite who only hates encryption when other people use it but has no problem using it himself.
[ link to this | view in thread ]
Ah good old 'they're all out to get me' paranoia...
Were he not a gorram DA his paranoid fearmongering would be downright hilarious, attacking companies for making their devices more secure to protect the public simply because it makes his desire to be able to browse through them on a whim harder/impossible, and throwing out wild conspiracies that ignore reality along with the idea that the government should be able to decide just how 'secure' someone's property is.
Sadly he is a DA, so until people vote in a sane alternative his incoherent delusions do need to be taken seriously, if only to repeatedly show why they are not only wrong but dangerously so.
[ link to this | view in thread ]
Uploads
When he brings up software updates - is he asking phone makers to add a feature that uploads all of your data from your encrypted phone to a remote server? I think that's already a thing...
Maybe it's just too much work for him to learn about it and figure out how it works for law enforcement.
[ link to this | view in thread ]
Re:
"Firmware updates and operating updates insert backdoors."
I imagine this is possible but is there any evidence of its occurrence?
"Cyber garbage from China CAN access all our stuff"
Not when it is in the microwave.
"how normal computer operation works"
How do normal computer operations work and what computer operation was ignored? Please be specific because computer operations can be misunderstood.
[ link to this | view in thread ]
Re:
For time sensitive data, only as expensive as is necessary.
[ link to this | view in thread ]
Re: Re:
Yeah, doing support (actually trying to help as a volunteer, not being a tier 1 script-reading knob at some company) with people like this is always a hoot, even when they do have some genuine problem at the heart of it. They know everything! Except how to fix simple issues, somehow. Must be one of those idiosyncrasies of genius. Like with Vance.
[ link to this | view in thread ]
I thought wow, it's believable, but the title is a little over the top.
Then I read the article.
[ link to this | view in thread ]
I'm surprised this fuckwit hasn't announced encryption is actually the work of Satan before he takes over the world.
[ link to this | view in thread ]
CYRUS
10 out of 10: he would brick his own computer if he touched it again.
[ link to this | view in thread ]
CYRUS
“You entrust us with this responsibility to protect the public”
No I don’t lol
[ link to this | view in thread ]
Re: Re:
That rule only applies for manual encryption where better encryption takes longer to use. For mixed sensitivity use, like a phone, use the strongest encryption available, as nobody notices the differences in CPU time, and it avoids mistakes in choosing the encryption level to use.
[ link to this | view in thread ]
Re: Vance is right... but in the wrongest of ways
Terrorist Bob - some guy who parked in Vance's reserved space once.
He's like Lance Vance's even more stupid brother.
[ link to this | view in thread ]
Re: Re: Vance is right... but in the wrongest of ways
And of course, he’s completely wrong about using messages as a backdoor. Why he thinks that would work is completely beyond me. It doesn’t decrypt anything, nor could it. It can’t be used to change or access the data already on your phone. If it could, Apple would be working to fix that problem because that is a massive security flaw that could be easily exploited by anyone aware of the issue.
[ link to this | view in thread ]
Re:
First of all, you’re missing the point. For one thing, Apple cannot update just one phone. That same update will be sent to every iPhone. See, the fundamental issue is that there is no way to break into a single iPhone that wouldn’t compromise—at a minimum—every iPhone of the same model and/or with the same version of iOS, and there is no way to prevent that same tool from being used for unlawful purposes once it exists. Apple is refusing to permanently risk all of their customers’ safety, security, and privacy just to break into a single iPhone. This was never about whether Apple could, theoretically, find a way into the iPhone at all. It’s that doing so is not trivial and would irreparably compromise everyone.
Second, you’re assuming that all phones automatically update without any additional user input every time Apple sends an update. That is not true. iPhones require the user to either have already opted in to the option to automatically update or manually accept the update, which itself requires both that the iPhone be unlocked and a password authorizing the update be entered (and if you had all that there would be no need for a backdoor), before the update will begin. Furthermore, it also requires the phone to have enough space to download the update. I had one iPhone that I couldn’t update because I didn’t have enough free memory to download it.
Also, “before they are locked and confiscated by police”? Before that happens, there would be no need to break into the phone to begin with. The issue is trying to break into locked phones that have been confiscated by police without breaking into or compromising phones that have not been confiscated by police. If they aren’t locked, no additional measures to access the contents of the phone are needed. If they haven’t been confiscated by police, then there is no lawful reason to try to break the security to begin with.
First, [citation needed]. Second, China doesn’t have any interest in protecting the privacy, safety, or security of its citizens or anyone outside the country. They also don’t have the same rights that we have against things like government intrusion without a lawful warrant.
[ link to this | view in thread ]
Re: Re:
Evidence gathered from the Chinese national security letter associated with the foreign warrant is not a valid document in the United States. China doesn't have the same respect for certain rights that the US does, which is why the "general warrant" for the entire United States issue has come up in the past.
[ link to this | view in thread ]
Re: Vance is right... but in the wrongest of ways
Correct.
Not necessarily correct.
Theoretically? An update could look for particular characteristics of a phone (say, ISMI) and change the OS in particular, unique ways (say, remove the 'wrong password lockout').
In practice?
a) Apple would have to send out an update for every single new access request. Likely tens of times per day, even if they gang them.
b) There is no guarantee that one or another of these updates would not affect phones other than those explicitly targeted. And the more updates, the more errors.
c) As stated, EVERYONE would get these (unequal) updates. That's a lot of bandwidth to target a single phone out of millions. Buyers would not long stand for that.
and, of course, d) Apple wants to do targeted upgrades no more than Lavabit wanted to give out crypto keys. "Your phone is encrypted unless we remove it" is not a selling point, after all. But it's still an expensive legal battle that Apple is also not particularly eager to have.
But no. It IS technically possible to do this thing. It's just not feasible.
And lastly, if congress (and the president) passed a law banning encryption on phones, you bet Apple would fight it. ... but I wouldn't put money down on your phone being encrypted while the lawsuit is going on.
[ link to this | view in thread ]
Re: Re: Re:
Well, yeah. That’s what I said. Do you have a point?
[ link to this | view in thread ]
Re: Re: Re:
"China doesn't have the same respect for certain rights that the US does"
That is a funny way to put it, are you trying to be funny or was it coincidence?
[ link to this | view in thread ]
Re: Re: Vance is right... but in the wrongest of ways
Also, criminals would turn off automatic updates pretty quickly.
[ link to this | view in thread ]
Re: Re: Vance is right... but in the wrongest of ways
Except Apple already does this with SHSH blobs. Yes, those blobs use device specific info. Theoretically Apple already has the capability in place to do broken encryption upgrades, they just use it to prevent downgrades for those who want to use Cydia instead.
This also means A and B are irrelevant, as only an update signed for the specific device requesting it will install. Even if autoupdates is turned on, unless Apple creates an SHSH blob it's a no-go. Plus, it's trivial to change the update server to look for a specific device ID and give it a different firmware URL when it runs an update check. I'd be surprised if this didn't exist already for testing versions of iOS before release.
As for C that's already present anyway. If using a different URL when given a specific device ID is already implemented at Apple (and it's trivial to do so if it isn't.) there's no difference in traffic levels.
Your entire argument depends on an issue that has already been solved by the Geniuses at Apple. Congrats. As Vance has pointed out correctly, yes it can be used for such things. Is it used for such things is the real question.
[ link to this | view in thread ]
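A toy model of the device-bound update signing the comment above describes, added here as an illustration; it is not part of the comment and not Apple's code or data format. The ticket fields, function names, Ed25519 key and the per-attempt nonce are assumptions made for the example.

```javascript
// Added illustration: toy model of device-personalised update tickets.
// Not Apple's protocol or format; all names and fields are hypothetical.
const crypto = require("crypto");

// Constructed key pair standing in for the vendor's signing service.
const vendor = crypto.generateKeyPairSync("ed25519");

const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest("hex");

// Bytes covered by the signature: firmware digest, device ID and nonce.
function ticketBody(t) {
  return Buffer.from(JSON.stringify([t.firmwareDigest, t.deviceId, t.nonce]));
}

// Signing service: bind one firmware image to one device and one nonce.
function issueTicket(firmware, deviceId, nonce) {
  const t = { firmwareDigest: sha256(firmware), deviceId, nonce };
  t.signature = crypto.sign(null, ticketBody(t), vendor.privateKey).toString("base64");
  return t;
}

// Device: a fresh nonce per update attempt makes old tickets unusable.
function newDevice(id) {
  return { id, nonce: crypto.randomBytes(16).toString("hex") };
}

// Device-side check before installing anything.
function checkTicket(device, firmware, ticket) {
  const sig = Buffer.from(ticket.signature, "base64");
  if (!crypto.verify(null, ticketBody(ticket), vendor.publicKey, sig)) {
    return "reject: bad signature";
  }
  if (ticket.deviceId !== device.id) return "reject: wrong device";
  if (ticket.nonce !== device.nonce) return "reject: stale nonce";
  if (ticket.firmwareDigest !== sha256(firmware)) return "reject: firmware mismatch";
  return "accept";
}

function demo() {
  const firmware = Buffer.from("constructed firmware image v2");
  const a = newDevice("DEVICE-A"); // constructed identifiers
  const b = newDevice("DEVICE-B");
  const ticket = issueTicket(firmware, a.id, a.nonce);
  const results = {
    intended: checkTicket(a, firmware, ticket),
    otherDevice: checkTicket(b, firmware, ticket),
    // Editing the device ID without re-signing breaks the signature.
    relabelled: checkTicket(b, firmware, { ...ticket, deviceId: b.id, nonce: b.nonce }),
    swappedImage: checkTicket(a, Buffer.from("different image"), ticket),
  };
  a.nonce = crypto.randomBytes(16).toString("hex"); // next update attempt
  results.replayed = checkTicket(a, firmware, ticket);
  return results;
}

console.log(demo());
```

The device-side checks stop a ticket from being moved to another device, relabelled, paired with a different image or replayed. They place no limit on the holder of the signing key, which is the trust question the thread is arguing about.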
Re: Re: Re: Vance is right... but in the wrongest of ways
You are looking at one request, Apple looks at the results of granting that request. If they give in to one law enforcement agency, they will end up having to do the same for every law enforcement agency in the world, and then be expected to provide wire taps to any phone and messaging system on demand, and then to exfiltrate the data on any phone, without alarming the user.
This is not so much a fight over decrypting one phone, but rather a fight to prevent governments turning electronic devices into their all seeing and hearing eyes and ears.
[ link to this | view in thread ]
Re: Re: Re: Vance is right... but in the wrongest of ways
There are a number of questions and issues I have with all that, but first I’d like to ask one that I genuinely don’t know the answer to: is this device-specific info that can supposedly be used to narrow the target of a wireless update (note: I believe that auto-update can only be done wirelessly) available to someone attempting to access a device that is locked using an unknown passcode? I honestly don’t know the answer and want to learn it.
As for testing updates, I’m pretty sure that they either use devices specifically configured to accept beta updates or use over-the-wire updates to do that, neither of which are options for a device to which access is blocked. An exception might be for new devices that haven’t been released, but then they might just use updates targeting a specific model (which is trivial and is known to be done) but not necessarily a specific device.
But regardless, this is still missing the point. Once a tool to break encryption via updates has been developed, there is no putting the genie back in the jar. The encryption of every device of the same make and model has been irreversibly compromised. After all, the update thing is not a feature that would reasonably be removed, so if anyone else is able to take that tool, they could break into any device with ease. And there is no way to guarantee that others won’t be able to gain access to the tool in the future, nor is there any way to create another update that would fix this hole in the future.
[ link to this | view in thread ]
So, breaking encryption is time consuming and expensive? Gee... How useful would it be if it were fast and cheap to break?
[ link to this | view in thread ]
If you've got money Cy Vance will sell you a get out of jail free card:
https://www.newyorker.com/news/news-desk/how-ivanka-trump-and-donald-trump-jr-avoided-a-criminal-indictment
[ link to this | view in thread ]