Gun Trafficking Investigation Shows The FBI Is Still Capable Of Accessing Communications On Encrypted Devices

from the so-dark-we-could-only-get-everything-we-needed dept

It's been clear for some time that the FBI and DOJ's overly dramatic calls for encryption backdoors are unwarranted. Law enforcement still has plenty of options to deal with device encryption and end-to-end encrypted messaging services. Multiple reports have shown encryption is rarely an obstacle to investigations. And for all the noise the FBI has made about its supposedly huge stockpile of locked devices, it still has yet to hand over an accurate count of devices in its possession, more than two years after it discovered it had been using an inflated figure to back its "going dark" hysteria for months.

An ongoing criminal case discussed by Thomas Forbes for Fortune provides more evidence law enforcement is not only finding ways to bypass device encryption, but access contents of end-to-end encrypted messages. This isn't the indictment of Signal (a popular encrypted messaging service) it first appears to be, though. The access point was the iPhone in law enforcement's possession which, despite still being locked, was subjected to a successful forensic extraction.

In the Signal chats obtained from one of [the suspect's] phones, they discuss not just weapons trades but attempted murder too, according to documents filed by the Justice Department. There’s also some metadata in the screenshots, which indicates not only that Signal had been decrypted on the phone, but that the extraction was done in “partial AFU.” That latter acronym stands for “after first unlock” and describes an iPhone in a certain state: an iPhone that is locked but that has been unlocked once and not turned off. An iPhone in this state is more susceptible to having data inside extracted because encryption keys are stored in memory.

Seizing a phone in this vulnerable state allows investigators to obtain evidence from "locked" phones by using forensic tools like those sold by Cellebrite and Grayshift. Signal's encryption works. But that encryption doesn't matter -- not if law enforcement has access to the device. Encryption protects against message interception but even the strongest forms of encryption can't secure communications on a partially unlocked device. In this state, it's as simple as hooking up a phone to an extraction device and letting the device do the work.

It's not clear which forensic option was used, but it does show encryption isn't making phones and communications "warrant-proof." A locked device (rather than one in an "after first unlock") is going to be tougher to crack, but it's far from impossible. And if it is indeed impossible, a wealth of information can be recovered from cloud backups, unencrypted communications platforms, social media services, and any number of third parties that collect information and location data from cellphone users. In only the rarest cases will investigators have almost nothing to work with.

Even in those cases, there are options. Investigators can roll the dice on Fifth Amendment challenges and hope a court orders arrestees to unlock their devices. They can also seek consent to a search -- something that's never a one-and-done thing when law enforcement has both suspects and their devices in its possession.

This case shows multiple layers of encryption are mainly a hassle at this point. It's enough to keep people's devices secure in case of loss or theft, but it's not much of an impediment to investigators with powerful forensic tools at their disposal.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: access, doj, encryption, evidence, fbi, going dark, law enforcement