Fair or foul? New forensics tools raise privacy concerns

Companies develop technology to retrieve data from mobile devices

When the FBI could not persuade Apple to help them hack into the phone of the San Bernardino, California, terrorist shooter—not even with a court order—the agency went to Plan B: It paid an outside party to do it for them.

The feds aren’t saying who did the hacking, or how the hacker did it. He or she might very well have simply used an off-the-shelf hacking tool designed expressly to extract sensitive data buried deep inside a smartphone.

It turns out there is a thriving cottage industry of companies developing powerful technology to locate sensitive—potentially incriminating—data from where it increasingly resides: on our smartphones and in our web mail and social media accounts.

Alexandria, Virginia-based Oxygen Forensics, for instance, supplies a product called Oxygen Forensic Detective that can bypass screen-lock passcodes, locate passwords to encrypted backups, extract data from secure applications, and recover deleted information.

While such technologies can help law enforcement find and punish criminals, they also stir privacy concerns. U.S. Justice Louis Brandeis once described privacy as “the right to be left alone,” a principle by which Europe staunchly abides.

Consumer and privacy advocates worry that U.S. law enforcement and federal intelligence agencies will not be able to resist overreaching with such tools, and trampling the basic privacy rights of law-abiding citizens.

Worrying about the wrong thing

Alan Butler, Electronic Privacy Information Center senior counsel

Alan Butler, the senior counsel at the Electronic Privacy Information Center, says consumers, though, should “be much more concerned with companies that are routinely collecting their personal information online to build detailed personal profiles than with companies providing forensic services to law enforcement in individual cases.”

EPIC, which aims to protect consumer privacy, primarily focuses on law enforcement compliance with constitutional law and corporate compliance with privacy and data-protection laws.

Under a 2013 Supreme Court ruling, Butler says, law enforcement officers must obtain a warrant before searching a cell phone.

In the case involving the iPhone of San Bernardino shooter Syed Rizwan Farook, who participated in killing 14 people and wounding 21 others, the U.S. Justice Department was granted a search warrant to seize Farook’s cell phone, and then the agency asked a district court to order Apple to assist in decrypting the phone.

EPIC and other consumer organizations filed a court brief stating that Apple shouldn’t be forced to comply. The Justice Department later said it would not need Apple’s assistance, because an outside party had provided a method to unlock the phone.

“A warrant is necessary to search the phone,” Butler says, “but a warrant does not guarantee that a law enforcement officer will have the technological capability to search or decrypt the phone. A warrant ensures oversight—not access.”

Technology allows access

Meanwhile, access to a smartphone’s memory is more viable than ever, thanks to technological innovation.

Earlier this summer, Oxygen Forensics announced that it has expanded its forensic capabilities for cell phone apps. The company says it now can extract WhatsApp data in iCloud storage or on any mobile device using the iOS, Android, Windows Phone 8 or Blackberry 10 platform.

“According to the latest surveys, WhatsApp is the most popular app in the world, and it is very important to Oxygen Forensics to be able to offer our customers the ability to forensically extract messages and other WhatsApp data when necessary,” says Lee Reiber, the COO of Oxygen Forensics.

Oxygen Forensics executives say they have directed their product developers to continue adding mobile application data extraction capabilities, because mobile users are increasingly using apps—instead of phone calls and text messages—to communicate with one another.

Mother lode of data on phones

Smartphones contain more information about their owners than personal computers, Oxygen Forensics officials say, but obtaining information on smartphones has become more difficult because of encryption, complex passwords and biometrics, such as thumbprints.

Oxygen Forensics’ software products are vital for 21st century law enforcement, Reiber says, because law officers are faced with a growing number of digital cases and an increasing amount of data that needs analysis.

“With more mobile devices in the world than human beings, it is important to give our customers, primarily law enforcement, a solution to help mitigate this ever-increasing problem,” Reiber says. “With industry leading app support along with powerful analytics, law enforcement can correlate, identify and report on mission-critical data in seconds—not hours. When terabytes of data are commonplace at every crime scene today, time is often a four-letter word.”

What about privacy?

Extracting data from personal cell phones also may elicit some choice four-letter words from privacy advocates. They say the security of cell phones is important to millions of consumers who rely on the devices to protect their most sensitive personal data.

Butler says EPIC believes companies should follow a simple rule pertaining to personal information. “If you can’t protect it, don’t collect it,” he says.

A lot of “good work” is being done by Apple and other media companies to increase protection of data on users’ electronic devices, Butler says, and the work shouldn’t be compromised by law enforcement demands.

Reiber, of Oxygen Forensics, says he doesn’t want to comment about the Apple-Justice Department iPhone tussle but says, “it could have been avoided.

“Forensics on mobile devices is always a cat and mouse game. When these types of events happen with private industry and government, the repercussions to the forensic software developers are massive and can push development we spent years on to the waste bin.”

Privacy experts, Reiber says, do not oppose Oxygen Forensics’ products, because they aren’t used to secretly collect mobile device data. The products collect data “legally obtained in the course of law enforcement’s job,” he says.
