Fair or foul? New forensics tools raise privacy concerns
Companies develop technology to retrieve data from mobile devices
By Gary Stoller, ThirdCertainty
When the FBI could not persuade Apple to help them hack into the phone of the San Bernardino, California, terrorist shooter—not even with a court order—the agency went to Plan B: It paid an outside party to do it for them.
The feds aren’t saying who did the hacking, or how the hacker did it. He or she might very well have simply used an off-the-shelf hacking tool designed expressly to extract sensitive data buried deep inside a smartphone.
It turns out there is a thriving cottage industry of companies developing powerful technology to locate sensitive—potentially incriminating—data from where it increasingly resides: on our smartphones and in our web mail and social media accounts.
Alexandria, Virginia-based Oxygen Forensics, for instance, supplies a product called Oxygen Forensic Detective, that can bypass screen-lock passcodes, locate passwords to encrypted backups, extract data from secure applications, and recover deleted information.
While such technologies can help law enforcement find and punish criminals, they also stir privacy concerns. U.S. Justice Louis Brandeis once described privacy as “the right to be left alone,” a principle by which Europe staunchly abides.
Consumer and privacy advocates worry that U.S. law enforcement and federal intelligence agencies will not be able to resist overreaching with such tools, and trampling the basic privacy rights of law-abiding citizens.
Worrying about the wrong thing
Alan Butler, the senior counsel at the Electronic Privacy Information Center, says consumers, though, should “be much more concerned with companies that are routinely collecting their personal information online to build detailed personal profiles than with companies providing forensic services to law enforcement in individual cases.”
EPIC, which aims to protect consumer privacy, primarily focuses on law enforcement compliance with constitutional law and corporate compliance with privacy and data-protection laws.
Under a 2013 Supreme Court ruling, Butler says, law enforcement officers must obtain a warrant before searching a cell phone.
In the case involving the iPhone of San Bernardino shooter Syed Rizwan Farook, who participated in killing 14 people and wounding 21 others, the U.S Justice Department was granted a search warrant to seize Farook’s cell phone, and then the agency requested a district court to order Apple to assist in decrypting the phone.
EPIC and other consumer organizations filed a court brief stating that Apple shouldn’t be forced to comply. The Justice Department later said it would not need Apple’s assistance, because an outside party had provided a method to unlock the phone.
“A warrant is necessary to search the phone,” Butler says, “but a warrant does not guarantee that a law enforcement officer will have the technological capability to search or decrypt the phone. A warrant ensures oversight—not access.”
Technology allows access
Meanwhile, access to a smartphone’s memory is more viable than ever, thanks to technological innovation.
Earlier this summer, Oxygen Forensics announced that it has expanded its forensic capabilities for cell phone apps. The company says it now can extract WhatsApp data in iCloud storage or on any mobile device using the iOS, Android, Windows Phone 8 or Blackberry 10 platform.
“According to the latest surveys, WhatsApp is the most popular app in the world, and it is very important to Oxygen Forensics to be able to offer our customers the ability to forensically extract messages and other WhatsApp data when necessary,” says Lee Reiber, the COO of Oxygen Forensics.
Oxygen Forensics executives say they have directed their product developers to continue adding mobile application data extraction capabilities, because mobile users are increasingly using apps—instead of phone calls and text messages—to communicate with one another.
Mother lode of data on phones
Smartphones contain more information about their owners than personal computers, Oxygen Forensics officials say, but obtaining information on smartphones has become more difficult because of encryption, complex passwords and biometrics, such as thumbprints.
Oxygen Forensics’ software products are vital for 21st century law enforcement, Reiber says, because law officers are faced with a growing number of digital cases and an increasing amount of data that needs analysis.
“With more mobile devices in the world than human beings, it is important to give our customers, primarily law enforcement, a solution to help mitigate this ever-increasing problem,” Reiber says. “With industry leading app support along with powerful analytics, law enforcement can correlate, identify and report on mission-critical data in seconds—not hours. When terabytes of data are commonplace at every crime scene today, time is often a four-letter word.”
What about privacy?
Extracting data from personal cell phones also may elicit some choice four-letter words from privacy advocates. They say the security of cell phones is important to millions of consumers who rely on the devices to protect their most sensitive personal data.
Butler says EPIC believes companies should follow a simple rule pertaining to personal information. “If you can’t protect it, don’t collect it,” he says.
A lot of “good work” is being done by Apple and other media companies to increase protection of data on users’ electronic devices, Butler says, and the work shouldn’t be compromised by law enforcement demands.
Reiber, of Oxygen Forensics, says he doesn’t want to comment about the Apple-Justice Department iPhone tussle but says, “it could have been avoided.
“Forensics on mobile devices is always a cat and mouse game. When these types of events happen with private industry and government, the repercussions to the forensic software developers are massive and can push development we spent years on to the waste bin.”
Privacy experts, Reiber says, do not oppose Oxygen Forensics’ products, because they aren’t used to secretly collect mobile device data. The products collect data “legally obtained in the course of law enforcement’s job,” he says.
More stories related to privacy:
Apple has good reason to protect your privacy
Privacy Shield aims to bridge EU-U.S. digital privacy gap, but question marks remain
Companies must not forfeit privacy in march of technology