Why the Cops Hate the New Apple and Google Phones

The police are upset about Apple and Google’s latest smartphone advances.

The problem is the encryption in both the iOS 8 and Android Lollipop operating systems. It is turned on by default, and there is no master key that Apple or Google can give to investigators, even if they have a warrant.

“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,” Apple brags on its site. “So it’s not technically feasible for us to respond to government warrants.”

Google is not as direct in its security sales pitch for Android 5.0 Lollipop, shipping on the Nexus 6 and (slowly) coming to other devices: “Full device encryption occurs at first boot, using a unique key that never leaves the device.”

What Apple and Google tout as a feature, police see as a bug, and not the kind they can use to listen in on the bad guys.

“Encryption threatens to lead all of us to a very dark place,” FBI Director James Comey warned in a speech last month. “Justice may be denied because of a locked phone or an encrypted hard drive.”

Crypto warsTo understand why Comey and others are upset, consider how cryptography works. Intensely complicated math yields a digital lock that cannot be picked in any reasonable period of time. If you want to see the communication, you either get the password, or you give up.

Digital encryption is at work right now, as you read this: Yahoo Tech (and all Yahoo sites) use encryption that scrambles the data flowing between it and your browser. And your Web-mail service is increasingly likely to use encryption, too, so your messages can’t be read if they are intercepted.

How iOS 8 or Android Lollipop differ from most encryption is where the key goes. Instead of appearing on multiple servers, it’s a snowflake of a secret, unique and isolated to one device. It’s generated and kept on the device; even the manufacturers cannot get the key to decrypt a phone.

Comey and other law enforcement veterans want Apple and Google to relax the robustness. As former U.S. Attorney General Michael Mukasey put it an event in Washington last month: “The toothpaste needs to get back in the tube.”

What if it isn’t put back, and we’re in a world where unbreakable crypto is widely available and used?

We don’t need to speculate, because that world has existed since the 1990s. Pretty Good Privacy — an open-source crypto program the government tried to quash by investigating developer Phil Zimmermann for violating weapons-export laws — also doesn’t offer any “golden key” for the police.

PGP is not the easiest app to set up, but Apple’s FileVault has been in OS X since 2011, while Microsoft’s BitLocker has been in some Windows releases for even longer. And there’s no evidence of either Apple or Microsoft having built in back doors that police officers or other agencies can use.

Resorting to other tricksYet police investigations still catch the bad guys. At one extreme, investigators have used court orders to plant malware on suspects’ machines to record passwords. At the other, there’s traditional police work: The Intercept’s Dan Froomkin and Natasha Vargas-Cooper noted that encryption had nothing to do with solving three of the four cases Comey cited in his speech.

For the law-abiding among us, encryption is a good thing — as the FBI notes in its advice to business travelers. But even if you never leave the United States and have no corporate foes, knowing that your data can’t be sucked out of your phone or computer should give you comfort.