By John Ahearne, Forensic Analyst When data is is needed for use as evidence, it…
Proposed Encryption Legislation and What it Means
By Scott Moyer, DriveSavers President
Unless you are just this moment rejoining society after months spent stranded on a technology-free desert island, you are well aware of the recent controversial disagreement between the FBI and Apple involving an iPhone 5C that once belonged to San Bernardino shooter, Syed Rizwan Farook.
Amidst this highly publicized dispute, Sen. Richard Burr, R-N.C., and Sen. Dianne Feinstein, D-CA., have begun preparing a bill to be proposed to the U.S. Senate. If passed, the law will be titled the “Compliance with Court Orders Act of 2016.”
We’ve read through a draft of the bill in circulation in order to determine how it may affect DriveSavers. Here’s our take.
What the Bill Proposes
If passed, this Act would require that all original manufacturers of hardware (devices) and software (programs) recover readable data from any device when served a court order to do so. It also requires that this be completed in “a timely manner.”
The bill does not require that manufacturers provide the government or any government entity with the tools or knowledge used to access encrypted devices or software, just that encrypted data be rendered unencrypted and readable in a timely fashion whenever a court order is served. As we understand this bill, any methods could remain secret and proprietary to the manufacturers themselves.
Reading Between the Lines
Current encryption technology has been developed so that only the owner of a device has access to that device. Just like a construction company does not have keys to each building it has built, not even a manufacturer can pick up an encrypted laptop or smartphone and just open it up without the owner of the device providing the key. And just like with a building, the owner can change that key and lock any time.
If a construction company wanted to maintain a way into a building even after it has been sold, the company would need to build a secret door that even the owner of the building does not know the location of. Otherwise, the new owner of the building could simply change the lock and the construction company would not be able to get in. The issue of manufacturers accessing encrypted devices after sale is similar.
At DriveSavers, we believe there is theoretically a way into any device, regardless of the quality of the encryption technology. However, the way into most encrypted devices has not yet been discovered, even by the companies that created them. If the way in is not already known, it could take years of research and development to figure it out, and years longer to actually complete implementation and then access the decrypted data.
Requiring that manufacturers access data from a device quickly any time a court order is served means that, like a construction company that wants to be able to freely enter buildings after they have been sold, manufacturers must begin building secret ways into their encrypted devices and software. Secret decryption paths, known as “backdoors”, would then allow them timely entry to devices whenever court orders are served.
As stated above, the bill does not require that manufacturers provide the government or any government entity with the tools or knowledge to use any backdoor built into encrypted devices or software, just that encrypted data be rendered unencrypted and readable in a timely fashion whenever a court order is served. As we understand this bill, any backdoor could remain secret and proprietary to the manufacturers.
It is important to note that the mere existence of a backdoor, whether the details are public or not, increases the likelihood that non-manufacturers could discover this method of accessing an encrypted device through standard research and development. It is also important to note that each new release of a device, software or operating system could theoretically carry with it a different backdoor from the previous, making it more difficult—but not impossible—for an outside party to decipher the way into such a device.
What About Currently Existing Devices and Software?
Will manufacturers be required to develop backdoor solutions for devices already in the market? Or only for those not yet available to the public? This is just one question that this proposed bill raises.
We do not know if all currently existing encryption technologies can have backdoors programmed into them. True, software encryption could theoretically be changed through a software update; however, what about hardware encryption? For example, hard drives currently exist that require separate physical components be brought together (referred to as a “handshake”) in order to decrypt the data they hold. Can a backdoor be built to enter these super secure devices? If not, will manufacturers be held accountable anyway?
We speculate that firmware could theoretically be updated to accept a different handshake, but we don’t know for certain that this is true or how the firmware could be injected into a locked device.
How Data Recovery and Digital Forensic Firms may be Affected
Third parties would not likely be directly served this type of court order. Instead, data recovery and digital forensic companies may only be approached in cases where there is physical damage to a device that a manufacturer does not have the tools to bypass. In such instances, a third-party data recovery or digital forensic firm would likely be hired to pull a complete image from the device, still encrypted. This encrypted image would then be provided back to the manufacturer to unlock using their built-in backdoor.
There are a couple ways this bill may affect those of us with robust research and development teams, such as DriveSavers. If a backdoor is built into a device or software, we can potentially discover and open it, allowing us greater opportunities for data recovery in the, unfortunately, common situation where a family is trying to access a deceased loved one’s device. This bill would also present greater opportunity for companies like DriveSavers to help law enforcement in identifying and prosecuting criminals.
Of course, if there’s something we can figure out, there are likely others out there with the potential to also figure it out—sometimes, people who we wish wouldn’t. As with everything, there’s a good side and a bad side to this bill. We’ll just have to wait and see where it leads.