By District Attorneys Cyrus R. Vance Jr., Jackie Lacey and Bonnie Dumanis
The FBI paid six figures for a hacking tool to get into San Bernardino shooter Syed Farook’s iPhone 5C after Apple refused to unlock it.
That’s one down, more than 1,000 lawfully seized phones to go.
As recently as 18 months ago, Apple and Google — whose operating systems run 96.7% of the world’s smartphones — would comply with judicial orders to extract evidence from mobile devices and send the data to prosecutors. In 2014, however, the companies reengineered their operating systems to make their devices encrypted by default. They could no longer unlock their own products.
Since then, 230 inaccessible Apple devices have come into the Manhattan District Attorney’s Office’s Cyber Lab pursuant to judges’ warrants. The Los Angeles County Sheriff’s Department is sitting on 150 warrant-proof devices, and the Los Angeles Police Department now has more than 300. San Diego and Riverside Counties have 11 connected to murder cases.
Hundreds more smartphones line the shelves of police and prosecutors’ offices across the country. Each is believed to contain evidence crucial to the investigation and prosecution of serious state offenses including homicide and child sex abuse. Each corresponds to a real crime against a real victim who may never receive justice. Others conceal evidence, without which prosecutors cannot hold defendants accountable for their wrongdoing, or can charge them only with lower-level crimes. Some hold information that would exonerate the wrongfully accused.
Hundreds of criminal investigations will remain stalled until Congress intervenes. The lawful exploit employed by the FBI to open Syed Farook’s iPhone only works on that model and operating system, and Apple could patch the flaw exploited at any time. Moreover, tools of the kind used to open that phone cost far more than most local agencies can afford.
Data encryption is leading to a rare level of internecine conflict between American law enforcement and American industry. A technological arms race between the government and Silicon Valley is in no one’s interest. Technology companies don’t want their products used to protect criminals. Judges don’t want their search warrants rendered meaningless. And victims of crime don’t want evidence-free zones.
Centuries of jurisprudence hold that no item is beyond the reach of a court-ordered search warrant. In the past, criminals stored evidence of their crimes in safes, file cabinets, and closets. Today, that evidence is found on smartphones. Our laws haven’t kept pace with this evolution in technology, and in the void, large technology companies have rendered themselves — not judges — gatekeepers of the data necessary to solve crimes.
Last month, Senators Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) proposed a way forward. They released a draft bill that would require technology companies to provide law enforcement with decrypted data, or the technical assistance to get it, when ordered by a court to do so. The bill restores the authority of judges, requires firms to be compensated for their assistance, and leaves tech companies free to decide how to design their operating systems – so long as the company can comply with court orders. No draft bill is perfect, which is why the senators have requested that stakeholders — including technology companies — simply discuss it.
State and local prosecutors stand ready to advance that discussion with data, real-life case examples, legal briefs and testimony that document the impact mobile device encryption is having on public safety and victims of crime. At the same time, we continue to ask tech companies to provide their own metrics to quantify the purported trade-offs in personal data security if the Burr-Feinstein proposal were enacted. To start: did Apple’s routine compliance with court orders until 2014 ever lead to anyone getting hacked?
While government agents and Silicon Valley engineers engage in a cat-and-mouse game over encryption, unapprehended criminals remain out there, free to reoffend. While Apple and Google work to stay ahead of the budding cottage industry of lawful hacking consultants, statutory time limits for prosecutions tick away.
Congress, not Silicon Valley, must determine the balance in our society between personal privacy and public safety. It should start by considering the Burr-Feinstein proposal without delay.
Cyrus R. Vance, Jr. is the Manhattan District Attorney. Jackie Lacey is the Los Angeles County District Attorney. Bonnie Dumanis is the San Diego County District Attorney.
This commentary was originally published by the Los Angeles Times on May 11, 2016.