Jump to content

New Report Says The Feds' Focus On Device Encryption Is Holding Local Law Enforcement Back


Recommended Posts

from the get-what-you-can-instead-of-dreaming-about-an-all-access-pass dept




CSIS (Center for Strategic and International Studies) has just released another report [PDF] on device encryption. But there's a difference: this one isn't so much about encryption but what law enforcement isn't doing to access the wealth of digital data available to it. (h/t Robyn Greene)


What CSIS found is there are plenty of powerful tools and options available. The problem -- especially at the local level -- is law enforcement appears to be unsure of how to proceed when seeking digital data. This results in a couple of problems, the latter of which has definite civil liberties implications.


Our survey of federal, state, and local law enforcement officials suggests that challenges in accessing data from service providers—much of which is not encrypted—is the biggest problem that they currently face in terms of their ability to use digital evidence in their cases. Specifically, the inability to effectively identify which service providers have access to relevant data was ranked as the number-one obstacle in being able to effectively use digital evidence in particular cases.


Following closely after that is the difficulty of obtaining data and evidence from service providers if agencies do manage to narrow down where it's located. While there are a variety of federal resources available to train and educate law enforcement investigators about seeking digital evidence, they're underfunded and underutilized.


This lack of education and overall uncertainty is leading to unfortunate results -- both in terms of targeted citizens and the law enforcement agencies hoping to hold onto whatever evidence they may obtain. Overbroad warrants are routine and it's not always the result of a "collect it all" philosophy.


Law enforcement claims... they often lack enough information to know what data is and is not available and make the kind of relevancy determination needed. Put simply, unless law enforcement officials are adequately informed about what kind of data providers have available, they are not in a position to know what there is to ask for—let alone determine if it is relevant. Law enforcement officials also point out that in many cases it is appropriate to ask for “any and all data,” particularly when the universe of available data is sufficiently limited—for example, if the request is directed toward “any and all data” about a particular account and during a specific time horizon.


These broad requests result in pushback from tech company recipients (who, unfortunately, likely understand the law better), which further strains the relationship between service providers and law enforcement agencies. The problem with the law enforcement side is the numbers don't support this perception.


The number of law enforcement requests, at least as directed at the major U.S.-based tech and telecom companies, has significantly increased over time. Yet, the response rates have been remarkably consistent.


The increase in requests has led to an increase in rejected requests as a whole -- which fuels the perception service providers are giving lawmen the figurative finger -- but the percentage of rejected requests (around 20%) has remained constant.

It's not just law enforcement personnel needing more training and info. The lack of training leads to broad warrant requests and subpoenas from law enforcement. These requests should be receiving pushback before they're delivered to service providers. But far too often, they're not receiving enough scrutiny at the judicial level. This is also an education/information problem.


[R]esources should be invested in training judges, in addition to law enforcement officials engaged in the investigative and prosecutorial functions. Judges serve as crucial intermediaries in the request process, ensuring that data requests are lawful and appropriately tailored. Resources should also be expended to train defense attorneys, who also need the ability to access and interpret digital evidence in order to mount an adequate defense.


The broad requests that do make it through post additional issues that are rarely discussed. While FISA court orders authorizing surveillance (including domestic surveillance) stress minimization of non-target info, demands for data from service providers aren't subject to these restrictions. Data/communication dumps can expose a lot of info about non-targets and there's almost zero recourse for non-targets whose privacy has been violated. "Incidental" collection isn't just something the NSA does. It's the inevitable byproduct of overbroad requests and few, if any, rules governing the collection and use of this info.


The report details a large number of deficiencies in the process which has made law enforcement's job far more difficult than it needs to be. Tech advances don't solely benefit crafty criminals. They also aid law enforcement, but there's been no cohesive effort made by the federal government to ensure local agencies can make the most of the tools available. Until this is nailed down, worrying about defeating or bypassing encryption is a waste of time.


That the FBI's director has decided that's how he's going to use his time and energy, suggests the agency -- the most frequent contact for local agencies seeking tech help -- isn't going to prioritize sharing knowledge over seeking legislative mandates. The FBI is hurting itself and others by limiting their ability to do everything they can right now in hopes of getting a law enforcement-sized hole drilled in encryption at some point in the next few decades.



Link to comment
Share on other sites

  • Replies 1
  • Views 499
  • Created
  • Last Reply

Police Are Seeking More Digital Evidence From Tech Companies


Study finds companies reject 20% of law enforcement requests


Agencies made 130,000 requests for evidence from six companies

U.S. law enforcement agencies are increasingly asking technology companies for access to digital evidence on mobile phones and apps, with about 80 percent of the requests granted, a new study found.


The report released Wednesday by the Center for Strategic and International Studies found local, state and federal law enforcement made more than 130,000 requests last year for digital evidence from six top technology companies -- Alphabet Inc.’s Google, Facebook Inc., Microsoft Corp., Twitter Inc., Verizon Communications Inc.’s media unit Oath and Apple Inc.


If results from telecom and cable providers Verizon, AT&T Inc., and Comcast Corp. are added in, the number jumps to more than 660,000. The requests covered everything from the content of communications to location data and names of particular users.


“The number of law enforcement requests, at least as directed at the major U.S.-based tech and telecom companies, has significantly increased over time,” the Washington-based think tank found. “Yet, the response rates have been remarkably consistent.”


The FBI and other law enforcement agencies continue to demand that tech companies help them obtain location data, browsing history and encrypted communications on devices when they’re investigating suspected criminals and terrorists. In 2016, the FBI served Apple with a court order demanding that it help break into an iPhone used by a terrorist. The FBI dropped that case without resolving the issue when it successfully defeated the encryption with a tool it bought from a private company.

Training, Tools

The report sidestepped that controversy, calling instead for a National Digital Evidence Office to establish national policies and support training programs on digital evidence collection as well as the development and distribution of analytical tools.


The new study was based on surveys and interviews with federal, state and local law enforcement officials, information from companies and other source materials about the challenges facing law enforcement in accessing digital evidence.


Thirty percent of law enforcement respondents said their department had trouble identifying which service providers have access to digital evidence they want, and 25 percent cited difficulty obtaining relevant digital evidence from providers once the right company was identified.


There is “a real creditably gap between law enforcement and service providers,” Jennifer Daskal, one of the study’s authors and a professor at the American University Washington College of Law, said in an interview. “Law enforcement expressed real frustration about not knowing what evidence service providers had.”


Daskal said police agencies’ lack of knowledge about digital evidence can lead to requests for information that seem overly broad to tech companies.


The report, accompanied by endorsements from former law enforcement officials including former CIA Director John Brennan, is being released as some of the rules on data collection are being rewritten. This year, Congress passed a measure aimed at clarifying how international law enforcement groups obtain data stored by U.S.-based companies.





Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...