The debate over encryption and backdoors for law enforcement has long had a surplus of opinions and a deficit of data. On Wednesday, however, New York district attorney Cyrus Vance offered one actual number into the mix: The Manhattan DA's office has encountered 74 iPhones whose full-disk encryption locked out a law enforcement investigation.
In a Senate Judiciary Committee hearing, the FBI, Justice Department and Manhattan DA's office all asked for action from Congress to persuade or compel companies like Google and Apple to add law enforcement backdoors into their operating systems' encryption. But only District attorney Vance put a number to what he described as the growing problem that iPhone security represents for his office's investigators. Vance testified that in a total of 92 cases involving an iPhone running iOS 8, 74---or about 80 percent of all cases where an iOS 8 phone was involved---had been locked such that law enforcement couldn't access the phone's contents, thanks to Apple's full-disk encryption upgrade, which it put into effect in September of last year. (A spokesperson for the Manhattan DA's office clarified in an email that those 74 cases took place over the nine months ending on June 30.)1
"If that’s my experience in one office in Manhattan, it’s going to be a parallel experience across the country," Vance told the panel of Senators. "I don’t believe that the option we should pursue when faced with inaccessibility to locked smartphones...is to say from a law enforcement perspective, 'there’s nothing we can do.' There has to be something we can do."
Those 74 cases likely represent an increase from prior years, before Apple's late-2014 decision to no longer maintain decryption keys that it could use to unlock iOS 8 devices on behalf of law enforcement. But considering that the Manhattan DA's office says it deals with around 100,000 total cases a year, iPhone encryption nonetheless represents a vanishing small obstacle to cops' work, argues Nadia Kayyali, an activist with the Electronic Frontier Foundation who followed the hearing. Even extrapolating those encryption numbers to account for a full year, they would still represent less than a tenth of a percent of the office's total cases.
"It's an incredibly low number, and I think that’s really key," says Kayyali. Even in these few cases, she argues, it's not clear whether the encryption truly prevented the investigation from moving forward. Investigators locked out of a phone may still be able to access its data by compromising its iCloud account, for instance. "The focus in all this testimony is how important this data is. But we have no numbers about how many cases in which this is essential information, how many times does the encryption itself stop the investigation."
In the hearing, Vance didn't offer any specific examples of New York City cases dead-ended by encryption, though he did highlight a robbery and murder case from Illinois in which iPhone and Android smartphones found at the scene couldn't be accessed due to encryption. Instead, he pointed to the opposite situation, describing an example of a shooting victim who had recorded video of his assailant on an iPhone running iOS 6. After the victim's death, police were able to retrieve the video from the phone and convict the murderer. "If that had been iOS 8, when the phone dropped, the passcode would have died with its user," Vance told the hearing.2
Earlier in the hearing, both FBI director James Comey and deputy attorney general Sally Yates made similar arguments for maintaining backdoors in both Internet communications and the stored communications of mobile devices. Comey told the Senators that the threat posed by ISIS in particular required access to encrypted communications. While the FBI has so far managed to thwart ISIS plans to attack Americans, he warned that with rising encryption use, “I cannot see me stopping these indefinitely.”
In a paper published the day before the hearing, a group of 15 renowned cryptographers called for the U.S. government to reconsider any attempt to mandate backdoors in Internet communications or computing devices. They pointed to the inability to control who could access those backdoors, potentially damaging national security. And they argued that the backdoor requirements would merely drive privacy seekers to other countries' technologies, wounding the U.S. economy while failing in its goal of bolstering security.
"Such access," the cryptographers wrote, "will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict."
Unlike Manhattan DA Vance, neither Comey nor Yates countered those arguments by offering any new data to prove that encryption is hampering law enforcement or national security investigations. In fact, an annual report from the Department of Justice to the judiciary published last week counted just four cases in which encryption had foiled a law enforcement wiretap, despite 25 cases in which it was encountered out of a total of 3,554 investigations. That's actually down from 2013, when the DOJ reported that encryption blocked a wiretap 9 times.
To be fair, those numbers may not fully represent the effect of encryption on law enforcement. Deputy Attorney General Yates argued that in some cases, investigators don't seek a warrant when they know communications are encrypted. But when Senator Al Franken asked her for a better count of the total number of cases in which investigators had encountered encryption, she said it wasn't something the Justice Department had tracked.
Considering the stakes of the unfolding crypto debate, the Justice Department will need more than vague threats and anecdotes to convince privacy advocates that backdoors are warranted, says the EFF's Nadia Kayyali. "'We don't have that data' is not an acceptable answer," she says, "when you're doing something that experts have made clear is going to undermine security for everybody."
1Correction 7/8/2015 4:20pm: An earlier version of the story stated that FBI, DOJ and Manhattan DA witnesses to the hearing asked for required backdoors in internet communications and smartphone. In fact, they didn't explicitly ask for new regulations or requirements.
2Correction 7/8/2015 4:20pm: A previous version of the story stated that Vance hadn't given any examples of cases foiled by iPhone encryption. In fact, he gave an example of a case in Illinois, though no cases among the 74 he referred to from his own Manhattan DA's office.
