A third way between Apple and FBI

Joel Bollö

Last December, Syed Farook and his wife, Tahfeen Malik, brutally shot 14 people to death in San Bernardino in California. As part of the crime investigation, the FBI wanted to access information from Farook’s company iPhone, but Apple refused to help.

For most observers it would seem that we must choose between privacy or security. But this is not the case.

There are now more mobile devices in the world than people. The most intimate details of our lives — our financial information, our medical history, our family memories — reside on these devices. As such, mobile phone users must continue to trust that their personal information is protected.

A recent survey from Morning Consult found that 71 percent of registered U.S. voters now support requiring companies to give the government access to their personal data to support national security interests, and 76 percent think those companies should help the government in investigations related to terrorism. The current situation creates unprecedented challenges for law enforcement as they work to confront new and complex threats to our security.

Police can get information from a wide array of mobile phones with the help of technical solutions thanks to the tools that our industry provides. But newer, stronger mobile phone encryption and security features can make it hard to access new models and operating systems. Although the FBI managed to enter this phone this time, the main problem remains — as Apple is very likely already working to create a patch for the bug that enabled access in the San Bernardino case.

So where, in the face of rising global threats, does this leave us?

We propose a solution that is based upon the existing modality for lawfully accessing data on mobile devices when the device is in the physical possession of law enforcement. The system meets the principal needs for both privacy protection and law enforcement agencies’ legitimate demand of access to information.

The solution uses different key pairs to encrypt and decrypt data. In this case, in addition to requiring physical possession of the phone, two key pairs are created. One key pair is generated by the government and one key pair generated by the phone manufacturer. The keys used to encrypt data is public, while the private keys used to decrypt the data is held within the system (for the operating system), or in a controlled and auditable access card (for law enforcement).

One would need both key pairs to extract data from the mobile device. Hacking into this type of system to obtain a key would be of no use. As one would need to have physical possession of the phone to enable the system, there is no conceivable way this system could be used for mass surveillance or Internet hackers.

The use of the latest exploits can be short lived. This in turn will lead to a digital forensics “arms race” whereby mountains of financial and intellectual capital are spent in finding and patching future exploits. The exploit from San Bernardino can serve as leverage to bring the parties to the table to create a long term strategic solution to empower the privacy and the security of our citizens.

Joel Bollö is the CEO for MSAB, a pioneer in forensic technology for mobile device examination.