Access denied

The government needs to engage with Internet companies directly for encrypted data

May 25, 2017 12:02 am | Updated 12:05 am IST

An iPhone used by Abu Dujana, said to be among the Lashkar-e-Taiba’s commanders in Kashmir, which fell into the hands of security forces, could be a valuable source of information for the National Investigation Agency (NIA). The odds that the agency is able to break into the device are, however, slim. For now, the government has sent the iPhone to the U.S., seeking assistance from its federal agencies. The government’s strategy of shipping it abroad to decipher its contents is unsustainable. But for some political agreements signed after the 26/11 attacks, there is no legal obligation on the U.S. to provide any assistance in this matter to India, even though the company that manufactured the device is American.

Moreover, U.S. security agencies have themselves struggled to extract information from devices like the iPhone, in the face of resolute opposition from companies to decrypt their own products. If Apple could successfully resist a U.S. court order to help the Federal Bureau of Investigation (FBI) unlock an iPhone used by a terrorist involved in the 2015 San Bernardino attacks, what hope can the NIA have?

Walled by encryption

In the eight years since its creation, the NIA has grown into a competent organisation, with interception abilities comparable to top law enforcement bodies in the world. But NIA officials themselves rue that the online chatter they intercept is increasingly encrypted. Thus far, Indian intelligence agencies have relied on ‘zero days’ — vulnerabilities that exist in the original design of a software — to break into encrypted devices, but Internet companies now promptly patch their flaws, diminishing the utility of such tools.

Take the case of Abu Dujana’s iPhone 7. While dealing with secure devices, law enforcement agencies usually have two options to unlock them. The first is to “brute force” the user’s password or PIN into the phone repeatedly, until it finally cracks open. But iPhones limit the number of false entries, killing the phone altogether after several failed attempts. In the San Bernardino case, the FBI was probably able to trick the iPhone — an older version, the iPhone 5c — into believing the limit was never reached. With newer models from Apple, this has become altogether impossible, because an isolated processor within the phone keeps a running count of all consecutive false attempts. The second option is to modify the ‘Touch’ sensor in phones that use fingerprints-recognition technology, so that a third party is grafted in as the legitimate user. Last year, however, Apple issued a software update that disables all iPhones where the Touch button had been “unofficially” modified. The company later allowed users to restore dead devices, but only after confirming their identity on other Apple platforms like iTunes.

The reality is that a lot of online content is today out of the reach of law enforcement officials. Platforms like WhatsApp and Telegram are ‘end-to-end’ encrypted, making it difficult for police at the State and local level — who don’t have access to zero days — to register cases based on information contained in them. The distinct trend towards greater adoption of encryption poses a dilemma for Indian policymakers. Strong encryption protocols increase consumer confidence in the digital economy, but the Indian government fears a scenario where criminals or terrorists can easily “go dark” behind secure channels.

In this case, Apple could build firmware that allows agencies to clock any number of attempts to unlock an iPhone. Technical details aside, the lesson here is that Apple may tightly secure its devices, but it also guards the “keys to the kingdom”. Similarly, Telegram does not disclose to government officials if it has an office in that country, to “shelter” them from data requests. Emerging markets have struggled to deal with data giants — Brazil’s judiciary, for example, suspended WhatsApp on three occasions in 2016 for non-compliance with government requests — that operate on quasi-sovereign principles.

The need to deal directly

Finally, legal solutions to electronic data access for law enforcement agencies are outdated. Governments are no longer the custodians of data, but every Indian request for electronic content is required to be vetted by the U.S. Department of Justice. In Abu Dujana’s case, if he has backed up his data on Apple’s iCloud service, an Indian request to share its content will take months to be processed, by which time the cloud data would have already been erased through another device. The current process of information-sharing through the India-U.S. Mutual Legal Assistance Treaty suffers from almost irreparable hurdles, ranging from bureaucratic delays on both sides to inconsistencies in domestic legal standards. Perhaps the solution lies in a bilateral data-sharing agreement to help the Indian government engage with Internet companies directly, rather than routing requests through the U.S. government. Both sides have begun negotiations on this issue, which Prime Minister Narendra Modi should also flag with U.S. President Donald Trump when he visits Washington D.C. next month.

Arun Mohan Sukumar heads the Cyber Initiative at the Observer Research Foundation, New Delhi

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in

Comments

Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.