Open Letter to Congress on Encryption Backdoors

To the Honorable Congress of the United States of America,

I am a proud American who has had the pleasure of working with the law enforcement community for the past eight years. As an independent researcher, I have assisted on numerous local, state, and federal cases and trained many of our federal and military agencies in digital forensics (including breaking numerous encryption implementations). Early on, there was a time when my skill set was exclusively unique, and I provided assistance at no charge to many agencies flying agents out to my small town for help, or meeting with detectives while on vacation. I have developed an enormous respect for the people keeping our country safe, and continue to help anyone who asks in any way that I can.

With that said, I have seen a dramatic shift in the core competency of law enforcement over the past several years. While there are many incredibly bright detectives and agents working to protect us, I have also seen an uncomfortable number who have regressed to a state of “push button forensics”, often referred to in law enforcement circles as “push and drool forensics”; that is, rather than using the skills they were trained with to investigate and solve cases, many have developed an unhealthy dependence on forensics tools, which have the ability to produce the “smoking gun” for them, literally with the touch of a button. As a result, I have seen many open-and-shut cases that have had only the most abbreviated of investigations, where much of the evidence was largely ignored for the sake of these “smoking guns” – including much of the evidence on the mobile device, which often times conflicted with the core evidence used.

On the surface, and as Hollywood would have you believe, a “smoking gun” sounds like a good thing, however the standard of evidence has suffered greatly because of the notion that a single piece of evidence is sufficient to close a case. Evidence in a digital world is often without context, and I have watched numerous cases press on with an alleged “smoking gun” that was out of context, unsubstantiated, and ultimately based on false assumptions about how data and metadata evolve on devices. As one example, consider incriminating images found on an iPhone, in the camera roll. There are, unbeknownst to many investigators, a number of ways these images could wind up on the camera roll without having been taken with the device’s camera (for example, they could be AirDropped to the device, without the recipient being completely aware of all the content being pushed to the device, along with other methods). Cases investigated by less-than-seasoned law enforcement personnel are often pushed through quickly, based on minimal evidence such as this, and without fully investigating all of the data on the device. Often, the evidence on a personal device presents only enough of an illusion that the examiner paints their own story without adequately completing their investigation. As a result, you end up with a very abbreviated forensic examination and a number of criminal charges that are borderline fabricated, based on neglect by the examiner. Certainly, not all investigators conduct their job like this, however the forensics tools that have been made available make it all too easy for an investigator’s skill set to slowly devolve to this point. I have seen an alarming increase in the number of investigations that have succumbed to this “easy way out” over the past few years.

Also consider that a number of these so-called forensics tools are quite frankly poorly written, and not written by forensics experts, but by software engineers with no background in criminal justice. Many tools often create ambiguous information that is misinterpreted by investigators, or sometimes even misrepresent data because the developers made numerous assumptions about the evidence that a trained forensics expert would not make. This taints the entire investigation. As one example, I refer you to US v. Brig. Gen. Jeffrey Sinclair, which I assisted with: This case was about to press forward to convict a man based on evidence that I later found to be misrepresented by three different forensics tools, and once I brought my findings to the attention of the prosecutor, the much more serious charges were found to be based on inaccurate evidence (note: I was working for the prosecutor’s office at the time). Nevertheless, the FBI and the military were both ready to put a man behind bars for decades based solely on the information these “push button forensics” tools provided.

This brings me to the point of my letter: The FBI today is looking for the easy solution, and that easy way out is also the reason we have such poor police work in today’s field of law enforcement. The claim that law enforcement needs access to on-device content to prosecute crimes is a farce. While handing over all of the evidence on a platter sounds like the right thing to do, I have found that it often leads to poor investigative skills and ultimately the easy way out of a case. Simply pushing a button to find a smoking gun is not in the best interest of police work in this country, and often compromises the entire investigative process. You will find this also holds true in the current NY case with Apple, where neither metadata nor content was ever acquired from Apple, from third party Internet service providers, or other third parties. IP addresses were never looked at, and much of the evidence in this case was largely ignored, yet the government is arguing that Apple should, under the All Writs Act, unlock the device to take the easy way out for the government to analyze a case that has already been successfully prosecuted.

There is a wealth of information external to a mobile device that often can shed more light on a case than the actual content. Apple has used the FBI’s poster example of a kidnapping case, and cited a kidnapping case that was solved simply by examining the IP logs. IP logs, email content, third party service provider metadata, cloud content, tower data, call records, voicemail, texting records, and much more information can often provide crucial evidence for any case involving a mobile device, and much of that can be, and often is, ignored by investigators when they are provided with a push button forensics tool.

You have no doubt heard the arguments about the intimacy of the data that is stored on people’s mobile devices. Until the advent of the smart phone, conversations were ephemeral in nature. That is no longer the case: A person’s entire life, including intimate thoughts, correspondence, photos, and other content that is completely unrelated to any criminal investigation, is stored on the device, and unfortunately cannot be teased apart from the information subject to a warrant. Lawyers, doctors, and journalists have all been subject to unconstitutional searches in this country, which is why Congress enacted laws to attempt to prevent such abuses from ever happening again – Congress recognized the searches already going on were wrong, and so they acted to protect such privileged information. In addition to this, our warrant system still often suffers from abuse – no legal system is perfect, and we must consider what is at stake by abuse of any legal system (including those of foreign governments) if we are to consider legislation affecting a person’s privacy.

I urge you, the Congress, to consider what is at stake not only in the invasion of privacy that would put Americans at risk by new backdoor legislation, but also what’s at stake in the continued de-evolution of core competency in police investigations. Push button forensics is not the solution we want our law enforcement agencies relying on. This has been shown to lead only to shorter and poorer quality investigations that ignore crucial evidence. The proof of this can be found in the FBI’s case of Syed Farook: Had the FBI been adequately investigating all of the metadata from providers, they should have already known that there would be no crucial evidence contained on Farook’s work phone. Americans deserve due process, and this should extend to a complete and unbiased investigation of the evidence used by the prosecution. A thorough investigation is just as important as an effective one, and contrary to popular belief, handing over mobile content ends up leading to a less complete investigation because most of the evidence (including much of that on the phone) ends up ignored in favor of what “looks like” a smoking gun, but often times isn’t. The evidence to prosecute a vast majority of cases can already be found by doing good detective work and analyzing the smorgasbord of metadata and service provider content that is already available to law enforcement with a proper warrant. In all of my experience working with law enforcement, it has been extremely rare to find a case that has relied solely on the evidence found on an electronic device, except where no other evidence has been looked at.

I urge you to protect the rights of Americans to keep their most intimate thoughts secret. We do not allow our government to perform narco-investigative methods (such as sodium pentothal), nor do we permit our government to perform mind mapping techniques (that exist) to produce evidence, or force polygraphs onto defendants to use as evidence. We do not force a defendant to give out their passwords, or to testify against themselves, because we respect the Fifth Amendment of our Constitution. This “black box” that Americans use stores many core thoughts, questions, and other intimate intellectual content, even as we type it, that most people are unaware of. While an electronic device undoubtedly holds evidence that might be useful to law enforcement, it has also become so closely integrated with our persons that it has become an extension of our mind, and those parts of the black box must be protected as much as we would protect the rights of a person to their own thoughts.

What our country needs, at this crucial moment in time, is protection from the massive invasion of privacy that we all stand to face should law enforcement agencies be permitted carte blanche access to our electronic devices with a warrant. Our most private thoughts and ideas are subject not only to the embarrassing exposure of our lives laid bare before the government, but also our lives become placed in a fish bowl for poor quality police investigations, with our futures at the mercy of a push button forensics tool.


Jonathan Zdziarski