Why is the world turning to encrypted messaging apps like never before?

It’s been said that “trust takes years to build, seconds to break, and forever to repair.” In today’s fast-paced world where we’re bombarded with sound bites, media hype, and information from all sides, it’s hard sometimes to know who to trust. These days, that lack of trust is manifesting itself in many ways.

Sadly, according to Pew Research, only 20% of Americans say they trust the government. Edelman’s 2021 Trust Barometer found all-time lows in CEO trust and trust of social media, owned media, and traditional media during what has been dubbed the “infodemic” — the worldwide digital deluge of misinformation that has characterized much of the last few years.

In the business world, the cybercrime alert level is high, and for good reason. The recent SolarWinds attack showed just how pervasive such attacks can be, and a close call with a Russian hacker at Tesla was a reminder that nation-state-level, government-to-government cyberattacks are only getting more sophisticated and dangerous. Unsurprisingly, all this makes any professional dealing with sensitive information or trade secrets nervous as well. Are my messages really private? Who can access them? Who can read them?

All individuals just want to feel like they have their privacy — encrypted messaging helps them feel secure. In business, the stakes can be even higher in both financial and informational terms, and using encrypted messaging seems like an obvious choice for those concerned about sensitive data. Millions and millions are joining new and legacy encrypted app services to feel more protected. Add to all of this record social unrest, a global pandemic, and a huge increase in digital activity and crime as people are stuck at home — and it’s no surprise that this has become the era of encrypted messaging.

The Debate: Privacy vs. Protection and Law Enforcement Efficacy

From a different perspective, fully-encrypted messaging available to everyone could be seen (and publicized) as a triumph: for private consumers, a guarantee of absolute privacy and no worries about what tech companies or the government are doing with their personal data. For the tech-forward Silicon Valley crowd, it might be considered a leap in consumer-centric design and implementation. 

One way to build public trust is to educate citizens on the process by which data is collected and emphasize that lawful collection of data is always done under a warrant that limits the scope of what can be examined.

Research firm IDC, identifying “Social Media Platform Data and the Rise of Encryption” as a major trend with ramifications on public safety, succinctly summarizes the crux of the problem: “Moving to default encrypted social media content would effectively hide all of that information from investigating agencies.”

Therein lies the problem: digital evidence, whether in the form of pictures, communications, documents, or more, is now used in just about every criminal case that goes to trial. When almost all communication happens digitally, it is common sense to conclude that’s where a huge amount of evidence comes from as well. End-to-end encryption exists with the goal of making any and all communications completely private — and never able to be accessed by anyone other than the intended recipients.

For law enforcement, it’s akin to imagining that DNA evidence became inadmissible — or completely inaccessible overnight. The looming challenges that law enforcement could face as encrypted messaging rises in popularity are potentially a huge issue for agencies and governments around the world. And it’s not just law enforcement that is worried . . .

In the world of enterprise business, investigating fraud or locating a data breach can be very difficult when everything is hidden away behind encryption. In cases of corporate espionage or intellectual property theft, investigations often follow the lines of communication between suspects to reconstruct what actually occurred. Without those breadcrumb trails, enterprises will face a much harder task in identifying and guarding against IP theft at the corporate level.

Issues Already Occurring Worldwide

Unfortunately, this is not a prediction — these issues are already happening, worldwide. There has been cooperation in fighting international terrorist groups using encrypted apps, with Europol and Telegram working together to take down propaganda and recruiting groups. French police have used clever malware of their own to access private, encrypted messages, in effect “never letting the lock close” on specific encryption apps. 

Police and law enforcement around the world have now gained the expertise to access some encrypted chat channels. According to Fox News, in a gun-trafficking case in New York, the FBI appears to have acquired the capability to view encrypted chats. But problems and blind spots still exist: in the failed kidnapping plot against Michigan Governor Gretchen Whitmer, the FBI testified that some evidence may never be seen because it is encrypted and stored on servers overseas, where domestic agencies have little chance of ever recovering it.

The Basics of Law Enforcement’s Approach to Encrypted Messengers

How then does law enforcement lawfully gather evidence from encrypted messaging apps?

First and foremost, searching for digital evidence requires a warrant, regardless of its format, location on a device, or whether it resides in the Cloud. And just like warrants used in physical searches, they require specific scope: what is law enforcement looking for, where is it most likely to be found, and where does it make sense to look? Any mistakes or errors in procedure in the first steps of an investigation can be irredeemable for the case, so one of the most important foundations is the legal scope and warrants that enable law enforcement to leverage different methods used in lawfully obtaining evidence even from encrypted messaging apps.

There are two methods for overcoming encryption, which can be most simply put as a) having the key to the lock, or b) making sure the lock never closes in the first place. Tools that use brute force or other clever methods to decrypt can be considered the former. A variety of purpose-built tools try to replicate “the key,” and many have proven effective. A common approach is “brute forcing,” which uses powerful graphics processing units (GPUs) that can often try applying tens of thousands of keys per second until the encryption has been broken. However, the power and complexity of encryption increase at the breakneck pace of technology, and no method stays relevant for long.

Permanent “backdoors” to encrypted apps can be considered in cases in which the lock has effectively never actually closed. It can be simple: for some apps, if the phone is accessed, the app is effectively accessible as well, meaning it could be opened and messages viewed if the user has left it open and logged in. For others, the maker of the app may be the only one with a backdoor — and in some cases, even they might not be able to decrypt once encryption has occurred.

There is legal recourse as well: in the UK, under the Regulation of Investigatory Powers Act of 2000 Section 49, law enforcement has the authority to compel people to provide passwords for encrypted data with a maximum two-year imprisonment if they fail to do so. But Detective Inspector David Greenhalgh of the Leicestershire Police says technical know-how and tech company cooperation are not the only ways to access encrypted data: “As a practical example, most people use the same passwords across multiple devices and accounts. It might seem low-tech, but it is probably the most common way we access encrypted data.”

Law Enforcement and Big Tech

Tech companies cannot claim ignorance when it comes to how people use their encrypted messengers. While personal privacy is paramount, especially in a digital environment with so many threats and a global environment of mistrust, these companies are acutely aware that protecting all messages means they are invariably protecting some criminals and criminal behavior. It is an increasingly small fraction, but it is a real threat that needs to be addressed, nonetheless.

While large corporations have internal teams that can assist in investigations, they may not be able to move fast enough to protect lives and accelerate justice.

Most big companies have professional legal and security teams with protocols for assisting law enforcement, especially in urgent cases or even crimes-in-progress, where access to encrypted information could prevent loss of life. But in the cases where they may not be able to move fast enough, it is left to law enforcement to use their own methods, as outlined above, to protect lives and accelerate justice while preserving data privacy.

Cellebrite has a robust and transparent framework to govern the lawful use of our technology and maintain an appropriate balance between the interests of public safety and personal privacy. As always, it’s important to remember that we’re talking about the lawful access and collection of data in a forensically sound manner under a legal warrant.

Our solutions can only be used lawfully—pursuant to a local jurisdiction’s laws, a court order, or warrant—and we are steadfast in ensuring that only licensed and trained customers use our offerings for the lawful and necessary purposes of serious investigations.

A Global Perspective on the Rise of Encryption

Encryption is, of course, an international law enforcement issue, as technology knows no borders and an increasingly connected populace can access just about any application from just about anywhere on the planet.

Globally, law enforcement balances its need to perform digital investigations with its privileges under the national rule of law and respect for the privacy of citizens. “Scope of search” has become an important factor in investigations involving encrypted data. Just as law enforcement officers are trained on warrant scope for physical searches, they are likewise being continually trained to manage scope in digital investigations. As DI Greenhalgh of the Leicestershire Police puts it: “When these tactics are considered, we must work through the proportionate, lawful, necessary, and ethical steps to ensure we have the correct authorities in place to take action.”

Kevin Levy, Commander of the Mobile Police Department’s Cyber Division at the Gulf Coast Technology Center (GCTC), expands upon the complexities: “It’s simply not enough to just lawfully seize the device itself: there needs to be a virtual, cloud, and global perspective in the hunt for the investigative evidence. Oftentimes applications are merely portals which allow digital access to data and images actually stored on servers thousands of miles away, or as part of virtual cloud environments.”

Regardless of the challenges, law enforcement remains committed to the bottom line: justice. As Tuan Liang Lim, Director for Digital and Information Forensics for the Home Team Science and Technology Agency (HTX) of Singapore’s Ministry of Home Affairs says, “The rise of encrypted apps is not surprising given the increasing demand for privacy, mistrust in law enforcement, and misinformation. Law enforcement always responds to such challenges head-on, relying on hard work and collaboration with like-minded partners. Our mission to deliver justice is what continues to drive us forward.”

How will the Legal, Law Enforcement, and Governmental Response to Encryption Evolve?

It’s easy to predict that consumers will demand even more privacy and security in the coming years. In response, private companies will produce more varied and powerful encrypted messaging apps. At the same time, legislators will be demanding accountability from both tech companies and law enforcement, all while expecting law enforcement to continue to do its job preventing and solving crimes and ensuring justice is served. But even as they value privacy, tech and law enforcement must work together to educate the general public on how technology can be lawfully used to protect and save lives, accelerate justice, and preserve data privacy in fighting crime and stopping the worst criminals.

“Scope of search” has become an important factor in investigations involving encrypted data. Law enforcement officers need to be continually trained to manage scope in digital investigations just as they are trained on warrant scope for physical searches.

As a digital society, we need to find a balance between legislation, cultural expectation, technological limits, and our own personal desires for safety and privacy. It is a complicated balance to strike, but we are all safer and more secure the more we know and understand the back-and-forth of a world with so many encrypted messengers offering so many different corners to hide in.

Law enforcement must continue to evolve with future-facing training and an ongoing commitment to both the technical and logistical side (i.e., the tools and methods that allow them to directly tackle encryption and ensure good outcomes in all cases involving digital evidence), and above all, a continuation of the fruitful partnerships with governmental agencies, legislators, and the tech industry.

For institutes like the GCTC, this work has already started. GCTC is seeing a dramatic increase in requests to lawfully access and recover digital evidence from encrypted and secure virtual environments. It is their primary rationale behind investing in R&D for cutting-edge law enforcement technology to allow cyber-investigators and analysts increased accuracy through refined digital forensic practices and solutions.

At Cellebrite, we are committed to helping our customers solve their encryption challenges and obtain access to data in criminal investigations within the law. We live in an evolving world where privacy and security must continually be counterchecked and balanced against the need for international law enforcement agencies to quickly and efficiently carry out their duty to protect the public and uphold the laws and mores that allow society to continue to make these incredible technological leaps and bounds. 

About the Author: Mark Gambill oversees Cellebrite’s global marketing organization which includes product marketing, advertising, promotions, analyst and public relations, field marketing, digital and social media, marketing operations, brand management, and corporate events. Mark has over 20 years of executive marketing experience across a diverse set of technology sectors with concentrations in Big Data, AI, Machine Learning, and Augmented Analytics. Prior to joining Cellebrite, he served as the CMO at MicroStrategy and has held executive marketing leadership positions in both private and public companies over the course of his business career. Mark holds a Bachelor of Science degree from Florida State University and has completed graduate course work at INSEAD.
