Below is an excerpt from the written testimony of New York County District Attorney Cyrus R. Vance, Jr. before the United States Senate Committee on the Judiciary in December 2019.
The single most important criminal justice challenge in the last ten years is, in my opinion, the use of mobile devices by bad actors to plan, execute, and communicate about crimes. Just as ordinary citizens rely on digital communication, so do people involved in terrorism, cyber fraud, murder, rape, robbery, and child sexual assault.
For this reason, lawful, court-ordered access to these communications has become essential for us to prevent crime, to hold people accused of crimes accountable, and to exonerate the innocent.
Until the fall of 2014, Apple and Google routinely provided law enforcement access to their mobile phones when they received a court-ordered search warrant. That changed when they rolled out their first mobile operating systems that, by design, often make the contents of smartphones completely inaccessible. In doing so, Apple and Google effectively upended centuries of American jurisprudence holding that nobody’s property is beyond the reach of a court-ordered search warrant.
My Office is not anti-encryption. Far from it. We routinely use encryption in the course of our daily work, whether in guarding our city’s critical infrastructure against cybersecurity threats or soliciting tips on crimes against immigrant New Yorkers, and we recognize its value in our society and across the world. That does not mean encrypted material should be beyond the law when a judge signs a search warrant – especially when we’re talking about evidence tied to a child sex abuse case or a potential terrorist attack. Apple and Google have maintained their absolutist position that no form of lawful access can be reconciled with privacy concerns. Yet they have not demonstrated to law enforcement leaders what, if any, damaging effects to user privacy their pre-2014 cooperation with law enforcement caused. Further, they have decided for their own private business interests that the Fourth Amendment grants a right, not just to privacy, but to anonymity. This is wrong, and it upends the careful balance our Constitution strikes between privacy and public safety interests.
So how has default smartphone encryption affected law enforcement and crime victims? Let me answer these questions with two brief examples from my own Office.
The first involves child sexual abuse. A babysitter at a local church in Manhattan was identified as having shared images of child sexual assault online. Pursuant to a search warrant, his encrypted mobile phone and other devices were seized. Over time, we opened the devices using technology from a paid consultant. We then discovered the suspect was, not only sharing images of child sexual assault, but sexually abusing children himself, and recording the abuse as well. Based on this evidence, we charged him and a jury convicted him of predatory sexual assault of children. He was subsequently sentenced to 100 years to life in prison.
In the second example, we were not so lucky. My Office was investigating a case of sex trafficking and obtained an encrypted phone from a suspect who was incarcerated on a different case. In a recorded telephone call from prison, the suspect told an accomplice that he hoped his phone had the newest encrypted operating system.
The inmate said to his friend, “Apple and Google came out with these software that can no longer be [un]encrypted by the police … [i]f our phone[s are] running on iOS8 software, they can’t open my phone. That may be [a] gift from God.”
In fact, we were never able to view the contents of his phone because of this gift to sex traffickers that came, not from God, but from Apple. As a result, our investigation of sex trafficking was blocked by encryption.
Finally, Facebook CEO Mark Zuckerberg announced in March planned privacy changes involving end-to-end encryption for Facebook Messenger, WhatsApp, and Instagram. In doing so, Zuckerberg conceded that, with billions of people using these services, there would be some who would use these newly encrypted services for “truly terrible things like child exploitation, terrorism, and extortion.”
Law enforcement leaders from the U.S., the United Kingdom, and Australia have since signed an open letter publicly opposing these changes.
In 2018 alone, Facebook was responsible for 16.8 million reports of child sexual exploitation and abuse to the U.S. National Center for Missing and Exploited Children. The National Crime Agency estimates these reports resulted in more than 2,500 arrests, with 3,000 children brought to safety. Yet Zuckerberg’s announced changes would dramatically restrict the ability to generate these reports: again, because a private company has made a business decision to render its products inaccessible to itself or law enforcement. Simply put, Facebook’s planned end-to-end encryption will make it harder to detect – and stop – child abuse and similar crimes.
It’s deeply troubling to think the overwhelming majority of these reports would cease if child sex predators were able to “go dark” because of Facebook’s business decision. My Office, which is one of the leading anti-trafficking agencies in America, frequently relies on Facebook messages obtained through appropriate judicial process to build cases against traffickers. A world in which children can be recruited and groomed on Facebook – with no hope of law enforcement intervention – is a world in which we, collectively, are failing our children.
It’s vital for Google, Apple, Facebook, and more to pursue socially responsible encryption efforts that do not flout the law.