A more concise version of this appeared in tl;dr sec 84.
Like many security professionals, I enjoyed Signal thumbing their noses at Cellebrite a few weeks ago. While it’s important to help law enforcement fight criminals, I’m a fan of privacy, and not a fan of selling security tools to repressive regimes.
But I’m not a lawyer and I don’t spend much time thinking about the legal or policy implications of my security work.
Which is why I found this lengthy article by Stanford Internet Observatory Research Scholar Riana Pfefferkorn really interesting.
It’s worth reading the whole thing, but here are a few key points I took from it:
- It seems unlikely that Signal will carry out it’s implicit thread of randomly giving users files that exploit Celebrite. Why? Hacking police systems and spoiling evidence are crimes, so not great for the phone user or Signal if it occurs.
- This likely won’t have that much impact on trials in practice.
- Some defense attorneys may try to use this demonstration cast doubt on data collected Cellebrite. However, this doesn’t mean it will actually sway a judge or jury, as you’d need to show evidece that this Cellebrite device and this data have been compromised, not just “it’s possible that in theory Cellebrite’s data could be untrustworthy.”
- Also, there are other similar tools, so the police could just compare multiple tools’ output to determine if tampering has occurred.
- There’s also a law doctrine that essentially boils down to saying, “OK, there was unreliable evidence. If it hadn’t been admitted, would the verdict be the same?” If not, the guilty conviction will stand.
- Oftentimes there is a variety of evidence beyond just your phone’s data (witnesses, paper trails, website or cellular data, etc.).
- The hack was still important to hold vendors for law enforcement accountable to reasonable security practices.
- The timing was suboptimal, as Cellebrite devices were used in many of the criminal cases against the Capitol rioters, to extract data from their phones after they were arrested. It’s still early days in those criminal prosecutions, those cases are still ongoing, and there are hundreds of them.
- The Signal stunt was poorly done, if your goal is to impact judges and lawyers
(vs. impress your hacker friends).
- The unserious tone and lack of clarity around what’s a joke vs serious tends not to go over well with judges.
- There’s war going on against E2EE, and this doesn’t help.
Despite the looming existential threat to end-to-end encryption, the heart and soul of the Signal app, it seems like Signal’s blog post was tailor-made for the FBI director to read it into the record the next time he testifies to Congress about the need for backdoors in both device encryption and E2EE messaging services. Top officials from the FBI and DOJ like to give speeches where they accuse companies that offer strong encryption of being irresponsible and un-American, because according to their view of the world, they’re just doing it to screw with law enforcement. Now Moxie has confirmed that talking point for them.
Like it or not, Cellebrite is a safety valve. The existence of Cellebrite devices has served as, I think, a safety valve to keep backdoor mandates from being imposed on smartphone manufacturers in the U.S. to date, despite the occasional effort to do so.