The American Civil Liberties Union (ACLU) is suing the Federal Bureau of Investigation (FBI) over the ability to break into encrypted phones and laptops so that the public can finally know exactly how the decryption is facilitated. The encryption breaking is allegedly done by a forensic unit of the FBI’s EDAU (Electronic Device Analysis Unit). Public documents have alluded to the fact that the EDAU either already has possession of software or is in the process of acquiring encryption breaking software on modern phones and laptops. Previously, such as in the San Bernardino case, the FBI used third party software such as GrayKey to do the encryption bypassing. The ACLU explained in a statement announcing the legal action:
“The FBI is secretly breaking the encryption that secures our cell phones and laptops from identity thieves, hackers, and abusive governments, and it refuses to even acknowledge that it has information about these efforts — even though some details have been filed publicly in federal court.”
Whether the FBI are simply bypassing encryption or is broken and exploiting a vulnerability, it major security implications for the global community. If taxpayer dollars are being used to do this, the information about it should be public.
BREAKING: We’re suing the FBI.
The agency is secretly breaking into encrypted devices. We need answers.
— ACLU (@ACLU) December 22, 2020
Law Enforcement actively looking for a backdoor into encrypted email communications and messaging apps
While the FBI was publicly given the cold shoulder in 2016 when it requested the pin to an iPhone of a convicted criminal, the agency has since purchased tools from multiple vendors that have afforded it to gain access to encrypted devices. Even as Apple plugs the vulnerabilities, law enforcement has allegedly contracted with multiple companies to continue to gain access to encrypted cominications.
It was earlier this week when the Israeli security intelligence firm, “Cellebrite,” which is often used by law enforcement for breaking into locked devices, falsely claimed on a blog post that is found a backdoor into the popular end-to-end encrypted messaging app, “Signal.”
“Cellebrite Physical Analyzer now allows lawful access to Signal app data. At Cellebrite, we work tirelessly to empower investigators in the public and private sector to find new ways to accelerate justice, protect communities, and save lives.”
Signal later followed up with a blog post after the mainstream media also falsely reported that the encrypted app had been compromised.
If you’ve seen people confused by the inaccurate reporting concerning Cellebrite FUD, please help by sharing this with them: https://t.co/QKtTVIgI5B
— Signal (@signalapp) December 23, 2020
ACLU sues FBI to reveal decryption abilities
Initially, the ACLU filed a Freedom of Information Act (FOIA) request with the FBI and the Department of Justice (DOJ). In response, the ACLU received what’s known as a “Glomar” response. That’s when the FBI tells you that they can neither confirm nor deny the mere existence of the information in question. The Glomar response has been deemed facetious and is rarely used correctly, as the ACLU notes:
“The problem with the FBI’s Glomar response is that, as detailed above, we already know records pertaining to the EDAU exist because information about the unit is already public. The fact that all of this information is already publicly known deeply undercuts the FBI’s Glomar theory. The FBI itself has made clear that it is attempting to access and decrypt personal electronic devices, so the claim that it can’t even acknowledge whether these records exist is implausible.”
The ACLU has now filed a complaint for injunctive relief for violation of the Freedom of Information Act with a US district court in California. They have stated that this information needs to be in the public, it is potentially compromising the security and privacy of everybody. The FBI thinks they can keep breaking into encrypted devices while various other government departments encourage encryption backdoors – we cannot let this happen when our privacy and security are at stake.