Wednesday, Apr 13, 2016

Can any compliance officer overcome the encryption problem?

Encryption is great for users of devices and apps. It keeps personal details private, credit cards secure, and other sensitive information safe from hackers by allowing practically impenetrable communication.

But increased security for users means a reduction in transparency and ability to audit communications for governments and companies.

San Bernardino shooter Rizwan Farook’s work phone was a government-issued iPhone 5c.

Apple famously took a stand early this year against the FBI’s order to decrypt Farook's iPhone. The FBI couldn’t break the passcode and didn’t want to risk destroying data. iPhones have an option to erase all data after 10 failed passcode attempts.

The Washington Post reported yesterday that the FBI paid Gray Hat hackers -- independent researchers for hire -- to "create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data."

Earlier reports said the FBI bypassed Apple by contracting Israeli firm Cellebrite Mobile to unlock the phone.

The FBI has admitted the method used to hack into Farook’s iPhone, either by Cellebrite or the Gray Hats, won’t work on the iPhone 5s, which was released in 2013. That model and newer ones have a secure enclave. The secure enclave is a small piece of hardware in every iPhone that acts as a local safe, uniquely matched to the individual device.

The secure enclaves in iPhones work so well that Apple itself can’t break into iPhones equipped with one.

Only the correct set of fingerprints or passcode can unlock the device.

Communications apps are using encryption too. Facebook-owned WhatsApp quietly enabled end-to-end encryption for all users by default last week.

An in-depth explanation of end-to-end encryption can be found in WhatsApp’s security document. Essentially it creates an environment where messages between WhatsApp users are protected so that third parties (including WhatsApp) can't read them.

Messages can only be decrypted by the recipient. Apple's iMessage works in a similar way.

[Figure: Apple's iMessage encryption structure]

Security technology that protects users and consumers has come a long way, and is necessary. Without encryption, no one could shop online, book airplane tickets, or do the millions of other things that require encryption to be safe and secure.

But just like Facebook’s Messenger app, great tools can always be used for illegal purposes, including bribery.

No paper trail, no record, and no way for companies or governments to access the information if the key is thrown away.

_____

Harry Cassin is the CEO of Recathlon LLC, owner of the FCPA Blog and other publications. He can be contacted here.