By Tzeng Chun-chiao 曾春僑

The functions of smartphones are constantly being reinvented, augmented and refreshed. In addition to their role as a conventional cellphone, apps for personal organizers, Internet browsers, GPS navigation, online gaming, instant messaging, e-payments, digital photography and audio recording are just some of the capabilities crammed into the average smartphone. While these apps make life convenient, they can also be exploited by malign actors.

For example, criminals could use smartphones to obtain illegal information, monitor a person through GPS, encrypt data to hide it from authorities, access online gambling sites, transmit data through instant messaging, or trade narcotics with e-payment services or a cryptocurrency such as bitcoin to evade police detection.

In such cases, gaining access to a suspect’s mobile phone and decrypting its data has become essential to solving crimes.

As people become more aware of the importance of data security, smartphone manufacturers have developed novel ways to keep users’ data confidential. This includes the implementation of graphical passwords, biometric authentication such as Apple’s Touch ID fingerprint reader or Face ID facial recognition, dual-boot operating systems, and multi-biometric voice-fingerprint authentication. Research is even under way into using the unique amino acid profiles found in skin secretions and heartbeat patterns as methods of authentication.

However, there has always been a trade-off between protecting confidential information and user convenience, and it is often difficult for manufacturers to strike the perfect balance between the two.

One of the problems of modern crime detection facing law enforcement officers is the way in which criminals quickly adapt their methods to exploit new technology and equipment that is not yet addressed under the law. Digital tools allow criminals to cover their tracks and wipe evidence, and make reverse tracing difficult.

When law enforcement agencies need to unlock a smartphone, they must expend a significant amount of time performing system calculation simulations and analyzing the database structure of a device to break through its encryption. Many cases go unsolved because the password of a suspect’s device could not be obtained in the early stages of an investigation.

Coast guard officials say that their job is made much harder if a suspect smashes their cellphone or drops it into the sea before being arrested, uses a less common instant messaging app, or uses a so-called cryptophone produced by one of several niche foreign manufacturers.

Such devices were discovered as part of operations “Venetic” and “Eternal,” led by the British National Crime Agency and the London Metropolitan Police respectively, when members of organized crime rings used cellphones running an operating system designed to automatically “burn” the device — meaning to wipe its data — after several attempts to unlock it.

In such a situation, if investigators are unable to quickly obtain access to information on seized phones, the investigation hits a serious roadblock.

Another difficulty is that different smartphone brands use different types of encryption, while models are also constantly being updated. This means that law enforcement agencies must expend a considerable amount of resources on password analysis.

For this reason, criminals often arrange to wipe incriminating evidence from their digital devices if there has been no communication with their counterpart after a set time.

If legislators reviewing the draft technology investigations bill have any worries about its content, they should pause to reflect on how they should go about resolving all the investigative difficulties facing law enforcement.

As the system stands, during an investigation that hinges on access to a mobile phone, if there is no way to immediately analyze or extract data from it and the suspect has set up the device to destroy its data or can remotely delete data from it, authorities would hit a major obstacle in pursuing the government’s drug policy of chasing upstream suppliers, and criminals would be able to continue to hide in the shadows.

According to article 205-2 of the Code of Criminal Procedure (刑事訴訟法), investigators can “for the purpose of investigating the circumstances of an offense and collecting evidence” gather fingerprints, handprints, footprints, height data and take pictures of an arrested suspect.

If the targeted device is equipped with facial recognition or fingerprint authentication and one or both of these functions has been enabled, then, based on the wording of the act, it should in theory be possible for law enforcement authorities to request that the suspect cooperate in unlocking the device using their face or fingerprint.

However, the law does not specify this procedure and, as such, it could be deemed illegal by a judge.

These types of dilemmas are common throughout the world. In addition to pulling out all the stops to try to find a technical solution, it is becoming increasingly vital to amend legislation to allow investigators to do their jobs.

On Oct. 1, 2018, the Customs and Excise Act went into effect in New Zealand, permitting customs officials at airports to search the electronic devices of an individual if there are grounds for reasonable suspicion. This includes mobile phones, iPads, Android tablets, hard drives, notebook computers and digital cameras.

The law also gives New Zealand customs officials the power to request that an individual under examination provide limited access to their electronic devices or other assistance, including codes, passwords, encryption keys or any other information required to gain access when there are reasonable grounds to do so.

If the person under investigation does not have reasonable grounds to refuse to cooperate, they can be fined up to NZ$5,000 (US$3,343).

Although the law is limited in its scope to border-related crimes, it provides a useful reference for Taiwanese policymakers. Similar powers could be applied to serious crimes or emergency cases, so that a defendant or suspect is obliged to hand over passwords or provide other assistance to law enforcement officials to access digital devices in their possession.

If the individual in question refuses to cooperate, the law could permit officials to use other means to decrypt mobile phones to obtain important criminal information. Decisionmakers must strike a balance between technology and the rule of law to improve the accuracy of criminal investigations.

Tzeng Chun-chiao is an associate professor in the Taiwan Police College’s Department of Technology Crime Investigation.

Translated by Edward Jones
