Should police be able to force you to hand over your digital passwords?
CBC News/Toronto Star demo a $450 device that cracks iPhones to explore existing investigative capabilities
Police, Power and Privacy is a special five-part investigative series that looks at why police across the country want new powers to track tech-savvy suspects, and why privacy advocates say they should be denied.
A father is charged with sexually assaulting his child and recording the attack on his iPhone.
Investigators have the child's testimony, but they know the video is crucial to the Crown's case.
They have a warrant, they have the phone, but there's one major problem: the device is locked.
Investigators can't access the evidence they're convinced is on it.
The father has refused to provide the code and police and the courts have no power to compel him to do otherwise.
This, police say, is but one example of why they need the power to compel suspects to hand over cellphone passwords and computer encryption codes in serious crime cases where potential evidence is hidden behind digital walls.
But the proposal has not only provoked an outcry from civil liberties advocates, it has even caused division among police leaders.
The idea is being floated in a federal government discussion paper and was endorsed by the Canadian Association of Chiefs of Police (CACP) as one measure to help investigators collect evidence on tech-savvy suspects who hide their identities and activities.
"This is not anything about a police officer pulling somebody over and demanding their cellphone and demanding the password," said Ontario Provincial Police Det. Supt. Dave Truax, who worked to pass the CACP resolution back in August.
He points to Canada's allies that have passed legislation similar to what the police chiefs want.
"The U.K. has legislation where a court can compel an individual to provide an encryption key or password in order to decrypt the data," he said. "There is legislation that has been passed in New Zealand that goes back almost 15 years now."
'Right to remain silent'
But legal and civil liberties advocates warn that a law to compel the surrender of passwords flies in the face of the right to remain silent enshrined in the Charter of Rights and Freedoms.
Micheal Vonn, policy director of the BC Civil Liberties Association, called it a "a very radical proposal in Canadian law."
"It really strikes at the fundament of one of the most basic principles of the criminal law system, which is your right not to self-incriminate and your right to be silent," she said. "So it is a very tricky proposition and as I say, a novel one in Canadian law."
RCMP Chief Supt. Jeff Adam says the CACP resolution equates surrender of passwords and encryption codes to laws that allow courts to order suspects to surrender DNA, or police to demand a roadside breath sample.
"[It's like] a demand for impaired driving, where Canadians have decided that this is a scourge and it needs to be stopped," Adam said. "There's checks and balances on these. It is under lawful authority. It is scrutinized heavily by the courts. Every single time. This would be no different."
But not all police leaders are convinced, including Adam's boss, RCMP Commissioner Bob Paulson.
"We're going to order someone to give us their password?" the top Mountie told CBC News and the Toronto Star in an exclusive interview. "I don't know. I don't see that. I don't see a state where, you know, the police are ordering people to give up information. It would be like ordering a statement.
"I'm not a lawyer, but I do know, and I do understand, the dangers of conscripted evidence, and the idea that the state is forcing one of its citizens to say or do anything, right? That's at odds with how I understand what we do."
In fact, in the late 1990s, both Industry Canada and a Senate committee conducted reviews of encryption issues during which they heard from privacy advocates, industry, police and intelligence agencies. The government of the day ultimately chose not to create a law to require people or businesses to hand over encryption keys.
Police hacking codes
Obtaining a suspect's passwords is only one way for police to access encrypted devices. Critics say law enforcement has developed many other techniques to bypass passcodes and data protections on encrypted phones.
"I'm skeptical of police claims, of limitation, of their ability," said defence lawyer Alan Gold, who told CBC News he's been directly involved in cases where the RCMP has bypassed encryption on BlackBerry devices.
"Because assuming they have the ability to break encryption, are they really going to advertise it? Wouldn't they be better off letting criminals and ne'er-do-wells thinking that the encryption was unbreakable so they would use it?"
- RCMP can spy on your cellphone, court records reveal
- Police use 'chip-off' technique to crack mobile phones
In the U.S., the FBI is reported to have spent more than $1 million to hire a private forensics firm to break the password protections on the iPhone 5C of one of the San Bernardino shooters.
CBC News and the Toronto Star asked a local data forensics expert who has worked closely with law enforcement to demonstrate how he can use a device to get past a password.
Marty Musters, director of Forensics at Computer Forensics Inc., paid $450 for an "IP Box" manufactured in China that's designed to exploit a vulnerability in certain models of iPhones. It can bypass some security protections and bombard screen sensors with combinations of numbers to guess the correct passcode and open the device.
Using this "brute-force" technique, Musters was able to crack into an iPhone 4S running IOS 7.1.2. He says the device can get into all iPhone models up to a 6S running versions of IOS 8. Even still, he doesn't believe the IP Box is up to cracking the San Bernardino shooter's 5C iPhone, which was likely running more up-to-date Apple software.
"Generally speaking, [IP Boxes] work on older model phones," Musters said. "I would say that we're probably, let's say, 12 months out."
Musters says manufacturers are constantly updating devices and software to tighten security in a never-ending cat and mouse game with hackers — and law enforcement, who try to find new ways to access devices.
"So the manufacturers are always finding an exploit or a vulnerability, and let's say Apple is patching them. So it's a cycle that goes on, but it's a 12- to 18-month cycle that, we're behind. So the latest phone with the latest operating system, no, you can't get in. But generally speaking, 12- to 18-month-old phones, you can."
Police, Power and Privacy: A five-part series
He argues that while investigators are constantly finding new techniques to access evidence, there should be greater public debate over whether police should be using them, and if so, under what circumstances.
"If it's a terrorist-related activity, and there are many, many lives at stake, I would love the police to be able to do anything that they can," he said. "At the same time, I'm not OK with that if it's a lesser crime — let's say a break and enter."
"I think it's depending on the severity of the crime. Where's the threshold? And I don't know the answer to that. But that's the debate."
With files from Matthew Braga