Tallinn University of Technology

Author: Dr Matthew Sorell is the Adjunct Professor of Digital Forensics at the Centre for Digital Forensics and Cyber Security in the Tallinn University of Technology and the Senior Lecturer of Telecommunications and Multimedia Engineering at the University of Adelaide, Australia.

Whether it runs Android, iOS or one of the more obscure operating systems, it’s hard to imagine how we stayed organised before we started carrying around a personal assistant in our pocket.

Recently a lot of attention has been given to how much personal information we leak to Google, Apple, Facebook, TikTok and many others, just by carrying around a smart phone.

The value of this personal information – what you effectively pay in return for a range of free information services – is partly about you, and it’s partly about cohort data. This is how Google and Apple Maps keep track of traffic congestion. There’s nothing new about this – it is also how credit cards and loyalty programs gain market intelligence.

The mobile phone does so much more than your credit card

The powerful computer in your pocket is more than a window into services delivered by cloud servers. Your phone is a powerful suite of sensors – the microphone and camera are familiar, but your phone also contains a GPS location receiver, accelerometer and gyroscope for motion measurement, and other advanced systems.

If you wear a fitness band or smart watch, the sensors in this device are linked to your phone, and your fitness data may also be uploaded for processing in the cloud.

And finally, your phone is connected to radio communications pretty much anywhere you go, whether that is Wi-Fi, 3G, 4G and now 5G, and interactions between your phone and such networks are logged at both ends.

Putting this all together, you are carrying a pattern-of-life recorder in your pocket. This recorder can be relevant in criminal investigation, and this motivates research to calibrate the sensors in phones and wearable devices for use as forensic evidence, whether the sensors are worn by the suspect or the victim. Investigations include narcotic use, missing persons, sexual assault and murder. Times, activities and locations (or “When, What and Where?”) are critical forensic questions in a criminal investigation.

Technical challenges

Calibration of such sensors is challenging, because consumer fitness devices are designed to suit a diverse range of people, and settings may adapt to suit the wearer’s behaviour. Logs summarise health activity statistics on an hourly, daily or weekly basis. Testing has previously been done by fitting wearable devices to athletes or a group of volunteers, but this approach is difficult to repeat and requires ethics approval.

And there is a bigger problem, because technology changes rapidly. New products are introduced on a regular basis, and upgrades to firmware can change the behaviour of existing devices. This has inspired our research work to design a calibration platform and protocols, so that new and updated devices can be profiled against repeatable experiments.

A criticism of the experimental calibration approach is the perception that interested investigators can approach the manufacturer of a device and request performance specifications. There are three counter-arguments to this approach.

The first is that the sensor configuration and underlying firmware are proprietary and sensitive commercial intellectual property, which evolves rapidly in the form of both hardware and firmware updates. The second is that wearable devices are designed for a different purpose (personal health and fitness monitoring) than forensic analysis, and so any information provided is unlikely to address the specific characteristics of interest. And thirdly, even with perfect and complete design specifications, the behaviour of a device is determined by its environmental stimuli, which will often fall outside the assumed usage models applied to the design and validation of the product.

Our work will standardise the process for calibrating and cataloguing the behaviour of phone and wearable fitness sensors, and will support testing a particular device from a crime scene and the repeatable re-enactment of motion events.

Legal challenges

All of this assumes that access can be gained to your personal data, which is a matter of privacy, consent, and justice. And this is where commercial policies come into conflict with state laws and personal will.

The high-profile FBI-Apple dispute in 2015 and 2016 centred around attempts to compel Apple to assist data extraction in criminal investigations and prosecutions. Apple is well known for opposing, on legal, technical and commercial grounds, the development of security backdoors. Tim Cook, CEO of Apple, is quoted as saying “We have a responsibility to protect your data and your privacy. We will not shrink from this responsibility.”

Countries such as Australia have introduced the “Assistance and Access Act” which aims to “enhance the existing ability of Australian agencies to undertake targeted, proportionate and independently oversighted surveillance activities”, but also notes that “nothing in this legislation can require industry to break encryption.”

However, the IT industry is alarmed by Australia’s laws as the weakening of cyber security measures for one government means that encryption technologies are weakened for the benefit of all governments, and for the benefit of organised crime. This was not helped by the then Australian Prime Minister, Malcolm Turnbull, saying “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”

However, there are, without question, circumstances in which it is desirable for encryption to be bypassed. Encryption keys and passwords can go to the grave and passwords can be forgotten, losing access to treasured photographs, important letters, and cryptocurrency. And in the case of serious crime, timely access to encrypted communications can save lives.

It is strange, also, that many people regard their electronic communications as sacred private data, but will happily share a spare key to their house with a friend or neighbour.

Work is ongoing in this area

In Europe, the Horizon 2020 programme has funded the FORMOBILE project to research mobile phone evidence from crime scene to court, and it is a project for which I have been appointed to the Scientific Advisory Committee. Our mission is to create an end-to-end mobile forensic investigation chain, striving to improve digital safety and security in the EU, while respecting fundamental rights.

Estonia is recognised as a world leader in internet freedom, and the Estonian constitution guarantees the right to the confidentiality of messages sent or received.

Speaking as an outsider, I find the pragmatic and transparent approach to digital government to be refreshing, because the tension between personal privacy and the effective delivery of services is well understood. This means that a discussion about privacy and encryption in Estonia can be well considered and mature, unlike in many other countries such as Australia. It is a difficult balance to get right.

The article was published in Edasi.org in August 2020.