PIN Escrow

The FBI has dropped their request to require Apple to write code to unlock the terrorist iPhone.  Supposedly a third party offered a way in.  Yesterday the FBI said they did get in, so they no longer need Apple’s help.

For those whose first instinct is to distrust the government, this looks like the Justice department realized they were going to lose in court and hastily discovered a way out. “Never mind”.  This preserves their option to try again later when public opinion and perhaps law would be more on their side.  I am a little reluctant to think Justice would outright lie to a federal judge, but it wouldn’t be the first time.

This morning on NPR there was a different sort of heartbreaking story.  A woman and her baby were murdered, and there might be evidence on the woman’s phone, but it can’t be unlocked.  So what to do?

My idea is “PIN Escrow”.  Everyone should have a letter written with a list of their accounts and online passwords, to be opened by someone in the event of death or disappearance.  Everyone should have a medical power of attorney and so forth as well, to give a family member or trusted friend the power to act for you in the event of a sudden disability.  Just add your smartphone PIN to the letter,

In the alternative, one could write an app that encrypts your pin with the public key of an escrow service and sends it off.  This facility could even be built into the OS, with opt-in (or even opt-out, after a sufficient public debate), so it would automatically track changes.  The government could operate such a service, or it could be private.  There could be many such services.  Some could be offshore.  Some could use key-sharing for the private key, so PIN recovery could not be done in secret.

Let’s leave it up to individuals whether they want someone to have the power to unlock their phone in the event of an emergency.

From a security perspective, a PIN escrow service would be a dangerous and attractive target, so such a thing would have to be well designed in order to be trustworthy.  It should be kept offline, with no network connection.  The private key should be in a hardware key module.  Several people would have to collude in order to unlock a key, and there ought to be hardware safeguards to prevent bulk PIN recovery.

This is not a general back door for government surveillance, it wouldn’t grant remote access to a phone.  It wouldn’t be useful for hacking into criminal’s or terrorist’s phones (if they are smart), but it might help in cases where the phone owner is the victim of tragedy or accident.

And if you change your mind about having your PIN escrowed?  Just change your PIN.


Leave a Reply

Your email address will not be published. Required fields are marked *