Cyrus Vance, Manhattan’s District Attorney, thinks that encryption is a murderer’s tool. He has testified before Congress about how encryption hurts law enforcement. At the same time, his office is running a biased survey for law enforcement agencies on encryption, a survey that uses obviously leading questions and has an obvious security flaw.
Though it’s only meant for law enforcement, Vance’s office left the survey URL open to the general public: Anyone can access it and submit answers, which means that anyone can impersonate a police officer, prosecutor, or other law enforcement official.
The unsecured, public Survey Monkey poll is supposed to gather data on how smartphone encryption hurts cases in law enforcement departments across the country. The office created the survey last fall before the International Association of Chiefs of Police conference, and it is still actively gathering information.
Although Survey Monkey provides options for private polling, the DA’s office didn’t use it. When I asked how the office weeded out fake submissions, I received a vague response.
“All submissions by members of law enforcement have been independently verified by our Office, which has been working to compile statistics on the national scope of the problem,” Manhattan DA Director of Communications Joan Vollero said in a statement to Gizmodo.
I asked Vollero how the office independently verifies that the answers come from actual officers—whether it emails, calls, or tracks IP addresses. The DA’s office declined to comment.
It seems very odd that the office would rather sift through responses and double-check their authenticity using opaque methods than simply send out a private survey to the agencies it wanted to take it.
As it is, the survey is out for anyone to see—and people are noticing. Recent News CEO Declan McCullagh tweeted about it last week, which brought another bizarre aspect of the survey into focus: the survey is set up so that a responder is unable to submit answers without listing one way that Apple’s encryption has damaged an investigation or prosecution.
Even if a law enforcement agent specifies that Apple’s encryption has not impeded an investigation, they are required to fill out one way that it has. If you don’t fill answer #5 out, for instance, you can’t submit the survey:
Setting the survey to public was dumb—but designing that survey to provoke answers that help anti-encryption messaging is plainly manipulative. These are the tactics of government officials who want to dismantle our digital security. They’d be scary if they weren’t so desperate.
[h/t: Recent News CEO Declan McCullagh]