Winnipeg police stymied by encryption on alleged child sex predator's electronic devices
Despite thousands of attempts, police can't crack 3 of Marshall Ruskin's devices
Newly unsealed court documents give a glimpse into the challenges the Winnipeg Police Service faced trying to uncover the contents of an accused child sex abuser's electronic devices.
The devices were seized under a 2019 search warrant at Marshall Ruskin's Garden City home.
Ruskin, 63, is wanted on three arrest warrants in the Philippines for his alleged involvement in a child sex-trafficking ring led by Australian national and notorious pedophile Peter Scully.
Winnipeg police seized 10 electronic devices from Ruskin's home, and returned seven of them after they were able to open and examine them.
However, investigators in the Winnipeg police technical crimes unit (TCU) have been trying for three years to crack open the remaining three (an iPhone, an iPad and a MacBook) to see whether charges might be warranted in Canada.
They say the encryption is too good and, so far, outside agencies including the RCMP have been unable to help.
Last Tuesday, Manitoba Court of Queen's Bench Justice Vic Toews told police they could hang onto the devices for three more years.
Those three extra years will give Winnipeg police time to catch up with the technology, a security researcher told CBC News.
"What was very difficult to gain access to 10 years ago, five years ago, is very easy to gain access to now," said Christopher Parsons, senior research associate at the University of Toronto's Citizen Lab.
"The odds are in their favour that they will eventually gain access to those devices."
Officers allege Ruskin sent more than $3,000 Cdn to Scully's girlfriend in the Philippines to watch the live sexual abuse of an 11-year-old girl over the internet through the teleconferencing app Skype, according to a 2019 sworn affidavit to get authorization to search his home.
Police believe he recorded these Skype sessions on his electronic devices.
Over 100K attempts made to access Ruskin's devices
In affidavits filed in court between November 2021 and February 2022 as part of a police application to keep Ruskin's electronic devices, investigators explained why they haven't yet been able to see what's on them.
The affidavits were unsealed last week after Ruskin abandoned a publication ban that had been previously ordered by Toews.
Lawrence Trinidad, a technical crimes investigator with Winnipeg police, says officers don't have access to any of the pass codes required to get into Ruskin's devices.
The technological crime unit [TCU] has more than 50 years collectively of computer forensic experience, and has access to the top encryption solutions in the computer forensics industry, Trinidad wrote in a Jan. 28, 2022 affidavit to the court.
However, that's still not enough to crack into these devices.
He said some devices allow the unit to try thousands of pass codes per second, "which results in the pass code being obtained very quickly, while other devices prevent pass codes from being tried quickly and only 100 codes per day may be attempted."
"A 4-digit pass code can have 10,000 different combinations. A 6-digit pass code can have 1,000,000 different combinations," Trinidad wrote.
The investigators have tried nearly 30,000 different pass codes to get into Ruskin's iPhone alone, he wrote.
A further 72,000 attempts and counting have been made to access the contents of Ruskin's iPad, police say.
The MacBook is another story – Trinidad says they have "no available solution" to access the computer's contents.
"There is currently no available solution known to TCU that will allow access to this device in its current state and configuration," Trinidad wrote. "TCU is continually monitoring advancements so that if a solution becomes available action will be taken to access the device."
Apple encryption keeps out law enforcement
Internet child exploitation investigator Det. Chad Black said the computer has what's called a "File Vault 2" encryption and there's no way to bypass it, according to a November 2021 affidavit.
FileVault 2 is Apple's encryption tool, which encrypts data on a Mac computer. It prevents unauthorized access by anyone who doesn't have the decryption key or the user's account credentials.
"In certain cases devices can be sent to companies whose expertise is to decrypt encrypted devices. However, these companies are not able to decrypt FileVault 2 encryption at this time," Black wrote in November 2021.
He says that with new training and software, the encrypted items could likely be analyzed.
"The expectation is that technology will advance and the Winnipeg Police Service will be able to … examine the electronic devices for evidence of child sexual-abuse material," Black said.
Without being able to look at what's on Ruskin's devices, he says, the investigation cannot progress.
A spokesperson for Apple Inc. did not respond to questions from CBC News, but sent a 16-page document that explained its legal guidelines for law enforcement when seeking information on Apple devices.
Takes years to find 'vulnerabilities' in Mac: expert
Parsons says a security chip that is built into the Mac's operating system is designed to protect its information from third parties. However, that also includes law enforcement.
"[It] prevents law enforcement or forensics companies from rapidly testing passwords, with the result being it can take months, years, or centuries to determine a password," he told CBC News.
This means law enforcement or an outside forensic company must rely on finding "vulnerabilities" in the operating systems to access its data – and Parsons said this is a slow process.
"The longer that the police have a device, the more vulnerabilities will be discovered and exploited by the forensics companies," he said.
"Thus increase the likelihood that police will eventually gain access to the information stored on devices in their custody."
Winnipeg police asked RCMP for help, got none
Police say in court documents that they have even tried asking other law enforcement agencies for help with the FileVault 2 encryption.
This includes the Royal Canadian Mounted Police National Child Exploitation Crime Centre in Ottawa.
"[I] was not provided any further resources," wrote Det. Chad Black in a November 2021 affidavit of his request to the Mounties.
RCMP said in an email to CBC News it cannot comment on ongoing investigations and that it "remains committed to working with our municipal partners to assist on investigations."
Black says Winnipeg police's internet child exploitation unit has previously turned to the U.S. Department of Homeland Security and Federal Bureau of Investigation for help cracking into Apple's FileVault encryption program on other devices.
Black says police are still waiting on the results.
He said in the affidavit that as technology continues to evolve, it has allowed police to access devices they weren't able to access five years ago.
"As devices age and newer expertise, techniques or technologies are developed, agencies establish advancements allowing them to 'crack' the encryption and access data," he wrote.
"The complexity of this investigation, having regard to the difficulty of examining the things seized, is extensive and the data is sensitive, therefore the possibility of assistance from outside agencies and time are essential."
Ruskin abandons fight for devices
In January, Ruskin filed an application with the court asking a judge to return his belongings.
In February, he won a publication ban on the details of the police investigation, which prohibited CBC News from continuing to report on information obtained in the yet untested search warrant documents.
The ban was overturned last week.
Ruskin argued at one point that police had held his devices illegally for 2½ months because the order to detain them had expired and they had applied to the wrong court for an extension.
In a January motion brief, Ruskin accused police of dragging their feet during their investigation.
The brief said police have provided no evidence as to what training, if any, police have taken since they executed a search warrant on his home or what training might still be required.
"The WPS' failure to adequately train its investigative team, notwithstanding that it has been aware that further training is required for more than 2 years, constitutes delay, procrastination and 'foot dragging'," the document said.
"Further, while the WPS has made a vague assertion that 'efforts have been ongoing to attempt to access the devices', no evidence has been adduced as to what these 'ongoing efforts' are or how much time has been dedicated to these efforts."
In the end Ruskin consented to the further detention of his devices for three years, but didn't say why he changed his position.
Police had argued they couldn't give Ruskin the devices back if they contained any child sexual-abuse images or videos.
None of the allegations against Ruskin have been tested in court.
with files from Vera-Lynn Kubinec