|Privacy, Data Protection and Security|
|Tuesday, 23 February 2016 18:22|
By. Arthur M. Freyre
The debate over encryption took an interesting turn this past week. The federal government obtained a warrant directing Apple to assist in obtaining information from the iPhone of one of the San Bernardino terrorists. In response, on Monday, Apple has urged the government to withdraw its court order.
The problem at hand is that the iPhone has an auto erase program. The auto erase program will be activated after ten unsuccessful attempts to access the iPhone. No one knows if the program has been activated or not. However, in an abundance of caution the government filed a petition ordering Apple to assist the government. The court agreed with the government’s position and issued the order.
The order does state that Apple would need to develop a “software image file” (SIF) that is “coded with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE”, (i.e. the phone in question).
FBI Director James Corney released a statement on February 21, stating, “The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve. We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly.”[ii] Public opinion seems to be in supportive of this view as seen in a recent poll conducted by SurveyMonkey with 51% in agreement with the FBI.[iii]
Apple, however, claims that the FBI through this order is calling “…[for] a new version of the iPhone operating system, circumventing several important security features and install it on an iPhone recovered during the investigation. In the wrong hands this software, which does not exist today, would have the potential to unlock any iPhone in someone’s physical possession.”[iv]
Apple and its supporters argue that this would not only weaken Apple’s encryption codes, but will also create precedent for other foreign governments such as China, Iran, and others to force companies to develop or provide that same key. Both sides have legitimate concerns, however, both sides need to have an honest assessment of the world around them. Apple needs to recognize that this matter is not just a criminal case, but also one involving national security.
Consider a scenario in which a terrorist attack causes a catastrophe on a much larger scale. A government agency may make a similar request to the FBI, and what will Apple do? The pressure to comply fueled by grief and anger will be enormous. Will Apple stick to its conviction to the point of consumer boycotts and the possibility of closing shop?
At the same time, the US government needs to understand that the power they are requesting has the potential for great abuse. The image of a federal government agent or official that has little or no accountability monitoring phone conversations, whatever the motivation, is not comforting. The temptation to rely on backdoor encryption is too strong for any government agency or official to withstand.
Recently, members of Congress have expressed their frustration with Apple. Some have called for a commission to study the encryption issue much further. While the idea of a commission is great, there is concern as to who will be making up such a commission. House Homeland Security Committee Chairman Michael McCaul (R-TX) and Senator Mark Warner (D-VA) are expected to introduce legislation to create a national commission to investigate police use of encrypted data and protection of privacy.[v] The Senate Intelligence Committee is also working on a bill regarding encryption, with efforts led by Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA).[vi]
Ideally, any legislation concerning encryption should balance an individual’s right to privacy and the security of our Nation. There should be no reason why this cannot become a “both and”, instead of an “either or” scenario. Any encryption legislation should recognize that encryption technology is a unique business product that provides relief from customers’ fears that their emails will not be hacked resulting in the loss of personal or business information. At the same time there should be strong accountability measures (i.e. criminal or civil penalty) for any government agent or official that abuses the backdoor encryption or the access to the encryption key.[vii]
If the debate becomes only a privacy issue or only a national security issue, then we as a nation lose. We need to reconcile those two interests simultaneously in order for this to be successful.
[ii] See https://www.fbi.gov/news/pressrel/press-releases/fbi-director-comments-on-san-bernardino-matter (last accessed Feb. 23, 2016).
[iii]See “In Apple vs. the FBI, Americans Want the Phone Unlocked” from http://blogs.wsj.com/digits/2016/02/20/in-apple-vs-the-fbi-americans-want-the-phone-unlocked/ (last accessed Feb. 23, 2016).
[v] See http://thehill.com/policy/cybersecurity/266354-lawmakers-set-to-introduce-encryption-commission-bill (last accessed Feb. 23, 2016).
[vi] See http://thehill.com/policy/national-security/264185-senate-intel-chair-its-time-for-encryption-legislation (last accessed Feb. 23, 2016).
[vii]A "backdoor" in computing is a method of bypassing the normal method of authentication. Backdoors are usually inserted into a program or alogorithm before it is distributed widely. They are often hidden in part of the design of the program or alogorithm. In cryptography specifically, a backdoor would allow an intruder to access the encrypted information without having the correct credentials (from stanford.edu)