Apple vs. FBI

The order calls for Apple to provide “reasonable technical assistance.”  Reasonable technical assistance is defined by the following:[i]

  • “…Bypass or disable the auto-erase function…”
  • “Enable the FBI to submit passcodes to the [iPhone] for testing electronically”; and
  • “Ensure that when the FBI submits passcodes to the [iPhone] software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.”

The order does state that Apple would need to develop a “software image file” (SIF) that is “coded with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE” (i.e., the phone in question).

FBI Director James Comey released a statement on February 21, stating, “The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve. We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly.”[ii] Public opinion seems to be supportive of this view, as seen in a recent poll conducted by SurveyMonkey with 51% in agreement with the FBI.[iii]

Apple, however, claims that the FBI through this order is calling “…[for] a new version of the iPhone operating system, circumventing several important security features and install it on an iPhone recovered during the investigation. In the wrong hands this software, which does not exist today, would have the potential to unlock any iPhone in someone’s physical possession.”[iv] 

Apple and its supporters argue that this would not only weaken Apple’s encryption codes but would also create a precedent for foreign governments such as China, Iran, and others to force companies to develop or provide that same key. Both sides have legitimate concerns; however, both sides need to make an honest assessment of the world around them. Apple needs to recognize that this matter is not just a criminal case, but also one involving national security.

Consider a scenario in which a terrorist attack causes a catastrophe on a much larger scale. A government agency may make a request similar to the FBI’s, and what will Apple do? The pressure to comply, fueled by grief and anger, will be enormous. Will Apple stick to its conviction to the point of consumer boycotts and the possibility of closing shop?

At the same time, the US government needs to understand that the power it is requesting has the potential for great abuse. The image of a federal government agent or official with little or no accountability monitoring phone conversations, whatever the motivation, is not comforting. The temptation to rely on backdoor encryption is too strong for any government agency or official to withstand.

Recently, members of Congress have expressed their frustration with Apple. Some have called for a commission to study the encryption issue much further.  While the idea of a commission is great, there is concern as to who will be making up such a commission. House Homeland Security Committee Chairman Michael McCaul (R-TX) and Senator Mark Warner (D-VA) are expected to introduce legislation to create a national commission to investigate police use of encrypted data and protection of privacy.[v] The Senate Intelligence Committee is also working on a bill regarding encryption, with efforts led by Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA).[vi]

Ideally, any legislation concerning encryption should balance an individual’s right to privacy and the security of our Nation. There should be no reason why this cannot become a “both and”, instead of an “either or” scenario. Any encryption legislation should recognize that encryption technology is a unique business product that provides relief from customers’ fears that their emails will be hacked, resulting in the loss of personal or business information. At the same time there should be strong accountability measures (i.e., criminal or civil penalties) for any government agent or official who abuses the backdoor encryption or the access to the encryption key.[vii]

If the debate becomes only a privacy issue or only a national security issue, then we as a nation lose. We need to reconcile those two interests simultaneously in order for this to be successful. 



[i] See https://regmedia.co.uk/2016/02/17/apple_order.pdf (last accessed Feb. 23, 2016).
[iii] See “In Apple vs. the FBI, Americans Want the Phone Unlocked” from http://blogs.wsj.com/digits/2016/02/20/in-apple-vs-the-fbi-americans-want-the-phone-unlocked/ (last accessed Feb. 23, 2016).
[iv] See http://www.apple.com/customer-letter/ (last accessed Feb. 23, 2016).
[vii] A “backdoor” in computing is a method of bypassing the normal method of authentication. Backdoors are usually inserted into a program or algorithm before it is distributed widely. They are often hidden in part of the design of the program or algorithm. In cryptography specifically, a backdoor would allow an intruder to access the encrypted information without having the correct credentials (from stanford.edu).

Regulatory Humility

Due to the universal applicability of encryption technology, the general public also makes use of such programs. Based on the widespread use it is safe to say hackers, terrorists, and other criminals are using this technology to protect incriminating information that may be monitored by governments. The debate over ethical use of encryption technology is expected to be one of the dominating issues the Congress will face in 2016.

The current dispute among legislators calls into question the extent to which federal agencies should have access to encrypted information without requiring probable cause or permissions.[i] The argument in favor of government access points to the fact that the terrorists responsible for the attacks in Paris used encryption technology in shielding communications with each other during the initial planning stages. Government officials argue that by having access to the encryption technology they will have an upper hand in pro-action and prevention of similar assaults in the United States.

Many in the technology industry strongly oppose this view. They believe that granting the federal government this access will increase the temptation for agencies to unnecessarily monitor private and personal communications here in the United States. Many point to the consequences of public disclosure of classified information by former CIA employee Edward Snowden and his observations regarding the National Security Agency and its ability to conduct global surveillance.

The concerns on both sides are substantial and legitimate. On one hand, the federal government is faced with infinitely evolving challenges as technology plays a crucial role in national security. Following the devastation of both the September 11 attacks and the recent tragedy in Paris, prevention has become essential in combating terrorism. Yet, the idea of enabling government authority to indiscriminately override encryption keys for intelligence operations without instituting requirements ensuring honest oversight can be worrisome.

A third possible option, balancing preventative measures and the right to privacy, can be defined by regulatory humility. Regulatory humility is a term used by members of the Federal Trade Commission (“FTC”) regarding regulations and necessary use of current technology. It calls for a framework providing flexibility in establishing guidelines across various agendas instead of relying on a one-size-fits-all approach. The combination of authority, accountability and information collection allows for more rapid reaction and response to policies, which may become obstructive as conditions evolve.[ii]

Though it may sound like a simple solution, reflection can be increasingly difficult in times of trepidation, where reservations are high and the desire to maintain authority is confronted with acknowledging weakness that will require change.

Regulatory Humility can be achieved, however, once bias and insecurity are eliminated. The Congress is very capable of this and should focus on establishing a more flexible framework. As threats to national security become more serious we must provide federal intelligence agencies with the tools necessary in effectively combating terrorism while, at the same time, respecting privacy and maintaining accountability for those tempted by power and authority.


[i] See publication by Inside Sources considering various approaches to Cyber Security, Security and Privacy [http://www.insidesources.com/mccaul-encryption-keeps-me-up-at-night/]
[ii] TechPolicyDaily investigates the importance of Humility on Regulations [http://www.techpolicydaily.com/communications/importance-regulatory-humility/]

A Valuable Lesson From the OPM Breach

Instead of waiting until after the damage of a data breach has been done, companies should begin the process of assessing the data that they have stored in their systems and start keeping an up-to-date inventory of such information.  Assessing the data includes reviewing the following items:

  • The network;
  • The information stored; and,
  • The access to the information.

Assessing the network includes not only your current system, but also any old computers and/or external hard drives that your company may have in storage. If your company has old computers in storage, it is important to see what information is stored in those systems. You may be surprised to find what may be sitting on those hard drives.

Assessing the information stored focuses on the content of the information and the purpose of the information. The content may be personally identifiable information that is the subject of data protection statutes. If the information is considered personally identifiable information, then you are under an obligation to provide measures to protect that information. Your obligation to protect that information depends on the state in which your business is incorporated.

Besides reviewing the content of the information, you must also review the purpose of the information. The purpose of the information answers the questions, “Why do I need this information?” and “How long do I need this information saved?” 

Finally, the issue of accessing the information focuses on the question of “Who needs to have access to this information?” If the information is of a personal nature, then access to that information must be limited. Another question to consider is “How much information should that person have access to?”  In other words, “How much access would that person need to complete their work?”

Suppose you own an accounting office. The executive assistant may need a client’s name and address because that person is mailing something. On the other hand, the accountant working on a matter for that client may need access to said client’s financial information, in addition to the client’s name and address. The access is dependent on the employee’s role.  

Assessing your network, the content of the information, and who has access is a crucial step in developing a data privacy policy.  Answering those questions allows you to implement and develop a data privacy policy that addresses your corporate needs, instead of having a one size fits all approach.
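The accounting-office scenario and the three assessment questions above, as an added example that is not part of the original post: a small data inventory that records purpose, retention and role access for each field, filters a record by role, and flags fields that fail the assessment. All field names, roles, purposes and dates are constructed assumptions.

```python
from datetime import date

# Constructed data inventory for the accounting-office scenario. Field names,
# roles, purposes and retention dates are assumptions made for this example.
INVENTORY = {
    "name":       {"pii": True, "purpose": "client contact", "keep_until": date(2030, 1, 1),
                   "roles": {"executive_assistant", "accountant"}},
    "address":    {"pii": True, "purpose": "mailing", "keep_until": date(2030, 1, 1),
                   "roles": {"executive_assistant", "accountant"}},
    "financials": {"pii": True, "purpose": "tax preparation", "keep_until": date(2030, 1, 1),
                   "roles": {"accountant"}},
    "ssn":        {"pii": True, "purpose": "", "keep_until": date(2015, 1, 1),
                   "roles": {"executive_assistant", "accountant", "intern"}},
}
ALL_ROLES = {"executive_assistant", "accountant", "intern"}


def view_for(role, record, inventory=INVENTORY):
    """Return only the fields this role needs; anything not inventoried is withheld."""
    return {field: value for field, value in record.items()
            if role in inventory.get(field, {}).get("roles", set())}


def audit(inventory, today):
    """Check each field: why is it kept, for how long, and who can read it?"""
    findings = []
    for field, meta in sorted(inventory.items()):
        if not meta["purpose"]:
            findings.append((field, "no recorded purpose"))
        if meta["keep_until"] < today:
            findings.append((field, "retention period elapsed"))
        if meta["pii"] and meta["roles"] >= ALL_ROLES:
            findings.append((field, "personal data readable by every role"))
    return findings


# Constructed client record, including one field ("notes") missing from the inventory.
CLIENT = {"name": "A. Client", "address": "1 Main St", "financials": "2015 return",
          "ssn": "000-00-0000", "notes": "called Tuesday"}

if __name__ == "__main__":
    print(view_for("executive_assistant", CLIENT))
    print(view_for("accountant", CLIENT))
    for finding in audit(INVENTORY, date(2016, 3, 1)):
        print(finding)
```

The uninventoried "notes" field is withheld from every role, and the audit singles out the one field that has no stated purpose, is past its retention date, and is readable by everyone.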

Please do not hesitate to contact us to discuss how we can help you assess your data security needs as well as implement a data privacy policy that fits your corporate needs.

Data Security and Presidential Campaigns

This past September, the Online Trust Alliance, an industry group focused on e-commerce, released a report assessing the safety of presidential campaign websites.[i] The report focuses on the following three aspects of online campaign platforms: site security, consumer protection, and privacy.

Site security addresses whether or not the campaign website is the actual website and not directed to a counterfeit source. This category also includes factors on the investment in technology, such as firewalls, encryption technology, and other programs that make hacking more difficult.

Consumer protection scores are calculated by evaluating the “adoption of email authentication and associated technologies to help protect consumers from receiving fraudulent email purporting to come from candidates, their PACs or political parties.”[ii]  In other words, the political campaigns are assessed on how well they protect their websites and emails from hackers, who could create a false website and illegitimate emails.

Site Privacy compared methods of data storage, security of stored information, and actual use of the information received from political donors and volunteers. The content of a site’s “privacy policy” and the accessibility of such disclosures also contributed to the assessment.

Online Trust praised the campaigns overall for their use of technology in the areas of consumer protection and site security; however, many presidential campaigns were given failing grades for failing to implement a data privacy policy. Six campaigns (out of twenty-three total campaigns assessed) had data privacy protection in place sufficient to pass Online Trust’s assessment.[iii]

Many of the campaigns received low marks in these areas for not having privacy policies, or because the policies disclosed were inadequate, or because the campaigns “claimed the right to share data with ‘like minded entities’ or unidentified third parties or anyone or even sell the data.”[iv] OTA shows this as a negative factor, because the person providing the information has no ability to consent to whether or not their information can be sold, despite the terms of the privacy policy. Third-party data sharing is also in contrast to the generally accepted Fair Information Practice Principles (FIPPS).[v]

A major reason for the low marks in privacy is the use of micro targeting by both Democratic and Republican campaigns. Micro targeting[vi] involves collections of data and statistics from voter populations that are assessed for predictive voting trends, which allows political parties to tailor their messages based on the voters’ preference of issues and streamline campaign resources to potential supporters.

The report provides us with two important lessons. First, companies need to invest in technology that will protect their websites from cyber-criminals, viruses, and other forms of malware. It may not be as extensive as a presidential campaign, but as seen in the cases of Target, the Internal Revenue Service, and the Office of Personnel Management, it is evident that no information technology system, even the “best of the business”, is safe from attacks.

Secondly, companies need to develop a data privacy policy focusing on the security, storage and privacy of consumer information. Although no one has successfully hacked into a presidential campaign website, that we know of, the potential risk of bad publicity stemming from compromised donor and volunteer information is more than enough to end a campaign. That kind of negative publicity is equally devastating for businesses and organizations utilizing online platforms.

For more information on how to assess your own data privacy needs, please visit our website.



[i] Online Trust Alliance Presidential Candidate Report found at https://otalliance.org/blog/does-your-favorite-presidential-candidate-make-grade
[ii] Terminology taken from OTA’s 2016 Presidential Candidates analysis, Pg. 10, https://otalliance.org/system/files/files/initiative/documents/2015_ota_honor_roll_-_candidates_9-18.pdf
[iii] Category scores included under the Privacy Practices Section, Pages 8-9
[iv] Under the Privacy Practices section, definition included as Promiscuous Policy, Pg. 8
[v] https://en.wikipedia.org/wiki/FTC_Fair_Information_Practice ; guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace as explained by the US Federal Trade Commission.