The U.S. government’s attempt to invoke a centuries-old law to obtain a court order to require Apple to create a program that would allow it to break the security safeguards on the iPhone used by a San Bernardino terrorist has sparked an enormous outcry from the technology, privacy, and security communities.
For U.S. officials, a terrorism related rationale for creating encryption backdoors or weakening user security represents the most compelling scenario for mandated assistance. Yet even in those circumstances, companies, courts, and legislatures should resist the urge to remove one of the last bastions of user security and privacy protection.
This case is about far more than granting U.S. law enforcement access to whatever information remains on a single password-protected iPhone. Investigators already have a near-complete electronic record: all emails and information stored on cloud-based computers, most content on the phone from a cloud back-up completed weeks earlier, telephone records, social media activity, and data that reveals with whom the terrorist interacted. Moreover, given the availability of all of that information, it seems likely that much of the remaining bits of evidence on the phone can be gathered from companies or individuals at the other end of the conversation.
As Apple and other technology companies have recognized, scratch below the surface and you find a case that is fundamentally about establishing legal precedent that can be wielded to require companies to establish backdoor access to devices, break encryption, or weaken security measures. In fact, despite claims that it is a one-time request, there are already reports of at least nine other cases involving Apple in the U.S. alone.
The problem with such a precedent extends beyond the “slippery slope” argument. Creating security vulnerabilities leaves everyone more vulnerable since there is no mechanism to limit weakened security measures or backdoors to the “good guys.” If the U.S. government can get it, so too can other foreign governments or criminal organizations.
Moreover, the case enhances the role of government and law enforcement in the design of security safeguards within consumer devices. Ironically, the U.S. government has recognized the danger of its approach in other venues. For example, it has pointed with approval to provisions in the Trans Pacific Partnership that purport to restrict the ability of governments to impose conditions on products that contain encryption, claiming those restrictions will allow companies and individuals to “use the cybersecurity and encryption tools they see fit, without arbitrary restrictions that could stifle free expression.”
That is a laudable goal, yet the TPP contains its own backdoor provision that allows law enforcement to use the courts to require access to unencrypted communications. The Apple case highlights how the TPP will ultimately do little to address the issue, with the U.S. example paving the way for foreign governments to demand similar access to otherwise secure devices.
While the Apple case may take months to resolve, it has already placed the spotlight on the near-complete erosion of privacy within our modern communication system. Telecom transparency reports have revealed how law enforcement is able to use our everyday communications to create detailed maps of our movements and communications habits. Our reliance on cloud computing services for email, photographs, and document storage grants centralized access to data that previously only resided on harder-to-access personal computers.
The last line of defence may be our portable devices, where access can be secured through passwords, data can be encrypted from prying eyes, and security settings can thwart would-be hackers. Yet should Apple lose this case, those safeguards will be gone, escalating fears that in today’s Internet-enabled, smartphone world, privacy is gone too.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at firstname.lastname@example.org or online at www.michaelgeist.ca.