Information security by Ervins Strauhmanis (CC BY 2.0) https://flic.kr/p/umPu7S

Information security by Ervins Strauhmanis (CC BY 2.0) https://flic.kr/p/umPu7S

Columns

Why the FBI’s Apple iPhone Demands Are Rotten to the Core

The U.S. government’s attempt to invoke a centuries-old law to obtain a court order to require Apple to create a program that would allow it to break the security safeguards on the iPhone used by a San Bernardino terrorist has sparked an enormous outcry from the technology, privacy, and security communities.

For U.S. officials, a terrorism related rationale for creating encryption backdoors or weakening user security represents the most compelling scenario for mandated assistance. Yet even in those circumstances, companies, courts, and legislatures should resist the urge to remove one of the last bastions of user security and privacy protection.

My weekly technology law column (Toronto Star version, homepage version) argues that this case is about far more than granting U.S. law enforcement access to whatever information remains on a single password-protected iPhone. Investigators already have a near-complete electronic record: all emails and information stored on cloud-based computers, most content on the phone from a cloud back-up completed weeks earlier, telephone records, social media activity, and data that reveals with whom the terrorist interacted. Moreover, given the availability of all of that information, it seems likely that much of the remaining bits of evidence on the phone can be gathered from companies or individuals at the other end of the conversation.

As Apple and other technology companies have recognized, scratch below the surface and you find a case that is fundamentally about establishing legal precedent that can be wielded to require companies to establish backdoor access to devices, break encryption, or weaken security measures. In fact, despite claims that it is a one-time request, there are already reports of at least nine other cases involving Apple in the U.S. alone.

The problem with such a precedent extends beyond the “slippery slope” argument. Creating security vulnerabilities leaves everyone more vulnerable since there is no mechanism to limit weakened security measures or backdoors to the “good guys.” If the U.S. government can get it, so too can other foreign governments or criminal organizations.

Moreover, the case enhances the role of government and law enforcement in the design of security safeguards within consumer devices. Ironically, the U.S. government has recognized the danger of its approach in other venues. For example, it has pointed with approval to provisions in the Trans Pacific Partnership that purport to restrict the ability of governments to impose conditions on products that contain encryption, claiming those restrictions will allow companies and individuals to “use the cybersecurity and encryption tools they see fit, without arbitrary restrictions that could stifle free expression.”

That is a laudable goal, yet the TPP contains its own backdoor provision that allows law enforcement to use the courts to require access to unencrypted communications. The Apple case highlights how the TPP will ultimately do little to address the issue, with the U.S. example paving the way for foreign governments to demand similar access to otherwise secure devices.

While the Apple case may take months to resolve, it has already placed the spotlight on the near-complete erosion of privacy within our modern communication system. Telecom transparency reports have revealed how law enforcement is able to use our everyday communications to create detailed maps of our movements and communications habits. Our reliance on cloud computing services for email, photographs, and document storage grants centralized access to data that previously only resided on harder-to-access  personal computers.

The last line of defence may be our portable devices, where access can be secured through passwords, data can be encrypted from prying eyes, and security settings can thwart would-be hackers. Yet should Apple lose this case, those safeguards will be gone, escalating fears that in today’s Internet-enabled, smartphone world, privacy is gone too.

4 Comments

  1. Devil's Advocate says:

    No doubt, they’re after a precedent that would then enable them to order a tech company to circumvent its own products.

    It should also be noted, the phone in question may contain the remaining evidence of the government’s own involvement, in what is quickly turning out to be another false flag event.

    People need to wake up, before it’s too late.
    (It may already be too late.)

  2. Captain555 says:

    The FBI has a 18 minutes gap where they have no idea where the terrorist went and they would like to know. They are hoping that the GPS info in the phone could tell them. Personally I think the FBI are right to ask and Apple should help them. But Apple choose to make a PR campaign out of this. I never like the way Apple does business and this certainly doesn’t help me find a reason to like them. I have never given a single penny of my hard earn money to Apple and never will.

  3. This is totally about PR!

    If Apple hacks this iPhone how long do you think before every other phone manufacturer starts advertising “if you want security buy our phone – not an iPhone!” I’m pretty sure those ads are ready to go! And Apple knows this. I’m sure they want to help the FBI and want to protect lives, but the FBI is essentially asking Apple to ruin their reputation and destroy their business. Did they seriously think Apple would do that without a fight?!