The crypto debates are nothing new. We had a major round in the 1990s with the Clipper chip, and we’ve been immersed in it since the Snowden revelations. But this week, the crypto debates have reached a fever pitch - potentially becoming an election issue in the U.S. and affecting the way governments around the world attempt to access personal information from technology companies.
On Tuesday, a U.S. federal judge ordered Apple to technically assist the FBI in unlocking the iPhone of one of the San Bernardino shooters. Within hours, Apple CEO Tim Cook said the company would not comply with the order and followed up with a direct letter to Apple customers explaining its reasoning.
Technologically speaking, the FBI is not asking Apple to break its encryption, but is asking for help accessing the specific phone in three ways: to disable the auto-wipe function for password entry; to allow the FBI to enter passwords electronically; and to ensure there is no additional delay between password attempts. All three requests are in response to specific security requirements Apple has purposely built into its products.
The phone in question is actually owned by the San Bernardino County Department of Public Health and was set up by the agency to maximize its security. Ten failed password attempts will prompt the operating system to erase the phone’s contents. Obviously, the FBI wants to avoid this. As such, it wants Apple to create a special version of its iOS to help it efficiently bypass the three obstacles cited above so that it can brute-force the phone’s PIN code. (For a more detailed explanation of this, I recommend you check out Dan Guido’s excellent Trail of Bits blog post.)
Additionally, as Guido points out, Apple could conceivably further customize iOS to only work on that specific phone, so technically speaking, he argues, it is feasible for Apple to comply with the court order. The FBI is even willing to physically send the subject phone to Apple so the company can upload the customized iOS without that software ever leaving the company's premises.
Since this is clearly a targeted case, and not part of any indiscriminate bulk surveillance, what’s wrong with the FBI’s request?
For Apple, it’s simple: Once it creates this customizable iOS for this specific case – a move that specifically weakens the decades' worth of security developments it's placed in its product – what prevents the government from coming back for other specific requests? Or, for that matter, other countries around the world? If they can do it for this iOS, why not future iOSs? Doesn't this ultimately pull the rug from under its security engineering?
In a Lawfare post, Nicholas Weaver, a computer security researcher, argues that this move "is not a tip-toe down a slippery slope, but a direct leap into a dangerous world, one which would compromise all our security under an incredibly ambitious reading of the law."
Really, this fight Apple has taken on will set a major precedent for the entire Internet ecosystem.
For one, if the FBI can compel Apple under the All Writs Act of 1789, it can compel other companies to do the same. And it’s not just the major Silicon Valley tech companies that would be affected. Think about all the Internet-of-Things devices that are popping up around the world. Heck, the NSA just admitted last week that it can use IoT devices to spy on people. Why couldn’t they compel makers of these devices to do the same?
Plus, if the U.S. government can compel the world’s richest company to help it access the phone’s contents, who’s to say that China, Russia, Iran or any repressive regime around the world wouldn't demand the same workaround? Sen. Ron Wyden, D-Ore., said, "This move by the FBI could snowball around the world. Why in the world would our government want to give repressive regimes in Russia and China a blueprint for forcing American companies to create a backdoor?"
Perhaps most importantly, having strong security and privacy engenders trust. This is something that Apple and Tim Cook have emphasized for quite some time now. Microsoft is doing the same in its court battle with the Department of Justice, and most savvy companies around the world recognize and cultivate the essential value of consumer trust.
Significantly, Europe is paying close attention. Bulk surveillance by the U.S. is a major sore point for many in Europe. U.S. government access to personal data is what ultimately invalidated the Safe Harbor agreement, prompting the need for an entirely new data-transfer regime, the establishment of which has yet to be finalized. Though Apple’s case likely won’t have any effect on the Privacy Shield, there’s no doubt Europeans will watch this fight closely. This is dollars and - ahem - sense for Apple.
In the U.S., this fight could become an election issue. On Wednesday, Presidential Candidate Donald Trump went on Fox & Friends to disparage the move. “I agree 100 percent with the courts,” he said. “In that case, we should open it up.”
Other Republican candidates spoke about the issue during CNN's town hall event. Sen. Ted Cruz, R-Tex., said Apple should comply and create a backdoor.
.@tedcruz: Apple should create a backdoor to unlock the #SanBernardino shooter's phone https://t.co/QcAalYCoal https://t.co/czaU6r1emJ
— CNN Politics (@CNNPolitics) February 18, 2016
Sen. Marco Rubio, R-Fla., said Silicon Valley and the government are going to have to work together to find a solution.
.@marcorubio discusses #SanBernardino shooter's phone: "I don't have a magic solution" https://t.co/Sq7l7ObAjn https://t.co/kqpLP0Dm0D
— CNN (@CNN) February 18, 2016
Sen. Tom Cotton, R-Ark., didn't hold back his vitriol for Apple's move either, accusing the company of protecting "a dead ISIS terrorist's privacy over the security of the American people." With rhetoric such as this playing on the fears of voters around the country, Apple may face an uphill battle in the court of public opinion. Or as a BGR report noted, the FBI may have laid a "clever trap" for Apple, noting, "there's a danger here that if Apple botches the politics of this fight that it could undermine public support for end-to-end encryption as a whole."
Others outside the political spectrum also disagree with Apple. In a post on Medium, Blair Reeves contends that iPhones are not black boxes, and that the Fourth Amendment allows for search and seizure when reasonable and with a court order. He writes, “The Fourth Amendment does not immunize anyone against government searches of their ‘papers and effects’ – it merely says that any searches that occur cannot be ‘unreasonable,’ and must be supported by a warrant.” A report for The Washington Post contends that Apple will lose the case in court, suffer a PR "disaster," and thereby set back privacy for everyone.
Yet, there is also a lot of public support for Apple's move. Google is publicly backing Apple in this fight, and not only have privacy advocates expressed support for Apple - including the Electronic Privacy Information Center and the Center for Democracy & Technology - but other organizations have as well, including Forrester and the Internet Society. Plus, the Electronic Frontier Foundation staged a public rally in support of Apple at a San Francisco Apple store, and plans more rallies nationally next week.
Whether through the presidential election, the consumer's wallet, or in a court of public opinion, the value citizens place in privacy and national security will be demonstrated during this fight. And whether Apple is right about taking on the federal government, it’s clear that privacy is a major consideration in all of this – not just for one company or country, either. As a result, the fate of this fight may well affect us all for a long time to come.