On one side of the equation, we have law enforcement agencies beating their chests, telling up the widespread use of encryption is hampering their efforts at catching bad actors. One the other, a private company, tech giant Apple, prepared to put their money where their mouth is and use the courts to protect our rights to use encryption, without an avenue for governments to access our data.
Apple logo image from Shutterstock
In 1999, a court in the United States ruled that software code was protected under the First Amendment. Declaring software code “free speech”, the Ninth Circuit Court of Appeals ruled that the government’s regulations preventing its publication were unconstitutional.
So, for the last 17 years, strong encryption has been freely developed and used.
Flash froward to the end of 2015 and a high profile case of domestic terrorism in San Bernardino, California results in the death of 14 people and wounding about 17 others. Husband and wife Syed Rizwan Farook and Tashfeen Malik were killed during the ensuing battle.
Prior to their attack, the destroyed several cell phones and computers but left one iPhone 5c intact in their car. That phone was owned by the County of San Bernardino.
Since then, the FBI and Apple have been in a legal battle. With the data on the phone locked by Apple’s on-device encryption — encryption for which Apple does not have, by specific design, a key – the FBI is using the courts to come Apple to create a new version of iOS that they can use to brute force attack the iPhone 5c in order to extract the information.
There is clearly a strong divide between people who believe Apple should do as they courts ask and those that belie there’s a bigger game at stake.
A survey of 198 security professionals conducted by Tripwire Inc at RSA Conference 2016 found
- 81 percent of respondents said it is either very likely or certain that cybercriminals would abuse the Government’s capability to access encrypted data if technology companies are required to provide it
- 82 percent of respondents said it is either very likely or certain that government agencies would abuse their right to access encrypted data if technology companies were required to provide it
- 53 percent said technology firms should be required to provide access to encrypted data on consumer devices if law enforcement serves them with a warrant or subpoena, and
- 88 percent believe it will reduce security and privacy on consumer and enterprise privacy and security.
On the other hand, a survey conducted by the non-partisan Pew Research Center found 51% of Americans say Apple should assist the FBI and just 38% said Apple should not unlock the phone to ensure the security of its other users’ information. 11% were undecided.
While this is playing out in the US courts, it’s important to realise decisions made in that jurisdiction may have profound effects globally. In my view, it’s highly unlikely Apple will produce two types of iPhone or two versions of iOS that treat encryption differently. In any case, doing that would only create a grey market where non-US iPhones would be imported to the US, rendering any move to limit access to encryption useless.
We also have to take into account the laws of legal precedence. If Apple loses this case then law enforcement agencies could use that precedent to compel all tech companies to unlock phones they believe were used in criminal activities.
The FBI has about 13 similar cases in courts across the US at the moment. Tellingly, they lost a case in Brooklyn, New York where a judge ruled against the FBI’s desire to access an encrypted phone. The FBI were making a similar case to that in San Bernardino although that case was related to a drug dealer they were trying to convict and not a dead terrorist.
For all of us, the stakes are significant.
If Apple is compelled to create new software to unlock an iPhone, this opens a very big door. The FBI is not asking Apple to hack the iPhone in question. They are asking Apple to create something that doesn’t exist – a new version of software that enables a brute force attack.
The implications of this alone are significant. Effectively, the FBI could ask anyone to make anything to support an investigation.
Governments don’t have a great track record for protecting information assets. If we learned anything from Edward Snowden we learned that government agencies eventually leak. If an iPhone decryption tool fell into the wrong hands it could lead to a significant problem where the data on any stolen phone could be accessed.
A recent case of a school teacher who lost their job when a student stole their phone and accessed one image sent by that teacher to their spouse comes to mind. Many people will have messages and images that, if taken out of context could lead to severe embarrassment or worse.
We live in a world where government surveillance, through CCTV cameras, data retention regimes and other instruments can be used to track a massive amount of our movements and interactions. At some point, citizens need to draw a line in the sand and say enough is enough.
Will this be that line?