Archives

March 4, 2016

Outcome of FBI fight with Apple will affect your privacy

Cross-posted from the Sacramento Bee.

The legal dispute between the FBI and Apple over a locked iPhone is clouded in technical details that are hard for many to understand, an unclear area of law, and a terrible tragedy in San Bernardino that provokes unease and fear.

To make matters worse, the FBI and Apple are engaged in a very public battle using open letters, blog posts and hearings before Congress with terms like patriotism, marketability and backdoors.

The outcome of the case will affect everyone's ability to keep their personal information safe on their smartphones and all their electronic devices. And it will test what limits exist on the government's ability to force unwilling and innocent third parties to help it investigate crime.

A federal judge has issued an order forcing Apple to help the FBI "unlock" the iPhone used by Syed Farook, who with his wife Tashfeen Malik, shot and killed 14 people and seriously wounded 22 in the December attack in San Bernardino.

The issue is not whether Apple should help the government in its criminal investigations; the Cupertino-based company has assisted the government many times in the past, and even in this particular investigation. Instead, Apple objects to the order issued by the judge because of the unusual nature of the request.

The government is asking Apple to create something that does not now exist: a custom-built version of Apple's operating system that would sidestep security features on the iPhone.

Without Apple's assistance, the FBI claims that it is unable to access information that exists only in the phone itself. In addition, because the iPhone would not accept this customized software update without Apple's digital signature - which would otherwise vouch for the software's trustworthiness - the court order compels Apple to do this, too.

How does this affect you? If Apple is forced to create the means to hack into its own products, the issue does not end with this case. As FBI Director James Comey confirmed in his testimony before the House Judiciary Committee on Tuesday, there are other phones that the government would like Apple to unlock.

Local police departments are also eager to seek similar orders from Apple if it loses the San Bernardino case. Indeed, the prospect of forcing Apple to create a permanent in-house hacking department for police purposes was one of the reasons a federal magistrate judge in New York on Monday denied the government's request to compel Apple to unlock an iPhone in a different criminal case involving a drug investigation.

Once Apple creates the means to bypass the security features it has created to ensure the security of the information on its phones, that software will be prized not only by law enforcement officials, but also by organized crime rings, identity thieves and foreign intelligence agencies. That's where all of our interests come in.

As the U.S. Supreme Court described them recently, smartphones could easily be described as "cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps or newspapers" - all at the same time.

That leads to the second issue: the extent to which the government can force an innocent third party to create something for law enforcement purposes.

In the San Bernardino case, the government relied upon the All Writs Act of 1789, a federal law intended to provide courts with the power to issue orders to carry out their duties. The act allows a court to issue orders that are "necessary or appropriate" when "agreeable to the usages and principles of law." No one is quite sure what the outer limits of the act may be, but the Apple case is testing those limits.

Does this include the power to force Apple to create an iPhone hack?

Comey, the FBI director, argues that the San Bernardino tragedy demands it. The problem is that we don't think of law enforcement power simply in terms of its objectives or the gravity of the crime in question. In our legal system, we take the reasonability of the means into account. If Apple is compelled to do this in a terrorism investigation, must it also do so in a drug case? A prostitution case? A delinquent property tax case? What the government seeks, in the words of one friend-of-the-court brief filed by a group of technology companies Thursday, is a demand "unbound by legal limits."

The extraordinary law enforcement means of today, if left unchecked, become the routine methods of tomorrow. And if the government is permitted to compel a technology company to create deliberate vulnerabilities in a phone today, very soon it may apply that power to the growing Internet of Things: the world of Internet-connected "smart" thermostats, televisions, toothbrushes and even Barbie dolls.

Apple's loss may mean that the FBI could one day force a company to deliver malicious security updates to one of the many smart devices you will own. These are products of convenience, not general consent to government surveillance. Do we want this case to pave the way for routine compulsion of private companies to watch us through our connected devices?

We should expect that the FBI and every other law enforcement agency would want to try every means necessary to prevent and investigate crime. But when those means exact a heavy cost upon our information security and privacy, we've struck the wrong bargain.