At the time I’m writing this, I am just returned from the RSA Conference on cybersecurity innovation – the world’s biggest digital security expo – where the iPhone dispute between Apple and the FBI touched every conversation. Needless to say, the situation is fluid with new developments and rhetoric appearing almost daily.
The battle over access to encrypted data on an iPhone provides a lens for a bigger debate on privacy, mobile devices and the implications for technology vendors that might face a similar request. Far from simple, each side uses broad brush strokes to paint an unfavorable picture of the other. Some have characterized Apple’s response as a mere publicity stunt. Alarmingly, Manhattan D.A. Cyrus Vance criticized Apple’s actions as “thwarting criminal investigations and impeding public safety.” Regardless of the outcome, the case highlights lessons for IT departments and others charged with safeguarding data on devices. Here are four common questions.
First, what is the precise legal issue? From my perspective, the legal issue boils down to this question: Should a Vendor be required to “break” encryption on a product at the request of law enforcement?” Alex Abdo, a staff attorney at the American Civil Liberties Union, puts it this way “[t]his case is about the government trying to establish an illegal(sic) precedent that it can force a U.S. company to hack its users’ devices.”
FYI Alex, I think you meant “legal” precedent here, since an illegal precedent would — by definition — be unenforceable.
Apple has claimed that it can’t, at least not without using some sophisticated programming. However, Apple can no longer say that is not technically possible, because it is. Instead, in the message to customers, Apple points out that once the iOS version allowing for the unlimited electronic input of passwords is used, there are no guarantees that will only be used once. Apple also alleges the government is asking Apple to hack its own customers, “though technically, the FBI intends to do the hacking itself.” Says Leonid Bershidsky at Bloomberg. It just needs a way in.
Second, why does it matter to business? There is a storm brewing around protection of consumer data. iPhones are one of the most common points of entry for such data. iPhones also contain robust encryption and data protection measures that are appealing to consumers and businesses. iPhones are restricted to work with certain security measures at the device level, like a single TouchID sensor-device pairing. This security measure ensures that attackers cannot build a fraudulent TouchID sensor that “brute-forces” fingerprint authentication to gain access.
For some time, businesses have been loading data onto cloud-based storage services. Using the cloud can affect data protections. Cloud-computing suppliers, whose ranks include smartphone providers, routinely receive court orders to turn over data that in many cases would have been harder for law enforcement to obtain had it stayed on a local device. Encryption can keep certain smartphone data outside the reach of law enforcement. Even with encryption, “[t] he safest place to keep your data is on a device that you have next to you,” say EPIC.
Third what does it mean for encryption and cloud computing? Encryption and cloud computing “are two competing trends.” Of course it is possible to encrypt data in the cloud. This latest salvo is just another chapter in the FBI’s fight against Apple and encryption, which started when Apple implemented new security and encryption features with the launch of the iPhone 6 in September of 2014. Back then, Apple said it wouldn’t be able to unlock phones anymore—even if the authorities came knocking at their door with a warrant—because it just didn’t have the technical means.
According to Motherboard “the US government has since been testing the legal boundaries of what it can force Apple, and by extension any other tech company, to do, mainly using the questionable legal authorities granted by a 227-year-old law.”
Fourth, what should I be doing now? Understanding leads to confidence. CIOs are surely frustrated by another growing legal minefield for a technology that is probably already widely deployed throughout the enterprise. It has been reported that Apple’s iPhone 6 was the most popular smartphone in enterprises, taking up 26 percent of all device activations as early as the first quarter of 2015. Uncertainty around whether one will receive a request to decrypt data, and best possible ways to respond, leads to hesitation in planning, creating and implementing policies. Many hope the Apple-FBI battle will resolve questions around technical “back-door” measures and vendors need to include and/or use such techniques.