The news reports about the lawsuit between Apple and the FBI over a terrorist’s iPhone are fraught with misinformation and security theater. The case has been characterized as privacy’s last stand, as the tech industry’s gift to criminals around the world, and as everything in between. I assume you have read something about the case, so I will start by providing two documents that you may not have links to. Both of them pre-date the Apple case.
First is the Keys Under Doormats paper, a report written by more than a dozen different security researchers in July 2015. The paper does a very good job of laying out the issues involved in decrypting our modern computing devices. Many of these researchers were involved in the Clipper Chip era of the late 1990s, when the government last tried to force its way into our devices.
While you should read the entire paper, here are some highlights. The paper concludes by saying that “the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago.” They also say that providing decrypts would be “unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.”
The second document was written by the NYC District Attorney last November. It deals exclusively with whole-disk smartphone encryption, which is the central issue of the case. It contains a proposal for device vendors to be able to unlock any phone at the request of a search warrant. The report has justifications and technical questions for both Apple and Google. Again, the entire document is worth reading. Its key data point: between September 2014 and September 2015, the DA’s office was unable to execute approximately 111 search warrants for smartphones because those devices were running iOS 8, which automatically encrypts its information. The DA’s office claims this feature benefits criminals and imperils the safety of us all.
Okay, here are some of my own thoughts.
Is the DA’s proposal a backdoor way around encryption? The government and law enforcement officials say no. I would disagree, and say that their proposal is probably better characterized as a side door. Having a way inside an encrypted disk compromises the disk’s security, no matter how it is done and who holds the keys.
Shouldn’t Apple, Google et al. want to cooperate with law enforcement? Sure they should, but in a way that won’t be a threat to the overall security of everyone. I side with the “doormats” folks on this one. The issue, as they say, is that “Law enforcement cannot be guaranteed access without creating serious risk that criminal intruders will gain the same access.”
The FBI initially stated that it was only interested in a single iPhone, and then later changed its statements. The FBI is being somewhat disingenuous here. If Apple develops the technology to break into a phone, it will certainly be used in numerous other cases. The FBI carefully picked a test case with a known criminal, a terrorist, to make its request more sympathetic to the courts and the public.
Don’t encryption tools benefit criminals? Many of us say that we have nothing to hide. Perhaps that is true, but why should citizens have their phones compromised by others who are either less sanguine about their rights to privacy or who are trying to gain access for illegal intent? Sure, gaining access to encrypted information isn’t easy: you might have read how the FBI arrested Ross Ulbricht for his activities with Silk Road. But that’s the whole point. The FBI got around the various encryption protocols he was using by seizing his open laptop at a public library in San Francisco, preventing him from closing his session so his identity could be verified and they could gain access.
Why can’t corporate IT departments use mobile device management (MDM) tools to unlock employees’ phones for law enforcement? Indeed, this is sort of what happened in the San Bernardino case. However, the terrorist’s employer, the county health department, had only partially installed the MobileIron MDM tool. Because it wasn’t completely implemented, they couldn’t get all the information out of the phone. Certainly many IT managers who have heard about this now recognize the value of MDM, and perhaps they will finish their own installations as a result. But there will be many phones that other law enforcement staff get their hands on that are in a similar state: do we really want to pass legislation to compel IT workers to do their jobs properly? And just because I have a personally owned phone that is managed by an MDM doesn’t mean that IT can obtain any information from it.