Thursday, February 18, 2016

What's at risk if Apple gives in to the FBI?

The current face-off between the US government and Apple over security/privacy laws presents an interesting conundrum, and I have been finding it difficult to convincingly come down on one side or the other. But I think I am there now.
As you probably know, the FBI is asking Apple, or rather trying to compel them, to help them break into a password-protected iPhone used by Syed Farook, one of the gunmen in the December 2015 mass shooting in San Bernardino, California. The iPhone 5c, like other late-model iPhones, has a security feature that completely wipes the content of the phone after 10 wrong guesses at the password. The FBI wants Apple to disable that feature, effectively to allow them unlimited guesses in order to access the phone's data for their security investigations. This amounts to a kind of master key, a so-called "back door", which could theoretically be requested again and again in the future, although the FBI are insisting that this is a one-off request, that they simply need one-time only access to one phone.
Apple CEO Tim Cook has rejected the request out of hand, claiming that to do so would be to "undermine decades of security advancements that protect our customers", and has basically said "sue me!". And it seems that is just what they will do. Apple company lawyers claim that such a move would "threaten the trust between Apple and its customer and substantially tarnish the Apple brand", thus affecting the company's bottom line. No less an authority than whistle-blower Edward Snowden is calling it "the most important tech case in a decade". Authorities and leaders in the tech world are split on the issue, with Facebook and Google backing Apple's stance, and Microsoft backing the FBI. Certainly, the case has the potential to set important privacy precedents both in the USA and in the rest of the world.
So, what to do?
Frankly, I am gob-smacked that the US government does not have the capability to carry out this kind of procedure itself, or even to arrange to have it done privately, no questions asked (software mogul John McAfee has offered to do the job for free, although mainly in the interests of publicity for his own US presidential campaign). When I see some of the things government agencies and private operations routinely achieve on fictional TV programs, this seems like child play in comparison. Are you telling me those programs are not real? I'm not necessarily saying that this would be a good solution, just that I am surprised it is not possible.
Of course, there are those conspiracy theorists who maintain that the FBI could easily hack the iPhone themselves, but that they want to set a precedent that that they will be able to use in the future. This kind of sounds plausible, but not totally convincing.
Neither am I totally convinced by the argument that, once a back door has been opened, it would always be available to the US government in the future, and potentially to other, less trustworthy governments, and, ultimately, to criminal elements. Maybe I am being naïve, but it seems to me that the operation could be done in a controlled environment, on a one-off basis, and then destroyed.
I'm also not convinced that Apple's compliance with the FBI in this case would automatically lead to a complete loss of freedom and privacy, and that, as some argue, everyone's personal data would suddenly become available to governments and criminals without the owner's consent - for one thing, as I understand it, this procedure requires the physical phone as well as access to the decryption software. It has also been pointed out that criminals would just stop using iPhones for their nefarious activities (apparently, there are many encryption products out there, most of them not in the USA).
Of course, all this does not mean that it SHOULD be done, merely that one or two of the arguments against may not hold water. I think, on balance, that the potential gains from hacking one phone that was possibly involved in a one-off terrorist action, and which may or may not have useful information on it, is not worth the possible damage that could be wreaked on the privacy and security of cellphones and other data sources, and the unpalatable precedent it sets. The risk is simply too great, and the potential rewards too small.

Adding more fuel to the aforementioned conspiracy theory, it turns out that the FBI have managed to crack the phone without Apple's help, and has dropped the court case against Apple, at least for now.
An unknown "third party" has apparently been helping the FBI with the problem, and there is some evidence that this mysterious third party might be the Israeli-based cyber-security company Cellebrite, a subsidiary of Japan's Sun Corp, whose website claims that it can extract information from the iPhone 5c and other locked phones. It was later revealed that the hack cost the FBI about $1.3 million.
So, now Apple is in the position of having to plug a security flaw in order to protect its own reputation. And I am just waiting for them to take the FBI to court for illegal hacking and data theft.

No comments: