Apple is currently locked in a legal battle with the FBI over a court order to assist the Bureau in unlocking a cell phone recovered from one of the San Bernardino shooters. “Apple v. FBI,” as it is often referred to in the news, may prove to be a landmark case that defines the boundary between citizen privacy and national security—not just in the United States, but around the world. The outcome of the case, and any actions subsequently taken by the U.S. government in the name of fighting terrorism, will likely play a significant role in shaping international norms that have profound implications for privacy and security in the era of the Global War on Terror.
In the aftermath of the brutal terrorist attack in San Bernardino, California, the FBI recovered the work phone of one of the deceased shooters and accidentally locked themselves out of the device while trying to retrieve information. Determined to pursue any leads that may have been contained within the phone, the FBI then demanded Apple’s assistance in unlocking the phone, an order which CEO Tim Cook pledged to fight in a passionate customer letter released February 16.
Not Just One Phone
In a Lawfare blog post published February 21, FBI director James Comey claimed the Bureau only seeks access to the San Bernardino phone as a one-off request. Comey wrote:
We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That’s it. We don’t want to break anyone’s encryption or set a master key loose on the land.
Comey’s claim could not be further from the truth. Though the FBI’s legal case is purposefully narrow, supporters of the FBI as well as defenders of Apple know it has far broader implications:
- The FBI has requested Apple’s assistance in accessing information on at least 12 other iOS devices.
- New York City Police Commissioner William J. Bratton and Manhattan District Attorney
Cyrus R. Vance Jr. said they currently possess 175 iPhones they cannot unlock. Vance, during an interview with talk show host Charlie Rose, was asked if he would want access to all phones that were part of a criminal proceeding if the government prevails in the San Bernardino case. “Absolutely right,” he responded.
- In a congressional hearing before the House Judiciary Committee on March 1, Comey himself acknowledged if the FBI won the San Bernardino case it would seek access to locked devices in other cases.
Many believe a precedent from the San Bernardino case could apply to far more than just locked phones. An amicus brief in support of Apple filed jointly by Airbnb, Ebay, Twitter, and 15 other companies explains:
The government’s demand, at its core, is unbound by any legal limits. It would set a dangerous precedent, creating a world in which the government could simply force companies to create, design, and redesign their systems to allow law enforcement access to data, instead of requiring the government to use the measures, and meet the requirements, of legislatively enacted statutory schemes…
The government seeks unbounded authority to compel Apple to design software that does not currently exist and that will circumvent and undermine security measures intended to protect its users’ data. This principle could require companies not just to turn over one user’s information but to weaken security measures created to protect all users.
Most experts do not believe the FBI needs Apple’s assistance to access the data on the San Bernardino phone. John McAfee, inventor of McAfee antivirus software, offered to decrypt the phone free of charge, and Wired published a list of potential ways the Bureau could crack the passcode. The Feds have finally caught on; Justice Department lawyers requested a hearing scheduled for March 22 to be delayed, and a federal judge agreed. When requesting the delay, Eileen Decker, U.S. attorney for the Central District of California, wrote that “an outside party demonstrated to the FBI a possible method for unlocking [the phone].”
The Problem with a “Government-Only Back Door”
To understand the potential repercussions of the FBI’s case against Apple, it is necessary to understand exactly what Apple would have to do in order to comply with the Bureau’s demands. Apple’s customer letter regarding the case explains the FBI has asked them to build a “back door to the iPhone,” with sweeping implications:
Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession…
The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control…
The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.
In other words, Apple claims there is no way for them to meet the FBI’s demands without creating a back door that could be used on any device that runs iOS—and once that code exists, it could potentially be used by anyone to access hundreds of millions of devices. There is no way to be completely sure the back door could only be used by a specific agency, meaning Apple will have been forced to create a vulnerability in its own product.
If a back door were installed, intrusion by the FBI would be but one of many threats to Apple customers’ data and personal information. In the event that a foreign government, terrorist organization, or even a solitary hacker gained access to the “government-only back door,” the resulting data breach could make the last year’s Office of Personnel and Management (OPM) hack pale in comparison. Once a back door that circumvents encryption security exists, any malicious actor could potentially gain access to it.
Put simply, there is no such thing as a “government-only back door.”
In July 2015, a group of cybersecurity experts released a report that discusses “exceptional access,” which refers to data and communications services such as Apple being required to engineer their products in a way that guarantees law enforcement access to data. Exceptional access proposals are “unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.” Referencing the OPM hack, the report notes, “exceptional access would create concentrated targets that could attract bad actors.”
“Mandating companies to provide exceptional access to government agencies could also drive hundreds of billions of dollars in business away from U.S. companies. If Apple’s phones provide government access to their data, customers may look toward companies based in countries whose governments do not mandate similar requirements for products that are more secure.”
Mandating companies to provide exceptional access to government agencies could also drive hundreds of billions of dollars in business away from U.S. companies. If Apple’s phones provide government access to their data, customers may look toward companies based in countries whose governments do not mandate similar requirements for products that are more secure. A government-mandated back door could also present a liability issue for private companies, which would then be selling a product with a known security defect.
The United States is not the only arena for this battle between security and privacy; similar struggles between private companies and national governments have taken place in China, Russia, and the United Kingdom, among others. Governments struggling to keep up with the pace of technological advancements and deal with the threat of terror attacks are attempting to demand companies store data on their citizens, ban virtual private networks, and mandate the existence of back doors in telecommunications products.
Unfortunately, the FBI seems to be taking the same position as China and Russia on the issue of government-mandated access to privately held information, placing President Obama at risk of being perceived as hypocritical. Last December, China passed a counterterrorism law that mandates internet firms and telecommunications companies operating in China provide law enforcement with decryption keys in terrorism cases and install security back doors to provide authorities with surveillance access. In a February interview with Reuters, Obama said he personally raised this issue with Chinese President Xi Jinping, stating, “We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States.”
“Imagine how hollow these objections will ring if a US court can order what China was trying to compel by statute,” commented Greg Nojeim of the Center for Democracy and Technology.
It is not yet clear how broadly the Chinese will apply the new counterterrorism law, which is purposely ambiguous, but it is possible “Apple v. FBI” will influence their willingness to commandeer private companies.
“The United States cannot deny the role it often plays in shaping international norms and opinions. Its actions, policies, and public statements regarding the Global War on Terror have greatly influenced the actions of other countries.”
Adam Segal, senior fellow at the Council on Foreign Relations and an expert on both China and cybersecurity, does not think “Apple v. FBI” will influence Chinese policy, which he sees as driven by concerns regarding domestic stability and the free spread of information within China’s borders. “What happens in the United States will have very little impact on what China ultimately decides to do,” he writes. However, Segal notes China has responded to foreign criticism of its counterterrorism law by citing international norms and foreign practices. “It is clear that Chinese leaders are more than happy to exploit what is happening in the United States as political cover,” he says. The United States cannot deny the role it often plays in shaping international norms and opinions. Its actions, policies, and public statements regarding the Global War on Terror have greatly influenced the actions of other countries.
The Future of Public-Private Relations on Security
Private tech companies have a vital role to play in counterterrorism and law enforcement—and Apple has assisted the FBI when possible on many other cases involving access to data—but government-mandated insecurity is not that role. If the FBI prevails over Apple, the San Bernardino phone could be the first of millions of devices left vulnerable to government and non-government actors alike.
A final section from the July 2015 cybersecurity report highlights the severity of the issue for the entire world:
The US and UK governments have fought long and hard to keep the governance of the Internet open, in the face of demands from authoritarian countries that it be brought under state control. Does not the push for exceptional access represent a breathtaking policy reversal?
Bureaucratic government systems move far slower than 21st century private companies, so it is no surprise government policy lags far behind the explosion of technological innovation in the modern age. Governments fear platforms that could be used as a “black box” by terrorists or other dissidents—a communications or data storage device that cannot be accessed by law enforcement. And rightfully so. However, correct legislation of the relationship between law enforcement and private tech companies will require more pragmatism than the FBI has put forth in making its case to the world for government-mandated back doors.
Image: An Apple iPhone password prompt screen. (Ervins Strauhmanis/Flickr, Creative Commons)
Cartoon: “Trap Door” (Stuart Carlson)
Brian Garrett-Glaser is a freelance writer and geopolitical analyst with experience working in D.C. think tanks, government contracting, and the wonderful world of lobbying. He holds a degree in international conflict analysis and resolution from George Mason University, and his writings have been published by the Council on Foreign Relations and the American Enterprise Institute. He currently works for a government contracting company as a public affairs specialist.