Throughout the ongoing fight between Apple and the FBI over custom access to an iPhone used by one of the two terrorists who killed 14 people in San Bernardino, the government has framed the argument as a simple trade-off: You must surrender a little privacy if you want more security. The scales don’t balance quite so neatly, though; there’s nothing secure about giving the FBI their way. Still, it's been an effective way for the government to win over the public, on its way to trying to win over the courts.
FBI director James Comey most recently pushed the dichotomy in an op-ed for Lawfare. “We have awesome new technology that creates a serious tension between two values we all treasure: privacy and safety,” he writes. “That tension should not be resolved by corporations that sell stuff for a living. It also should not be resolved by the FBI, which investigates for a living.”
It also should not be framed as an absolute. Doing so presents the issue to the American public in a way that makes the FBI’s request palatable while obfuscating the potentially dangerous precedent it would represent.
The case against the FBI’s insistence that it is not asking for all that much has been made repeatedly, both here and elsewhere. In fact, a team of researchers offered a version of it last year when they published the prescient paper "Keys Under Doormats.” [.pdf]
“As computer scientists with extensive security and systems experience, we believe that law enforcement has failed to account for the risks inherent in exceptional access systems,” the group wrote in July. The risks of that type of backdoor include adding complexity to an already intricate system that’s difficult to keep secure, and the impossibility of creating access that would be used solely by the FBI. Any backdoor accessible to law enforcement can and also would be used by a hacker for any number of nefarious reasons.
“It would be great if we could make a backdoor that only the FBI could walk through,” says Nate Cardozo, an attorney with the Electronic Frontier Foundation. “But that doesn’t exist. And literally every single mathematician, cryptographer, and computer scientist who’s looked at it has agreed.”
The current Apple case doesn’t involve a backdoor in the traditional sense. The FBI is asking Apple to create a tool that would circumvent a feature that deletes all of the information on the phone after 10 failed password attempts. “We don’t want to break anyone’s encryption or set a master key loose on the land," Comey wrote. But the authority it would grant the FBI could be used again across a range of scenarios that weaken our privacy, sure, but our security as well.
“The precedent isn’t that they unlock one phone,” says Jake Williams, CEO of Rendition Infosec. “There’s no reason down the road they can’t go to Microsoft, or anyone else, for that matter, to create some intentionally vulnerable applications.” In the scenario Williams envisions, the FBI could force Microsoft to send out a malicious Windows update to any machine connected to a specific IP address, like the Wi-Fi at a coffee shop.
In truth, you don’t need to look as far ahead as that. In a newly unsealed court brief, Apple lawyer Marc Zwillinger reveals that the company has challenged at least a dozen recent FBI requests to unlock iPhones by various means. In some cases, Apple could extract the requested data without creating a new tool. In four instances cited in the brief, though, the iPhones in question run iOS 8 or later, the operating system a new tool would be designed to circumvent.
Not only, therefore, is this not just about “this one phone,” as the FBI has insisted. It’s not even about hypothetical future cases. The ruling, or at least the precedent it sets, could assist the government in at least four instances Apple is currently fighting. It also could apply beyond our borders, in countries with whose governments have concerning human rights records.
“If China [today] demanded that Apple put in a backdoor, Apple would say no,” says Cardozo, adding that the company could threaten to pull its products from the market, creating a public relations nightmare for the Chinese government. “That equation changes once Apple accedes to an FBI order. If the FBI can compel Apple to do it, and it’s publicly known that Apple has given the FBI this key, then China has a very different calculus … The PR around a Chinese demand gets a lot better for China, and a whole hell of a lot worse for Apple.”
And increasingly, it’s the PR that matters.
What’s important to understand about the San Bernadino iPhone case is that its very existence is a public relations maneuver.
“The FBI chose this case very, very carefully,” says Cardozo, who argues that law enforcement sees it as the “perfect case” for litigating the issue in the absence of backdoor-friendly legislation from President Obama and Congress. That it’s a terrorism case, in particular, spurs sympathies to align with law enforcement, regardless of how much benefit the FBI would actually get from the access it has requested.
“I think if the FBI said hey, we want to architect backdoors into devices so that we can get access to whatever we need, whenever we need it---need being a relative term there---I think the public in general would not be for that,” says Williams.
So far, buoyed by the specter of terrorism and the false duality of privacy and security, the public in general is buying what the FBI is selling. A recent Pew Research poll found that 51 percent of Americans think Apple “Should unlock the iPhone to assist the ongoing FBI investigation,” while 38 percent say Apple should not. (The rest had no opinion.) Even the survey itself shows how effective the FBI’s messaging has been. Apple is not being asked to unlock an iPhone; it’s being asked to create software that would help the FBI unlock it. After which, there’s every reason to expect Apple and every other tech company will be asked to create more software that could be used to diminish even more civil liberties.
At the same time, the FBI has managed to attack Apple’s posture of altruism, saying in a recent court filing that the company’s resistance was rooted in “its concern for its business model and public brand marketing strategy,” not larger security concerns.
It’s an odd construction in that it assumes the two are mutually exclusive. Security has long been part of Apple’s sales pitch, but that doesn’t diminish its importance.
For its part, Apple has posted both a strident defense of its opposition and an FAQ for customers, which reiterate largely the same points: That compliance would open the door to a host of security and privacy oversteps. It has also reached out directly to the press, both to clarify its position and embarrass its opponent.
In many ways, Apple’s is the tougher sell, because the way computer security works means that it has to be absolute. Any precedent that says a company can be compelled to weaken its security will have injurious consequences, full stop. There are no shades of grey, no matter what politicians and law enforcement might suggest.
“You hear over and over and over again, from the pro-backdoor camp, that we need to strike a balance, we need to find a compromise,” says Cardozo. “That doesn’t work. Math doesn’t work like that. Computer security doesn’t work like that … It’s kind of like climate change. There are entrenched political interests on one side of a ‘debate,’ and on the other side is the unanimous scientific and technical community.”
Ultimately, the reason this debate is happening at all is that there’s no legislative guidance around encryption. The All Writs Act that the FBI has cited dates to 1798, and even the most recent supporting precedent dates to 1977. Until Congress acts, the FBI will continue to attempt to gain access through the courts.
“These issues will be decided in Congress,” Bill Gates said in a recent Bloomberg TV interview, attempting to clarify previous comments that had been wrongly interpreted as him favoring the FBI. “You don’t want to just take the minute after a terrorist event and swing that direction, nor do you want to swing away from government access when you get some abuse being revealed. You want to strike that balance.”
That resolution may be forthcoming. In an open letter to Comey today, US Representative Ted Lieu, a California Democrat, asked that the FBI withdraw its case in favor of letting the legislative branch do its job. “We should all take a breath and talk to each other,” he writes, echoing Comey’s call that Americans “take a deep breath” about the debate, “rather than use a lawsuit to circumvent the critical and necessary policy discussions.”
Lieu, one of four sitting federal lawmakers with a computer science degree, has dabbled in encryption legislation before, having recently proposed a bill that would preempt states from haphazardly passing their own anti-encryption laws. At the time, he was hesitant about introducing legislation that would have a broader impact, but his stance appears to have possibly evolved.
“The precedent set in this case would essentially enact a policy proposal to weaken encryption that has not yet gained traction in Congress and was previously rejected by the White House,” says Lieu. “Let Congress, stakeholders, and the American people debate and resolve these difficult issues, not unelected judges based on conflicting interpretations of a law passed 87 years before Alexander Graham Bell invented the telephone.”
And when those debates do happen, let’s also make sure they’re not framed by misleading dichotomies like “privacy versus security.” We can’t give up one without presenting a grave threat to the other.
