Feeding the Privacy Debate: DoJ Eyes Apple
Monday, March 7, 2016
Posted by: Megan Mann
By Brian Green
Most Americans know the tragic story of the many innocent lives impacted by the terrorist acts carried out in San Bernadino in early Dec 2015 that left 14 dead and 22 injured. Recently, the tragedy spilled over into a fierce privacy debate, which could result in new legislation with far-reaching impacts. 
According to the Government’s “Motion to Compel”, during the FBI’s investigation into the shooters, Syed Farook and his wife Tafsheen Malik, the FBI obtained a warrant for, and access to, Farook’s vehicle and digital devices within the vehicle, including the now infamous iPhone 5c. Farook’s iPhone 5c was issued to him by his employer, the San Bernadino County Dept of Public Health (SBCDPH).
In support of the investigation, SBCDPH provided the FBI its consent to search the iPhone looking for additional leads in the case. The FBI confirmed that the phone was used to communicate with multiple parties prior to the attack. However, without access to the data on the iPhone, the value of the iPhone evidence is limited. The iPhone 5c was locked with a passcode and set to erase all data on the phone upon 10 unsuccessful login attempts. The FBI realized the need to either determine the correct passcode, or build a technical mechanism that will enable bypassing a locked and encrypted device without the passcode.
The Government’s “Motion to Compel” states that Apple has the technical ability to engineer a way to circumvent the phone’s security mechanisms, so the FBI applied for an order pursuant to the All Writs Act compelling Apple to assist in unlocking the phone. When Apple refused to assist, the Justice Department filed a motion to force Apple to comply.
The FBI had limited options to bypass the phone’s login screen. Since the Farook was killed in a shootout with police, he cannot provide the passcode. Nor does Apple know any individual user’s passcode. Therefore, the only remaining technical option is to engineer a methodology to circumvent the device locking / encryption function on the device. This is where the true privacy issue emerges.
Apple could provide the FBI with signed software that can be loaded onto the phone to enable bypassing the security time-delay feature that erases the contents of the iPhone after 10 unsuccessful attempts. This bypass feature would enable the FBI to employ “brute force” methods (essentially rapid guessing) to crack the passcode without fear of deleting all data on the phone. Developing such a method to circumvent the device-lock is not a tool that applies only to one device. Rather, Apple would be providing the FBI with a tool to circumvent the lock screen on any iPhone 5c and possibly all iPhones.
According to an op-ed piece written by Senator Richard Burr, Chair of the US Senate Intelligence Committee in USA Today , Burr stated his position that Apple “has wrongly chosen to prioritize its business model above compliance with a lawfully issued court order.”
However, according to the Washington Times, Apple with the support of other powerhouses such as Google and Mozilla said “it would fight the court order, arguing that it cannot create a ‘back door’ for law enforcement without making everyone’s phone hackable by criminal enterprises.” 
Apple CEO, Tim Cook, responded, saying “The government suggests this tool could only be used once, on one phone. But that's simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”
In an interview with WSOC-TV’s Jason Stoogenke, Burr said he wants the administration and the technology industry to come up with a voluntary agreement for these kinds of cases. If not, he says he's working on a bill that would compel companies to comply. The Journal reported on Feb 18th that Sen. Burr is working on a bill to criminalize a company’s refusal to decipher encrypted communications. As of the date of this article, ARS Technical reports that Senator Burr has backed off on the idea of criminalizing such a refusal, but he is considering new encryption legislation.
In the world of social media opinion, the final results of a survey on USA Today’s Twitter feed showed that 48% of readers disagreed with Senator Burr, while only 41% agreed with Burr’s position.
And in an ironic twist, John McAfee, self-proclaimed “cybersecurity legend” and presidential hopeful, wrote an opinion piece in Business Insider offering to decrypt the iPhone, because he is so strongly against the FBI’s order. Mr. McAfee offered that his team of hackers will “free of charge, decrypt the information on the San Bernardino phone, with my team.”
Implications for CRTC Membership
A potential technology solution that could have helped in this situation is mobile device management (MDM) software. According to an AP story on Feb 21st, SBCDPH had paid for, but never installed, MDM software on Farook’s iPhone. Any CRTC organization issuing mobile devices (e.g., phones, tablets) to employees should consider implementing a MDM solution to maintain organizational control over devices if they are lost, stolen...or worse. Moreover, CRTC organizations are encouraged first and foremost to ensure the organization implements a comprehensive asset management program. This includes ensuring all the organization’s assets are controlled, and that the MDM covers all the mobile operating systems in use on the company network.
Many companies in our membership community who provide digital security products for government and private customers understand the importance of user trust. These companies should closely track developments in this case. For product developers, the potential requirement to assist the government in deciphering encrypted communications on their product(s) could significantly impact their current product security architecture, requiring redesign or possibly an entirely new business model. Knowing this in advance may drive product architecture decisions.
Further, security product developers should also consider the financial impact of a potential consumer migration to foreign manufacturers for security products, as the US laws would likely not apply equally to foreign manufacturers, thereby making foreign products more attractive to security-minded consumers.
In summary, characterizing this debate as a battle between privacy and national security would be an incorrect characterization of the issue. Providing a reusable technical solution to the government for accessing a customer’s encrypted data could undermine both privacy and national security in the US. As many people know from the recent notification by OPM of the compromise of sensitive security background check information, just because the “good guys” are in possession of the “keys to the kingdom” doesn’t mean the “bad guys” can’t get to the keys. 
Who Said It?
In most “privacy vs. security” discussions, it doesn’t take long before someone pulls out the famous quotes from our Founding Fathers, highlighting Ben Franklin’s oft-misquoted statement that “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”
Listening to comments from Benjamin Wittes, a senior fellow at the Brookings Institution and the editor of Lawfare in an interview with NPR's Robert Siegel, we realize that Franklin’s quote wasn't originally intended to mean what people think. 
The words appear in a letter widely presumed to be written by Franklin in 1755 on behalf of the Pennsylvania Assembly to the colonial governor. “The letter was a salvo in a power struggle between the governor and the assembly over funding for security on the frontier, one in which the assembly wished to tax the lands of the Penn family,” he explains in Lawfare blog. 
Wittes notes that Franklin “was writing about a tax dispute between the Pennsylvania General Assembly and the family of the Penns, the proprietary family of the Pennsylvania colony who ruled it from afar. And the legislature was trying to tax the Penn family lands to pay for frontier defense during the French and Indian War. And the Penn family kept instructing the governor to veto. Franklin felt that this was a great affront to the ability of the legislature to govern. And so he actually meant ‘purchase a little temporary safety’ very literally.”
Franklin’s statement wasn’t about liberty, but about taxes and the ability to “raise money for defense against French and Indian attacks. The governor kept vetoing the assembly’s efforts at the behest of the family, which had appointed him”, Wittes states.
“It is a quotation that defends the authority of a legislature to govern in the interests of collective security. It means, in context, not quite the opposite of what it's almost always quoted as saying, but much closer to the opposite than to the thing that people think it means.” 
CRTC members are encouraged to visit the links to background information referenced in this article to better understand all sides of the issue.
Click here for PDF version