The FBI got around ordering Apple to cooperate in breaking its own security, but when the next case arises, and it will, should the company refuse to help, the outcome will have far-reaching implications.
Although the FBI found a way around ordering Apple to assist in cracking the password on an iPhone used by a shooting suspect in the San Bernardino murders, the central issue was not resolved, and there are some pretty compelling reasons why Apple, and others who find themselves in a similar situation, should just say no to such orders.
The heart of the problem is this: The issue is not about this phone in this situation. What could have happened if Apple had complied would potentially have affected every phone (and every device) in every situation.
Companies like Apple take security seriously. They’ve had to, for many reasons. The new reality is that mobile devices such as phones, laptops and tablets are not just personal anymore. They’re our address book, our calendar, our diary, our email tool, all rolled into one. At the same time, they have also become business devices.
With the rise in bring your own device (BYOD) policies and Mobile Device Management (MDM) solutions, companies are in essence saying: “It’s OK to use your own device to transmit, open and work on sometimes sensitive company documents, as long as they are secure,” as mandated by legislation such as HIPAA and Sarbanes-Oxley. Companies do this because they trust the inherent security features in your device and, thanks to changes Apple made to its software after the Snowden incident, the data on its devices was considered accessible only to someone who has the device passcode. Apple specifically designed its security so that not even Apple could decrypt it.
The FBI wanted Apple to create a custom iOS that would in essence eliminate or override these safeguards.
On one level, it may seem reasonable, even justified, for the government to make this legal intercept request, as it’s for public safety. The problem is the slippery slope it creates. This case may have been relatively clear cut, but what about the next time, and the next? What if custom code had been created and then fell into the wrong hands? The even greater issue here is the fact that, once created, this passcode workaround can be compelled time and time again. Few expect that this will be the last time that Cellebrite is called upon to access an iPhone’s data – and not just by the FBI.
The request created a powerful precedent on a government’s right to encroach on its citizens’ privacy and companies’ right to create secure software. It is not difficult to foresee a time in the near future where authorities could compel technology companies like Apple to deploy software over-the-air (OTA) that would share the location, audio and video of their customers’ devices. Legislation is already rearing its head in the United States and UK on data privacy, and it’s causing some businesses to consider things like jurisdictional advantage as part of their core business strategies. More legislation isn’t necessarily the answer as society as a whole wants information to be more secure.
The implications are far-reaching. Having a backdoor built or leaving the ‘key under the mat’ undermines businesses and the security of transactions, whether they be business related or personal. It impacts just about every type of business in every Western economy. And it also means that governments are clearly failing to see the importance of personal security, and that has significant impact for both business and society.
So, what does this case mean for the future of data and data security? If Apple or any other organisation is forced to provide a backdoor, then companies will be forced to re-engineer future versions of their products, making them less secure. Apple has already moved in the other direction with the introduction of Secure Enclave in A7 devices. Secure Enclave isolates security safeguards from iOS, making it even harder, though still not impossible, to access encrypted data or mount brute-force attacks. Nothing being discussed in this case would have protected the journalist who talked about his own feelings of violation when his email was hacked while using free Wi-Fi on an airplane recently.
The industry was closely watching the Apple case because of the precedent it was expected to set on several fronts. The general feeling was, if this can happen to Apple, it can happen to any company. There is a fine line between protecting people’s physical security and compromising their personal security. Apple was doing this for all of us – taking a stand that our private data should remain so.
As it turned out, this was not the precedent-making case we expected. But that case will come: a company will say no to backdoors, its product will not be hackable, and the government will legally compel it to cooperate. The ramifications of such a case will be felt for years to come, regardless of outcome.
By Chris Peel, Vice President Engineering, Echoworx
This article originally appeared in SC Magazine