Legal battle could have had unpredictable cybersecurity consequences.
By now, most people are familiar with the recent Apple vs. FBI dispute about the right to gain access to information on the iPhone of the San Bernardino shooter who was involved in a terrorist event that rocked our nation. The case drew worldwide attention because the outcome threatened to alter the balance between privacy and security from a national and global perspective.
The gunman had two cellphones. His private cellphone was destroyed. However, his work cell was retrieved, and the FBI wanted to identify any information on that phone that could be of value to the investigation. Both the FBI and Apple hoped for justice to be served on behalf of the victims of this terrorist attack. However, the point of concern was the actual process by which justice would be achieved.
The use of iPhones is now widespread. An estimated one out of three people in the United States were iPhone users at the end of 2015, with an estimated 101 million worldwide, according to a Consumer Intelligence Research Partners report. These users expect certain levels of privacy and security. In response to this rightful expectation, Apple has hardened the iPhone operating system over the last few years. Apple now encrypts all devices by default and protects them with a four-digit passcode. A valid passcode will allow access to a decryption key that can be used to access information on the phone. If there are 10 unsuccessful attempts to enter this passcode, the decryption key will be permanently erased, rendering the information on the phone impossible to access.
In February, a judge ordered Apple to create a special software tool to circumvent the security measures in the iPhone. Apple fought the order that required it to do three things:
* Disable the limit on the number of attempts for the passcode.
* Allow the FBI to enter these passcodes automatically via some electronic method such as Bluetooth or Wi-Fi.
* Ensure there is no unnecessary delay introduced between attempts to enter the passcode.
The FBI eventually found outside assistance and dropped its case against Apple. But the questions the case raised were troubling to many. The court order sought to force Apple to create a software tool allowing the FBI to hack into the iPhone, stating that the tool would only need to work on the specific phone about which the FBI was concerned. After that, Apple or the FBI would be free to destroy the tool for hacking the iPhone.
At face value, that sounded like a wonderful outcome. However, things are different in the digital world than the physical world. In the physical world, if a tool is no longer needed, it can simply be destroyed. In the digital world, it is much harder to destroy something once it has been created. A complex digital tool can be perfectly replicated many times with ease and with low traceability, making it the potential target of cyber criminals.
Given the way that digital devices and cryptography work, the tool Apple was being ordered to create to hack a specific iPhone could be used to target any iPhone, iPad or the new Apple TVs. This tool would have the potential to allow governments or cyber criminals to access the data of millions of users and to violate their privacy without any significant barriers of protection.
For many who struggle with understanding the ramifications of this potential issue, it can be likened to a home security system. Imagine if there were a key, or a code, one could use to unlock all home security systems, regardless of previous safeguards put in place. The results could be catastrophic if the tool used to create this access were leaked, stolen or archived.
It is inappropriate to ask companies to reduce or circumvent the security measures that they incorporate into their products. Cyber terrorism and cybercrime occur at higher levels than ever before. We should encourage corporations to incorporate as many techniques as possible into their products to protect and secure our private data. No company has ever been ordered to develop software to circumvent its own security measures. The court order, had it been enforced, would have set a precedent with far-reaching and unforeseen consequences.
Companies should not be in the equation. We should uphold their mission of protecting the privacy of consumers.
Robert E. Johnson III is president and CEO of Cimcor Inc., a Merrillville-based company at the forefront of initiatives to protect critical IT infrastructures for global corporate, government and military clients.