Apple, FBI, Congress: 5 Burning Questions Raised - InformationWeek
3/3/2016
09:06 AM

Apple, FBI, Congress: 5 Burning Questions Raised

As Apple and the FBI struggle over matters of encryption, privacy and security, a House Judiciary Committee hearing helped to highlight several questions in need of answers.


Engaging in a public contemplation of current encryption policy and practices, Apple SVP and general counsel Bruce Sewell presented testimony before the House Judiciary Committee March 1 as part of a hearing titled "The Encryption Tightrope: Balancing Americans' Security and Privacy."

FBI Director James Comey; Manhattan D.A. Cyrus Vance Jr., representing the National District Attorneys Association (NDAA); and Susan Landau, a professor at Worcester Polytechnic Institute, also gave testimony and answered questions before the committee.

By the conclusion of the hearing, it was clear that a number of ideas and practices will continue to be contested, and that headline-making issues won't be resolved until answers are determined. Questions brought up include:

1. Does the FBI have the right to determine how safe is "safe enough"?

Many of the frustrations of the NDAA and the FBI stem from an Apple software upgrade (with the introduction of iOS 8 in September 2014) that made device encryption the iPhone's default mode. In his testimony, Vance stated, "We want smartphone makers to offer the same strong encryption that Apple employed before iOS 8."

Apple's Sewell, in his testimony, asked: "Should the FBI be allowed to stop Apple, or any company, from offering the American people the most secure product it can make?"

The answer to that question could have ramifications for numerous industries.

2. Can the FBI force a company to produce a product?

Sewell testified that the FBI is asking Apple not only to unlock iPhones, but to "give them something we don't have."

He continued, "[They are asking us] to create an operating system that does not exist -- because it would be too dangerous. … Should the FBI have the right to compel a company to produce a product it doesn't already make, to the FBI's exact specifications, and for the FBI's use?"

Microsoft, Facebook, Google, and other major tech companies plan to file "friend of the court," or amicus, briefs, in support of Apple. If Apple can be made to create a product at the FBI's demand, so can any of them.

3. What security problem does Apple's latest encryption solution address that iOS 7 didn't?

Vance testified that with iOS 7 Apple was able to balance encryption and compliance with court orders.

"It is not entirely clear what cyber-security problem Apple's new encryption is intended to solve," Vance testified. "Individuals' phones were not being stolen and hacked into."

He continued, "Likewise, Apple has not explained how any software it may create for purposes of responding to search warrants -- software which Apple keeps in its sole possession -- would fall into 'the wrong hands.'"

(Image: Mutlu_Kurtbas/iStockphoto)


Landau, in her testimony, provided context that offered a hint at the answer.

"The cyber-exploitation of US companies, in which attackers from overseas have reaped vast amounts of intellectual property, threatens the US economic strength," she testified. "In the last decade, the United States has been under an unprecedented attack, one that NSA Director Keith Alexander has called 'the greatest transfer of wealth in history.'"

4. Is this the last we'll hear of the All Writs Act?

In New York and California, local governments have tried to get Apple to unlock iPhones for them, citing the All Writs Act of 1789. Signed into law by George Washington, it insists that people or companies provide law enforcement with a reasonable amount of assistance.

On Tuesday, a Brooklyn magistrate judge ruled in favor of Apple, which had been brought to court on the grounds of the All Writs Act.


"The government posits a reading [of the Act] so expansive -- and in particular, in such tension with the doctrine of separation of powers -- as to cast doubt on the [All Writs Act's] constitutionality if adopted," wrote Magistrate Judge James Orenstein.

On Tuesday, Judiciary Committee Chairman Bob Goodlatte (R-VA) read aloud a description of the All Writs Act that characterized it as an "antiquated statute … never intended to empower the courts to require a third party to develop new technology."

Goodlatte asked Comey his opinion of that characterization, to which Comey replied, in part, "Old doesn't mean bad."

5. Is the government going to allow "evidence-free zones"?

Current encryption on iPhones has locked the government out of the devices and kept iPhone data away from the government, as well as from Apple. Tim Cook, in his Feb. 16 "Message to Customers," wrote, "We believe the contents of your iPhone are none of our business."

During the House Judiciary Committee meeting, Congressman Trey Gowdy (R-SC) pushed against this idea.

"I hear people advocating for these evidence-free zones. There are just going to be compartments of life where you are precluded from going to find evidence of anything. And I'm trying to determine whether we, as a society, are going to accept that," he said.

Indeed, we can all look forward to more discussion, and some answers.

Michelle Maisto is a writer, a reader, a plotter, a cook, and a thinker whose career has revolved around food and technology. She has been, among other things, the editor-in-chief of Mobile Enterprise Magazine, a reporter on consumer mobile products and wireless networks for ...

Comments
pdembry950,
User Rank: Apprentice
3/7/2016 | 1:19:30 PM
Whose iPhone is it?
I do not see a privacy issue here at all. The iPhone is owned by the City of San Bernardino. It was not the property of the killer. The city is ok with AAPL cracking the iPhone. I do not see why the user of the city's property has any more privacy right than someone who uses a company owned PC. If you want privacy, pay for your own equipment. I also do not see any risk in a modified iOS "escaping" into the world. Do the work at an AAPL facility with the iPhone owner representative there to witness it. Once the data has been retrieved, reload the real iOS and release the phone to the owner. What's the problem?

Another commenter asked why bother since the act has already been committed. The data on the phone may give clues to accomplices and other contacts, although by now they would likely have skipped out. All of this could have been handled quietly except for AAPL wanting to win a pee-ing contest.
Jschmidt27,
User Rank: Strategist
3/4/2016 | 12:09:49 PM
Apple
Evidence free zones are a bad idea and prime for abuse.

The big question is since Apple and other Silicon Valley companies cooperate so readily with Chinese authorities spying on their own people, why are they balking at protecting US citizens when the intervention into the phone requires a court order? Are sales more important to them in China than the security of the US?
Aroper-VEC,
User Rank: Strategist
3/4/2016 | 10:52:05 AM
What does it matter?
My subject is a little misleading but the question it poses really relates more to the specific case for the San Bernardino shooting which has cast a spotlight on this encryption issue. I am having a hard time grasping what benefit would be derived from any data collected from the phone. The shooters are dead and will not stand trial for their alleged crimes. Given that is the case, what benefit would there be from obtaining any data off the phone? What are they expecting to find? A text that calls for the shooting to start? What would be learned from that? The event has passed and these perpetrators committed this act in broad daylight. Short of straight out snooping on every person's personal conversations how could this be prevented from happening again? Suppose we find out that they did text each other prior to shooting up the facility; what do we do with that data? What benefit is provided from establishing a timeline? I don't see much value in all this effort to get data from people who cannot be tried for their crimes since the government already took it upon themselves to execute the assailants.

From a prosecutorial standpoint, it would make sense if there was the possibility of there being data on the phone that implicated those on trial or an additional participant. In drug cases you may reveal the number or contact information for the "boss" or the supplier. In fraud cases you might get exposed to data that corroborates the conspiracy theory or that ties the parties together for the fraud. But, in cases of random shootings, and especially when the shooters are killed, either by their own hands or law enforcement, what benefit is there to such historical data? We've gathered plenty of evidence from prior shootings and learned a lot about the various suspects and we know that this will happen again - as it has. No system has been put into place that has successfully thwarted any mass shooting attempts. If any attempts have been curtailed it has not happened by some data exposure but the old fashioned way, someone tips off the police.

With the Internet of Things on the horizon and more and more data being stored on electronic devices and media, it has become even more important to protect that data. The old ways of doing things are not working. There is a reason why physical locks have gotten progressively more complex over the years. Why should data locks be any different? At least with physical locks you could create additional barriers and make the effort far costlier than the prize. The same thinking should apply to electronic data and the best locks that we have involve encryption. Now, the government doesn't necessarily want to take that away but they want to have a master key. Anytime you create any sort of backdoor you create an exposure vector that is prone to exploitation and you are also left relying on the trust of individuals to protect that "master key". There is an inherent danger in that proposal and one that I am not willing to support. There is no such thing as 100% security but we don't need to be purposely punching "secret" holes in the protection to make the government's jobs of evidence gathering and enforcement any easier and also trust that it will not be exploited in any way. Anyone remember the OPM breach? I do, my SSN was leached in that attack. So, why then should I trust the government with the keys to my most personal data?

I understand that there are still some issues to be settled. I can appreciate law enforcement's difficult tasks. I also appreciate how advances in technology have helped to solve cases; advances in forensics, data modeling, wire tapping, etc. There definitely needs to be a balance but I am not sure where we can find that balance.