4 reasons an iPhone isn’t a Safe Deposit Box (and why that’s a very good thing for us all)
The standoff between Apple Computer and the FBI is now being played out in front of the US Senate. At issue are comparatively ancient laws pitted against leading-edge technologies to battle an age-old nemesis: individuals and groups whose purpose is to harm other human beings.
Should any government agency have the power to compel a company to develop products that jeopardize its customers' privacy and security?
The ancient part is the All Writs Act of 1789, which was originally signed by President George Washington and amended heavily in the early 1900s. All Writs was originally intended to compel a third party to help with a criminal investigation, such as a bank helping when someone put stolen property into a safe deposit box. Today, All Writs can be used by law enforcement to force the bank to either open the box or allow access to retrieve the stolen property.
The FBI is currently invoking All Writs against Apple. The demand is for Apple to create a special version of its iOS operating system so that the security feature that erases encrypted content after 10 incorrect password attempts is disabled for law enforcement.
Here are 4 things to keep in mind as the Senate circus plays out:
1. All Writs Test: Cannot put undue burden on the Party
Like all laws, there are certain tests that need to be met for the law to apply. In this case, the test that All Writs cannot put “undue burden on the Party” will be front and center.
Apple argues that removing security features for the US government puts all of its products, and customers, at risk of brute-force attack. Apple submitted court documents that call it “trivially easy” for attackers to crack passwords without such protections.
Keep in mind that Apple has already turned over the iCloud backup for the phone in question. It turns out an FBI procedural error caused much of the problem.
2. If one country has the keys to the kingdom, shouldn’t they all?
One of the most compelling arguments for not eliminating password protections or creating back doors to encryption is the reality of who should – versus who will – have access to those seemingly use-only-in-direst-need portals to anyone’s secured content. Senators are already voicing concerns that such inroads, once created for one government, will be grasped by all.
To put this in perspective, keep in mind that the top smart phones are predominantly manufactured in China. The fastest-growing smart phone user populations outside India are Pakistan, Indonesia, Nigeria, Egypt, and Vietnam -- areas whose people are increasingly intimidated by organized terrorism.
If a back door is there, every country where the phone is used should have access. At minimum, it creates more means for social injustice or intellectual property theft by authoritarian regimes. It also raises the question of global market trust and impact on product choice.
3. Encryption and Password Protection erosion is bad.
In the movies, opening safe deposit boxes for illicit contents offers a great visual. The blunt-force method is a drill that breaks the lock. However, the movie plot is limited to one location and a few boxes.
Conversely, creating special government overrides for authentication, like passwords, and putting backdoors in encryption is more akin to cutting out walls in the foundation of every building on the planet. Weaken the foundation and you’ll find new stress points never imagined. Also, how secure will those “secret” doors be? Edward Snowden became a household name by showing just how quickly apparently impenetrable tech secrets held by the government can become global headlines.
4. Long term: Mixing public safety, commerce and privacy means costs and complexity multiply accordingly.
Many banks are no longer offering safe deposit boxes for the simple reason that they are labor and cost intensive. Most banks require two staff members to retrieve boxes. Keeping up with billing for a safe deposit box is also costly.
So what will be the long-term impact on the companies that manufacture phones, data storage and in-transit security? Will they have to double staff to keep up with government requests to disable cybersecurity? Or will new security models evolve to bridge the gap between all parties?
For a mobile phone, two already makes sense, as in two-factor authentication to access secured content. There have been discussions about a third factor, namely a “country or state encryption key” that would vary by nation of use or could be used by a trusted political body, such as the United Nations. This third factor could displace (and complicate accordingly) the current backdoors being touted by law enforcement.
Encryption is ubiquitous and here to stay.
Having public debate on the Senate floor moves the discussion from closed-door appeals to tech CEOs and courtroom dramas to a public forum. It will also illustrate how pervasive this case really is. For example, since data can be stored in and manipulated via multiple locations and devices at once, applying laws developed 200 years ago to the technology and threats of today is a stretch. The challenge also extends far beyond a single mobile phone to any technology, consultant, or service provider that touches, secures or stores the data in the cloud, in the data center and on the device.
It's now in public debate and the world is chiming in. Should mobile phones and our data be treated just like valuables in a safe deposit box, subject to the laws and whims of wherever that box (or phone) resides?