Why I disagree with nearly everyone regarding Apple and the FBI.

Most people seem to have lined up into the usual polarized camps regarding the FBI’s demand for access to an iPhone associated with the San Bernardino attacks: on the one side, privacy advocates who are opposed to the Government’s action, and on the other side, people who support the Government because they are concerned about terrorism. I disagree on some level with a lot of the positions and explainers that I’ve read on this, so I thought it was worth taking a few minutes to express my perspective.

First, the specific thing the FBI is asking for is not a “backdoor” and it does not threaten the security of other iPhone users.

Computer scientists worry about creating backdoors for law enforcement access to popular software and communications systems. I wrote a paper about this once. The reason we worry is that these backdoors weaken everyone’s security in order to afford law enforcement access. Criminals can sometimes take advantage of those backdoors to do things that we don’t want them to do.

What the FBI is asking for in this specific case doesn’t weaken the security of my iPhone or your iPhone. It is an update that only needs to be run on the specific phone associated with the San Bernardino attacks, and it only weakens the security of that phone. Therefore, it doesn’t raise the same kinds of issues that computer scientists are normally concerned about when they object to “backdoors.”

Furthermore, there is little risk that the software will leak, because it can be constructed in such a way that it will ONLY be accepted by the specific iPhone in this case.
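To make the point above concrete, here is a small sketch of a device-bound signed update. It is an added example, not Apple's code or its actual mechanism: a Lamport one-time signature built from SHA-256 stands in for the vendor's real signature scheme so the sketch needs only the standard library, and the function names, device IDs and image bytes are all constructed for illustration. It assumes the device knows its own ID and refuses unsigned code.

```python
import hashlib
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(msg: bytes):
    # The 256 bits of SHA-256(msg), most significant bit first.
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(_h(a), _h(b)) for a, b in sk]

def sign(sk, msg: bytes):
    # Reveal one secret per message bit (a key must sign only one message).
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        _h(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def personalize(sk, firmware: bytes, device_id: bytes) -> dict:
    # Vendor side: the signature covers the image hash AND one device's ID.
    return {"device_id": device_id, "sig": sign(sk, _h(firmware) + device_id)}

def device_accepts(pk, my_id: bytes, firmware: bytes, ticket: dict) -> bool:
    # Device side: rebuild the signed message from its OWN ID, so relabeling
    # the ticket for another device cannot make the signature check pass.
    bound = _h(firmware) + my_id
    return ticket["device_id"] == my_id and verify(pk, bound, ticket["sig"])

def demo():
    sk, pk = keygen()
    image = b"constructed sample update image"
    target, other = b"DEVICE-0001", b"DEVICE-0002"  # constructed IDs
    ticket = personalize(sk, image, target)
    relabeled = dict(ticket, device_id=other)  # leaked copy, ID field edited
    return (device_accepts(pk, target, image, ticket),     # intended phone
            device_accepts(pk, other, image, ticket),      # leaked to another phone
            device_accepts(pk, other, image, relabeled),   # leaked and relabeled
            device_accepts(pk, target, image + b"!", ticket))  # image modified

if __name__ == "__main__":
    print(demo())
```

Only the first case is accepted: a leaked copy is useless on any other device unless the vendor's signing key leaks as well.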

The bottom line is that the FBI’s specific request in this case has little to no negative consequences for people’s privacy or security on a technical level. Furthermore, they’ve got a warrant! So why not let them proceed? Well, that brings me to my next point:

Second, the WAY that the FBI has asked the court to issue this order may lead to other things that DO threaten security and privacy.

If a court can order Apple to create an update for the specific iPhone connected with the San Bernardino attacks, which weakens a security feature in that iPhone, this raises a question: What else can that court order Apple to do under the scope of the All Writs Act, and under what circumstances?

Could a court order Apple to send a security-weakening update over the air to a phone that is still in use? Imagine all of the devices in your house that can receive software updates. Not just your computer and your phone, but your television set, your thermostat, and your car. Over time, more and more devices are going to be connected to the Internet.

Can the FBI force companies to turn any of those devices into a monitoring device whenever they have a warrant? This is a serious question that I think people need to think about, because it looms closely on the horizon.

How often will different law enforcement organizations use this kind of authority? How much cost and expense should individual companies be forced to incur supporting law enforcement by making software updates like this that spy on their customers? Is that something the courts are equipped to figure out?

If a court can order Apple to send an update to a specific suspect’s device, can they order Apple to send an update to everyone’s devices? Could the court do that without a warrant, as long as the update only collected information, such as meta-data, that the court did not require a warrant to access?

What about the NSA? In the United States, searches that are performed for an intelligence purpose don’t require a normal, probable cause warrant, and are handled by a special Foreign Intelligence Surveillance Court with secret proceedings. What kinds of software updates might be ordered by this secret court?

What about other countries? People all over the world use technology that is made here in the United States to communicate. If our Government prompts American tech companies to get set up to deliver rogue updates to their products for law enforcement use, Governments in other countries will order the same things, perhaps under very different standards of suspicion and oversight.

The law that the court order in this case involves, the All Writs Act, was written in 1789. Obviously, the authors of this law did not anticipate the complicated set of questions that I just posed. Regardless of whether or not the courts believe that the All Writs Act can be used in this way, Congress has the power to pass new legislation governing this area, and is probably better equipped to consider all of the complicated details.

Unfortunately, I lack confidence in either the courts or the Congress to reach the right balance here. The cloud hanging over all of this is the fact that the United States operated an illegal domestic mass surveillance system for many years, with the full knowledge of the senior politicians responsible for Intelligence oversight. Are the people responsible for this massive policy failure ready for the challenging questions that lie ahead? As John Adams once put it, “we have not men fit for the times.”

Mostly thoughts about privacy and infosec.
