As Apple v FBI goes into sequels, is any of our data safe? #encryption #cybersecurity
Over the past months, the US Justice Department has made requests to Apple to help them access data on iPhones which were seized from (1) the deceased gunman in the San Bernardino shootings, and (2) a suspect in a New York drug case. Although these requests have since been withdrawn, the story isn’t over for iPhone users. And the implications extend beyond the USA, to the rest of us.

One of the reasons (there are several, expressed and speculated) that Apple had resisted both requests was that such actions would expose their customers to the risk of cybersecurity breaches, because there would now be a way to get past their own security measures and encryption. As it turns out, Apple did not have to compromise their own security measures and encryption, because in the first case (1), an unknown third party helped the FBI to get into the phone, and in the second case (2) an unspecified person gave them the passcode.
Before you conclude that the story is over, and start following this week’s next interesting news, remember that the following issues are now open:
- There is at least one method of getting past iPhone security and encryption, which at least one third party has discovered. Which means that it’s only a matter of time before that information finds its way into criminal hands. Those criminal hands could be anywhere: New York, London, Moscow, Jakarta, Kuala Lumpur, Singapore.
- The US Justice Department (or the FBI, or the New York police) still have hundreds of iPhones seized in hundreds of cases, from which they want to extract data for investigations. This is probably also true in many cities around the world. So we are only at the beginning.
- Because the requests were withdrawn, there is still no definitive court ruling on whether the requests are valid and enforceable. Which means that the legal battle is still going to have to be fought.
- As the encryption arms race heats up, and Apple declares that it is going to make its security even stronger, there are legislators in the US and other countries calling for laws to either ban encryption, or make it compulsory for companies to provide a way for law enforcers to bypass encryption (‘back doors’).
Cybersecurity experts generally advise that any method of bypassing security or encryption has the potential to be discovered or leaked, whether by negligence, ignorance, deception or corruption, and to fall into criminal hands. Therefore the current state of affairs seems very dangerous for the average user like you or me.
In the past, security-conscious mobile phone users (e.g. people who don’t want their personal data stolen) on both iPhones and Android phones (the majority of users) would have to use specialized apps to encrypt their data.
Today, more encryption is available automatically, as mainstream apps like WhatsApp are providing it by default. These will pose yet another obstacle for law enforcers and investigators — after getting past the phone security, they would have to get past the security on the messages.
However, security-conscious phone users still have to be alert. The fact that Apple’s much-vaunted security could be overcome is a reminder that no encryption (or other security measure) is impenetrable forever. Someday a third party will find a way into WhatsApp messages. And if you respond to a message which contains a link to a dangerous site, or a malware attachment, you would still be in trouble.
Therefore, I suggest that we can’t be complacent just because smartphone manufacturers or messaging app developers are offering encryption out of the box. We still need to be careful about what we say and store on our devices and in our messages, on the understanding that someday, somewhere, they could be compromised.
This is also published on my blog Tech Music Art and Law http://techmusicartandlaw.blogspot.com