A No Win Situation

I found the following letter from Apple in my Twitter feed tonight and I thought it was so important that I had to share it:

http://www.apple.com/customer-letter/

Implications? Staggering.

This doesn’t just have implications for Apple in the US. This has massive implications for Apple worldwide, from encryption, device security and data sovereignty angles. To put it bluntly — what makes you think that the FBI (or any part of the US government really) would use this without hesitation against citizens and then not use it against those who aren’t citizens? If you believe that, I have a bridge in Brooklyn that I wonder if you’d be interested in buying.

Whatever you think of Apple as a corporation, they have a duty of care, etched in law in a lot of the countries they operate in, to provide an experience that protects and safeguards their customers’ data from so-called “bad actors” — identity thieves, hackers, cyber-criminals and others with malign interests — who would use this backdoor for nefarious purposes.

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession. The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

The one thing you can guarantee is that once this “backdoor” was created by Apple, it would only be a matter of time before it was replicated in the wild. Apple has spent countless hours making sure that holes like these do not exist in their iOS products and patching them with alacrity if — and when — they are discovered. To do anything else would be a breach of trust with their customers, and as mentioned previously, a breach of law in a large number of countries they operate in.

To ask Apple, a company that sells well over a hundred million devices built on the iOS platform worldwide every year, to breach the encryption built into every single device running on the iOS platform is staggeringly naive, stunningly negligent and completely without precedent.

Apple, as stated in their letter, would put every single one of those devices at risk by the simple act of creating the backdoor. Every single iPhone, iPod Touch and iPad worldwide would be vulnerable to breach. This is a potential catastrophe the likes of which has never been seen. This is the US government asking Apple to unlock the back door, not only to every house in the US, but to every house worldwide — and then announce that the backdoor existed and was open for business. In a matter of days, weeks at the most, criminals would have replicated the backdoor, breached it and exploited it.

Forgetting the potential liability this would expose Apple as a company to (“I bought an i-device thinking it was secure and my identity was then stolen. Give me millions”), the scale of what the FBI and the US government are asking Apple to do simply beggars belief. If the US government can force Apple to provide this backdoor — and this is exactly what they intend to do — what is to stop them from forcing other companies to provide them with similar backdoors?

What if they forced Visa/MasterCard/Amex to provide them backdoor access to their systems allowing them to browse a list of every transaction you’ve ever made with your credit card? What if they forced Facebook to provide them with backdoor access to their systems allowing them to peruse every conversation you’ve ever had with Messenger, every like button you’ve ever clicked, every meme you’ve ever shared, every profile you’ve ever stalked?*

There is more at risk here than just encryption.

Apple as a company is in a terrible position right now. They are, as they proclaim on all their devices, a proudly American company. The problem with being an American company these days is that it means they are sovereign to the US government — a government that over the last few years has increasingly begun to wage a war against encryption. What you might have missed if you don’t regularly read tech news is that they’ve been waging a war against data sovereignty as well.

If you aren’t familiar with the concept of data sovereignty, here’s a quick overview for you:

Almost every piece of electronic data you access over the internet (e.g. your email) is stored in a data centre. That data, because it is stored on a physical medium (e.g. a hard drive), has a physical presence in a country and is held to be sovereign to the laws of the country in which it is physically present.

This means that if your data is held in a data centre in Ireland, it is sovereign to the Irish government. Traditionally this means that ONLY the Irish government has the right under law to grant law enforcement agencies access to it for investigatory means.

US law enforcement agencies, and the US government too, have sought in recent years to sidestep this sovereignty. In an ongoing case stemming from 2014, Microsoft, an international company with its head office in Washington State, and thus sovereign to the US government, has been ordered by US judges to hand over emails held in its Hotmail data centres not located on US soil or in territories covered by US sovereignty. The emails in question are located in data centres that are in Ireland.

Microsoft is currently in the process of appealing those orders, arguing that if the same was done by a foreign government to data held on US soil it would spark an international incident. They’re losing the battle though. It is only a matter of time before they are forced by the US judicial system to comply and hand over the emails.

The alternative course of action — refuse to comply — is simply unthinkable for a public company. The US judicial system would implement, without hesitation, daily punitive fines until such time as they comply. This leaves Microsoft in a no win situation. Comply, losing your users’ trust and breaching the law of a country that you operate in, or don’t comply, breaching a local judicial order, and be fined into oblivion until you do.^

US law enforcement agencies, and the US government, have shown time and time again that they don’t care about the potential consequences these actions might have. They don’t care that by forcing a US company to give them access to data stored and protected by the sovereignty of another country they are breaching trade agreements and forcing a company to break the laws of another sovereign nation. They don’t care that they are setting a dangerous precedent where any company with a US attack surface (that is, operations within the US) can be forced by their US sovereignty to give the government access that circumvents the laws of other nations.

Moreover, they’ve shown time and time again that they simply don’t care for the rule of law — be it their own, that of other sovereign countries or that set out in international treaties to which they are a signatory.

Where do we go from here?

This problem would seem to have a very simple conclusion — when selecting cloud services, buying tech devices, and/or selecting software you should select options that don’t leave you exposed to US government mandated encryption or data sovereignty breaches.

In the real world though it fast becomes apparent that it is almost impossible to select a technology product or service with zero US attack surface. Every device is running software provided or built by an American company on hardware designed or built by an American company (albeit in China) and utilises cloud services owned and operated by American companies.

It’s a catch 22 and the US government knows it. You will, at some point, have to utilise a US company’s services. In some cases, you’ll have no choice but to choose US companies for your technology needs because there is no other choice. This means exposing yourself to the new reality — the US government, once a bastion of Truth and Freedom, is the latest and most potent enemy of the freedoms they so recently proclaimed to uphold.

How the mighty have fallen.

Knowledge, then, becomes key. Where possible, know what your exposures are and limit them when and where you can by choosing local companies with locally sovereign solutions. You won’t be able to entirely limit your exposure to encryption and data sovereignty breaches but if you’re smart you can control the potential risks involved.

*There is some anecdotal evidence to suggest that this is already happening and that it was ordered by the secret FISA (Foreign Intelligence Surveillance Act) courts. It is illegal for any company ordered to provide this information by a FISA warrant to talk about the fact that they have been forced to provide this information by a FISA warrant. More information can be found here: https://en.wikipedia.org/wiki/United_States_Foreign_Intelligence_Surveillance_Court#FISA_warrants

^For more information on the Microsoft case see:

http://www.theguardian.com/technology/2014/dec/14/privacy-is-not-dead-microsoft-lawyer-brad-smith-us-government

http://www.theguardian.com/technology/2015/sep/09/microsoft-court-case-hotmail-ireland-search-warrant
