7 Reasons a Government Backdoor to the iPhone Would Be Catastrophic

By Noa Yachot

You’ve likely caught wind of the fact that the government and Apple are in the midst of an intense legal showdown in what Edward Snowden has called “the most important tech case in a decade.” The battle is over the legality of a court order compelling Apple to write new software — which the company cleverly referred to as GovOS in a court filing today — that disables several security features that the FBI claims are preventing it from accessing the contents of the work phone of one of the shooters in the San Bernardino attack. Apple is resisting the order, and the company’s CEO, Tim Cook, has committed to going all the way up to the Supreme Court if necessary.

Lest there be any doubt, the ACLU is with Apple on this one, as it was in a similar case several months back. The government’s request is not just about this one iPhone — it has far-reaching consequences for every device, for global cybersecurity, and for basic freedoms at home and around the world. Communications security is critical for the functioning of democracy, and the precedent the government is seeking could do terrible and lasting damage.

Here’s why.

1. The precedent would undermine some of the most important developments in digital security over the last few decades.

To bypass the iOS security features that are preventing the FBI from accessing the contents of the phone, Apple would need to cryptographically “sign” a new version of iOS before pushing it out to the phone (in the same manner it does whenever iPhone users update the iOS on their phones). The signing step essentially confirms that Apple vouches for the update.

If Apple is forced to sign the new, security-broken GovOS, it would undermine one of the most important developments in digital security in recent years. These days, all tech companies build automatic updates into their products. This is an excellent way to ensure that security flaws are patched up as quickly as companies can discover them and that all of us continue to use secure devices immune from malicious attackers.

But once the government secures a precedent to force a company to vouch for an update that it knows is actually insecure malware, users will stop trusting automatic updates. After all, how would anyone be able to trust an update from Apple when the public knows that the government might be directing the insertion of vulnerabilities into new software, even when it’s signed by Apple? Vulnerabilities will go unfixed, creating an optimal environment for hackers and spies. At a time when even President Obama has recognized cybersecurity to be one of the most significant economic and national security threats we face today, it makes no sense to undermine one of the best online security mechanisms out there.

2. Foreign governments and cybercriminals would rejoice.

The malware that the government wants Apple to write would certainly be used as a mold to break into other iPhones — indeed, law enforcement is lining up in case Apple loses this case. A government-mandated master key to a locked smartphone would be like candy to foreign governments who want to monitor their citizens, and tech companies — who can currently resist such requests by arguing that they simply do not possess the software required to help — won’t be able to refuse to comply with demands abroad if the U.S. government gets its way in this case. (Keep in mind, also, that most other countries lack the procedural and substantive protections against searches and seizures that our Constitution guarantees.)

Indeed, a government win in this case would almost surely have a domino effect leading to thousands of such requests — not just to Apple, but to all consumer tech companies. If every tech company needs to be ready to write new backdoors into its product, that means the introduction of scores of new vulnerabilities into the world. And the more such backdoors exist, the more malicious actors will focus their efforts on seizing them.

3. The human rights implications are chilling.

Again, it’s not hard to imagine the Chinese government serving Apple with a warrant to hack into the phone of a dissident activist or intellectual. That development would have a devastating impact on democracy and human rights activists and movements worldwide, which depend on secure communications to flourish. Recognizing the importance of encryption to human rights, the U.S. government has spent tens of millions of dollars to equip activists around the world with technologies to allow them to communicate securely. This case could undercut those efforts in one bang of the gavel.

4. With the Internet of Things, the government wouldn’t need your smartphone to spy on you.

If the FBI wins the struggle against Apple, the implications would extend far beyond your phone. The precedent would allow the government to demand backdoor access to any device it thinks might assist it in an investigation. With the proliferation of smart devices that are constantly connected to the Internet, all those warnings about the end of privacy that may have once sounded hyperbolic will have proved prescient. That smart TV, wireless shower speaker, or intelligent oven could be compromised by a manufacturer compelled by the government to monitor you at home.

5. Putting this powerful tool into the hands of law enforcement agencies that have a history of biased policing will compound existing disparities.

We know that there are existing disparities in policing and warrant execution practices. Increased government investigative powers will simply reflect — and likely exacerbate — these disparities. In other words, already overpoliced communities are likely to be the recipients of these new age search warrants, which provide concerning government access to our digital data.

This is particularly concerning because the government has taken the position that once they have access to your phone, they have the authority to look at everything. So, an investigation into a minor drug crime could result in police sifting through emails, text messages, and everything else stored on the phone.

6. In a democracy, companies are not conscripted to work for the government against their will.

Forcing a private company to become an investigative agent for the government is an extreme proposition that wouldn’t stop with this one phone. If the government gets its way in the Apple case, it will get a green light to compel tech companies to work on its behalf whenever it wants help coding its way through the defenses of a given device. There’s a big difference between compelling a company to hand over information already in its possession and compelling a company to serve as a spy for the government. If the government prevails in the Apple case, it would make for an unprecedented expansion of government overreach — not just into our data, but into our creative agency.

7. Encryption has been used to communicate for centuries.

Some of America’s highest-level security officials, including former NSA Director Michael Hayden and former DHS Secretary Michael Chertoff, have extolled the virtue of encryption in securing our cyberdefenses. They are part of a rich history. As our friends over at EFF have noted, the Founding Fathers of the United States were big fans of encryption, which they recognized was critical to prevent their communications from falling into the wrong hands. Not only did the Founding Fathers use encryption, but they actually developed encryption tools after America was independent — to protect their communications from the government they helped to start.

The bottom line is that for the sake of privacy, data security, and democracy — we should be focused on strengthening our digital defenses, not weakening them. That’s far more important than the data on any one phone.

Noa Yachot is a Communications Strategist for the ACLU

16 comments

  1. Once again the ACLU is the defender of child molesters, child pornographers, drug dealers and terrorists. Allowing these types of individuals a safe digital haven is bad for public safety. The government has obtained a legal warrant to obtain access to the San Bernardino terrorists’ phones. The author cites Eric Snowden as an authority supporting his position. Pathetic and once again the Davis Vanguard becomes a tool of the ACLU.

    1. I think Wizner made the point well here last week when he argued that “there is a reason why in the Fourth Amendment, suspicion of wrongdoing comes before search. It’s not only because of the presumption (of innocence) that we should generally (be careful), it’s because of the danger that a government with enough data about any of us can find some basis for being suspicious.”

      1. The government can already get in to all our phones and read all our e-mails (I wonder if Tia saw anyone from “homeland security” after her C4 comment last week).  This is just about the government wanting an “easier” way to get in to any phone to make it “easier” to put people in jail.

        The San Bernardino terrorists are horrible people (and dead) so the government was smart to claim that they need to get in to “their” phone (they have convinced many people including zaqzaq). It does warm my heart to read more on the far left like David are starting to realize that the government wants to make things easier for government (and is not our friend).

        1. SOD

          “The San Bernardino terrorists are horrible people (and dead) so the government was smart to claim that they need to get in to “their” phone”

          A question for you. What if the owner of the phone was not dead but had escaped? What if there was evidence that this was just one of a series of planned attacks? Still no reason to cooperate on the part of Apple? What makes the CEO of a corporation a better judge of what information should be made available than a judge acting on a petition of the FBI? I am also very concerned about the “creation of a backdoor”. But at what point does safety outweigh privacy?

          Again, I have no answers. Only questions for consideration.

        2. Tia wrote:

          > A question for you. What if the owner of the phone was not dead but had escaped?

          I’m fine if Apple (or anyone else) “wants” to help the government find a criminal that has escaped (or design a “back door” to get data).

          I don’t see any difference between the government “forcing” Apple to help them get data from a phone as putting Tia and David in leg chains and “forcing” them to help “look” for the escaped criminals all day.

        3. First of all, the Government isn’t using Apple to get a criminal in this case – the guys are in custody and the government has plenty of evidence against them.

          Second, Apple isn’t just turning over data, the government is actually asking Apple to hack into the device, that takes this to a whole other level.

  2. “The bottom line is that for the sake of privacy, data security, and democracy — we should be focused on strengthening our digital defenses, not weakening them. That’s far more important than the data on any one phone.”

    I think that the “bottom line” is much more complicated. I have very mixed feelings about this issue and would like to play devil’s advocate for a moment. The ACLU and Apple are basing their objections on hypotheticals. So let’s play with some hypotheticals on the other side of the issue. Let’s suppose that the data on the “any one phone” was felt by the FBI to be critical to preventing another 9/11, or a nuclear attack on major American cities, or the release of smallpox or some other biologic or biochemical weapon, let’s say at a major hub airport. Still no cooperation from Apple? Where would they draw the line? Is there no point at which the public safety would take precedence over Apple’s proprietary rights? I have no answers, only concerns which I think are worth discussing.

    zaqzaq

    “Pathetic and once again the Davis Vanguard becomes a tool of the ACLU.”

    I certainly do not feel that opening this very important conversation with an opinion piece from the ACLU in any way makes the Vanguard “a tool of the ACLU”. The Vanguard is all about the initiation of conversations and it certainly seems to have been successful in eliciting your contribution.

  3. South of Davis

    “The government can already get in to all our phones and read all our e-mails (I wonder if Tia saw anyone from “homeland security” after her C4 comment last week). This is just about the government wanting an “easier” way to get in to any phone to make it “easier” to put people in jail.”

    Two thoughts about your post.

    1. Many believe that the most important duty of the government is to attempt to ensure the safety of our citizens. This has been stated many times, in many different ways from posts here on the Vanguard to the debates and campaign speeches of the presidential candidates. So it would seem that many are willing to accept draconian measures when they see those measures as only affecting others, but not when they feel it might threaten or inconvenience themselves.

    2. Nope, no contact from the feds. But what I have had is a great deal of unsolicited contact from companies trying to sell me products and services based on other sites that I have visited voluntarily.

    There seems to be a great deal of distrust when we are talking about the government having access to our information, but very little concern is demonstrated when large corporations have access to the same information. What baffles me about this perspective is why one would trust the CEOs or other decision makers at a major corporation (over which we have no power at all, not even the vote) over the decision makers in the government? Both are humans with all the frailties and temptations of humans. So why the unquestioned trust in the “private sector” to have our best interests at heart over those who have built public sector careers?

    1. Tia wrote:

      > There seems to be a great deal of distrust when we are talking about the government having access to our information, but very little concern is demonstrated when large corporations have access to the same

      I have an equal level of distrust for big business and the government, but I fear the government a little more since the government can audit me or put me in jail (while big business can just mail me tons of junk mail and torture me with pop up and banner ads)…

      1. Excellent distinction between the threat of an overly powerful government and the threat of an overly powerful corporation. The real devil’s brew is when one works closely with the other to their mutual benefit.

      2. I think you are underestimating the threat of big business. There are also questions about how well big business will guard the information that they acquire on people, whether it can be stolen in data breaches as we have already seen, people can have that information used to blackmail in some cases, steal identities in other cases. That’s just the tip of the iceberg.

  4. This article is excellent as was the one by Wizner.

    It seems clear that an enlightened, modern American should simultaneously be a member of the ACLU and the NRA.

  5. Napoleon

    “Excellent distinction between the threat of an overly powerful government and the threat of an overly powerful corporation. The real devil’s brew is when one works closely with the other to their mutual benefit.”

    And this was the point that I obviously should have made clearer. I think we are well beyond the point where those with the most economic resources which are usually highly economically successful businessmen and women have undue influence in our electoral system.

  6. I’m not a cybersecurity expert, but have done some programming in the past and have worked a lot with software, including software with both passcode and hardware plug-in keys; and can think of ways to resolve each and every one of the 7 points that are raised in this article (some of the points listed as problems are really false problems; they are easily bypassed).

    The main bugaboo is what to do about foreign government requests for software keys; and how contracts & inter-governmental policies for security agreements can be negotiated. I think some precedent for similar highly secure information-sharing agreements exist in the diplomatic world (embassies & such) already.

    It will take some effort and likely some legislation; but I see nothing fundamentally impractical about ensuring privacy at current levels, while at the same time providing a mechanism for judge-signed warrants for access to a combined software/hardware key (a few copies that are locked in safes in several regional FBI offices, for example, with rigorous protocols, chain-of-custody, etc).

    This is mainly a technical and protocol problem, and has a technical and protocol solution.

    I’d like to see an article on this issue that, instead of throwing up problems that can be bypassed, has the objective of exploring the best means (including legislative means) by which both privacy concerns and security concerns can be addressed; I don’t think that in this particular case the two need to be mutually exclusive–seek for solutions that satisfy both sets of concerns; I think there can be a win-win here.
