Digital

The iPhone’s Been Hacked but the Game of High-Stakes Consumer Encryption Will Continue

 

The stand-off with the FBI has now been postponed, pushing the battle of consumer encryption to another day. Credit: iPhoneDigital, CC BY 2.0/Flickr

The stand-off with the FBI has now been postponed, pushing the battle of consumer encryption to another day. Credit: iPhoneDigital, CC BY 2.0/Flickr

If there’s one thing that we’ve learned from the fallout of the San Bernardino terrorist incident, in which Apple has been heavily pressured into writing a backdoor into its own device, it’s that the folks over at the FBI would be absolutely terrible at poker.

Let’s go over the timeline: Apple’s stand-off with the FBI and the US Government started a little over five weeks ago after the Justice Department issued an order to the company, asking it to help the FBI in cracking into an iPhone 5C that had been used by the San Bernardino terrorist. Apple’s help was required, according to the FBI, because too many attempts at guessing the pass code could cause the device’s memory to be wiped completely – a quirky feature aimed at deterring thieves that can be switched on by any iPhone user.

Their request was therefore simple if troubling: Apple could help out by creating a new version of iOS (dubbed “govtOS”) that would remove the 10-passcode attempts feature along with a couple of other changes that would allow the FBI to brute force their way past the phone’s encryption.

This sort of technical manipulation, Apple CEO Tim Cook has declared, would be bad for US national security. “Once created,” he pointed out in a statement, “the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks – from restaurants and banks to stores and homes. No reasonable person would find that acceptable.” Which brings us back to the law enforcement agency’s gambit.

A month ago, FBI Director James Comey stood up before Congress and testified (under oath) that the FBI couldn’t hack into the phone, which is why they were demanding that Apple help out. Last week, the FBI declared that it could access the iPhone without Apple’s help; and that the judicial hearing, which would decide whether Apple should be forced to write a new version of iOS, could be suspended. On Tuesday, the agency announced that it had accessed the data on Farook’s iPhone.

There are two ways of viewing these series of developments, both of which depend on how much you trust the US Government and its law enforcement agencies.

One view is that the FBI was intent on making this case a precedent; a way of publicly upping the stakes so as to expand its powers of surveillance. After all, there’s no public sympathy for the privacy of a dead and convicted terrorist: a Pew Research poll pointed out that nearly 51% of Americans felt that Apple should be forced into helping out the FBI.  Getting a judge to force Apple to create a backdoor for you while getting the opinion of the public behind you is too sweet of a move to pass up.

The other perspective is that the FBI was being honest from the beginning and that at the time of the first Congress hearing, it simply didn’t have any alternative methods of accessing Farook’s iPhone.

Unfortunately, both these views paint the FBI in an unfavourable light. In the first scenario, the FBI is an opportunist and a chicken. While the San Bernardino case initially captured the sympathy of the public, this slowly melted away after an outpouring of support from all quarters allowed Apple to win the public relations battle. In this scenario, it is likely that the FBI realised that it would lose the judicial appeal, thus prompting it to fold its cards and finally look at alternative ways of getting into the terrorist’s device.

In the second scenario, the FBI is simply inept at best and downright careless at worst. Rather than fully examining whether it could contact various zero-day exploit firms or jailbreakers, it decided to embark on a course of action that it knew would endanger public security, consumer privacy and weaken Apple’s encryption standards.

Unfortunately, at the end of the day, the FBI and the US Government are simultaneously some of the worst and most powerful poker players in the world. Even if the FBI folds, as it may have done in this case, it gets all of its chips back and can play again any day without losing anything. Apple’s statement on Tuesday, which claims victory, signals as much. The FBI can try forcing Apple or any other technology company at the next opportune moment.

The India-BlackBerry case

The Apple versus FBI stand-off received global attention, with India being no different. Most newspapers – the Times of India, The Hindu, Financial Express, Business Standard, Indian Express – ran editorials that came out very strongly in Apple’s favour. The Economic Times was the sole paper that took an extremely pro-national security stance, running an editorial that was titled “Our sympathy is with the FBI in its tussle with Apple”.

And yet, it’s not as if India has never grappled with a similar problem. During 2010-2013, the Union Home Ministry and Canadian smartphone maker BlackBerry (then called Research in Motion) locked horns over whether the government should have access to the encrypted traffic that passed through BlackBerry’s devices and its enterprise servers.

BlackBerry, like Apple, took the position that complying with the government’s orders would dilute the high security standards that its customers had come to expect. After much pressure and arm-twisting, accompanied by a rather sinister and veiled threat of banning  the company from India, BlackBerry finally caved in 2013.  During this time, however, BlackBerry didn’t exactly witness a huge outpouring of support from Indian stakeholders.

Take the Financial Express for instance. In an editorial titled ‘In a BlackBerry Storm’, published in 2010, the newspaper points out that the “real problem lies with the communications that are encrypted”.  “Although the probability is low”, the editorial acknowledges, “in theory, a terrorist organisation could sign up for Enterprise [BlackBerry’s corporate software]”.  

It caps it off by pointing out that the Indian government must upgrade its own technical capabilities and asking a little ominously: “Can we really believe that the governments of US and China, two of the most paranoid, would let BlackBerry off the hook that easily? Perhaps, but only if they possess superior decryption abilities.”

Contrast this to the paper’s editorial on the Apple versus FBI case, where it comes out swinging very strongly in favour of Apple, pointing out that if Apple succumbed to the FBI’s request, this would set a bad precedent. “That will truly be an Orwellian 1984,” the editorial notes. “Basically it is not whether Apple can comply but whether it should at all.”

Absolutist encryption

What explains the rather lacklustre response to BlackBerry and India when compared to the support expressed for Apple? While the eventual progression of the two cases became different, it’s mostly because the concepts of network security, surveillance and privacy have become increasingly tangled over the last decade. It has become extremely hard to view these as three separate concepts and tackle them, from a regulatory perspective, as different silos. 

Ten years ago, governments could have, in theory, lawfully set up interception mechanisms at telecom companies in order to snoop on telephone calls or SMSs, without leaving a ‘backdoor’ that could be exploited by other malicious parties such as hackers and criminals. Today – with the centralisation of software, hardware and data in the form of the modern smartphone – it has become extremely difficult for governments to hack into an operating system or piece of software without leaving a door open for other actors to do the same.

Digital encryption therefore is absolutist in nature: if you are a supporter of smartphone and software encryption, you have to support it for everybody. You can’t have loopholes for the government alone to exploit.  Unfortunately, this is exactly what Comey wants. At the FBI-Apple hearing before Congress, the FBI director pointed out: “Our job is simply to tell people there is a problem. If there are warrant-proof spaces in American life, what does that mean and what are the costs of that?”

Warrant-proof spaces have always existed though. Law enforcement agents can’t access the human mind after all. And yet it is in the nature of technology companies, especially Apple, to continue to construct these warrant-proof spaces. Privacy and security are competitive advantages in the marketplace now, as evidenced by Apple’s plans to create a new generation of phones that may be completely uncrackable.

This violent clash of opinions continues even in the fall-out of the San Bernardino case. For instance, after the FBI announced that it had found an alternative means of accessing Farook’s iPhone, civil liberties groups such as the American Civil Liberties Union and the Electronic Frontier Foundation demanded that the FBI disclose the potential security vulnerability that it used in order to gain access to the terrorist’s device, so that Apple could patch it up in a future software update. The FBI on its part has, however, deemed it classified even as it maintains that the method it used could only be used on that one, specific iPhone.

Whose security and interests matter more here? That the FBI and other law enforcement agencies are given an easier job protecting national security? Or that security and privacy of millions of iPhone users, whose private and financial details are often located on their phones, is protected? While these questions haven’t been answered in the Apple-FBI showdown, this incident marks the first battle in deciding how national security and citizen privacy will co-exist in the future.