This time last year the FBI and Apple were spoiling for a fight in what promised to be an epic battle between privacy and government overreach. No sooner had the two suited up and laced their gloves, than the battle fizzled out after the FBI used a third party to crack the iPhone 5C used by San Bernardino shooter Syed Rizwan Farook that was at the heart of the controversy.
Soon after, another high-profile case involving access to an iPhone – as part of a drug investigation in Brooklyn – came to a screeching halt when authorities got the password for that phone from an outside party.
Despite those positive turns of events, Apple – and other tech companies – couldn’t take off on their victory lap. Though it was eclipsed by the tumult of the presidential election – Hillary Clinton’s use of a private email server, the swell of allegations that Russia interfered in a sacrosanct democratic process, and a furiously tweeting president-elect sucked up much of the air in the room – the debate at the center of the Apple-FBI dust-up is still brewing.
“The FBI found a way to crack iPhone without Apple’s help,” explains Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP). “So we never got a legal judgment.”
What the industry did get, though, was a hint at policy to come. “An enormous amount of consensus emerged that a backdoor in an encrypted system is not good, it creates a key” for access, says Hughes. “Any backdoor creates a security risk.” The public, activists and some lawmakers rightly assessed that leaving a way in for even the most upright of democracies would open it up to national and intelligence initiatives of more nefarious governments and organizations.
Apple CEO Tim Cook was overwhelmed with the initial response from a wide swath of the public. “Over the past week I’ve received messages from thousands of people in all 50 states, and the overwhelming majority are writing to voice their strong support,” he wrote at the time in a letter explaining why Apple wouldn’t cave to the court order mandating it heed the government’s request for help in the San Bernardino case. “One email was from a 13-year-old app developer who thanked us for standing up for ‘all future generations.’ And a 30-year Army veteran told me, ‘Like my freedom, I will always consider my privacy as a treasure.’”
Indeed, a Thycotic survey of 250 Black Hat Las Vegas attendees shows similar support for the Cupertino, Calif.-based company’s position. Nearly half, or 45 percent, think the U.S. government has been hacking and spying on citizens’ personal data for a very long time, and that this has only now come to light. And four out of five respondents believed Apple was in the right.
Cook, personally, has drawn praise for standing strong. “Tim is unwavering in his support of an individual’s right to privacy,” Rep. John Lewis (D-Ga.) wrote of Cook last year in Time’s 100 Influential People. That’s high praise indeed, from the noted civil rights leader who as a young man marched with Martin Luther King Jr. over the famed Pettus Bridge in Selma, Ala.
Tech companies and their leaders that don’t show similar backbone might find potential customers hesitant to purchase their products, a panel at SC Congress in Atlanta agreed last spring.
“If I know a company has willingly built back doors into their products, from a purchasing perspective, it’s a factor I take into consideration,” said Kevin Morrison, head of information security for Jones Day, even if those backdoors are there for maintenance purposes.
That kind of thinking likely shored up the Cupertino, Calif.-based company’s resolve in taking on the government. Self-described “Apple geek” Gary Phillips, CISO of the Enterprise Infrastructure Services (EIS) division of Time Warner, speaking on the same panel, said he wouldn’t “attribute to Apple any high-minded ideas. I think they protected their market.”
The Apple case also sparked an uptick in the interest and use of encryption by both vendors and users.
“Encryption is becoming more and more common,” says Hughes, “though it creates a bit of escalation – intelligence [agencies] want access and consumers want more and more protection.”
The last 12 months have given rise to numerous events that will likely test the mettle of Apple and its peers, as well as users, on issues of backdoors and encryption. Expanded NSA and FBI surveillance powers and a new U.S. president who has thus far proved inscrutable on issues of policy but has expressed strong feelings about – and even urged a boycott of – Apple over its resistance to the government’s entreaties, threaten to change the landscape.
Privacy watchdogs went on high alert earlier this year, after the NSA was given expanded powers to exchange information gathered in its global surveillance operations. The intelligence organization will now be allowed to share raw data with the federal government’s 16 other intelligence agencies.
The Obama administration’s order stipulates that communications intercepted by the NSA can be shared before privacy protections are applied. Previously, the NSA was restricted in what it could do with the data collected as part of its surveillance activities.
The alteration means that more government personnel will have access to the intercepted raw data – which includes communications from satellite transmissions, phone calls and emails both in the U.S. and abroad.
When asked whether he believed this new rule to share “raw signals intelligence information” will threaten privacy rights, Nate Cardozo, senior staff attorney at the Electronic Frontier Foundation (EFF), a digital rights group based in San Francisco, told SC Media that indeed, it would.
“This change represents a significant and substantive expansion of the number of people and agencies permitted to access raw, unfiltered, warrantless surveillance data,” he says.
The bulk collection of communications data of Americans is taking place today, purportedly under the authority of Executive Order 12333, Cardozo explains.
“That collection violates the Fourth Amendment. These rules don’t make the underlying collection any more (or less) unconstitutional.”
These rules, especially Section VIII, invite law enforcement to engage in illegal “parallel construction,” Cardozo told SC Media. “Warrantlessly collected data is (in essence) laundered and hidden, not just from criminal defendants, but even from courts.”
The FBI, too, was granted sweeping new authority to broaden its spying as Rule 41, a new edict proposed by the Supreme Court, was adopted in earnest, granting U.S. judges the right to sign off on warrants outside their jurisdiction.
Whereas judges previously could only provide orders within their own locale (usually spread over a few districts), the new rule would apply to a wider dragnet, even across countries. The intention is to more effectively prosecute cybercrimes which, of course, could originate and spread beyond one particular jurisdiction. But privacy advocates argued that Rule 41 would allow the FBI to expand its surveillance capabilities. An agent would need only to get a judge’s signature on a search warrant to put into play the agency’s network investigative techniques (NITs), which allow the agency to hack into and monitor any computer or device on the globe.
As with most issues, where Donald Trump will land on surveillance, government requests and encryption now that he’s in the White House is anyone’s guess. “Trump has spoken strongly about surveillance,” says Hughes, “but he loves his personal privacy.”
In February 2016, the then-Republican candidate told Fox and Friends, “I agree 100% with the courts. In that case, we should open it up. I think security over all — we have to open it up, and we have to use our heads. We have to use common sense.”
Days later he called for a boycott of Apple until the company aided the FBI and accused Cook of “looking to do a big number, probably to show how liberal he is.”
The EFF points out that Trump was quoted as saying during the campaign that he tended “to err on the side of security” and also spoke in favor of restoring portions of the Patriot Act.
“When you have people that are beheading [you] if you’re a Christian and, frankly, for lots of other reasons, when you have the world looking at us and would like to destroy us as quickly as possible, I err on the side of security,” Trump was quoted as saying.
He has also called whistleblower Edward Snowden a “terrible threat” and a “terrible traitor.”
Hints at how the wind may blow for tech companies and the government going forward may be found in Trump’s cabinet, intel and advisory picks.
Sen. Jeff Sessions (R-Ala.), nominated for Attorney General, called out the USA FREEDOM Act, which replaced Section 215 under the Patriot Act, for making “it vastly more difficult for the NSA to stop a terrorist than it is to stop a tax cheat.”
Trump’s pick for CIA director, Rep. Mike Pompeo (R-Kan.), in an opinion piece in the Wall Street Journal, called for “a fundamental upgrade to America’s surveillance capabilities” and said “legal and bureaucratic impediments to surveillance should be removed.”
In fact, surveillance should be taken a step or two or three farther, Pompeo opined, saying, “Congress should pass a law re-establishing collection of all metadata, and combining it with publicly available financial and lifestyle information into a comprehensive, searchable database.”
He’s had even harsher words for Snowden than Trump, saying the whistleblower “should be brought back from Russia and given due process, and I think the proper outcome would be that he would be given a death sentence.”
In January, Russia extended Snowden’s asylum by three years, just a day after President Obama pardoned whistleblower Chelsea Manning. Amid findings by the intelligence community that Russian operatives meddled in the U.S. presidential election, Trump has continued to praise the country’s president, Vladimir Putin. Whether the two will agree or clash on Snowden’s fate remains to be seen.
Just how hard – or even if – Trump will press tech companies into action on behalf of his administration’s security goals is also up in the air.
Tech pros recently pushed back against Trump’s pledge to build a Muslim registry that he says will help curb terrorism. Last December, nearly 3,000 Silicon Valley engineers pledged to not participate in the building of any such registry. “We refuse to participate in the creation of databases of identifying information for the United States government to target individuals based on race, religion, or national origin,” they stated in a letter.
They’re likely to maintain their stand against providing backdoors into their products as well. But the issue continues to percolate and will do so until the industry gets a legal ruling – whether that will come this year or later depends on whether the Justice Department makes it a priority going forward.
But, how’d they do it?
After months of spurning the government’s advances, Apple found itself in the unenviable position of trying to get the FBI to tell it just how a third-party vendor, said to be Israeli security firm Cellebrite, was able to crack the iPhone 5c that belonged to San Bernardino shooter Syed Rizwan Farook. Now 100 pages of documents released by the bureau in response to a Freedom of Information Act (FOIA) lawsuit purport to do just that…only the documents are heavily redacted and don’t reveal much at all.
The Associated Press, Gannett and Vice Media had filed a federal lawsuit asking for details on who the FBI hired to get into the phone, how it was done and how much the agency paid, even while insisting that only Apple could aid lawmakers in providing access.
According to the Associated Press, the documents, marked “secret,” revealed that the FBI signed a non-disclosure agreement with the vendor and also entertained interest from three different companies.
That a third party was able to get into the phone’s encrypted files lent credence to the belief that the FBI was hoping to make an example of Apple, using the dispute as a test case to set legal precedent.
A breach at Cellebrite and the theft of as much as 900GB of information also likely proved Apple right in taking a stand against providing a backdoor into its products. In a statement on its website Cellebrite said, “The impacted server included a legacy database backup of my.Cellebrite, the company’s end-user license management system.”