More Than Meets the iOS
Three important takeaways from the Apple/FBI standoff.
By Tom Kulik
You are probably aware of the dispute between Apple and the FBI, where a federal judge ordered the company to access and decrypt an iPhone owned by one of the perpetrators of the December 2015 San Bernardino shooting in California.1
Apple fought the order tooth and nail,2 given its investment in the customer security and privacy provided by its operating system’s encryption.
The FBI chose this battleground carefully as an effort to pry back Apple’s encryption armor. As the drama escalated, however, the bureau abruptly changed course when it announced that it had found a third-party provider who was able to successfully hack into the iPhone.3
Even though the FBI moved to vacate the order to compel as a result,4 here are three reasons why you (and your business) should be paying attention.
1. Escalation is inevitable.
Both Apple and the federal government have been on a collision course since Apple implemented encryption on its mobile devices with the release of iOS 8. There are already reports that Apple is in the process of making it even harder to hack its mobile operating system. Other mobile phone and app providers are watching closely,5 and it would be no surprise should they follow suit.6 In fact, WhatsApp—a platform owned by Facebook that has a billion-plus monthly users—just switched on end-to-end encryption for all communications.7 At a minimum, these moves will likely create a cycle of never-ending software security and privacy escalation that may impede less costly alternatives and increase costs to the consumer.
2. This is not a one-off decision.
Regardless of your sympathies for either side of this debate, our system of common law is built upon precedent—the compilation of judicial decisions over time that embody the laws under which we live. Should the government prevail, there is not just a possibility, but a likelihood that such a ruling would evolve into precedent.
An expanded use of the All Writs Act (as part of the Judiciary Act of 1789) underpins the arguments in this case. A federal magistrate in November 2015 ordered Apple to work with federal prosecutors to access and decrypt an iPhone in a bankruptcy and passport fraud case.8 Even last summer, federal investigators apparently attempted to access a locked iPhone under a search warrant regarding a stolen, altered, and/or counterfeit check scheme.9 Hundreds of requests to unlock iPhones have inundated the FBI10 since at least October 2015. In fact, Apple alone has dealt with at least 12 such requests since September 2015.11
Without question, this is more than just a one-time governmental “ask.” Given that the FBI admitted its “mistake” in changing the Apple ID password associated with the shooter’s phone,12 should companies ever be compelled to “hack” their own products when such alternate modes of extraction exist? If so, where do they draw the line? A federal judge in Brooklyn, New York, seems to have done so recently, holding the government’s arguments to compel Apple’s technical assistance under the All Writs Act so expansive as to cast doubt on their constitutionality.13 The consequences of this decision may affect the viability of the pending EU-U.S. Privacy Shield, which will replace the U.S.-EU Safe Harbor program that has yet to receive the full blessing of EU regulators. Businesses everywhere need to contemplate these questions, especially where the business model relies in any way upon secured platforms, communications, or data.
3. The hack will definitely not stop here.
The Apple iOS is a closed system. If you think any “master key” that the company creates to access and decrypt the operating system will be used only once, you are mistaken. Such an exploit would, at the very least, create a tool and mechanism that may prove too tempting not only to the federal government but also to others with far less altruistic motives. Apple itself has stated publicly on its website that it cannot guarantee its own control over such a “backdoor.” Any workaround could be a shining beacon of opportunity for every hacker seeking to access and exploit iPhone data—something that won’t go unnoticed by Apple’s customers and developers.
Some mobile app developers leverage the strong encryption of iOS as a compelling feature of the platform. Without question, knowing that an exploit exists that cannot be “patched” will most certainly have a chilling effect on development and could operate as a digital billboard to hackers. Worse yet, Apple engineers indicated to Reuters in April that this “hack” would not remain secure for long. Some observers are confident that Apple will patch its iOS to stymie this hack in the future, but the game will eventually start all over again.
No matter which side of the debate you may support, the unresolved questions posed by this matter will have repercussions far beyond Apple and the scope of federal access to encrypted data. Only time—and precedent—will tell.
TOM KULIK is an intellectual property and technology partner in Scheef & Stone, a full-service commercial law firm based in Texas. He uses his award-winning industry experience in technology to help clients navigate the complexities of law and technology in their businesses. Read more at legalintangibles.com.