Apple vs FBI: A case for encryption

Diplo’s webinar on the Apple-FBI case, on 17 March (watch the recording), evolved into a Socratic dialogue on the core concepts and underlying assumptions of the case. The lively debate inspired us to create a series of posts that argue the main dilemmas, played out by three fictitious characters, Privarius, Securium, and Commercias. While the first post summarised the main facts, and the second tackled security-related arguments, the third conversation tackles privacy and encryption. Join us in the debate with your comments and questions.

Commercias: …A win for Apple – among other issues – is also a win for privacy…

Privarius: The question is, can Apple damage privacy by claiming to protect it? In making extreme claims, they could be pushing the pendulum too far, and risk provoking a counter-reaction by endangering privacy protection. As President Obama recently said at a South by Southwest (SXSW) conference, ‘after something really bad happens, the politics of this will swing and it will become sloppy and rushed and it will go through Congress in ways that are dangerous and not thought through.’

Commercias: On the other hand, we may say that it was the FBI who was, in fact, pushing too much. Apple and similar companies have cooperated by giving investigators all the data they have about the suspects; yet the FBI is asking them to go an extra step, and in the process, weaken the products’ encryption. The fact is that the FBI has already acquired large amounts of evidence about this case thanks to digital forensics and the support of the Internet industry (including Apple). Today, a user’s digital communications is not only saved on his/her phone, but is stored in the cloud by service providers such as Facebook or Google, which readily cooperate with the FBI to provide the data its investigators need.

Privarius: This also raises several questions: Was there really such a need to break into the phone? Does this justify setting a precedent? Is the benefit of this request proportional to its consequences?

Commercias: Furthermore, security experts such as the former US anti-terror chief claim that the FBI could have turned to the NSA for help, since this case may be related to terrorism; it is likely that the NSA has advanced techniques that can break the code. This can lead us to conclude that there might not have been a real need for the FBI to push Apple; yet the FBI chose a case linked to terrorism to push its limits and try to set a precedent.

Privarius: One positive aspect, if you may, is that as a result, encryption technology is flourishing. There are dozens of unbreakable encryption applications online, readily available mostly for free. There are complete solutions, integrating hardware, OS, and software. More importantly, hardware development has led to the creation of motherboard chips, such as Intel’s SGX, that incorporates encryption within a silicon wafer; this chip will soon become a common feature in products, with little possibility (if any) for anyone to unlock it with the use of any software or hardware patch. The outcome will affect how users choose their products, and may lead them to switch to other products with tighter encryption, or to install their own encryption software. This will leave law enforcement with even less control.

Commercias: But even with less control, law enforcement agencies may still be able to carry out their investigations without breaking encrypted communications – such as by using metadata, digital forensics, offline means, etc – right?

Privarius: Yes, they can. While there is little evidence on the usefulness of meta-data (zero success according to NSA) or access to encryption materials in preventing terrorist attacks (prior to the Paris attack, terrorists used unencrypted SMS), most criminal cases now require digital forensics as a critical part of the investigations. I would however distinguish between surveillance for national security purposes and to combat terrorism, from digital forensics for combatting crime (and not only cybercrime).

Commercias: True. Law enforcement has many digital forensics tools available at their disposal. I would add geolocation, data from telecom companies, and access to service providers’ cloud storage through court orders and other legal means. Besides, recent research (such as that by the Berkman Center) foresees that cyberspace is unlikely to ‘go dark’, for many reasons, and there will still be many sources for digital evidence without the need to break into encrypted spaces. Which would mean that Apple can retain its strong stand over privacy…

The next post, published on Monday, 28th March, will discuss privacy and the economic model. Stay tuned.