Skip to main content

Contextualizing the iPhone Encryption Debate

March 22, 2016

Author:

Alexander Kegel

Two years ago, Director James Comey of the Federal Bureau of Investigations (FBI) stated, “there will come a day when it will matter a great deal to the lives of people…that we will be able to gain access” to smartphones. He further expressed interest in having “that conversation [with companies responsible] before that day comes.” That day came on February 16th when the FBI requested access to an Apple iPhone to collect data pertaining the deaths of 14 individuals in the December 2, 2015 San Bernardino terrorist attack. In response, Apple CEO refused to create the software necessary to access the San Bernardino terrorists’ iPhones.

Precedent for accessing encrypted smartphones—in particular, in cases where the phone creators will have to create software specifically to facilitate that access—is still being created. A case is currently moving through New York federal district courts over unlocking a drug dealer’s iPhone in which an initial ruling has sided with Apple. The Justice Department has appealed the ruling.

Law enforcement has been using the All Writs Act of 1789 to argue for law enforcement access to encrypted devices. Law enforcement agencies argue that they need access to encrypted devices in order to protect populations. In contrast, companies such as Apple argue that creating such access both limits the security of devices and creates a situation in which too much privacy is being traded for security.

The Issue

The San Bernardino terrorist phone is password protected and after ten failed password attempts, the phone will auto-erase itself. Law enforcement has asked Apple to disable the auto-erase function so it can brute force the password and gain access to the phone.

For a crime-fighting agency, there are three problems with the security program of the iPhone; passwords have to be inserted manually one at a time, there is a delay between failed passwords and there is an auto-erase function after ten failed attempts. To access the information on the phone, the FBI has requested that Apple create a software file that will allow for access to the specific San Bernardino smartphone without the threat of erasing all the user data. An important distinction, in this case, is that the file would be coded to the specific iPhone and would not modify the operating system but serve in conjunction.

Concerned for the data security of their customers as well as likely the optics of giving law enforcement access in the wake of the Snowden revelations, Apple has both expressed an ideological difference with the FBI and has resisted the FBI in court. The foundation of Apple’s argument against the insertion of the unique software file stems from the concern that this file could be used to hack all iPhones without the knowledge of their user and eliminate all user privacy. Apple has requested that the FBI respect the data privacy of all the users and not just the rights of the legal citizens. Many other technology companies, including Amazon, Microsoft, Google and Intel and others, have since spoken in support of Apple.

The Limits of the Law

A central component of the debate over whether Apple should write code allowing the FBI to access the phone is about the acquisition and usage of warrants as they pertain to smartphone data. Law enforcement officers, whether at a local or national level, argue that they should have the ability to gather images, messages and web search histories from smartphones to aid in investigating serious crimes from child pornography to terrorist attacks.

Much like gaining access to papers locked in a criminal’s bank vault (and using a law designed to permit this very type of access, the All Writs Act), the FBI applied for a warrant to search the contents of the iPhone in question. The All Writs Act is a law, dating back to 1789, which states that the Supreme Court and all other constitutionally established courts may issue all writs, or orders, necessary to investigations within their jurisdiction. Simply put, the courts may order any company to support the carrying out of justice in an investigation.

If in possession of a valid court-approved search warrant, law enforcement officers are allowed to tap phones and access even the most secure bank vaults with little public concern; thus, the debate over smartphones stems not from law enforcement accessing data but from the inability of law enforcement to limit the data they acquire in such a search. The concern that law enforcement can’t limit the data they acquire combines with a perception that the images, documents and call logs are more personal once transferred to an encrypted smartphone, making the issue more complicated.

However, the developments of this case regarding a vocal public response identify a troublesome misapprehension about the purpose and actions of the FBI as it relates to data collection. In a letter to customers, Apple CEO Tim Cook played up the possibility of warrantless mass surveillance arguing that there is no control through which the FBI could be stopped from using the backdoor endlessly to endanger the data security of all customers. For a data collecting agency, such as the NSA, the concern over unwarranted encryption cracking and data collection is a serious issue—as Snowden revealed. However, the FBI is a crime fighting agency and finds the surveillance of metadata (information on the times, origins and destinations of phone calls, electronic messages, instant messages and other modes of telecommunication) too difficult to analyze in a field where quick reactions are crucial to investigations.

The Usage of iPhone Encryption by Malicious Actors

The stated purpose of the FBI in accessing the San Bernardino shooter’s iPhone is not for the purpose of mass surveillance, but to investigate the deaths of 14 people. The FBI’s argument is that it is interested in protecting the security of the American people whether that requires access to a bank vault or an encrypted iPhone.

The FBI argues that if a warrant no longer enables access by the FBI to iPhone data, a dangerous precedent is set for the criminal community. John Escalante, the chief of detectives for Chicago’s police department, accentuates a concern within the law enforcement agencies when stating that “Apple will become the phone of choice for the pedophile.” While this is a volatile statement, he is not alone in concern about the usage of the iPhone encryption to protect criminal activities. Imaging the ability for a pedophile to protect any evidence of their crime by caching photos, location data and communication logs behind an encryption to which the FBI does not have access. FBI Executive Assistant Director Amy Hess of the Science and Technology Branch before the Subcommittee on Information Technology of the House Oversight and Government Reform Committee, echoed statements by James Comey on the danger of marketing a device which enables criminals to store data outside the reach of the law.

While the FBI focuses on the limits of warrants to provide security, many civil liberty organizations that are on the side of Apple, such as the ACLU, focus on with the legal ramifications cracking encryption in relation to the Fourth Amendment. For civil liberty groups, the concern of unwarranted search and seizure of information presents a limit to the power of government. Within this context, the FBI must have access to the information that would allow them to solve the murder of individuals without endangering the privacy of the data of similar individuals. Thus, the debate between privacy and security is not a simple one to solve.

Conclusion

The smartphone encryption debate is representative on a more inclusive debate within cybersecurity: that of privacy versus security. There is no doubt that the privacy of user data is increasingly importance as more users transfer personal data both online and onto their smartphones. However, while Apple has a right to be concerned about unwarranted data collection and decryption, to protect the privacy of smartphone users completely, one must acknowledge the inability for law enforcement agencies to protect the security, whether national or individual, of all citizens.

The balance between protecting the rights of the individual citizen and securing the safety of criminals and other malicious actors from the law is a concern that must be addressed. The resolution to this debate does not lie in either strict FBI supervision or Apple resistance. The FBI, as a crime fighting organization, will not necessarily place privacy above security while Apple, as a producer of consumer devices, will not necessarily place security above privacy. So the decision should fall on neither solely Apple nor the FBI; the decision must remain with the people whom they are both attempting to protect.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.