Apple vs. FBI: nobody won
Last night I had drinks with someone who knows a ton about the Apple vs. FBI case. He explained to me the following:
- The way the FBI eventually figured out a way into the San Bernadino shooter’s phone was extremely involved and expensive, involving things like shaving tiny pieces of hardware apart without dropping anything or exposing anything to too much heat.
- This is a good thing, because that expensive process is extremely hard to scale.
- Also, there was no legal precedent created.
- Moreover, Apple has been making iPhones increasingly secure by default, for example with default encrypted iCloud data in more recent version of its operating system.
- Which means that in a couple of years, most people using iPhones will be pretty well protected from even expensive FBI searches, again as long as there’s no legal requirement to create backdoors.
This story is interesting, but it still leaves me extremely unsatisfied. In particular, I’ve really gotten riled up by stupid media stories that “Apple won”.
I’ve maintained for a while that this story isn’t a story about Apple at all, because Apple is not accountable to the public in any real way; Tim Cook could change his mind tomorrow about whether to care about consumer security and we wouldn’t be able to do anything about it.
I think I have to amend that claim somewhat, though. Because what’s really happening is that Apple, or rather Tim Cook, is pushing through his vision of consumer protection, knowing that there will be very little the U.S. government, or any other government for that matter, will be able to do about it on a technical level, unless they’re willing to make iPhones illegal altogether.
That’s not without precedent. For example, there are some radio scanners that are illegal in the U.S. and other countries. But it’d be hard to imagine what the public’s response would be to being told that they can no longer buy iPhones.
So, the way I see it, it’s Apple vs. everyone, and Apple is feeling pretty good about its chances.
And look, I happen to agree with Apple this time. But it’s a screwed up and tenuous situation, and it’s deeply anti-democratic. We haven’t actually had the urgently needed conversation about whether Americans have the right to encrypted communication. Instead, we’re relying on a private company to make de facto policy for our benefit. What?
Here’s what I’d like to see: a real conversation about what Americans are entitled to. It’s a conversation that Obama started a couple of weeks ago at SXSW:
if the government can’t get in, then everybody is walking around with a Swiss Bank account in their pocket. There has to be some concession to the need to be able to get into that information somehow.
I’ll start. Obama’s comparing the individual’s desire for privacy with a Swiss Bank account is a smear tactic on the one hand – we’re trying to avoid taxes or something, which smacks of the tired line “don’t worry if you have nothing to hide” – and it’s disingenuous on the other hand – acting as if all information is equivalent, when we know that the government may claim access to our financial information, for tax purposes, but should never have access to our love letters. And since both kinds of information is stored on our phone, I think right there we have a pretty great argument explaining why our phones are nothing like Swiss Bank accounts.
Here’s what I’d like to see. A nuanced discussion about what types of data the government should have access to and under what circumstances, where the government has to make its case and the public gets to weigh in, since we care about terrorism too.
mathbabe 
The point of the comparison to a swiss bank account is not that the government should have unconditional access to your love letters or other personal data, since the IRS doesn’t have the legal right to access such information unless they get court orders to go beyond their usual audit access. It’s that a swiss bank account gives a person the ability to hide data that the IRS or other agency has a legal right to access, but gets hidden illegally.
Right now, most love letters are stored in peoples homes outside an iphone but the government doesn’t have the legal right to access them, so requiring a back door on encryption is just maintaining the status quo.
Now, the debate I’d like is how to better hold the government accountable for following the laws on accessing personal data, such as criminal convictions for government officials for violations of personal privacy and stronger whistleblower protections. I’m probably in a quite small intersection of those who cheered on Snowden’s NSA revelations and those cheering on the FBI breaking Apple’s encryption.
LikeLike
I think the point is that the rules regarding what electronic information is accessible to the government and under what circumstances are very unclear and, to the extent that there are protections from the government they are coming from decisions made by a corporation. There should be clearly defined rules and the public should have significant involvement in defining them. Also, they should not be subject to change at the whims of a corporation or its CEO.
This is also true of rules about what information corporations can access and how they use it. There should be clear rules set in a democratic way.
LikeLike
Nathan, I agree with you both about Snowden and the FBI/Apple case. I very strongly support a right against being searched. I’m a proud ACLU member (and my membership is not conditional on the ACLU being perfect).
Yet no right is absolute. Obama is correct with respect to his main point. I think we are entitled to due process rights against being searched unless there is a really good reason. In the FBI/Apple case, as far as I can tell, there was a really good reason.
The problem was technical. The only way to search that particular phone, Apple claimed (I defer to experts, although I remained very skeptical), was to allow the FBI to search every phone. But the FBI found someone to solve that technical problem.
Cathy rightly says that not all information is equivalent. That’s very important.
Yet the lines that mark our rights with respect to information are drawn in ways that many people do not like. Copyright is notoriously both good and bad, for example.
In some places, the lines either mark what information one is entitled to. In other places, the lines mark what information someone else is *not* entitled to (except through due process). Philosophers talk about positive and negative rights.
I’m a librarian. But I also think authors and musicians should have some rights to the content they create. I’m not going to defend the way the lines are currently drawn, although it’s possible that some lines make sense.
Another difficult case involves libraries whose servers are used as Tor nodes: http://boingboing.net/2015/09/16/kilton-librarys-tor-node-is.html
Jason Griffey argues persuasively, using librarians’ professional code of ethics, that libraries should set up Tor nodes. Yet it is easy to anticipate the push-back, since this would make libraries into vehicles for mass violation of copyright.
http://boingboing.net/2016/03/28/how-libraries-can-save-the-int.html
LikeLike
> The problem was technical. The only way to search that
> particular phone, Apple claimed (I defer to experts,
> although I remained very skeptical), was to allow
> the FBI to search every phone.
Apple modifying their software to add a backdoor would
make every phone running that software vulnerable. The
FBI could claim that they would only use it once, but
if they ever changed their mind, they could use it
again and again. Even if Apple removed the backdoor
in the next software update, the FBI could ask them to
add it back in, so yes, such a modification would grant
FBI the capability to search every phone.
Eventually, hackers would find Apple’s backdoor and use
it for criminal purposes. If you think it unlikely,
look at how every couple of months hackers find
backdoors in home routers and modems. See the
following URL for a recent collection of news about
such discoveries: http://routersecurity.org/bugs.php
Mandating insecurity through backdoors would harm all
law-abiding citizens and make government agencies using
those systems insecure too. Of course, criminals could
continue to use currently existing secure cryptographic
software. The FBI’s only hope to continue surveillance
of criminals would be to hope that they would be so
lazy as to use the default insecure software. That
hope would be fulfilled at times, but this week’s NYT
article shows that ISIS is already using cryptographic
software that doesn’t come with their devices. See
http://www.nytimes.com/2016/03/29/world/europe/isis-attacks-paris-brussels.html.
> But the FBI found someone to solve that technical problem.
Apple’s iPhone has a long history of security
vulnerabilities (https://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49),
so it’s not surprising that the FBI found a company
willing to exploit one such vulnerability to break into
the phone. However, Apple and other vendors fix those
vulnerabilities when they are reported. The FBI wants
Apple to insert a security vulnerability that will
never be fixed.
LikeLike
So, I agree with this premise in the abstract. As a part of living in a society governed by both our laws and our civil protections, we allow the government the right to access some of our private information when they can demonstrate a good reason to do so…and we have a judicial system that is supposed to be the arbiter of what said good reasons are. The legislative + judicial processes also play a role in setting and regulating what constitutes good reasons in general.
But in recent years, I think a lot of Americans are feeling that our government hasn’t held up its end of the bargain. Creating a “backdoor” is very different in a society where you feel you can trust the government to only use it in a transparent way vs. in one where we now have clear evidence that the government did so surreptitiously, without public consent. I don’t know how you reconcile this, unless you fully adjudicate the legality and constitutionality of those programs…which Obama has specifically shied away from doing.
None of this, however, makes me more comfortable with Apple. If anything, I lean more toward trusting our elected government than the CEO of a private company (especially after learning how many of those private companies went along with the government’s surveillance programs a few years ago). I honestly don’t know the solution. I really do like and enjoy the services a company like Google offers, and I think it would be nearly impossible to function in today’s world if I refused to use them (e.g. my only choices for my work phone are Apple or Android). But I hate the amount of information about myself I have to expose and consent to having stored indefinitely on a third party server to make use of them.
I do think there are important discussions we need to be having about who has rights to our data and when and for how long…but those discussions need to extend beyond the government (I have no idea what regulations can be put in place on private companies, but I suspect there are some). I also think it’s hard to get a lot of interest for these discussions going, when the responses I get to bringing up privacy–even when working in the electric utility industry where the data can tell you tons about what a person is doing–is most people saying that “no one cares about you that much, why worry who has your data”.
LikeLike
Here’s a comment from a friend:
I agree with the first point, that it’s not about Apple (except that no other company had the stones to stand up…so it became about Apple being first), but I disagree that Apple isn’t accountable to the public in any way.
I strongly believe public companies (they are called public companies for a reason) are accountable to the public in 4 ways:
1. If the products and services they produce aren’t valued by the public, individual consumers (a.k.a. the public) doesn’t buy them.
2. If the company offers bad jobs, private citizens (a.k.a. the public) won’t work there.
3. If the company has a terrible strategy or bad management, private investors (a.k.a. the public) won’t buy the stock.
4. If the company doesn’t pay taxes, the government will fine or revoke their license.
On the other hand, if the government provides crappy services, encroaches on individual rights, over taxes, etc., all the public can do is vote…but then only once every 2, 4, or 6 years, and even then, the choice is limited between the 2 flavors of incumbents. And most of those incumbents are really accountable to donors…to pay for campaigns…to buy ads on TV…
Where is the real accountability?
LikeLike
I agree with all of that, but I don’t consider that real accountability. Nobody’s getting put in jail. Let’s call that “soft accountability.”
I’d like to see laws put in place around privacy so that people who break the laws are put in jail, including FBI agents.
LikeLike
I’m sorry Cathy: are you really saying that the way we should hold Tim Cook to account for his promises of trying to keep iPhones secure is to throw him in jail if he fails to live up to these promises?
LikeLike
Hahaha no not at all. I’m saying the government – and all corportations – should agree to rules that protect us, and they should be enforced.
LikeLike
“We haven’t actually had the urgently needed conversation about whether Americans have the right to encrypted communication.”
Huh? Why do we need to have rights enshrined in law for everything we do? I see nothing urgent or needed here – we’ve had the ability to have *secret* communications since the invention of communication.
LikeLike
My suspicion is that Apple gives not two hoots about privacy/civil liberties. Apple is concerned with losing the Chinese market like Google did. The Chinese government clearly doesn’t want FBI to access their phones; however, Apple will gladly build a backdoor for China.
LikeLike
I totally disagree.
LikeLike
Which accusation? The fear of losing a market or the willingness to build a backdoor. As was noted above, Apple has previously been quite happy to cooperate with law enforcement.
LikeLike
I wouldn’t say it’s undemocratic. If the U.S. Congress wanted to, it could pass a law that made Apple legally required to give access to its phones if there’s a government search warrant (I suspect that the 4th Amendment means they need a search warrant, although IANAL). The U.S. owns the frequency ranges it licenses to phone companies, and it can control what is allowed to go over them … although you might want to have a lawyer read the license contracts carefully to see what conditions the government can impose on them.
Of course, the U.S. Congress is probably not going to pass such a bill, so it’s up to the courts for the time being.
LikeLike