By now, you are aware of the situation in which Apple and the federal government have been embroiled whereby a federal judge, after a motion to compel filed by the federal government, ordered Apple to access and decrypt an iPhone owned by one of the perpetrators of the San Bernardino shooting in California. Apple fought the order tooth and nail, given its investment in its iOS and the security and privacy iOS encryption provides its customers. I remain highly sympathetic to the reasons the federal government seeks access in a case such as this one, but the FBI has chosen this battleground carefully in an effort to pry-back Apple’s encryption armor…and the stakes are high for more than just Apple. As the drama escalated, however, the FBI abruptly changed course…because it apparently found a third-party provider who was able to successfully hack into the iPhone in question. Even though the FBI moved to vacate the order to compel as a result, here are 3 reasons why you (and your business) should be very concerned:
- Escalation is Inevitable. Both Apple and the government have been on this collision course since Apple’s implementation of encryption on the Apple iPhone in its release of iOS8. If forced, Apple will not simply take this intrusion lying down. There are already reports that Apple is in the process of making it even harder to hack its iPhone iOS. Other mobile phone and application providers are watching closely, and it would be no surprise should such providers follow suit. In fact, WhatsApp just switched on end-to-end encryption for all communication on its platform – a platform owned by Facebook and its billion+ users! At a minimum, this will likely increase costs to the consumer at the expense of creating a cycle of never-ending software security and privacy escalation that may impede less costly alternatives – like the fact that the FBI likely bungled getting some of the iPhone data it wanted in the first place.
- This is NOT a One-Off Decision. Regardless of your sympathies to either side of this debate, our system of common law is built upon precedent – the compilation of judicial decisions over time that embody of laws under which we live. Should the government prevail in this case, there is not just a possibility, but a likelihood that such a ruling would evolve into precedent. An expanded use of the All Writs Act (as part of the Judiciary Act of 1789) is underpinning the arguments in this case – a carefully considered tool for the courts stemming from our nation’s founding arguably never intended to be used in the manner in which the FBI seeks to have it applied. A federal magistrate in November of last year ordered Apple to work with federal prosecutors to access and decrypt an iPhone 5s in a bankruptcy and passport fraud case . Even last summer, federal investigators apparently attempted to access a locked iPhone under a search warrant regarding a stolen, altered and/or counterfeit check scheme. Hundreds of requests to unlock iPhones have inundated the FBI since at least October 2015. In fact, Apple has dealt with at least twelve (12) requests to unlock iPhones since September 2015 alone! Without question, this is more than just a one-time governmental “ask”. Given that the FBI admits its “mistake” in getting the data it seeks from this iPhone through alternative means, should a commercial enterprise ever be compelled to “hack” its own products when such alternate modes of extraction exist? If so, where to draw the line? A federal judge in Brooklyn, N.Y. seems to have done so recently, holding the government’s arguments to compel Apple’s technical assistance under the All Writs Act so expansive as to cast doubt on their constitutionality. Moreover, the consequences of this decision may affect the viability of the pending EU-US Privacy Shield – the replacement to the U.S. Safe Harbor that has yet to receive the full blessing of EU regulators. If you think this issue is limited to iOS, think again – businesses everywhere need to contemplate these questions, especially where the business model relies in any way upon secured platforms, communications or data.
- The Hack will Definitely NOT Stop Here. The Apple iOS is a closed system. If you think that any exploit that Apple creates as a “master key” to access and decrypt iOS will only be used once, you are mistaken. The entire purpose of the access sought by the government is to circumvent iOS encryption to permit a brute force hack by cycling random passcodes on an iPhone to unlock it- an exploit that would, at the very least, create a tool and mechanism that may prove too tempting to not only the federal government in other cases, but to others with far less altruistic motives. Apple itself has stated that it cannot guarantee its own control over this “backdoor”. In fact, this workaround would be a shining beacon of opportunity for every hacker seeking to access iPhone data to exploit it – something that won’t go unnoticed by Apple’s customers and developers. Moreover, it seems that the Justice Department may have looked to foreign contractors or hackers to circumvent Apple altogether…and reportedly used an Israeli firm to crack into the iPhone at issue while refusing to tell Apple exactly how they did it. I represent clients that developed apps for mobile platforms, some of which leverage the strong encryption of iOS as a compelling feature of the platform. Without question, knowing that an exploit exists that cannot be “patched” will most certainly have a chilling effect on development to the platform…and operate as a digital billboard to hackers in the process. Worse yet, Apple engineers have indicated that this “hack” will not remain secure for long. I remain confident Apple will patch iOS to stymie this hack in the future…but the game will only start all over again (see point 1 above).
No matter which side of the debate you may support, the unresolved questions posed by this matter will have repercussions far beyond Apple and the scope of federal access to encrypted data. Only time…and precedent…will tell.
Tom Kulik is a leading intellectual property & technology partner at Scheef & Stone, L.L.P., a full-service commercial law firm based in Texas who uses his award-winning industry experience in technology to creatively help his clients navigate the complexities of law and technology in their businesses both domestically and, as a member of the Mackrell International legal network, throughout the world.