Never in a million years would I think of calling a company that has, from time to time, more cash on hand than the U.S. federal government, the “David” of any story but here we are and Apple well deserves the title.
Recently, there was an attack in San Bernardino, California. Two gunmen, later identified as husband and wife, opened fire in public, killing 14 and injuring another 22. They claimed allegiance to ISIS, the terror state. The resulting mayhem prompted the government to investigate fully the shooters and every aspect of their lives to determine greater motives, possible accomplices and to see if there were future attacks planned by their allies.
The iPhone Encryption Standard
Enter the iPhone. This ubiquitous phone, used worldwide and second in popularity only to the wide variety of Android mobile phones available everywhere, is apparently the personal mobile device of choice for these particular terrorists. Apple has integrated hardware encryption that, if the user activates it by enabling the passcode option, encrypts all data on the phone by locking it to a unique identifier (UID). The UID is fused into the phone’s hardware and is running AES 256bit encryption.
While this encryption is not impossible to break, it does take a brute force attack to break it, meaning the device has to be slammed with potentially millions upon billions upon trillions upon quadrillions of passwords. Basically, it takes an incredible amount of computing firepower to break it and even then, if the password is complex enough, it could take longer than this planet has to live before our sun goes supernova and we’ve all been dead for millions of years.
Judge’s Verdict: Apple Must Help FBI Break into iPhone
The vast resources of the FBI and their on-staff hacker teams haven’t been able to break this simple device to access the data. Apple’s historical stance is that not only will they not comply to try and help U.S. law enforcement break their own encryption systems, they essentially cannot in situations like this. Because the encryption relies on a hardware UID, they’re just as stuck as the FBI. The FBI and US Government, claiming that individual data protection is essentially a hindrance to them performing their jobs, petitioned the judicial system to order Apple to help the FBI break into the iPhone. The judge agreed and ordered Apple to help the FBI break into the phone.
Apple has thus far refused, rightfully claiming that to do so would create a “backdoor” into their products which would defeat the purpose of personal data protection and encryption. In an open letter, Apple has said that:
“All that information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission. Customers expect Apple and other technology companies to do everything in our power to protect their personal information, and at Apple we are deeply committed to safeguarding their data.Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us.”
This response has been a refreshing change for the security community that has been eschewing backdoors into encryption for years with the logic that if the good guys can learn about them then so can the bad guys.
The Slippery Slope of Privacy and Government Interference
We have had examples of government interference with our encryption privacy in the past. Consider that the NSA paid RSA, the security corporation who has their products used by countless corporations for security, 0 million to intentionally keep a backdoor into all of their products by using Dual Elliptic Curve as its number generator. Dual Elliptic Curve has a known backdoor that the NSA, and hackers if they discovered it, could exploit to enter virtually any RSA secured network.
We stand on the edge of a rather slippery slope when it comes to the government and privacy. Apple has shown that having a bulletproof encryption can effectively protect an individual or organization from loss or theft, which sadly also includes protecting terrorists’ data. That is the catch-22 with encryption. For all good it can be used for, we have to take the bad with it and understand that even if it makes law enforcement’s job harder, it’s ultimately for the greater good.
Is it in Apple’s Best Interest?
Time will tell with Apple on this issue. Like most international corporations, Apple has a different stance on issues depending on local law and its ability to hinder Apple product sales. As little as a year ago, Apple agreed to allow the Chinese government security access to their devices for the purposes of security reconnoiter. Apple is the first foreign mobile phone corporation to do this as they’ve been trying to break into the Chinese market to compete with Xiaomi and Lenovo.
This position is in stark contrast to the recent stance within the United States over encryption. China has a more controlling government when it comes to digital information and internet access. Combine that with US export of encryption compliances Apple has to adhere to and there could potentially be backdoors already built into the iPhones for the Chinese government to use since early 2015 when Apple agreed to allow China into their devices. We in the security community would love to take Apple at its word regarding this issue here in the USA, but we fear it’s simply marketing.
Take the Lead in Protecting Your Information
Everyone should be running encryption regardless of the device. It protects all personal data stored on the local device from theft, loss or any other kind of illegal access. Even free cloud services are using basic encryption to transfer your data into the cloud. They also usually store your data in an encrypted container, so having all copies of the data encrypted should not be an unusual practice.
Ultimately we are all responsible for our own data and its security. We put our trust into providers that we expect to handle our data with care, lest they lose business and credibility when a breach occurs. If these companies cannot protect us from our government when they wish to potentially circumvent our right to privacy, then new companies will arise that can.
Already there is a slew of business class companies offering advanced encryption with rather libertarian stances in terms of privacy. For example, when it was determined that Edward Snowden had stored his stolen NSA data in the cloud, it was sitting at a provider that allows its users to encrypt their own data with keys that prevent the company itself from accessing the data. The company, SpiderOak, could not help the NSA break into Snowden’s data. True privacy is out there for us to use. We just hope Apple is with us.