In December, 2015, two terrorists in San Bernardino, California, committed a horrific and gruesome crime when they murdered 14 coworkers and seriously injured 22 others. Law enforcement caught up with these murderers a few hours later and they died in a shootout. Good riddance. If you commit an act of terrorism, you deserve the harshest consequences society can offer.
But this blog post isn’t about terrorism. It’s about the aftermath these terrorists left behind in an encrypted Apple iPhone 5c. Three months later, the FBI is unable to break into that phone to examine its contents.
The phone belongs to the San Bernardino County Department of Public Health, where one of the murderers was an employee, and is now in FBI custody. The phone’s contents are encrypted and the phone may be set to brick itself after a small number of penetration attempts. Apple itself has no way to access it. Here is a blog post with details.
The FBI wants Apple to engineer a special firmware update for this specific phone to allow the FBI to bypass the phone’s security and look at its contents. The FBI secured a court order compelling Apple to cooperate. Here is a PDF with the FBI motion. Here is a PDF with the court order. Apple CEO, Tim Cook, expressed Apple’s opposition to the order in an open letter, published on the Apple website. Here is a PDF copy in case the website link goes bad.
And now the fight is on. It’s the long awaited clash of privacy rights versus counter terrorism. And although I question the value of anything stored inside the specific phone at the center of this fight, the big picture stakes could literally be life and death.
Naturally, politicians are weighing in. In this article Donald Trump called Apple “disgraceful.” Trump also said, “We should force them to do it. We should do whatever we have to do.”
And in a USA Today Opinion piece, Senator Richard Burr, R-NC, Chairman of the Senate Select Committee on Intelligence, said, “The newest Apple operating systems allow device access only to users — even Apple itself can’t get in. Murderers, pedophiles, drug dealers and the others are already using this technology to cover their tracks.” Here is a PDF of Senator Burr’s article in case the link goes stale.
On a personal level, if my family or friends were victimized by a terrorist attack, I would do everything in my power to gather information to bring the attackers to justice, and if encryption got in my way, I would bust whatever heads I needed to break it, legal or not. I would not care about bigger policy issues.
But when I look dispassionately at the bigger picture, I am forced to conclude Apple is right and the FBI is wrong. And the longer I look at the issue, the stronger my convictions become.
Tim Cook framed the Apple arguments around privacy and trust and a slippery slope to tyranny. And his arguments are persuasive and right on. But the arguments so far on both sides miss a larger point – the perceived trade-off pitting privacy against law enforcement is not the most important issue. More important than any trade-off, weakening encryption, even to break into this one phone, hurts the fight against terrorism more than it helps and the government has no business trying to compel companies to break the security of their products.
Apple could break into this one phone and maybe the government might uncover a few names. Maybe. But at what long term cost? Senator Burr, if Apple loses this fight, then murderers, pedophiles, drug dealers, and others will simply find another encryption tactic to cover their tracks. If the government wins this skirmish with Apple, we will all pay a long term price in the more important war against crime and terrorism.
In a Feb. 19, 2016 interview on CBS This Morning, Assistant New York City Police Commissioner, John Miller, took Apple to task by asking Apple how many victims in Paris and San Bernardino were Apple customers. Miller is right to frame the debate in life and death terms. So my question for Miller, if I ever get a chance to ask is, how many more people will die if law enforcement forces tech companies to weaken encryption? How does it make sense to cripple the good guys when the bad guys won’t follow the rules?
Like it or not, strong encryption is here to stay. It’s a fundamental part of 21st century society. We can no more roll back encryption than we can replace cars with horses and buggies.
Don’t believe me. Just use recent history as a guide.
For many years, the open source IPSEC community refused to accept contributions from US citizens because of the threat of US Government regulation. So encryption technology continued to progress, just without input by the United States. If we return to that broken way of thinking, we will blind the United States when dealing with our enemies. Not only will we not be able to decipher encrypted communications, we may not even know they’re going on.
I spent 16 months writing and publishing “Bullseye Breach,” an educational book disguised as an international fiction story about how Russian criminals steal 40 million credit card numbers from a large US retailer named Bullseye Stores. No amount of government regulation inhibiting or regulating encryption would have helped in any real-world breach scenarios, and the arguments suggesting the government act as a safe storage location for encryption keys has more holes than Swiss Cheese. Just ask any victim of the recent OPM breach about the safety of US Government servers. If people who apply for security clearances can’t trust the United States Government with private information, why should the general public trust the Government with millions, perhaps billions of encryption keys?
That’s why Apple must win this fight. To stop a first step down a slippery slope and keep the playing field level between the good guys and bad guys, so the good guys have a chance to fight back. Crippling encryption cripples the good guys. It delivers exactly the opposite result the government and all of us want.
One final note: I am now a Red Hat employee. For people unfamiliar with the tech industry, Red Hat is the preeminent open source software company and is rocking the IT industry. The opinion expressed here is mine, and may not reflect what the leaders at Red Hat think. But I’m right.
(Originally published on my Infrasupport website Feb. 19, 2016. I backdated here to match the original posting date.)