Editor’s note: Below an ISACA member and volunteer shares his opinion on the Apple and FBI story. ISACA encourages open discourse from individuals. What are your thoughts on this topic?
Apple's brand is known for innovative functionality, reliability, security, and ease of use. Apple strives to continuously improve the iPhone operating system (OS) and its security capabilities. The FBI’s request of Apple to build a way to unlock a terrorist’s iPhone implies that the security safeguards that Apple built into the device may be a danger to law, order and national security.
Consistent with US government guidance, Apple builds privacy and security safeguards into the development of the iPhone. If an iPhone is lost or stolen, then strong encryption combined with safeguards that wipe user data from the device after a set number of unsuccessful login attempts work in concert to assure the privacy and confidentiality of the iPhone owner and his/her data. An FBI court order requires Apple to develop code that will weaken iPhone security.
A court order compelling a provider of products and services to weaken security safeguards is a complex issue that transcends borders, specific companies, phone models or devices. The issue encompasses more than individual privacy. The final disposition of this issue can potentially impact national cybersecurity strategy, economic and national security policy, and international commerce.
Could the FBI Request Undermine National Cybersecurity Strategy?
For nearly two decades, the US government prodded the private sector to strengthen the nation’s cybersecurity posture. The NIST Framework for Improving Critical Infrastructure Cybersecurity encourages the strengthening of governance and risk management. The Framework calls on providers of products and services to employ privacy and security by design as an important step to help assure the nation’s economic and national security.
The FBI wants Apple to create and introduce code into the Apple iPhone OS that will undermine the safeguard that protects iPhone against brute force attacks. Many have been referring to the FBI’s request as a “key” or “back door.” Code that undermines the encryption or other security safeguards that protects privacy, confidentiality, integrity or availability of information or IT sounds very much like malware.
Once created, the FBI-requested code is not easily controlled. The code might end up in the wrong hands. Enhancements can further violate user privacy and compromise the confidentiality of personal data. Unauthorized access to personal data stored on a smart phone can embarrass the owner of the device or make them vulnerable to fraud. Identity fraud impacts millions of Americans each year, and its impact is measured in the billions of US dollars. Proceeds of identity fraud fund organized crime and terrorism. Code created at the request of law enforcement as a means to fight criminals and terrorists could be leveraged by criminals and terrorists to finance their operations.
Could the FBI Request Present International Political Implications?
The FBI’s rationale is based on common desires for law, order, and national security. Governments around the world have the same objectives, including those led by dictators and despots. Would Apple then be forced to share the FBI requested code with law enforcement and national security agencies from any nation in which it sells its products? What is the impact to Apple’s reputation, brand and market?
The US is not the only nation home to technology innovators that have concerns for law enforcement and national security. South Korea is home to Samsung, maker of smart phones and smart televisions. If the South Korean government adopted a similar strategy (ordering malware to weaken security safeguards and enable law enforcement and national security organizations access to Samsung devices), would the US government object to South Korea’s action or would the US government demand access to the same code?
Could FBI Demands Jeopardize Global Commerce?
Onward transfer of personal data from the EU to the US is part of an expanding digital global economy that increasingly relies on the free flow of data. The EU privacy culture is very different from that of the US. In the EU, personal data and baseline requirements for legitimate handling and appropriate safeguarding of personal data are clearly defined in the Privacy Directives. In the US, there is no overarching legislative regime that defines legitimate handling and appropriate safeguarding of personal data. In the US, there is no standard definition of personal data. A patchwork of federal and state laws tends to regulate the use of identifiable data on an industry-by-industry basis.
By EU standards, the US privacy culture is not adequate. This inadequacy creates challenges for onward transfer of personal data from the EU to the US. Before personal data can be transferred from the EU to the US, the receiving entity must provide additional assurances that meet EU standards. A recent EU case involving Facebook demonstrates US government access to an American entity’s data can lack key components of the EU standard, such as reasonable limitation, due process, and transparency and yet be “legal” by American standards.
In the Facebook case, the EU Court of Justice invalidated the EU – US Safe Harbor Privacy Principles. While Safe Harbor was one of three methods through which onward transfer of personal data from the EU to the US can take place, it is believed that the same rationale could be applied to invalidate the remaining methods, Model Clauses and Binding Corporate Rules. As a result, doubt is cast over the future of EU-US onward transfer. The FBI request for code that can enable the agency access to iPhones might be perceived by the EU a continuation of an ongoing erosion of the US privacy culture. EU-US onward transfer can be further jeopardized.
When the question “Should Apple unlock the iPhone of a terrorist to keep us safe?” is posed by a pollster to people on the street, of course most Americans are likely to act on emotion, choosing law, order and safety. But beyond privacy, a wider, deeper, more nuanced view of the matter reveals potentially troubling questions that are not being answered. Compelling Apple to weaken encryption and make iPhone vulnerable to a brute force attack can undermine Constitutional principles and privacy protections, impair the US cybersecurity strategy, lower standards for products and services, and jeopardize the future of onward transfer between the EU and the US. The final decision should consider these and other implications, moving beyond the emotions associated with a single device.