Carter Schoenberg is the president and CEO of HEMISPHERE Cyber Risk Management, Inc.
In the post-Snowden revelation world, the world’s greatest technology firms have rallied behind the “Don’t Tread on Me” flag. The days of these technology firms, founded and based in the United States, working with Uncle Sam has come to a screeching halt. In recent congressional subcommittee meetings, we have heard Google, Apple, Telos, Microsoft, Verizon and other tech giants testify to the need for a balance of protecting their consumers’ privacy and intellectual property with national security concerns.
It is important to note that technology giants have generally worked with the government for almost 100 years. From providing the government next-generation technology well in advance of consumer access to monitoring telecommunications, the relationship has existed for a long time. Today, that relationship is strained to the point of creating an environment that will have profound legal and political implications.
In December 2015, 14 people were killed and 22 wounded in the course of a terrorist attack in San Bernardino, California. The assailants, Syed Rizwan Farook and Tashfeen Malik, were killed in a shootout with law enforcement later that horrific day. Because of the nature of the crime, the FBI took over as it had clear authority in such a crime. Its investigation has since revealed clear ties between the assailants and Islamic terrorism. One of the pieces of evidence acquired in their investigation was an Apple iPhone.
While most new phones have enhanced encryption capabilities, both BlackBerry and Apple products are particularly challenging for forensic analysis because of the chip set within these devices I will not go into the exact detail how law enforcement can extract information but another challenge with Apple products is an option that enables a “self-destruct” type mechanism. I do not mean literally. The iPhone is not going to blow up like something from “Mission: Impossible” but there is a capability to completely wipe all data from the device after 10 failed logon attempts. This essentially creates a $600 paperweight for your desk.
This scenario was recently publicized when local police seized a phone of a citizen filming the police in an alleged abuse of power and physically assaulting a civilian. When the police seized the phone of the person filming, and trumped up a charge to arrest the owner of this phone, they proceeded to have the department’s Criminal Investigation Division attempt to break into the phone to view the video (allegedly to erase it) and after 10 failed attempts, the iPhone wiped itself. It is important to note it was only recently the Supreme Court said law enforcement couldn’t compel an American citizen to provide the password to their cell phone or computers as it violates the Fifth Amendment.
Because of these challenges, the FBI obtained a court order to have Apple decrypt the iPhone lawfully taken into evidence as part of this two-part criminal/terroristic investigation. Apple has been served the court order but has its legal team in place to defend a position of “we are not going to do this.”
Traditionally, in the United States, we have a two-week memory cycle and then we move to the next big thing. Just as the classified email investigation for Hillary Clinton is not going away, I believe this story is not going anywhere but up. Up to the United States Supreme Court, that is.
Apple’s position is that 1) it has significant privacy concerns for its consumers and 2) concerns about divulging intellectual property. Apple’s internal practice of security is outstanding. The company has very strict policies and procedures that include termination of employment if two independent teams even have a basic discussion of one another’s project in the cafeteria.
If this sounds harsh, perhaps it is but this approach has been highly successful nonetheless. In fact, this approach is so successful that hackers are offering Apple employees up to $23,000 for network access to Apple resources. When you are multibillion-dollar company, you have the financial resources to look at the FBI and give the proverbial finger.
However, is Apple right to take this position? What is it that the FBI is asking for, exactly? The bureau wants the contents of the assailant’s iPhone. That is it. So, let us look at the two key concerns Apple is professing as the reason it will not comply with the court order.
Most states have unique privacy standards and granted California has some of the most stringent. For there to be a concern of privacy, there must be an implied level of harm to the individual. The person in question is deceased. We do not have any headlines of a family member coming forth and saying, “Please don’t do this."
Furthermore, any information collected will be for the investigative purposes to support national intelligence activities in fighting terrorism within the United States and abroad and is likely not going to be made available for public consumption.
Protecting Intellectual Property
If the FBI provides a court order to have Apple unlock the device and provide a drive copy of all the iPhone’s contents, I am not sure I see what intellectual property is being compromised. Why can’t Apple bring the device into its lab, attest to the integrity of the process in writing, and then give the yielded information over to the Justice Department. The threat of a defense attorney issuing a subpoena for the Apple employees that may do the forensic exam is nonexistent because again, the former iPhone owner is dead.
Sidebar: It is important to note that Apple has the right to charge the government for such a service. This is no different than what the telecommunication companies charge local law enforcement for telephone records. So now, you have taken away the privacy, intellectual property and cost arguments. So why not comply with the court order? It is not as if it was a FISA court; a U.S. Federal Court judge in the jurisdiction of the sstate where the phone and manufacturer are physically located issued this.
The Flip Side
I have highlighted what is the most likely scenario for how and why the FBI would issue a court order to assist in the course of an investigation. However, if the court order were to instruct Apple (or any company) to provide a “God key” (aka backdoor) or insist government representative be present when the original equipment manufacturer facilitates the technical expertise to break into a device, then we have an entirely different scenario.
The reason why is that once an agent of the government is able to witness how to conduct such an exercise, it creates two problems. The first problem is that it could allow the government to have received knowledge transfer from Apple to conduct on their own without any further assistance from Apple. Unfortunately, because of the past activities of our government, I do not believe the “good faith” effort will prevail. The second problem is that Apple and other companies would place an intellectual property value on how to break the cryptographic modules on the devices and thereby have a claim of loss of intellectual property.
The long and the short of it is simply, if you have a court order issued within the authority of the courts as defined by the Constitution or Supreme Court decision, no one company is above the law. If there are concerns as described above, then you advise the government you will provide but it is contingent upon mutually agreeable terms. The position of flat-out saying no will possibly subject business leaders to contempt of court charges. Given the U.S. attorney general’s recent decrees on proceeding criminally against the C-Class, I would not dismiss the possibility of such a charge.
It will be interesting to see how this case evolves through appellate courts all the way up to the Supreme Court. Stay tuned.