On Monday, the FBI postponed a planned Tuesday court hearing with Apple about unlocking the iPhone of one of the San Bernardino shooters. The agency said it had found a third party with a promising proposal for bypassing the device’s passcode without help from Apple, which has been resisting providing assistance.
After weeks of pitched rhetoric, the decision seems like a sign that the FBI may not pursue this legal battle further. It would be a victory for security advocates who argue that undermining cybersecurity in investigations ultimately enables more crime than it stops. But would a retreat by the FBI on this case mean that the agency doesn’t want to fight the crypto wars anymore? Probably not.
The U.S. government has worked for decades to ensure that it has backdoors into as many encryption standards as possible so law enforcement and national security agencies can decrypt data when needed. In the 1990s, the National Security Agency even created the “Clipper Chip” for telecom companies. It promised to offer users encryption and openly touted its built-in government backdoor. Privacy and security advocates have consistently fought these types of projects, asserting that they can be unlawful in terms of privacy rights and even damaging to national security in the long run.
Though the Apple/FBI dispute is about the iPhone’s passcode security feature, not encryption itself, the agency raised many of the same issues by attempting to use a court order to mandate that a company undermine its own security feature. But even if the FBI retreats in this case, the debate will continue. On Monday, American Civil Liberties Union staff attorney Alex Abdo told the New York Times, “This will only delay an inevitable fight over whether the government can force Apple to break the security of its devices.”
The Apple/FBI fight has highlighted an important distinction. There’s been a longstanding debate in the United States (and elsewhere) over how to balance national security and privacy. What surveillance abilities should the government be allowed to have? But the situation with the San Bernardino shooter’s iPhone actually highlights a different tension, described by cybersecurity expert Susan Landau as “security versus security” in congressional testimony earlier this month. In this case, it’s not just a question of whether law enforcement should be allowed to do something it might want to do, like tapping landlines, but whether law enforcement should even be able to do the particular types of surveillance it wants.
Security advocates argue that undermining digital security measures to help law enforcement also weakens those measures against bad actors. Landau explained:
Twentieth century approaches that provide law enforcement with the ability to investigate but also simplify exploitations and attacks are not in our national-security interest. Instead of laws and regulations that weaken our protections, we should enable law enforcement to develop twenty-first century capabilities for conducting investigations.
Of course, it is possible for the approach Landau is proposing to enter dangerous territory itself, as the National Security Agency’s expansive, formerly secret (and illegal) surveillance shows. Apple’s stance against the FBI didn’t create this debate, and whether or not the FBI is able to unlock the San Bernardino shooter’s iPhone on its own, the broader controversy will continue in the courts and Congress.
“The U.S. government should be aligned with tech companies to create more secure products,” said Oren Falkowitz, the CEO of Area 1 Security and a former NSA employee. “By making the unlock issue so public, the FBI is undermining the security of technology people use every day.” With its recent delay, the FBI may be signaling that it understands how important public perception is. And using the courts to make demands of companies instead of coming to a mutual understanding could backfire. In the case of Apple, reports in the last few weeks have indicated that company employees might resist working on the tool the FBI is requesting or even leave the company to avoid contributing to it.
Corporate cooperation with law enforcement isn’t always so fraught. Apple’s lawyers have made a point of noting the company’s longstanding accommodations for government investigations. And this has been standard practice in the tech industry for years. But companies have been realizing that walking the line between compliance with government and transparency is an important way to win customer trust. And the value of data on mobile devices like the San Bernardino iPhone is only going to increase.
Whenever the Apple/FBI showdown ends, the crypto wars won’t be over, but they will have thoroughly expanded into mobile. “We have to acknowledge that this new platform is now how the world accesses their computing resources,” said Mike Murray, vice president of security research at the cybersecurity firm Lookout (which specializes in mobile defense). Smartphones are the place where criminals plan crimes, but they’re also the place where people do basically everything. “If I’m a [hacker], I know exactly where I have to go,” Murray said. “I have to go attack your phone.” As long as that’s true, mobile devices will need as much protection as they can get.