Why forcing Apple to break iPhone security is a bad idea

The US government wants to compel Apple to help it break into an iPhone used by the San Bernardino terrorist. The company is refusing. Which side is right?

It’s widely agreed that the government should be able to force a company to turn over information it possesses when there is reason to believe that information could be used to prevent a terrorist attack. However, that’s not what the current dispute between Apple and the Department of Justice is about. The government is asking Apple to undermine privacy protection that the firm has spent years developing and refining by creating software to defeat that protection. And it is just to discover whether any useful information was added to a terrorist’s iPhone between October 19, 2015 and December 2, 2015.

Apple contends that the information could have been retrieved already had the government not acted in haste. Shortly after the attack, the FBI asked San Bernardino County, the terrorist’s employer and owner of the phone, to reset the terrorist’s iCloud password so that the FBI could access his iCloud account. That gave them access to his last iCloud backup, which took place in October, but it prevented an automatic backup of more recent information presumably because the phone is still using the old iCloud password. (The FBI is now suggesting that the terrorist may have disabled automatic backups after October 19, but this is only speculation.)

Apple’s legitimate concerns

Data security is like a marathon that never ends. Data security developers work constantly to stay a step ahead of data thieves. Data thieves are always trying to catch up, and from time to time they succeed. If we as consumers want data security we can depend on, then it’s important that we allow security developers to continue moving forward so they can maintain a lead over data thieves.

Companies such as Apple have a right to design products that make it as difficult as possible for unauthorized persons to access users’ private information, and consumers have a right to buy these products. When consumers purchase insecure products they make themselves targets for identity theft. Once bad actors have access to your accounts they may be able to use your credit cards, pose as you while committing crimes -- even blackmail you. Governments that do not respect citizens’ right to privacy tend not to respect other basic rights. The Soviet Union recruited people to watch and report on neighbors, friends and even family members who expressed anti-government feelings.

The government claims it is only asking Apple to help it retrieve information from one iPhone. It also insists that doing this would not place an unreasonable burden on Apple. These are specious arguments.

As Apple CEO Tim Cook explained in his letter, the government is asking Apple to invent a backdoor solution that could be used to defeat security on other iPhones. As iOS security specialist Jonathan Zdziarski points out, the backdoor will have to be tested and documented like any other new product. A court could require Apple to demonstrate that the new software does what Apple claims. This could involve providing the court with a copy for independent testing. And while the government promises to only use the backdoor solution on one iPhone, Apple reports that “law enforcement agents around the country have already said they have hundreds of iPhones they want Apple to unlock if the FBI wins this case.” Keep in mind that the courts often rely on precedent when making new rulings. The development of a backdoor for the iPhone at the government’s behest could open a Pandora’s box.

The government’s argument that compelling Apple to break iPhone security does not place an unreasonable burden on Apple is silly. The government reasons that since Apple regularly develops phone software, and the government is willing to reimburse Apple for the effort, then asking Apple to develop this particular phone software can’t be an unreasonable burden.

However, that completely ignores the real issue.

Apple isn’t refusing because it believes developing a backdoor solution would be too difficult. Nor is Apple saying that it can’t spare the resources to help with a terrorist investigation. Apple is essentially refusing to: 1. publicly demonstrate that its privacy protection can be defeated; 2. develop software that will undoubtedly invite more requests to help defeat iPhone security; and 3. damage its reputation as a company that takes its customers’ privacy so seriously that it even denies itself access to their private data.

The government’s motion is like asking a company that makes vaults to demonstrate that it can break into one of its own products. The designer of a specific model probably knows that model’s weaknesses and, therefore, the best strategy for cracking it open. But requiring the manufacturer to break into one of its own vaults increases the risk to customers who rely on the same model to protect their valuables and undermines the company’s business going forward. The burden is not the time and effort needed to crack open one vault, it’s the damage to the company’s reputation.

The government’s illegitimate demands

Apple exists for the benefit of its investors, customers, and employees. However, as Congressman Ted Lieu said, "This FBI court order, by compelling a private sector company to write new software, is essentially making that company an arm of law-enforcement. Private sector companies are not -- and should not be -- an arm of government or law enforcement."

There is another aspect of this case that is troubling. Law enforcement officials have been demanding that makers of encryption devices be required to give law enforcement and national security agencies the ability to decrypt secret communications enabled by their devices. They have observed that (outside of government) encryption tools are often used by criminals, terrorists and spies. However, their demand ignores the experience that criminals will obtain encryption tools illegally just as they obtain guns illegally. It also suggests that they see privacy as a privilege to be dispensed or withdrawn as the government pleases.

The government is being extremely arrogant about this case. It ridicules Apple’s position by calling it a "marketing strategy" -- as if Apple could not possibly have any legitimate concerns and is merely pulling a PR stunt. However, the government’s campaign to force Apple to develop a backdoor solution could also be dismissed as a "marketing strategy." It distracts attention from the government’s failure to detect a couple with connections to "other people of interest to the authorities." And how is it that a townhouse containing thousands of rounds of ammunition and material for making more than a dozen bombs went unnoticed?

Perhaps it’s time to recognize that protecting private information and detecting planned terrorist attacks are both legitimate crime prevention activities.

This article is published as part of the IDG Contributor Network.