Apple v FBI: The US Debates Privacy

Is there such a thing as security that  is so good that it's a danger to society? That's the bigger picture at hand as Apple continues to fight an order to unlock a terrorist's iPhone.

That fight made its way to Capitol Hill recently for a hearing in front of the House Judiciary Committee, the government body that covers matters relating to how law and order is enforced in the US.

Over the course of four meandering hours, representatives dived headfirst into the complexities of the case FBI director James Comey said is the most difficult issue he has ever had to deal with.

He told the committee that his organisation was seriously concerned by the growth of what law enforcement describe as "warrant-proof spaces" - the term given for methods of communication or storage that, even with the correct permission from the court, can't be accessed. Not by police and not by technology companies.

Apple has strong support among its users - and from the technology industry. "If we're going to move to a place where it's not possible to overcome that," Mr Comey warned, "that's a world we've never lived in before in the United States."

His demand that Apple assists his agency in weakening the iPhone's security was met with this from California Congresswoman Zoe Lofgren.
"The alternative [to strong encryption] is a world where nothing is private.

Apple was represented in this hearing by its lead counsel, Bruce Sewell.
Aside from customer letters, and a somewhat stage-managed interview with ABC, it's the first time the computing giant has been put under scrutiny over its refusal to comply with the FBI order.

Bruce Sewell said breaking into the iPhone would be dangerous. Sewell put in a strong performance thanks, largely, to the testimony of cryptology expert Prof Susan Landau - whose pivotal input I'll discuss later. Mr Sewell endured fierce exchanges with South Carolina Congressman Trey Gowdy, who was angry at what he deemed a lack of cooperation in this controversial case.

How is it possible, the Congressman offered, to live in a world where the FBI has the authority to stick a finger up someone's rear in search of drugs, but not the power to look at the locked iPhone of that same suspect? There's no simple answer to that, of course, though Apple might contest that law enforcement's capability to carry out such physically intrusive actions doesn't increase the general public's risk of exposure to an unruly finger or two.

But, crass comparison aside, Congressman Gowdy's heated questioning eventually arrived at this key point - if Apple won't comply with this order, he thinks the company must at least be forthcoming in sharing what it is actually prepared to do.

In a similar vein, the session's sound-bite moment came from the mouth of Congressman Jim Sensenbrenner, who scolded Apple for having the audacity to demand Congress do something without offering any solution itself.

"All you've been doing is saying 'no… no no'," the Congressman said.
"You're operating in a vacuum…You've told us what you don't like. You haven't told us one thing about what you do like. When are we going to hear about what you do like so Apple has a positive solution to what you are complaining about." Congress could, he added, continue unassisted by Apple, "but I can guarantee you aren't going to like the result".

Mother's diary
That's because, judging by some of the questioning during the session, some members of Congress consider it unfathomable that police cannot reach the information kept in Apple devices.

It's a barrier hindering many, many cases. Mr Comey could not say exactly how many phones the FBI wanted to unlock nationwide, other than that it was "a lot".

Later in the hearing, we learned that there are 205 locked iPhones currently held by police in New York alone.

We were reminded about a case involving Brittany Mills, an expectant mother who was shot and killed on her doorstep in Louisiana last year. Her baby boy died soon after. Ms. Mills - whose family attended the hearing - kept a personal diary on her phone that could contain crucial information about the murderer. The phone is locked, rendered unreachable by Apple's encryption software.

"I think about the nine-year-old girl who asked 'why can't they open the phone so we can see who killed my mother'," said Louisiana Congressman Cedric Richmond.

Mr Sewell said Apple had done a lot to help with that investigation, but without creating the kind of tool demanded by the FBI in the San Bernardino case, it would be unable to assist further.

Making a smarter FBI
But maybe someone else could?
Republican Congressman Darrell Issa - a favourite among tech enthusiasts thanks to his opposition to several bills considered to be anti-internet - gave Mr Comey a hard time over the process leading up to asking for Apple's help.

Mr Issa said the FBI had not explored all the options for accessing the data and circumventing Apple's security.

He said the FBI should be investing in bringing in people with that expertise, not relying on companies like Apple to do the work for them.
Point being - if the FBI could crack the phone itself, Apple's opposition would be irrelevant.

This call was backed up by the thoughts of Prof Landau, an independent cryptology expert who argued, with some force, that there was no way the FBI's request in San Bernardino could be carried out safely.

The so-called Islamic State has used encrypted app Telegram to announce attacks
She said that while Apple could no doubt keep the code required to crack Syed Farook's phone a secret, the real issue is what will happen when Apple is subjected to possibly hundreds of requests to do the same thing on other devices.

She said the surge of orders would mean Apple would need to create a faster process to handle the task, one that would by its nature be vulnerable to exploitation through interception, or perhaps a rogue employee.

Prof Landau insisted the only real course of action was for the FBI to invest heavily in becoming smarter - rather than compelling Apple to make its products less secure.

Because a weakened iPhone would have one critical side effect, she said. Criminals would simply use other, more secure methods to talk to each other - apps created by countries outside the US, offering encryption mechanisms even more secure than those offered by Apple currently.

Should that happen, the wishes of Congress matter not a jot.

"What you're saying," Congressman Jerrold Nadler asked Prof Landau, "is that we're debating something that's… undoable?
"That's right."

Ein News: 

« 8 in 10 IT Pros Believe Data Is Cloud Safer
Reduce Risk With Threat Intelligence »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Advenica

Advenica

Advenica develops, manufactures and sells innovative cybersecurity solutions for encryption and secure information exchange.

First National Technology Solutions (FNTS)

First National Technology Solutions (FNTS)

First National Technology Solutions is a leading provider of flexible, customized hosted and remote managed services including IT security and compliance.

Rhebo

Rhebo

Rhebo Industrial Protector monitors and ensures the continuous, correct, and predictable operation of real-time Industrial Control Systems to prevent outages and reduce downtimes.

Cyphercor

Cyphercor

Cyphercor is a leading smartphone and desktop-based two-factor authentication (2FA) provider.

Cyber Security Audit Corp (C3SA)

Cyber Security Audit Corp (C3SA)

C3SA specializes in architecting, operating, managing and improving defensible and resilient IT infrastructures for Canada's public and private sectors.

CyberDegrees.org

CyberDegrees.org

CyberDegrees.org aims to provide top-notch information for students seeking Cyber Security education and career guidance.

Swarmnetics

Swarmnetics

Swarmnetics helps customers discover hard-to-find software vulnerabilities by hacking your system before the bad guys do.

Swedish Incubators & Science Parks (SISP)

Swedish Incubators & Science Parks (SISP)

Swedish Incubators & Science Parks (SISP) is the Swedish industry association for Swedish incubators and science parks.

Isovalent

Isovalent

Isovalent deliver the most advanced Kubernetes networking & security capabilities to the most demanding of enterprise users.

Broadcom

Broadcom

Broadcom is a global technology leader that designs, develops and supplies a broad range of semiconductor and infrastructure software solutions.

Strata Identity

Strata Identity

Strata is pioneering identity orchestration to unify on-premises and cloud-based authentication and access systems for consistent identity management in multi-cloud environments.

GreenPages Technology Solutions

GreenPages Technology Solutions

GreenPages provide expert strategic guidance and proven cloud-era solutions for our clients. Every day we help organizations leverage the cloud securely with less risk and cost.

NPCERT

NPCERT

NPCERT is a team of Information Security experts formed to address the urgent need for the protection of national information and growing cybersecurity threat in Nepal.

CI-ISAC Australia

CI-ISAC Australia

CI-ISAC has been designed to support and promote existing legislation and Government initiatives that are working to uplift cyber resilience across critical infrastructure sectors.

Infinavate

Infinavate

Infinavate Fort CyberVault offers end-to-end services that comprehensively responds to the organization’s information security and privacy needs.

Smartcomply

Smartcomply

Smartcomply is an automated and AI-powered cybersecurity and compliance platform that aids businesses in reducing the time and money spent on cybersecurity and compliance.