This Apple situation is messy. The FBI chose a good battle ground. They know they probably don’t actually need anything on that specific phone. The shooter destroyed some other phones but left this one alone which indicates that he knew what type of data might be incriminating and this phone didn’t contain any. This phone was his business phone which means it belonged to his employer and he was employed by the local government. So a lot of the typical privacy arguments don’t apply here. He had signed a paper saying that his employer had a right to everything on that phone. So the government should have a right to get into the phone, right? Not quite…
All Apple phones (and lots of other brands too) are fully encrypted. If you don’t have the passcode, then not even Apple can break the encryption. Depending on the strength of your password, you potentially need more computing power than the world possesses right now to break the encryption. That’s a great thing, but there’s a loophole that the FBI is trying to exploit. They want Apple to create a custom version of the operating system that will allow them to guess the password to unlock the phone. Normally the operating system enforces a five second delay between guesses to make brute force guessing impractical. There’s also a limit on how many times you can guess incorrectly before the phone is completely locked forever. Those limits in the operating system can’t be easily removed. The phone is built so that it will only run an operating system that is digitally signed by Apple. This protects you against a lot of malware because there’s no way for an attacker to fake the digital signature. The government is trying to force Apple to create a one-off version of the operating system and sign it with their digital key. This would give the FBI the ability to try to guess the short password to unlock the phone. Once it’s unlocked then all the data is unencrypted and voila!
This sets a very scary precedent which basically says that no matter what great security and encryption measures a company puts in place, the government can force the company to break them. It’s a bad situation to be in because it doesn’t actually stop anyone from taking their security into their own hands and really keeping it safe. Additionally, this hurts American businesses because what other government is going to trust our products if they see a precedent like this get set?
This is a win-win for the FBI. If their request is granted, they have legally set an enormous precedent which gives them a huge amount of power. And if they lose, public outcry from less technical citizens will be for lawmakers to jump in and create some kind of “backdoor” loophole law for the future so that this kind of thing doesn’t happen again. This is probably an even worse situation than the legal precedent I just described in the last paragraph. If you create a back door or magic key to break security and encryption, you have effectively negated the benefits of that security system. The back door WILL be found by the bad guys and even worse, you won’t know when they find it or when they are using it. It’s impossible to create a perfectly secure back door.
The bottom line is what we should already know: if you have data that you need to protect, you need to be responsible for protecting your data. It is possible for you to encrypt and protect your data so that nobody else on the planet can break into it today. You’ll have to do your homework and keep up with the changes to keep improving and strengthening your process. Every year, computing power increases and we’re able to crack older security schemes.
Any issue like this is bound to get flamed into flames by the presidential election, but it’s good that people are talking about these topics. We need the courts to decide if it is our right to have data that is private or not. This case will go a long way toward deciding that. Hopefully, along the way, we’ll educate the general public about the pros and cons of the various outcomes instead of just inhaling the rhetoric from their side of the aisle. There’s no perfect answer but there are a lot of really bad ones that we need to avoid.
Apple vs DOJ
This Apple situation is messy. The FBI chose a good battle ground. They know they probably don’t actually need anything on that specific phone. The shooter destroyed some other phones but left this one alone which indicates that he knew what type of data might be incriminating and this phone didn’t contain any. This phone was his business phone which means it belonged to his employer and he was employed by the local government. So a lot of the typical privacy arguments don’t apply here. He had signed a paper saying that his employer had a right to everything on that phone. So the government should have a right to get into the phone, right? Not quite…
All Apple phones (and lots of other brands too) are fully encrypted. If you don’t have the passcode, then not even Apple can break the encryption. Depending on the strength of your password, you potentially need more computing power than the world possesses right now to break the encryption. That’s a great thing, but there’s a loophole that the FBI is trying to exploit. They want Apple to create a custom version of the operating system that will allow them to guess the password to unlock the phone. Normally the operating system enforces a five second delay between guesses to make brute force guessing impractical. There’s also a limit on how many times you can guess incorrectly before the phone is completely locked forever. Those limits in the operating system can’t be easily removed. The phone is built so that it will only run an operating system that is digitally signed by Apple. This protects you against a lot of malware because there’s no way for an attacker to fake the digital signature. The government is trying to force Apple to create a one-off version of the operating system and sign it with their digital key. This would give the FBI the ability to try to guess the short password to unlock the phone. Once it’s unlocked then all the data is unencrypted and voila!
This sets a very scary precedent which basically says that no matter what great security and encryption measures a company puts in place, the government can force the company to break them. It’s a bad situation to be in because it doesn’t actually stop anyone from taking their security into their own hands and really keeping it safe. Additionally, this hurts American businesses because what other government is going to trust our products if they see a precedent like this get set?
This is a win-win for the FBI. If their request is granted, they have legally set an enormous precedent which gives them a huge amount of power. And if they lose, public outcry from less technical citizens will be for lawmakers to jump in and create some kind of “backdoor” loophole law for the future so that this kind of thing doesn’t happen again. This is probably an even worse situation than the legal precedent I just described in the last paragraph. If you create a back door or magic key to break security and encryption, you have effectively negated the benefits of that security system. The back door WILL be found by the bad guys and even worse, you won’t know when they find it or when they are using it. It’s impossible to create a perfectly secure back door.
The bottom line is what we should already know: if you have data that you need to protect, you need to be responsible for protecting your data. It is possible for you to encrypt and protect your data so that nobody else on the planet can break into it today. You’ll have to do your homework and keep up with the changes to keep improving and strengthening your process. Every year, computing power increases and we’re able to crack older security schemes.
Any issue like this is bound to get flamed into flames by the presidential election, but it’s good that people are talking about these topics. We need the courts to decide if it is our right to have data that is private or not. This case will go a long way toward deciding that. Hopefully, along the way, we’ll educate the general public about the pros and cons of the various outcomes instead of just inhaling the rhetoric from their side of the aisle. There’s no perfect answer but there are a lot of really bad ones that we need to avoid.