The "San Bernardino iPhone" has become a significant test case on the boundary between privacy and safety, corporations and government. Let's examine the battle between Apple and the FBI, and discuss the implications for healthcare...
Just after 11am on Wednesday, December 2, 2015, several 911 calls reported shots fired at the Inland Regional Center, a state-run facility for people with developmental disabilities, in San Bernardino, California. By 2pm police confirmed that 14 people had been killed, 17 (ultimately 22) wounded, suspects on the loose. By 3:30pm a shootout exchanging hundreds of rounds was reported on a residential street less than two miles away, the two suspects killed within and near a rented SUV quickly surrounded by the authorities.
The two shooters were identified as county health inspector Syed Rizwan Farook, 28, and his wife Tashfeen Malik, 27. Syed calmly left a holiday party with his coworkers at the Inland Regional Center and returned fully armed and in combat gear with his wife; they fired 75 rounds into the crowded room and fled, leaving three unexploded pipe bombs. Subsequent search of the SUV and a townhouse in nearby Redlands revealed weapons, tactical gear, ammunition, and explosives; search of their Lexus sedan discovered an intact iPhone 5c.
The Terrorists’ Telephone
By January the FBI investigation was in full swing, but encountered a frustrating glitch: unlocking the suspects’ personal data from the recovered smartphone. Although Apple was subpoenaed to provide backed-up iCloud data (and complied), the FBI nonetheless asked San Bernardino County, the owner of the work phone, to reset its iCloud password to gain access to that same info—which proved to be more than six weeks old. The amateurish mistake precluded access to more recent data, precipitating a much more significant ask.
Because the iPhone operating system is designed to delete all data on the device after 10 failed password attempts, and because Apple insists that the encryption key is contained within each device and is therefore only accessible with the password, the FBI has asked Apple to disable the feature so the prodigal iPhone 5c can be hacked and the personal data on it recovered. But to do that, Apple would have to alter the code on the software itself, creating a “backdoor” potentially allowing all iPhones to be hacked in the same way.
Apple denied the FBI request, resulting in a February 16th U.S. District Court order to provide “reasonable technical assistance” to the agency. The very next day Tim Cook, Apple CEO, issued a strongly worded “Message to Our Customers”: “The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”
The Raging Debate
The tech industry rallied quickly and almost entirely unilaterally. The CEOs of Whatsapp, Twitter, and Google applauded Cook and his message, while the “Reform Government Surveillance” initiative, with members from AOL and Apple to Dropbox, LinkedIn, Twitter, and Yahoo issued a statement opposing the creation of backdoor software. Unexpected support also came from an unlikely source, as Tom Hayden, ex-NSA and CIA Chief, insisted that America is more secure with unbreakable end-to-end encryption.
The political response not surprisingly fell largely along partisan lines, Senator Tom Cotton (R-Arkansas) representing the sentiment on the right with his assertion that “Apple chose to protect a dead ISIS terrorist’s privacy over the security of the American people,” while Senator Ron Wyden (D-Oregon) insisted that the surveillance precedent would ultimately be more dangerous to the American people than mandating ubiquitous data transparency. President Obama made no statement, instead creating a new cybersecurity commission.
Meanwhile the presidential candidates, locked in heated contests on both sides of aisle, used the Apple/FBI battle as a platform for their personal positions on the country’s hottest and most contested topic, terrorism. The GOP debates cast Apple as the self-righteous, self-serving obstructionist, while Clinton and Sanders refused to express a definitive opinion, both suggesting “compromise” without citing any specifics as to how the seemingly intractable divide between government and tech could be meaningfully negotiated.
By February 19th the situation had heated to the point the Department of Justice filed its own motion against Apple, alleging marketing gimmick, citing a 1977 ruling against the New York Telephone Company, and insisting the Circuit Court order “does not mean the end of privacy.” Trump not surprisingly fueled the hysteria with an outright call to boycott Apple, while less bombastic dialogue continued with Tim Cook and FBI Director James Comey both invited to testify directly before Congress and state their respective positions.
Interestingly enough, Bill Gates suggested that the ongoing Apple/FBI battle has less to do with a foundational conflict between privacy and safety, and more to do with merely providing important data on demand. “This is a specific case where the government is asking for access to information. They are not asking for some general thing, they are asking for a particular case. It is no different than should anybody ever have been able to tell the phone company to get information, should anybody be able to get at bank records.”
Compromise & Complexity
The American people generally agree, a Pew Research study revealing that 51% along surprisingly bipartisan lines favor the Justice Department and implore Apple to unlock the iPhone. Despite all the confusion regarding technological feasibility, corporate responsibility, governmental jurisdiction, and the delicate balance between privacy, personal liberty, and societal security, many believe some sort of compromise is necessary and inevitable. A few days later, Tim Cook sent an internal email to Apple employees that points in this direction.
“It does not feel right to be on the opposite side of the government in a case centering on the freedoms and liberties that government is meant to protect,” Cook wrote. “We feel the best way forward would be for the government to withdraw its demands… and, as some in Congress have proposed, form a commission or other panel of experts on intelligence, technology and civil liberties to discuss the implications for law enforcement, national security, privacy and personal freedoms. Apple would gladly participate in such an effort.”
Along these lines Senator Mark Warner (D-Virginia) and Representative Michael McCaul (R-Texas) have proposed introducing a bill to form a special commission on encryption in the style of the 9/11 Commission. The goal would be to gather all key stakeholders together so that law enforcement and companies responsible for communications and encryption technology “stop talking past each other.” Exactly how end-to-end encryption can be guaranteed while giving the government access to personal data remains to be seen.
Sensitive to the ongoing controversy, Cook went on a PR blitz midweek and did a half hour interview on ABC news. Stressing the importance of Apple’s position and the danger of over-simplification, he nonetheless expressed confidence that the issue could be resolved amicably. Meanwhile, The New York Times reported that Apple is actually working on new encryption technology that would make it impossible to unlock their devices, if successful precluding the government’s ability to access personal data barring judicial action.
Despite Gates’ words to the contrary, Microsoft just expressed “wholehearted” support for Apple, as the company continues to beef up iCloud security, and just issued a motion to vacate the DOJs court order. Clearly the battle will only heat up further as the two respective sides consolidate and throw down their respective versions of Constitutional Law: As blogger Bruce Schneier has observed, the government sees the challenge in terms of privacy vs. security, while the tech industry sees it as a security vs surveillance debate.
“Either everyone gets security or no one does,” insists Bruce. “Either everyone gets access or no one does. The current case is about a single iPhone 5c, but the precedent it sets will apply to all smartphones, computers, cars and everything the Internet of Things promises. The danger is that the court’s demands will pave the way to the FBI forcing Apple and others to reduce the security levels of their smart phones and computers, as well as the security of cars, medical devices, homes, and everything else that will soon be computerized.”
Crypto War & Peace
Alf Whitehead, SVP of Technology at Klick, categorically agrees. “There is no such thing as a backdoor that only works for the good guys. Any backdoor built for the FBI will inevitably be used and abused by other agencies, other governments, and other individuals. Rich Mogull at Securosis was right on the money, asking the question this way: “Do we have a right to security? If you think that the answer is ‘yes,’ then you must necessarily be opposed to backdoors, in any form, for whatever reason. The issue is clear: Privacy is too important.”
But what about national security? A terrorist with WMD? “Every piece of cryptography ever devised is susceptible to ‘rubber hose cryptanalysis,’ implying a suspect is ‘beaten with a rubber hose’ until he gives up his password. While I certainly would not advocate such extreme measures, legal measures can be put in place to compel people to reveal their keys. This allows for judicial oversight and presents a barrier to widespread abuse by the state—they can only target those worth targeting, without jeopardizing everyone’s security.”
Do you think Apple is sincere? “This seems to be Tim Cook’s personal mission,” says Alf. “Protecting customers is worth picking this fight. If they give in, then their products will be shunned by anyone who takes data security seriously. Business consequences could also be severe, especially in Europe after they tore up the Safe Harbour agreement over concerns about US spying on EU citizens. If Apple is forced to open its products, it’s conceivable that they (and other American manufacturers) could lose access to EU and other markets.”
What about Bill Gates’ suggestion? Can’t Apple just decrypt the iPhone and give the government the information it wants? “The FBI likely doesn’t want to turn criminal evidence over to a corporation,” says Alf. “And Apple likely doesn’t trust that their hack could safely stay inside their research facilities. Evidence suggests that intelligence agencies around the world have already built their own hacking kits that exploit this device flaw, while others allege the NSA tampers with US tech, putting American citizens and companies at risk.”
What are the implications for healthcare companies? “Pharmas and med device companies should be paying close attention to this, and to the breakdown of trust between the US and the EU on issues of privacy. The EU guarantees the right at a constitutional level, while the US has a fragmented system covering people on a sector-by-sector basis of the economy. This mismatch, combined with US government efforts that weaken the security of American tech, could lead to loss of access to important markets, and the rise of overseas competitors.”
The topline precedent is also significant, and potentially dire. “If Apple can’t secure a backdoor, then no one can,” warns Alf. “So you won’t be able to build them into any digital asset, or medical device, or piece of technology that you create. Such vulnerabilities are unacceptable in any industry, but especially in healthcare. If we take patient and institutional privacy seriously, if HIPAA and data security retain any meaning for healthcare payers and providers, then the industry needs to support the tech platforms that help guarantee it.”
Although John McAfee was nice enough to offer to hack the terrorists’ iPhone and get Apple off the hook, the gesture begs the question of data vulnerability. In our post-Snowden era the Crypto War rages on a whole new level, Spy vs. Spy and hacker against hacker, the stubbornness of cracking enormous prime factors our only leg to stand on. Until someone solves the Reimann Hypothesis and perhaps builds a prime number generator we at least have the math—but what’s done with it is still a legal question, one best not left to the courts.
Confidence from Klick
Does your healthcare partner understand the science, communications, and tech of data security? Are you confident that your digital partner can help keep your data safe, and your experts properly informed? The stakes have never been higher, nor the uncertainties greater. Not a day goes by without significant and often transformative changes to the people, platforms, and processes central to keeping your data compliant and secure, and your customers information private and safe. Email Alf with questions to get the answers.
“It would be wrong for the government to force us to be a backdoor into our products. Ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.” – Tim Cook