The encryption quicksand into which Apple is sinking

As the encryption argument takes center stage in the ongoing Apple vs. the U.S. Government squabbles, a very important—and potentially destructive—change is taking place in security strategy.

As the encryption argument takes center stage in the ongoing Apple vs. the U.S. Government squabbles, a very important—and potentially destructive—change is taking place in security strategy.

The encryption and security thinking used to be focused solely on protecting a customer's data from cyberthieves and other bad guys attempting to break in. It then morphed to also see law enforcement as the attacker, putting in various defenses to keep out municipal, state, federal and global investigators, sometimes on fishing expeditions for any hint of wrongdoing.

Companies like Apple—and where Apple goes, the tech industry almost always follows—are now adding a new enemy to its to-be-protected-from list: itself. The theory goes that if Apple's best engineering can't break into its own devices, government court orders will be irrelevant. Apple can't be made to do what it can't physically do.

But this raises an interesting legal question. What if Apple goes out of its way to spend millions of dollars to develop a way to not able to do something? Is that intentional obstruction?

Look at it from a different perspective. Let's say that a well-financed drug dealer specifically knew that law enforcement wanted to look at particular financial records that he possessed. What if he created a massive vault that, upon a specific voice command in its owner's voice, would delete all access codes and disintegrate the vault's contents? (OK, if it could really disintegrate all of its contents, I suppose it wouldn't need to delete its codes. But drug dealers tend to opt for security redundancies.)

Could the act of creating such a vault and saying that command be considered defiance of the anticipated court order? Would it potentially constitute contempt of court?

We have discussed here why it's not a great idea to have the government dictating corporate encryption policies. But what the government is doing here is a lot more invasive than many people think. They are not asking for the encryption backdoor. They are instead asking Apple to use its engineers—at no cost to the government—to create security weaknesses that the government can exploit. Specifically, they are asking for a removal of the limit on the number of bad password attempts before the system locks up, as well as the removal of time limits between break-in attempts. With those two items gone, brute force attacks will inevitably be able to crack into the phone.

Mark Rasch is a former federal prosecutor, former head of the U.S. Justice Department's high-tech crimes unit and currently serves as the chief security evangelist for Verizon. Rasch argues that Apple—and anyone who follows them—are in the clear legally.

Here's the legal bottom line, from Rasch's perspective, which is not necessarily in accordance with the legal interpretations of current Justice Department lawyers or lawyers for the next administration's Justice Department.

Rasch's position: A court-ordered search warrant only applies to law enforcement. A search warrant to search a suspect's home allows law enforcement to search but does not require the homeowner to cooperate. The homeowner, Rasch argues, is fully within his rights to say, "Thanks, but I choose to not let you into my house." Law enforcement then has the right to smash the door in, but that order doesn't obligate the homeowner to do anything. A court order to a civilian would have to happen under the All Writs Act. The question then goes to whether the court has that power.

"Not cooperating and obstruction are different things. Obstruction in advance doesn't exist," Rasch said. "Nor does 'aiding and abetting a crime by not making it easy for me to solve crime.'" The closest Apple analogy would be if police had a valid search warrant and were trying to break into a suspect's home, Rasch said. The suspect in this scenario had so expertly reinforced all of the doors, windows and walls that police equipment—including battering rams—were ineffective.

What if police turned to a construction worker walking down the street and said "We want you to spend as many weeks as it takes to figure out a way to break into this house"? Even if the police offered to pay the worker a fair rate, does he have the obligation to comply? What if he doesn't want to spend weeks doing this? "The government wants to take the labor of Apple engineers without just compensation," Rasch said. And even getting just compensation—which is irrelevant in this case because "Apple doesn't want to get paid to do this"—is tricky.

"Apple doesn't want to take invading a customer's privacy and to turn it into a profit center," Rasch said. "And the government doesn't want to establish the precedent of having to pay people to comply with a court order." In short, as long as Apple doesn't do this to circumvent the search for a specific criminal act that they know about in advance (and no one has suggested that they are), crafting a way to lock themselves out permanently is legally sound.

Alas, it's not that simple. Consumers are maddeningly self-contradictory. They love the idea of Apple not having access, so that they Apple cannot violate their privacy even with a search warrant. But they hate the idea of Apple not having access if the consumer forgets his/her password and can't simply reset it. They want access to all of those photos and messages and videos no matter what and they expect Apple to be able to do that.

The typical response to sidestepping forgotten passwords is to go for biometric authentication. In theory, a consumer can't "forget" their retinas or their fingerprints. That is also not a perfect solution. What if the phone suffers some corruption and the phone can no longer match the consumer's biometric self with the phone's file? Again, they expect Apple to be able to swoop in and help.

That is the real problem. If Apple creates the perfect defense against itself, it can't comply with urgent requests from the government or it's customers.

Don't forget that in this specific case, the government wants to break into the iphone of Syed Rizwan Farook, one of the killers in the San Bernardino, Calif. shooting rampage. And his phone was not owned by him. It was owned by the county agency he worked for, and the county government—the true owner of that phone—has consented to the phone being searched.

That means that there is no privacy issue in this immediate case, although it's a certainty that privacy will crop up in other cases.

Rasch points out that had the county's IT folk been using a mobile device management product on county phones, this entire issue would have been avoided as the county would have had the employee's password. The question then comes back to Apple—and other technology players—and how far they are willing to go to thwart government inquires (to protect customers) when such efforts will also block those customers if they get accidentally locked out of their phones.

It's akin to CIOs who want no one to be able to get into an enterprise network without proper credentials, unless they are lost, in which case they want their vendors to be able to override and get in.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Evan Schuman

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place