This week, Apple CEO Tim Cook wrote an open letter describing why Apple was resisting a request from the FBI to provide a method to gain “back door” access to the iPhone, as part of an ongoing investigation into the San Bernardino mass attack on Dec. 2, 2015. The mass shooting and attempted bombing, carried out by Syed Rizwan Farook and Tashfeen Malik, killed 14, wounded 22, and is considered to be the worst terror attack on U.S. soil since the September 11 attacks some 15 years before.
Details surrounding Farook and Malik ultimately suggested that they were, as FBI Director James Comey described, violent, homegrown extremists who were inspired by foreign terrorist organizations. The big question was whether the pair were part of a larger terror organization, so their every communication was examined in close detail. Until they hit one of the shooter’s iPhones.
The FBI was unable to unlock the phone, due to the point-to-point encryption it provides, specifically in its Messages app. Texts and pictures could be obtained by service providers. And Apple had cooperated and provided any information the shooters had left on the iCloud data storage service. But that wasn’t enough; the phone remained a mystery, as did any communications on it that might provide a glimpse into how the shooters arranged their attack.
The FBI requested that Apple provide the agency with a way to break into the phone, which Apple declined to do. The FBI then went to a federal judge, who ordered Apple to provide access to the iPhone’s encrypted data. Apple has resisted that order.
Apple’s CEO Tim Cook explained the company’s position in an open letter to the public. He wrote that what the FBI wanted was for Apple to write new software that would enable “back door” entrance into iPhones in general, all so that the data on the shooter’s phone could be accessed. Apple’s contention is that once such software is written, if it were to fall into the wrong hands, any iPhone’s security could be compromised. Just writing the software at all compromises not only the specific iPhone in question, but iPhones in general. By obeying the FBI’s request, Apple would be putting its entire iPhone user base—which currently is around 100 million iPhones—at risk.
Since then, the CEOs of Google, Facebook and Twitter have all come out in support of Cook and Apple, noting that even in the noble effort to fight crime and to prevent future terror attacks, to require the willful compromising of an entire technology’s security protocols is simply a step too far against the public’s right to privacy.
It’s a thorny issue. On one hand, there is the desire to sacrifice a little liberty—as we have already done in the past—to provide better security for everyone. On the other hand, there are significant concerns that this sacrifice might create problems that are actually bigger and wider-reaching than the ones the FBI is trying to combat.
From a compliance standpoint, this is something worth watching, as the outcome of this dispute is by no means settled. Given a company’s responsibility for protecting customer data, and the liabilities that arise in data breaches (to say nothing of the cost per record that results from a data breach), the kind of security a device like an iPhone provides makes data easier to secure across the board, and makes the task of data compliance much easier. Should the FBI prevail, then one could argue that there is no form of data protection that cannot be back-doored should authorities deem it necessary. How this might impact areas of specially protected data, such as health care records, deserves special consideration.
At some point, there needs to be a cost of risk imposed on this. The San Bernardino attack caused a huge amount of horror and mayhem. And yet, similar—if not larger—numbers of people are hurt and killed in vehicular accidents every day, and it is not a national cause for action. And while one naturally wants to support our federal law enforcement, no federal agency has a perfect track record. One need only look to last year’s Animas River spill, caused accidentally by the Environmental Protection Agency, to wonder…what if the FBI created a similar disaster with data security? A saying about roads paved with good intentions comes to mind.
How badly data security ought to be compromised for the sake of physical security is a question not easily answered. But it is one that anybody who is responsible for data security at all should at least begin to ponder. One way or another, the showdown between Apple and the FBI will prove to be a moment long remembered.