The legal battle between the FBI and Apple Inc. over the unlocking of San Bernardino shooter Syed Farook’s cell phone demonstrates the increasing willingness of U.S. technology giants to challenge the government over access to user data and has inspired a wider debate over information security and privacy laws. The changing nature of the global information industry has forced companies like Apple to find ways to comply with the often disparate policies of the countries in which they operate. At the same time, the U.S. government must determine how to balance policies best suited to meet the needs of domestic technology conglomerates with its own security interests.
The Apple case made headlines on Feb. 16 when a federal judge in Los Angeles ordered the company to help the FBI decrypt data on the iPhone owned by Farook, who along with his wife shot and killed 14 people in a sophisticated attack on an office holiday party Dec. 2. Apple responded to the judge’s order by announcing its intention to fight the decision in court.
Though treated as breaking news by most mainstream media outlets, the confrontation between Apple and the U.S. government has been more than a year in the making. In late 2014, Apple began encrypting all iPhone data and added security hardware to its newest devices. The company also began touting its products as being so secure that even Apple could not access the information within. The move elicited criticism from top U.S. officials, who feared it would hinder investigations related to national security.
Balancing Privacy and Law Enforcement
To understand the intricacies of the Apple case, it is important to understand the technology involved. Since most people use weak passwords inadequate for protecting data, the iPhone includes a measure known as a key derivation function that is designed to deter efforts to guess a password using a brute force technique. Brute force is a basic hacker method that essentially involves guessing passwords until one proves to be right.
Key derivation ties the encryption key needed to access the information on the phone directly to the user-created password. Each time an incorrect password is entered, the device imposes a delay before the next attempt can be made. The delays grow longer — up to an hour — with each incorrect guess. To avoid a lengthy wait, hackers will often try to circumvent the function by using a computer to generate a list of all potential keys. They then apply the keys to the encrypted information until one is successful.
But for the FBI, using a computer to crack Farook’s iPhone is not an option. Apple’s key derivation function requires the input of a second key unique to the device itself. That key is stored only on the phone’s physical hardware, and it cannot be accessed from anywhere else. As a result, the correct password must be entered on the phone itself to unlock its data. Without the second key, FBI analysts could encounter considerable delays in trying to hack Farook’s phone. In addition, too many incorrect password guesses could trigger an automatic and permanent erasure of the phone’s data.
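The mechanism described in the last three paragraphs can be sketched as a toy model. This is an added example, not Apple's code: PBKDF2-HMAC-SHA256 stands in for the phone's hardware-bound function, and the Device class, the delay schedule, the ten-guess erase threshold and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

ITERATIONS = 10_000  # assumed work factor, kept small so the sketch runs fast
# Assumed delay in seconds, indexed by failed-guess count; capped at one hour.
DELAY_SCHEDULE = (0, 0, 0, 0, 0, 60, 300, 900, 900, 3600)
MAX_ATTEMPTS = 10    # assumed threshold for the automatic erase


def derive_key(passcode: str, device_key: bytes) -> bytes:
    """Tie the encryption key to both the passcode and the device key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_key, ITERATIONS)


class Device:
    """Hypothetical phone: the device key is only reachable through unlock()."""

    def __init__(self, device_key: bytes, passcode: str):
        self._device_key = device_key
        self._expected = derive_key(passcode, device_key)
        self.failed = 0
        self.erased = False

    def delay_seconds(self) -> int:
        """Wait that would be imposed before the next guess is accepted."""
        return DELAY_SCHEDULE[min(self.failed, len(DELAY_SCHEDULE) - 1)]

    def unlock(self, guess: str) -> bool:
        if self.erased:
            return False
        candidate = derive_key(guess, self._device_key)
        if hmac.compare_digest(candidate, self._expected):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            # Destroying the key material leaves the encrypted data unreadable.
            self._device_key = self._expected = b""
            self.erased = True
        return False


if __name__ == "__main__":
    phone = Device(device_key=b"\x01" * 32, passcode="4821")  # constructed values
    # Same passcode, different device key: the derived keys do not match,
    # so a guess checked away from the phone cannot be verified.
    print(derive_key("4821", b"\x02" * 32) == derive_key("4821", b"\x01" * 32))
    for guess in ("0000", "1111", "2222", "3333", "4444"):
        phone.unlock(guess)
    print(phone.delay_seconds(), phone.unlock("4821"))
```

The model reports the delay rather than sleeping, so the escalation and the erase can be observed without waiting.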
And so, the FBI is not asking specifically for a way to get around the encryption protecting iPhone users’ data; it is asking for a way to get around the features that impede its efforts to guess Farook’s password. Technically, Apple has the ability to fulfill the FBI’s request. While the company does not maintain a record of every phone’s unique password, it does hold a master key making it possible for Apple to write software that would make it easier for an outside party to hack into an iPhone. The California court has ordered Apple to produce software specifically to help the FBI crack Farook’s phone.
The Dilemma of an Interconnected World
Certainly, Apple is not the first technology company to wrestle with how to handle law enforcement requests for help in surveilling and investigating its customers. However, the Farook case demonstrates how the interests of governments and major data companies are increasingly at odds.
In an era of networked global communications and commerce, information technologies serve as both a crucial resource and potential threat to governments. Many are struggling to find ways to protect their own data while simultaneously monitoring potential security concerns, all using the same infrastructure. Meanwhile, the expanding role of networked devices in the daily lives of billions of people has led to a growing consumer demand for data security and personal privacy, a demand increasingly incompatible with national security imperatives.
At one time, U.S. technology companies were the dominant source of information technologies that supported the Internet. But that is changing. Many countries began to develop new data security and privacy regulations after Edward Snowden leaked intelligence in 2013 detailing U.S. computer espionage activities that leveraged the domestic technology industry. Since then, U.S.-based technology corporations like Apple, Microsoft and Google have had to adapt to a variety of rapidly changing policy environments around the world.
China, for instance, has sped up the development and adoption of domestically produced technologies so that it can move away from those invented by U.S. companies. Beijing has also begun to more rigidly control its cyberspace in the name of national security. Both of these efforts could undermine the operations and competitive advantage of U.S. information companies doing business in China.
Meanwhile, under the guise of protecting its citizens, Russia has implemented a data localization law that would require certain companies to physically store digital information within its borders. And to the west, in response to privacy concerns raised by the Snowden leaks, the European Court of Justice has invalidated the Safe Harbor framework, which permitted the transfer of EU consumers’ data outside the boundaries of the bloc.
The U.S. Government vs. the Private Sector
In the United States, technology giants are becoming increasingly concerned by these developments, especially as consumers demand more privacy. Consequently, companies like Apple are leaning more heavily on data security features to market their products — a tactic that directly conflicts with the goals of U.S. intelligence and law enforcement agencies.
The Farook case has given Apple an opportunity to trumpet its efforts to protect user privacy. In doing so, the company is directly answering the concerns of the European Union, which has called for U.S. companies to negotiate a new Safe Harbor framework. It is also making the company’s stance clear to governments working to solidify their information policies. This is especially true of China, where a 2015 policy proposal raised fears that Beijing would demand that U.S. companies hand over sensitive intellectual property or give it the ability to bypass data security measures.
Apple is not the only company trying to address the changing global landscape by confronting the U.S. government over privacy. Since 2013, Microsoft has been caught up in a legal feud with the U.S. Justice Department after refusing to comply with a search warrant for email stored in a data center in Ireland. Despite being a U.S. company faced with a U.S. court order, Microsoft has insisted that Washington work with Dublin to gain access to the data.
In both cases, the companies involved could have chosen to simply comply with the court-mandated orders, a decision that would not have been unusual given the tech sector’s history of cooperation with law enforcement and intelligence agencies. However, the Apple and Microsoft cases touch on issues that are becoming increasingly important to consumers — and as a result, to their biggest suppliers. It is no surprise that other technology giants have been quick to back Apple in its battle with the FBI, whether by voicing support or echoing Apple’s rhetoric.
The highly publicized dispute highlights the persistent challenge that the United States faces in its information security policies: The government plays the role of a partner, not a leader, in that security. It relies on the private sector both for infrastructure and its data monitoring strategy, whether that cooperation is consciously undertaken or not. But as the global environment that U.S. technology companies have to navigate evolves, their willingness to publicly challenge Washington’s attempts to monitor information will likely grow. And so, regardless of how Apple’s legal dispute with the FBI plays out, it’s clear that the interests of U.S. technology companies will become increasingly less aligned with those of the government that regulates them.