



Why the feds’ iPhone-cracking loss is our gain

Mar 01, 2016 | 4 mins
Data and Information Security, Encryption, Government

The government has been blocked not only from cracking open an iPhone, but from eroding encryption -- and personal privacy -- as we know it


Now that a federal judge has ruled against the government in one of the iPhone unlocking cases — remember, it turns out multiple iPhones were involved, not just the “terrorist iPhone” — it looks like a rare victory has been scored for the right to privacy.

If the case stands, we’ve been spared the establishment of a terrible precedent.

As you may know, the FBI asked for a special version of the iPhone’s OS that would not wipe the device after 10 failed password attempts. But if other judges take a different path than in yesterday’s ruling on a similar case involving an alleged drug dealer — and support the FBI — what would stand in the way of all sorts of electronic invasions of privacy? An invasion that would begin, of course, with the weakening of encryption itself.

We’ve all heard the arguments on both sides about providing encryption backdoors. What no one talks about is that the bad guys don’t need to use the weak version that the government would like to make the default on every personal device. Real, dedicated criminals will use good encryption, so the only people left with weak encryption would mostly be law-abiding citizens.

You can’t have a relatively secure Internet without guaranteed, good encryption. Are you tired of malicious hackers and malware complicating your computing life? Ultimately, encryption is the only solution to provide strong authentication and to prevent unauthorized snooping. Without good encryption, neither of those protections is possible.

Law enforcement will tell you that you’ll be given “strong” encryption that only it can break. Law enforcement will tell you that your information and identity will be safe unless it requests it using a court-issued subpoena, and then only under extraordinary circumstances.

Fat chance. Consider that yesterday’s ruling was not based on the iPhone in the San Bernardino case, but on another iPhone involved in an entirely separate drug case. The government’s argument started with “just this once to investigate terrorism” — and very quickly it was revealed that at least a dozen other phones were involved, on top of 70 earlier cases that Apple had not fought. Many district attorneys revealed that they had hundreds of subpoenas ready to file if Apple had been forced to comply. Next stop, traffic violations.

Let’s review the top three reasons why government should not have the ability to create backdoors through whatever means:

  1. Once a backdoor is created, you can’t guarantee that only authorized parties will use it. Computer history is replete with cases where a “hidden” backdoor was used by criminal hackers or cyber spies.
  2. Often, the information the government captures and stores is unrelated to illegal activity, but it’s gobbled up and stored just the same. And guess what? The government is terrible at securing such data. Consider the Office of Personnel Management break-in, which exposed personal information about everyone who has ever applied for a security clearance (even decades ago). There’s no more detailed information about your life possible. Now it’s out there.
  3. Another big reason: corporate survival. Apple is on the right side of the argument from a moral standpoint, but you can bet financial concerns loom large as well. America’s corporations are losing tens of billions of dollars in business due to our government’s proven ability to snoop, particularly in the cloud. That fundamental concern is scaring away international customers. I hear it in my own conversations with customers nearly every week.

If American vendors are required to install backdoors, it will hurt our most popular brands and companies, not just Apple. It will hurt their bottom lines, stock prices, and employee livelihoods.

Meanwhile, no one can stop the freight train that is good, “unapproved” encryption. It’s marching on despite what governments want. The really bad guys will use good encryption despite what the masses are instructed to do. People like me, privacy advocates, will continue to use good encryption, especially if we know our underlying protocols and devices can’t be trusted.

Remember, don’t buy the argument that leaving good encryption intact means that law enforcement agencies won’t be able to prosecute bad people. It just eliminates one tool in their ever-expanding toolkits. Law enforcement was able to convict lots of people in the days before digital communications and will continue to do so after encryption closes those pathways.

There is a basic human right for people to be able to keep their information, conversations, and communications private. Without it there can be no true freedom. And when push comes to shove, freedom must win in a civilized society.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
