For those interested in such things, there is a background dispute going on between Apple and the FBI with regard to the former helping the latter to unlock a phone belonging one of those involved in the San Bernardino shootings where 14 people died. The only person who has said anything interesting was Bill Gates and even then what he said was misrepresented by negligent reporting.
What he actually indicated was that “We need to have a discussion about these issues” and he is right because once again we have society coming face to face with an issue that didn’t exist before our “digital age” and new thinking is required.
The Line Up
On the one hand we have Law Enforcement wanting to gather as much intelligence on the two shooters who were eventually killed in a shoot out. They were obviously guilty, may well have acted alone but may have not and in closing the case, they (FBI), are looking for any relevant information some of which may be on the recovered iPhone.
On the other side we have Apple Inc who say that the private information on their customers Apple devices should always be secure and anyway, that is what they (Apple), have promised them. In addition they don’t have an existing built in “backdoor” to circumvent the security so they would have to write a special O/S to achieve the objective and once they have cracked it once, how many more requests/demands would there be not just in the US but also overseas, this is not a one off event. Obviously there are commercial considerations here for Apple as well as any “moral/ethical” principles, however, with China as a major growth area for them and a regime that won’t be shy to bend Apple into any shape they wish, reality intervenes.
Now on the face of it, neither side is being unreasonable however, neither side is grasping the real nature of the debate which must include the wider society we all live in. Such a debate must be a proper one where everybody understands what is at stake and further than that, fully understands what measures will be required to achieve a mutually satisfactory outcome.
A Lack of Trust a Lack of Common Sense
For those who don’t trust the “Authorities” to hold the line, they are correct, once any ‘tool’ exists which may ease their way, it will be abused by them. In the UK we had Surveillance Laws intended as part of an anti terrorist package used by local councils to spy on what time people put their bins out. So no, general dispensations aren’t the answer, you must be very specific and have a legal process with external approval requirements, there can be no chance of internal approval being all that is needed by Police or Intelligence Services.
On the other hand if a company like Apple sells a device that even they cannot crack open if required, this is to say the least naïve given the uses to which these devices can be put. All manufacturers and indeed all consumers must accept that whilst their privacy needs to be fully respected, there will inevitably be occasions when it cannot be guaranteed not just because of terrorism but also because of other purely criminal activities.
I thought that Apple put themselves totally at risk with regard to their overseas sales when in reply to the Court ruling they submitted the following which is an admission that it can be done: “If a purpose-built operating system such as the one the government seeks here got into the wrong hands it would open a significant new avenue of attack, undermining the security protections that Apple spent years developing to protect its customers.”
My Personal Take On This
I would suggest that all manufacturers of devices need to ensure that they are capable of unlocking their own devices if required. More than this, their customers need to know and understand that this is the case and take note when using these devices. The problem is that customers can be extremely dumb, they buy a ‘solution’ such as a 4 wheel drive vehicle to use in bad weather but continue to drive badly expecting the ‘system’ to compensate for their incompetence instead of doing the smart thing and learning how to use it properly. Tell customers that their data is totally secure and they will then set out through their own daft behaviour to make it insecure instead of working within the limitations. Much better that they are told that it is only by sticking to “these rules” that they can ensure that their data is safe.
The idea that a manufacturer would produce something that they cannot crack open themselves is frankly grotesque, such thinking can never be allowed to exist inside companies that may become involved in robotics for example. Imagine the parallel argument: “We cannot allow the robot to be hacked, we have therefore ensured that not even we can hack our own product once it goes live”. Now wouldn’t that just be as stupid as it gets ? What happens if the thing decides to go ape and become a “Killer Robot” and runs amok in Downtown San Francisco ?
Both Apple and Google want to get into driver less cars which are really robots of a kind. We have had this week Nissan withdraw a smartphone app which could could be used to remotely attack an all electric Nissan Leaf car: http://www.wired.co.uk/news/archive/2016-02/24/nissan-car-hacked
Okay, all that they could do was hack the heating system which could have disabled the car by running its battery down. In the above instance I have no doubt Apple would claim that it proves their point that any “backdoor” or vulnerability could also be hacked by people with malevolent intent. This is true but how does Apple not being able to hack their own products and yet the “bad boys” will anyway in due course, help either them or their customers ? Sorry, I think they are talking nonsense.
Systems and Structures
The following are just my thoughts and are offered for discussion purposes rather than proposing any particular solution in great detail, it should also be noted that what I propose is purely in a “British/UK” context, this may not work elsewhere because the political and cultural environments will vary.
All that said my approach is pretty simple, Apple may well as an American company within the borders of the USA argue their case through the Courts but this option will not always be open to them in other jurisdictions. The point is that once nations decide that fully encrypted devices are contrary to their national security whether internal or external then device manufacturers will be faced with compliance directives or outright bans on sales of their products.
One of the problems often faced is that during an investigation, the Police may seize property for examination and because it is just part of a jigsaw in a process then hang on to it. Eventually because this is “Real Life” stuff as opposed a one hour TV drama, they hang on to it for so long that even they forget they have it, the property in question may just as well have been confiscated outright. This is obviously not suitable, let alone even half efficient when it comes to electronic devices, either they contain relevant information or not and in the latter case, need to be returned to their owners quickly.
In the UK one might consider setting up a totally independent body dedicated to “Digital Forensics” but overseen and directed by a committee that includes Judges. This body would need to be totally independent of both the Police, Government and all their Agencies, it’s purpose would be to act as a backstop to the privacy of the citizen. Fully staffed with appropriate technical people, if a request was approved and a device handed in, it would be examined and the detailed report handed back to the Managing Committee who would either pass it on in full if they thought it appropriate because of content discovered or declare it “Nothing to Report” and return the device back to the owner directly.
Obviously there are many details that I haven’t covered here but one of the benefits of such an approach would be that device manufacturers would have a single source of contact within the UK and only have one group to train on their devices.
This is neither a simple or easy problem to solve because there is “Right” on both sides but it is a problem that will only grow in the years ahead so we really should be thinking about the issues raised right now, this is just the tip of a rather large iceberg.