
Should we go down the FBiOS rabbit hole? @ReveeliumBlog


The headlines have been soaring for the past 2 months over the Apple/FBI debate. We will not be going into the specifics of this particular case, but for those of you who have been living under a rock the whole time, here is a brief summary of the situation:

Following the San Bernardino shooting, the FBI came into possession of an iPhone used by one of the terrorists who killed 14 people last year on December 2nd. Suspecting the device might contain helpful information in the fight against terrorism, the FBI asked Apple to develop a new iOS version (or an FBiOS, as the media baptized it) capable of circumventing certain key iPhone security features. At the request of the Justice Department, a federal judge instructed Apple to assist law enforcement in unlocking cell phones whose contents are cryptographically protected.

The issue was taken to court and, while Apple was instructed to assist law enforcement, it blatantly refused to do so. Backed by technology giants such as Google and Facebook, Tim Cook, CEO of Apple, stated his position firmly: ‘this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession. Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control’. During his public relations campaign, Cook repeatedly pointed out the impact the court order could have on the privacy of iPhone users. Seeing as there are 110 million iPhone owners in the US alone (a little over a third of the entire US population), we can understand how that might upset some.

On the other hand, the FBI made quite a compelling case, invoking past situations when impenetrable iPhones were involved and lives were in danger. When the argument is national security and the fight against terrorism, the majority will give in to fear and renounce privacy in favor of security. At least, that is how the US government portrayed the FBI-Apple dispute: a battle meant to determine which of the two is more important. Would you rather feel safer or have more privacy? This question, however, demands a single answer, whereas one aspect cannot exclude the other. Less privacy doesn’t automatically equal more security; on the contrary.


Benjamin Benifei, our Legal Consultant at ITrust, states his opinion: ‘It is easy for public authorities to criticize data encryption. Opinions are fusing together in order to weaken encryption by legally stripping it of its use, enforcing the creation of hidden backdoors, or by simply forbidding it. That being said, what the general public needs to understand is that limiting data encryption will have a definite negative impact on our society. It will not achieve its goal of helping law enforcement agencies to fight terrorism, but will instead reinforce hackers’ chances to get a hold of our sensitive data, jeopardizing even more our security’.

We tend to see eye to eye with our consultant on this. A tension is now being created at the center of rising new technologies, a tension that was anticipated neither by device manufacturers nor by government and law enforcement agencies. The real dilemma here is not to define the exceptional cases when security trumps privacy, but this: how do we preserve both security and personal rights without hindering one or the other?

With this bigger picture in mind, it becomes easier to see that the FBiOS discussion was merely a pretext to bring forward the fact that there is no clear legislation around encryption in the US. In court, the All Writs Act cited by the FBI dates way back to the 1800s and no longer holds its validity more than 200 years later.

In the end, the FBI dropped its case against Apple and managed to recover the data on the terrorist’s iPhone via a ‘third party’ – represented, in fact, by a handful of professional hackers that the Federal Bureau had paid to do so. The method used by this third party is said to only unlock the iPhone 5C used by the San Bernardino shooter.

The resolution casts the entire case in a questionable light, but the turmoil it stirred up is only now starting to show its ramifications. A policy proposal aiming to weaken encryption, by forcing tech actors to override their own security features for the sake of law enforcement, was introduced by US senators not long ago. On the other side, the technology sector and privacy advocates form a united front in militating against its approval in Congress.

One thing is clear: the situation has yet to find its balance on US soil. On the topic, Benjamin also explains the legal status of encryption in France, treated similarly in 2004: ‘The LCEN (Loi pour la Confiance dans l’Economie Numérique; English: Bill for Building Confidence in the Digital Economy) bestowed upon French companies the complete liberty regarding their choice of employing encryption methods. Nevertheless, the bill restricts the way these means of encryption are imported, provided and exported (Art. 30 from the LCEN). Refusing to provide law enforcement agencies with an encryption key that was supposedly used to plan and/or commit crimes can be punished with a 3-year jail sentence, as well as with a fine of up to 75k€ (Art. 434-15-2 from the Penal Code). Public prosecutors and police officers are, thus, entitled to request that an individual or a company communicate all information useful in “revealing the truth”, including encryption keys (Art. 60-2 from the Criminal Procedure Code). Therefore, if a similar case were to happen in France, Apple would be legally bound to hand over its encryption key in order to decrypt the data’.


The matter of security and privacy in the context of encryption can be debated without end and, depending on where you stand, both opinions may seem reasonable. ‘The trick is then’, Benjamin adds, ‘to fully respect cybersecurity good practices and to apply end-to-end encryption, leaving the phone manufacturer outside of the loop where encryption is concerned.’

Considering this option, is Apple’s refusal to cooperate really a declaration of its commitment to user privacy? Or is it simply the tech giant’s way of distracting public attention from the fact that it is the only one to possess the encryption keys of all 700 million iPhones out there?

Link:

https://www.reveelium.com/en/fbios-rabbit-hole/