When the FBI dropped its court case against Apple — an order to the tech company to help break into an iPhone in the San Bernardino, Calif., murder case — it left behind unresolved data privacy issues concerning millions of mobile device users.
The bureau sought the help of a partner it did not identify to crack the encryption on the iPhone used by one of the two shooters, Syed Rizwan Farook, but how did it do what Apple, its maker, has said would be hard even for it?
Who’s got the goods
That’s one of many things we just don’t know, said Forrester Research analyst Chris McClean. For example, the hackers could have found a weak spot in an old device — the iPhone 5C used by Farook and owned by his employer, the San Bernardino county government — that Apple has fixed with updated security features.
Or it could have found something else.
“We may hear details later that there’s maybe something more fundamental as a flaw that allows people to break into iPhones, and Apple still doesn’t know what it is,” McClean said. “If there are details that come like that, there would be a larger concern for sure.”
One theory is the FBI can use the key on other phones in other investigations. But federal agents would have to have it in their possession before using it.
Unless the hackers “made a whole lot of money off it,” McClean said, they probably didn’t hand the decryption method over to the FBI. They might do better to sell it to someone else — say, another government.
“I think that there would be an enormous price that they could put on an exploit like that,” McClean said.
A closer look at data privacy issues
A second, longer-term issue pits the ability of government to do investigations against citizens’ right to protect their data.
Two Capitol Hill lawmakers, Sen. Mark Warner (D-Va.) and Rep. Michael McCaul (R-Texas), are trying to build a commission that would study digital security and make recommendations on how Congress should balance security and privacy issues. And a group of private-sector executives and former government officials is pushing for a separate initiative to address the matter, called The Digital Equilibrium Project.
That’s the right way to go, McClean said, as long as the members understand the technology they’re going to be examining. They can learn, he said, since the groups will include technology experts among their members, and other, outside experts can help them understand things like passwords and how encryption works.
But doing an extensive study of technology is a race against the clock. McClean fears that by the time any commission is done working, mobile devices will have biometric features — which identify authorized users by their physical characteristics — and stronger encryption, making them even harder to crack.
“So all of the technology issues that we may discuss over the next year may be moot before they finally come up with any kind of guidance,” he said.
But commissions can still do good on data privacy issues. They just need to be equipped with the right people asking the right questions, McClean said. They’ll have to discuss the various types of data that investigations might want to examine as well as the types of data that users of mobile devices have the right to keep private. They would also do well to look at aspects of European privacy law, such as the “right to be forgotten,” which creates a legal duty to destroy or hide information if requested. In Europe, people are considered the owners of their private information.
“I don’t think we have that kind of viewpoint in the U.S.,” McClean said. “Hopefully, we get enough experts that understand all of the ethical, legal, technology boundaries.”