
RSA Conference 2016: Apple 'goofed' in data encryption fight with FBI

SAN FRANCISCO — The debate on privacy vs. national security triggered by the recent Apple/FBI controversy lit up RSA Conference 2016, provoking sharp disagreement among panelists at one well-attended keynote. Leading cryptographer Adi Shamir said Apple had “goofed” and should have complied with the FBI, while data encryption expert Moxie Marlinspike applauded Apple’s stance, arguing that the company is performing a civic service by defying a court order.

The remarks came during Tuesday morning’s Cryptographers’ Panel, made up of pioneers and experts in the field of cryptography, which also included Martin Hellman, Professor Emeritus of Electrical Engineering at Stanford University, and Whitfield Diffie, cryptographer and security expert at Cryptomathic, both of whom received the 2015 A.M. Turing Award, or what moderator Paul Kocher of Rambus described as “the Nobel Prize for computer science.”

At the center of the panel discussion: the federal court’s ordering of Apple to help the FBI unlock the iPhone of one of the shooters in the Dec. 2, 2015, San Bernardino, Calif., terrorist massacre by creating new software to access the iPhone’s data. The FBI argues that refusing to do so compromises national safety, while Apple argues complying would create a “backdoor” that could set a precedent for creating systems to circumvent security.

The panel’s question: What impact will the possibility of technology companies being compelled by courts to create a tool that circumvents the security of their products have on national safety?

Most of the panel sided with Apple, saying that such compulsion would compromise national security.

MIT professor Ronald Rivest, who also heads the Cryptography and Information Security research group at MIT’s Computer Science and Artificial Intelligence Laboratory, said that compelling tech companies to provide extra keys or ways to dismantle their products’ security mechanisms is a can of worms unless Congress passes legislation that addresses thorny questions.

“Suppose we lived where this compelling can be done. Under what circumstances can this be done? How is the tradeoff done? Can anyone be compelled to do anything? Congress has to pass the law,” said Rivest, adding that the greater good of the country depends on both strong security and citizens’ right to have private conversations.

Hellman agreed, but added that he sympathizes with the FBI’s frustration and understands that its interest is not just in getting access to the data on a particular device, but in preventing crime.

“I think [FBI Director] Jim Comey is wrong, but we need to have a discussion on what is right for the country as opposed to what’s right for individual agencies,” he said.

Shamir, professor of computer science at the Weizmann Institute of Science in Israel, was alone in opposition, saying that while he is aware of the possibility of this case setting a precedent, the FBI is asking Apple to do something very specific.

“The FBI will give Apple a particular phone … to do something Apple is capable of doing,” he said. “It has nothing to do with placing backdoors in millions of phones throughout the world.”

Shamir added that he believes the FBI has the advantage over Apple in this instance and that the tech giant made several “goofs.”

First, he argued, Apple made the argument that it is technically unable to help the federal agency with the investigation, but the argument failed because the FBI was able to point out specifically how Apple would be able to do so: create custom iOS software that would bypass or disable the iPhone’s security mechanism that limits how many times incorrect passwords can be entered.

“[Apple should] put out a new, updated system that will really prevent the FBI from [compelling Apple] to help them in the future, so that it is really able to make the argument,” Shamir said.

The second mistake Apple made, he said, is picking the wrong battle in what has been an ongoing issue while the FBI picked the ideal one to force its position.

“Almost everything is aligned in favor of the FBI. Even though Apple has encountered this in other previous cases, they decided not to comply this time,” he said. Apple should have complied this time and waited for a better “test case,” one in which its odds are better, Shamir added.

Marlinspike, founder of Open Whisper Systems, a nonprofit company that develops encryption software, aligned with the rest of the group.

Had FBI officials been able to access the data on the device, they likely would not have found much – there probably would not have been anything incriminating on the device; plus, the FBI already has a wealth of evidence, he said.

“The FBI already has all the certified call logs from cell phone carriers. It already has access to [the phone’s] iCloud backup,” said Marlinspike. “What the FBI seems to be saying is, ‘We need this because we might be missing something.’ … And the FBI seems to be saying we should consider their surveillance capability as something that is for our social good, and I don’t necessarily think this is true,” he said.

He put the Apple vs. FBI dispute on par with the legalization of marijuana and the legalization of gay marriage.

“How do we know we wanted to legalize marijuana if no one had been able to successfully consume marijuana because our laws had been perfectly enforced? … These developments would not have been possible without the possibility to break the law,” he said.

Join the conversation



That's a great point that we are not hearing much about – the FBI likely has a ton of additional evidence. This whole Apple vs. FBI thing comes across to me as a mostly politically-motivated situation. Law enforcement and pro big government politicians are going to keep at it until they get their way with this whole encryption thing. The good news is that our industry has a lot of smart people who will figure out alternatives in the name of liberty.
Strikes me as more Apple cock-up than FBI conspiracy. 
The terrorists in this case are dead. So the FBI does not need more evidence against them (although arguably against any remaining cohorts). Several others have already come forward to request access to locked iPhones - various police departments as well as a family asking to unlock the photos on their dead son's iPhone. This is a VERY slippery slope that we really need to think through and understand all of the ramifications (particularly long-term) rather than respond to in a knee-jerk reaction.

Interesting discussion, but in my opinion the key comment was from Professor Rivest, "...unless Congress passes legislation that addresses thorny questions." I believe Prof. Rivest is correct, because the basic question of security vs. privacy is, over time, going to result in allowing Law Enforcement (LE) access to the SW used in mobile devices, including IoT units. This access will not only be driven by U.S. LE agencies, but internationally as well, perhaps UK where the debate has been reopened or China where it will be mandated just to do business there.

The real question is the structure used to provide this access to LE under controlled and monitored conditions. This topic should be the center of the debate.

Agreed that much of the debate should concern possible future legislation, but that might not turn out to be very important. Passage of legislation is only one of at least two and possibly as many as four phases.

First, a law is passed. But second, it must be signed by the President. Or it might be vetoed, after which it must be passed with enough majority to override. And even then it probably must withstand Constitutional challenges.

For the complete sequence, it's important to have competent Representatives and Senators. (It's not clear if the American public can oblige.) And a President must have the interests of the nation in mind. (And much of the American public, at least currently, seems not to care about that.) Finally, Supreme Court Justices who will maintain Constitutional integrity need to be nominated and approved. (By some "outsider" President and Congresspersons who have little understanding of federal processes? Ummm...)

I'm not sure if any debate about it will include reason to any recognizable degree.