I'm not sure what was the bigger bombshell this week: a federal judge's order to Apple to help the FBI unlock the iPhone used by one of the shooters in the San Bernardino, Calif., massacre in December, or Apple chief executive Tim Cook's public letter to customers vowing opposition. Or anything audacious Republican presidential candidate Donald Trump had to say -- on this latest episode in the long-running battle between the government and Silicon Valley on access to private data, or on anything else for that matter.
Both the government and Cook make valid arguments. The FBI says it needs Apple to create new software to get at the data in the phone of Syed Rizwan Farook, who together with his wife shot and killed 14 people at the county health department where he worked. The feds' objective: to find emails, texts, photos or other digital evidence that tie the couple to terrorist group Islamic State. The Apple fight is about software privacy. Cook holds that hacking the phone is tantamount to creating a "backdoor," or a way to circumvent encryption controls.
"Once created," Cook wrote in the letter on Apple's website Tuesday, "the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks -- from restaurants and banks to stores and homes."
The White House tried to calm the feverish debate Wednesday, with spokesman Josh Earnest insisting that the government wants access to just a single device and is not asking Apple to "create a new backdoor to its products."
The Apple fight is far from over. Apple has vowed to appeal -- Reuters reports it has until Feb. 26 to respond to the court order -- and the case could conceivably be on a many-months-long journey to the Supreme Court. Meanwhile, politicians are calling for laws that would require phone manufacturers to install backdoors in their devices. The implications for today's organizations are enormous.
"If people know that there are backdoors that exist, they are going to find ways to get in," said Khalid Kark, a director in Deloitte's CIO research program. "Who's going to be responsible for those breaches, and who's going to be responsible for the sharing of the private and personal information that comes out of it?"
CIO case for no backdoors
While Kark believes the government is rightly doing what it can to investigate the San Bernardino case, it may be heading into dangerous territory. Forcing Apple to comply and help the FBI obtain the phone data, could, as Cook fears, pave the way for criminals to tunnel into the iPhones of millions of users. That's enough to make CIOs, who safeguard vast networks threaded with mobile devices against an ever-growing number of cyberthreats, even more jittery.
Worse for IT execs, Kark said, is the possible outcome of the precedent Cook and many in the tech community fear the Apple case would set: encryption-scuttling features on every device.
"If I were a CIO, I would be concerned about intellectual property that is housed in my operating system, in my servers, in my company," he said. "How secure would that information be that resides on my operating system, in my computers, in my company -- and especially in an environment where there is really serious global competition?"
If organizations can't protect their data, Kark said, they could lose their competitive advantage, and the whole economy could be at risk.
Laying down the law
For backdoors to be installed in smartphone software, the government needs legal backing, and right now it doesn't have it, said Johna Till Johnson, CEO and founder of Nemertes Research. There is a law that almost does it, she said -- the Communications Assistance for Law Enforcement Act, or CALEA. It was passed in 1994, during the Clinton administration, mandating that telecoms design their equipment to allow for government surveillance activities. So under the law, the government can get around encryption in communications networks but not on "endpoints" such as mobile devices.
"What the FBI is asking for is, in the absence of CALEA, 'Please do something that's very CALEA-like, and we promise to only use it once and it'll be fine,'" Johnson said. "And Tim Cook is saying, 'No -- sorry. You want me to comply with the law? Pass a law that I have to comply with.'"
Congress has debated legislation that would force U.S. tech companies to build backdoors into encrypted smartphones but hasn't made much progress. Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) of the Senate Intelligence Committee are working on a bill that would require companies to give the government access to encrypted information. Privacy rights advocate Sen. Ron Wyden (D-Ore.) said he expects more "dangerous" efforts this year.
Law or no law, some in the cybersecurity community think the government should lay off Apple. Gartner analyst Avivah Litan said the investigative tactic of forcing a tech company to help crack encryption makes no sense, because there are other encryption applications terrorists and cybercriminals can use to hide their communications.
"I just think they use these technology companies as an excuse not to do their own hard work," she said. "All the attention is focused on Apple or Google or Facebook. They should be better than that."
Good private investigators use a variety of methods to get the information they're looking for. Examining goods bought by Farook and his wife, Tashfeen Malik, interviewing everyone they've talked to publicly and privately -- such efforts could produce a password to the iPhone at the center of the case, obviating the need to enlist Apple, Litan said.
"Find somebody that knew these people that are willing to tell things in exchange for maybe some other immunity, who knows. Most good investigators don't rely on any single method."
CIO news roundup for week of Feb. 15
The Apple fight dominated, but other news grabbed headlines this week:
- AT&T will start testing its fifth-generation, or 5G, network in Austin, Texas, by the end of this year. The telecom was holding back on releasing plans on 5G, which will potentially offer customers Internet connection speeds of up to 10 to 100 times faster than the 4G connections they're used to, causing concern among analysts. AT&T's main rival, Verizon, said in September it would have its 5G network in place by 2017. John Donovan, chief strategy officer at AT&T, said the company wanted to ensure it had a system robust enough to handle cloud computing software and big data. "Everything we do has to do all of these things well," he said.
- IBM wants to make blockchain mainstream. Also known as "distributed ledger technology," blockchain technology underpins the digital currency bitcoin. It's a transaction database that lives on a vast network of machines, not in a centralized location. The idea is all parties can check every transaction, making, say, money transfers more reliable. On Tuesday, IBM launched what it's calling "blockchain as a service," which runs the technology in IBM's cloud, aiming for financial institutions as well as logistics companies as potential customers. The company is also contributing code and other resources to an open source project called Hyperledger, which is building blockchain-like software that can track the exchange of goods such as houses and cars.
- A U.K. startup is letting loose 20 hydrogen-powered vehicles for testing later this year. The Wales-based company Riversimple said the "revolutionary" Rasa will offer zero emissions and can get an astounding 250 mpg. The company said the car's braking system reverses its motors when engaged, in effect doubling as a power generator. How do you gas -- er, hydrogen -- it up? Riversimple is working with hydrogen fuel companies to put in stations, but first it needs drivers to subscribe. That's right. Instead of being for sale, the cars will be available, along with insurance, maintenance and fuel, for a monthly fee. Once it gets subscribers, refueling stations will be placed near customers' homes.
- A bug found in Twitter's password recovery system triggered the warning of around 10,000 users that their personal data could have been exposed. In a blog post, Michael Coates, trust and information security officer, said the bug affected the social networking site's systems for 24 hours and was patched soon after it was discovered. Twitter apologized for the incident and said is working with law enforcement to conduct an investigation.
Apple fight rallies fellow tech companies
Brian Madden on Apple-FBI showdown
How iOS data encryption and data protection work