The Department of Justice-sponsored unlocking of the Apple iPhone used by one of the San Bernardino murderers without Apple’s help reaffirmed that an overly encryption-based cybersecurity emphasis remains misdirected. It’s always been true that “getting to unbreakable is impossible,” as Apple now says.
Until the hack, debate among cyber-libertarians and law-and-order folks centered over whether DoJ pressure on Apple to decrypt the phone was unconstitutional involuntary servitude and compelled speech, or something more akin to jury duty (which, OK, is objectionable to some libertarians too).
Back when the war on terror began, I personally was against creation of the Department of Homeland Security (so was George W. Bush, at first) and the Transportation Security Administration (TSA), regarding both as menaces to their appellations. Many in my camp firmly resist mass surveillance like license plate readers, public cameras and biometrics where incidental data gets retained. Kicking in Americans’ electronic “front doors” needs warrant-based compliance with the Fourth Amendment’s protections against unreasonable searches and a specific, named target.
The alternatives to targeted Bill of Rights-complaint warrants are all the NSA-style sweep-and-keep invasions we (well, some) really oppose. Government should restrict the liberty of enemies, criminals and specifically identified suspects—not that of innocent citizens, and DoJ’s specific demand at least left the rest of us alone. Plus the phone belonged not to the shooter, but to the San Bernardino government, which consented to access.
The predicaments, we were told, were compulsion against Apple to perform an oh-so-difficult hack, and the opening of an iPhone back door forevermore exploitable by others (leaving aside the contention of some that Apple had unlocked phones before San Bernardino).
Yet, that blanket rather than specific back doors exist was already and remains the problem, and Apple’s help was never needed.
It has never been solely DoJ that could crack the iPhone. That someone other than Apple, indeed someone even outside the DoJ (the Israeli firm Cellebrite), accessed the device is a wake-up call on the state of data security, and perhaps inadvertently undermines future claims of difficulty with respect to court order compliance. Last week in North Carolina I met a whiz kid who’d just sold a patent for making crappy auto-tune sound human instead of robotic; he claimed he could crack the iPhone if he set his mind to it, and we have no particular reason to doubt him–or others.
I favor untrammeled encryption and strong rights of anonymity. But the iron rule is there always is a backdoor in the cyberworld. One thing the turn of events represents (but that we already sensed), is that companies have no business making certain promises that can’t be kept; but this is something not always their fault. First, at bottom, the federal government doesn’t allow privacy and is the ultimate violator (old Peanuts cartoon: “Dear IRS: Please remove me from your mailing list”). Second, everything from personal devices to critical infrastructure to the Pentagon to Obamacare records remains vulnerable to escalating computational horsepower, and perhaps eventually to quantum computers for which a second is nearly an eternity (that’s my one concern about AI or artificial intelligence), trumping the latest and greatest encryption technology.
The Internet for better or worse is a commons designed for sharing rather than an owned asset someone can govern. I’d said back in 2001 that, “more fundamental than issues of regulation or etiquette is the simple fact that, on a common-property Internet, despite assurances from tech entrepreneurs, no one, government or business, stands in a position to certify privacy or security guarantees.” If there had been air-gapped splinternets with full-frontal authentication as part of America’s critical infrastructure development, maybe things could have been different and/or evolved differently. I’ll leave that to our descendants.
But there can be workarounds. Cybersecurity is about protecting data and identities, yet perhaps more about survivability; about making it not matter when you’re hacked.
Security policy must presume that information is capable of being breached; likewise conversations, even though Facebook’s WhatsApp and others will boast encryption presumably making compliance with court orders impossible (at least you can always row out into Boston Harbor to converse privately like our framers). Since things are being promised that cannot be promised on an open Internet, the emphasis may be increasingly what should accompany encryption as far as protections in a world of LifeLock-adjusted consumer expectations on the one hand, and punishments for perpetrators or stalkers on the other. There will always be encryption, but shortcomings and arm-race one upsman-ships might be filled by more cyber-insurance, energized third party monitoring and recovery assistance, punishment of perpetrators and stalkers, evolution of new liability products and services, white-hat hacking and cyber-vigilantism (within bounds), biometrics demonstrating “liveness” rather than emphasizing secrecy as Dorothy Denning puts it (my personal favorite), more complex authentication, and more private networks with greater excludability.
It is easy to over-emphasize online risks compared to offline hazards, such as leaving the front door wide open so that a well-dressed and -spoken someone can walk in and disconnect servers, ignoring eavesdroppers on the train, hiring temporary staff with minimal background checks while laying out big cash for cyber-research, or ordinary credit card theft. Recent reports contend ISIS supporters have been working inside the Brussels airport a decade and a half after September 11, back when, in federalizing airport security, the TSA gave jobs to dozens of screeners with criminal records and without full background checks.
When it comes to advancing security, Washinigton can as hapless as any private party. So it cannot be our primary a source of solutions, or worse, regulatory commandments. The federal government must allow the pursuit, including greater encryption, of experimentation in ever greater personal (and national) security.
The Apple incident will cause some rethinking. User agreements sometimes disclose that privacy guarantees are not absolute when warrants appear, and the “unbreakable is impossible” reckoning reiterates the limits of guarantees generally. If the iPhone didn’t already exist, and one of us mere mortals set out to invent and market it to the public, DoJ-style requests, despite legitimate questions of servitude or impossibility, are the first thing we’d anticipate before we could sell the first share of stock. They’d be prominent in Form 10-K business risk disclosures. WhatsApp and successors will grapple with the same.
Networks and personal lives can be structured such that attacks against networks, institutions, or one’s personal affairs are eminently survivable, not an Armageddon, as what protects secrecy evolves. Our greater need is the digital equivalent of the Fouth Amendment’s protections of our “persons, houses, papers, and effects.” Perhaps a 28th Amendment.
Originally posted at Forbes.