The ongoing battle between Apple and the FBI took a new turn this week with the announcement that the FBI managed to unlock an iPhone belonging to one of the San Bernardino shooters. This was done without the help of Apple and has only increased ongoing tensions between law enforcement and the tech industry. UMass Law Professor Shaun Spencer offers his reaction to the battle being watched by anyone and everyone who owns a smartphone.
Does Apple have a case to make that the government should show how they were able to hack an iPhone?
SS: The Obama administration created an internal process for deciding when to reveal to software vendors that the government has discovered a so-called "zero-day vulnerability" -- a vulnerability that is unknown to the vendor and therefore easy for hackers to exploit. The administration created this process in 2010, the same year in which the NSA used the Stuxnet virus to damage Iran's nuclear enrichment facilities. Stuxnet relied on several zero-day vulnerabilities, including a Windows operating system vulnerability that affected millions of computers worldwide. As the administration recognizes, zero-day vulnerabilities can pose grave threats to our economy and national security.
In 2014, the administration announced that it had "reinvigorated" its policy on disclosing zero-day vulnerabilities, called the Vulnerabilities Equities Process. The administration says that it generally discloses zero-day vulnerabilities to vendors promptly. However, the policy contains an exception for vulnerabilities with a clear national security or law enforcement use. As White House Cybersecurity Coordinator Michael Daniel explained in 2014, factors that affect the administration's disclosure decision include the threat that the vulnerability poses to critical internet infrastructure, the risk that criminals or foreign powers could exploit the vulnerability to cause significant harm, and the intelligence benefit that the government could secure by delaying disclosure.
It's hard to predict what the administration will do in the iPhone case because we don't know exactly how the FBI defeated the security feature triggered by ten incorrect guesses at the iPhone’s password. If the workaround requires physical possession of the targeted phone, as appears likely, it would pose less risk than a software tool that could attack iPhones remotely. Assuming that the workaround requires physical possession, the administration might disclose the vulnerability to Apple eventually, but not before it has used it to extract information from encrypted iPhones in some of the most serious criminal investigations in which it has seized encrypted iPhones.
If you were advising a tech company that was advocating for stronger privacy/encryption rights, what would you suggest they lobby for? In other words, how can privacy rights in terms of technology be strengthened?
SS: Rather than asking how to lobby for encryption rights, I'd turn the question around. The starting point should be that technology companies are free to create the most secure encryption tools possible, and that the government bears the burden of justifying any limitation on encryption. In 2015, the Obama administration pushed for legislation requiring technology companies to build "back doors" to allow government access to encrypted data for law enforcement or national security purposes. Ultimately, however, a coalition of technology companies and privacy advocates resisted that push, and the administration backed off of its position, at least for now.
Are tech companies and consumers fighting a losing battle in protecting their privacy in the world of hacking and cyber-attacks?
SS: Privacy is certainly under attack as our lives become increasingly digitized and interconnected. Mobile computing and the internet of things offer many conveniences, but they also increase the risk of both accidental and intentional data breaches. Encryption is an important tool to minimize that risk. In fact, most states' data breach notification laws contain exemptions for encrypted data. So I don't think the battle for privacy is lost by any means. It's ongoing.
About Shaun Spencer
UMass Law Professor Spencer teaches Privacy Law and Legal Skills I-III, and also directs the law school's Legal Skills Program. His research interests include privacy law and policy and the empirical analysis of legal writing. Before joining UMass Law, Professor Spencer was a Lecturer at Harvard Law School and an Adjunct Professor at Boston College Law School, and worked as a litigator at Boston's Bingham, Dana & Gould, now part of Morgan Lewis.