Real security begins at home (on your smartphone)
What a difference a couple of years has made. The Department of Justice’s Office of Inspector General (OIG) released a report in March on the FBI’s internal handling of issue of whether the Bureau truly needed Apple’s assistance. The report makes clear that, despite what the Bureau said in its court filings, the FBI hadn’t explored every alternative, including consultation with outside technology vendors, in cracking the security of the iPhone in question. The report also seemed to suggest that some department heads in the government agency were less concerned with the information that might be on that particular device than they were with setting a general precedent in court. Their goal? To establish as a legal precedent that Apple and other vendors have a general obligation to develop and apply technologies to crack the very digital security measures they so painstakingly implemented to protect their users.
In the aftermath of that report, and in heartening display of bipartisanship, Republican and Democratic members of Congress came together last week to introduce a new bill, the Secure Data Act of 2018, aimed at limiting the ability of federal agencies to seek court orders broadly requiring Apple and other technology vendors to help breach their own security technologies. (The bill would exclude court orders based on the comparatively narrow Communications Assistance to Law Enforcement Act—a.k.a. CALEA, passed in 1994–which requires telecommunications companies to assist federal agencies in implementing targeted wiretaps.)
This isn’t the first time members of Congress in both parties have tried to limit the federal government’s ability to demand that tech vendors build “backdoors” into their products. Bills similar to this year’s Secure Data Act have been introduced a couple of times before in recent years. What makes this year’s bill different, though, is the less-than-flattering light cast by the OIG report. (The bill’s sponsors have expressly said as much.) At the very least the report makes clear that the FBI’s own bureaucratic handling of the research into whether technical solutions were available to hack the locked iPhone led to both confusion as to what was possible and to delays in resolving that confusion.
But worse than that is the report’s suggestion that some technologically challenged FBI department heads didn’t even know how to frame (or parse) the questions about whether the agency possessed, or had access to, technical solutions to crack the iPhone’s problem. And even worse is the report’s account that at least some Bureau leaders may not even have wanted to discover such a technical was already available—because that discovery could undermine litigation they hoped would establish Apple’s (and other vendors’) general obligation to hack their own digital security if a court orders them to. As the report puts it:
After the outside vendor successfully demonstrated its technique to the FBI in late March, [Executive Assistant Director Amy] Hess learned of an alleged disagreement between the CEAU [Cryptographic and Electronic Analysis Unit] and ROU [Remote Operations Unit] Chiefs over the use of this technique to exploit the Farook iPhone – the ROU Chief wanted to use capabilities available to national security programs, and the CEAU Chief did not. She became concerned that the CEAU Chief did not seem to want to find a technical solution, and that perhaps he knew of a solution but remained silent in order to pursue his own agenda of obtaining a favorable court ruling against Apple. According to EAD Hess, the problem with the Farook iPhone encryption was the “poster child” case for the Going Dark challenge.
There’s a lot to unpack here, and one key question is whether “capabilities available to national security programs” — that is, technologies used for FBI’s counterintelligence programs — can and should be used in pursing criminal investigations and prosecutions. (If such technologies are used in criminal cases, the technologies may have to be revealed as part of court proceedings, which would bother the counterintelligence personnel in the FBI who don’t want to publicize the tools they use.) But the case against Apple Inc. was based on a blanket assertion by FBI that neither its technical divisions nor the vendors the agency works with had access to any technical measures to break into Farook’s company-issued iPhone. (Farook had destroyed his personal iPhones, and the FBI’s eventually successful unlocking of his employer-issued phone apparently produced no evidence relating to the terrorist plot.)
Was the problem just bureaucratic miscommunication? The OIG report concludes that this was the fundamental source of internal misunderstandings about whether FBI did have access to technical solutions that didn’t require drafting Apple into compelled cooperation to crack their own security. (The report recommends some structural reforms to address this.) And certainly there’s evidence in the report that miscommunication plus the occasional lack of technical understanding did create problems within the Bureau.
But the OIG report also suggests that some individuals within the Bureau actually may have preferred to be able to argue that the FBI didn’t have any alternative but to seek to compel Apple’s technical assistance:
The CEAU Chief told the OIG that, after the outside vendor came forward [with a technical solution], he became frustrated that the case against Apple could no longer go forward, and he vented his frustration to the ROU Chief. He acknowledged that during this conversation between the two, he expressed disappointment that the ROU Chief had engaged an outside vendor to assist with the Farook iPhone, asking the ROU Chief, “Why did you do that for?” According to the CEAU Chief, his unit did not ask CEAU’s partners to check with their outside vendors. CEAU was only interested in knowing what their partners had in hand – indicating that checking with “everybody” did not include OTD’s trusted vendors, at least in the CEAU Chief’s mind.
I have to note here, of course, that the FBI has consistently opposed strong encryption and other essential digital-security technologies since the “Crypto Wars” of the 1990s. This isn’t due to any significant failures of the agency to acquire evidence it needs; instead, it’s due to the FBI’s fears that its ability to capture digital evidence of any sort may someday be significantly hindered by encryption and other security tech. That opposition to strong security tech has been baked into FBI culture for a while, and it’s at the root of agency’s fears of “the Going Dark challenge.”
Let’s be real: it’s not clear that encryption will ever be the problem the FBI thinks it is, given that we live in what law professor Peter Swire has called “The Golden Age of Surveillance.” But if the day that digital-security technology significantly hinders criminal investigations ever does come, then it would be appropriate for Congress to consider whether CALEA should be updated, or whether a new CALEA-like framework for technology companies like Apple should be enacted.
But that day hasn’t come yet. That’s why I favor passage of the Secure Data Act of 2018 — it would limit federal agencies’ ability to impose general-purpose technology mandates through the courts’ interpretation of a two-century-old ambiguous statute. (Among other features, the Act also would effectively clarify that that the All Writs Act, general-purpose statutory provision from 18th century can’t be invoked all by itself to compel technology companies to undermine the very digital security measures they’ve been working so hard to strengthen.) In the long term, our security (in both cyberspace and meatspace) is going to depend much more on whether we all have technical tools that protect our information and data than it will depend on the FBI’s has a legal mandate compelling Apple to hack into our iPhones.
Of course, I may be wrong about this. But I share Apple CEO Tim Cook’s argument that this public-policy issue ought to be fully debated by our lawmakers, which is a better venue for policy development than a lawsuit filed based on a single dramatic incident like the terrorist attack in San Bernardino.
Image credit: wutzkohphoto