Ever since the first articles began appearing about the problem of terrorists “Going dark,” and long before the controversy concerning Apple and the FBI over the contents of ISIS-inspired murderer Syed Rizwan Farook’s iPhone 5c, I watched from the sidelines wondering whether and if to express observations or an opinion. It was like watching Kabuki theater day in and day out — for months on end. And it was a rare opportunity for everyone from lawyers who know nothing about technology, and technologists who know nothing about the law —and everyone in between—to offer up an opinion. I felt as if perhaps I might be the only subject matter expert (a cyber security lawyer, a forensic examiner, and erstwhile software engineer), with nothing novel to contribute.
As examples of the most spectacular commentaries, Apple, through its head of services, Eddy Cue, told us it wouldn’t be long before the FBI would force the technology company to surreptitiously turn on iPhone cameras and microphones, reported Univision. John McAffee, in an apparent bid to stay relevant, told us he would crack the decedent-terrorist’s iPhone gratis within a half hours’ time — and that he would eat a shoe on TV if he couldn’t. San Bernardino County District Attorney, Michael Ramos (yes, he passed the bar exam) urged in a court filing that Apple should assist the Government in accessing the iPhone because it, “May contain evidence . . . that it was used as a weapon to introduce a lying dormant cyber pathogen that . . . poses a threat to the citizens of San Bernardino County.” Edward Snowden, among others, speculated that there were extant backdoors or zero-day exploits available to the FBI or others to access the phone. Likewise, certain commentators assured us that black hat hackers could already extract data from an iPhone via “critical flaws” (and, of course, qualified such conclusory claims with, “I cannot publicly share specific details beyond this”). And one Central Florida sheriff pledged, "I can tell you, the first time we do have trouble getting into a cell phone, we're going to seek a court order [concerning] Apple. And when they deny us, I'm going to go lock the CEO of Apple up. I'll lock the rascal up!"
The controversy, which has been thematically cast as a tectonic collision between privacy and security in which one or the other must give way, is neither epic nor novel. Yet, I concede it is drama theater we must endure, if only because it brings attention to and sharpens important issues that may be unfamiliar to many.
This issue dates back at least to J. Edgar Hoover’s FBI intelligence gathering after World War II that continued until 1971, which led to the first Congressional investigations of the function and propriety of intelligence agencies’ activities. Then, just as now, technological developments resulted in a cat-and-mouse game between the Government’s intelligence programs and its subjects of surveillance.
That brings me to explain the ultimate thesis of this short commentary: the ability to communicate confidentially, as made possible by encryption, among other things, has become a cardinal tenet of information security needed to lubricate the engines of both commerce and government. The fact that criminals also rely this technology to obfuscate their criminal activity doesn’t mandate an attempt to monopolize or dismantle that technology overtly (as in through legislation or judicial imprimatur) and hope criminals won’t take notice or fail to adapt. They are resilient and resourceful and will adapt. And just because the Government might not be able to break the encryption (without great expense) is by no means the end of our civilized world. As has been true with all technological developments, just as one source of information has been foreclosed, new ones appear. Arguments to the contrary, I believe, are fueled just as much by laziness (i.e., resistance to innovation or adaption) as they are by a desire to serve and protect the public.
Prior to computer hard drives, law enforcement relied on banker boxes of papers. Although such evidence could be burned, leaving no trace, imagine the frustration of having to learn computer forensics and latent data recovery in order to access the same information that was once found on ordinary paper. That initial frustration must have led to euphoria when investigators soon learned that what criminals thought was deleted was, in fact, recoverable! Years later, solid state drives, defragmentation programs, and forensic wiping utilities robbed investigators of the fruits of favorite data recovery techniques. But, at the same time, mobile devices and cell tower data provided an even richer trove of evidentiary artifacts.
Now, many of those mobile devices use hardware encryption by default, encryption apps are ubiquitous, and there is a credible forecast that 70% of global Internet traffic will be encrypted this year. Yet, thanks to the so-called Internet-of-things and embedded devices, there are newly appearing repositories of information, including Internet-connected cars, airbag controllers that record speed and force of impacts, Internet-connected home heating and cooling systems that detect when homeowners have arrived home or departed, fitness devices with GPS and activity tracking, and many, many other devices. So, too, has surveillance in the public domain grown and improved exponentially. For example, grainy pictures of the escaped terrorist at the Brussels airport were recently circulated to the public for possible identification. Thirty years ago, this would have been unlikely. And a few years from now, the number and resolution quality of such cameras will be significantly improved. So, just as mobile devices are increasingly out of reach of law enforcement, new evidentiary sources are appearing everywhere. Law enforcement, just as the criminals, must innovate. And so, the cat-and-mouse game will continue with or without judicial or legislative intervention.
And that is why the FBI’s withdrawal of its request for the Court to deputize Apple, resulting from a third-party’s proffered solution, is not the denouement of this drama. Now, competing legislative proposals (e.g., proposed by Richard Burr (R-NC) or John McCain (R-AZ)) are being drafted to provide the Government with a back door (thereby providing plausible deniability for Apple, WhatsApp, and other companies in failing to voluntarily assist the Government). The notion that such measures would enhance national security seems to me, without studying the issue further, illusory. Certainly, some criminals would resort to using an app compromised by such legislation (just as some do so now by using unencrypted text messaging, for example), but tech-savvy criminals will resort to rooting the phone and utilizing cipher suites or non-commercial cryptology solutions from outside the U.S.
Recently, committee members of the House Energy and Commerce and Judiciary committees formed a working group on encryption. More promising was that House Homeland Security Chairman Mike McCaul (R-Tex) and Mark Warner (D-Va) of the Senate Intelligence Committee introduced talk of bill to create an Encryption Commission to analyze this subject. The panel would consist of computer scientists, cryptography experts, law enforcement, tech execs, intelligence officials, privacy and civil liberty advocates. In my view, this is the proper ecumenical gathering to address the subject, and I believe that they will do so in the context outlined above.