Tech firms rally around Apple over encryption row with FBI
Google, WhatsApp, Facebook and Twitter have all come out in support of Apple’s refusal to hack into an iPhone 5C running iOS 9 used by San Bernardino gunman Syed Rizwan Farook.
A US judge has ordered Apple to create a custom firmware file to enable the FBI to bypass or disable the auto-erase function and brute force crack Farook’s iPhone passcode to access and decrypt data stored on the device, but the company says it will contest the order.
Google chief executive Sundar Pichai called the FBI’s request a “troubling precedent”, and said: “Forcing companies to enable hacking could compromise users’ privacy.”
“We build secure products to keep your information safe and we give law enforcement access to data based on valid legal orders, but that is wholly different from requiring companies to enable hacking of customer devices and data,” Pichai tweeted.
WhatsApp founder Jan Koum said he has always admired Apple CEO Tim Cook for his stance on privacy and Apple’s efforts to protect user data.
“We must not allow this dangerous precedent to be set. Today our freedom and our liberty is at stake,” he wrote in a post on Facebook.
“We oppose this order, which has implications far beyond the legal case at hand,” said Cook.
He said Apple was “shocked and outraged by the deadly act of terrorism in San Bernardino” in which Farook and his wife Tashfeen Malik killed 14 people when they opened fire on an office party on 2 December 2015.
But Cook said building a version of iOS that bypasses security in the way suggested by the FBI would “undeniably create a backdoor”. He added: “While the government may argue that its use would be limited to this case, there is no way to guarantee such control.”
Since September 2014, all data on Apple devices has been encrypted by default. Apple is one of several technology companies that have introduced encryption in an attempt to restore customer trust after whistleblower Edward Snowden’s revelations about government surveillance operations.
Facebook said in a statement that it also condemns terrorism. “Those who seek to praise, promote or plan terrorist acts have no place on our services,” the social networking firm said. “However, we will continue to fight aggressively against requirements for companies to weaken the security of their systems.
“These demands would create a chilling precedent and obstruct companies’ efforts to secure their products.”
In November 2015, Cook told the Telegraph that he believes strongly in end-to-end encryption with no backdoors.
“Any backdoor is a backdoor for everyone,” he said. “Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences.”
Cook is concerned that creating a tool to help the FBI with the San Bernardino investigation could lead to future misuse.
“The government suggests this tool could only be used once, on one phone,” he said. “But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices.
“In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks – from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”
David Emm, principal security researcher at Kaspersky Lab, said having a backdoor in a product or software is all well and good for law enforcement reasons, but “it’s a bit like leaving a key under your doormat for your friend”.
“It’s great for letting your friend in, but there is no guarantee it’s your friend who will find it, and not a burglar,” he added.
According to Emm, if governments had backdoors for Apple products, rogue organisations could obtain these backdoors and use them for nefarious purposes.
“It is for this reason that this request, and other similar charters, such as the UK government’s proposed Investigatory Powers Bill, are flawed and could potentially undermine not only individual privacy, but corporate or national security,” he said.
Balance security and privacy
Emm believes the key issue for society is to balance the interests of national security with the need for privacy.
“Encryption is vital to the security of online transactions, and is a key tool of personal and corporate security,” he said. “For this reason, it is dangerous to undermine it.”
Facebook, Google, Microsoft, Twitter and Yahoo have all expressed concerns about provisions in the UK’s draft Investigatory Powers Bill.
The authority to engage in computer network exploitation, or equipment interference, is a “step in the wrong direction” and would be a “very dangerous precedent to set” because it could involve the introduction of risks or vulnerabilities into products or services, the companies said in a written submission to the Joint Committee on the draft Investigatory Powers Bill inquiry, which published its report on 11 February, 2016.
Apple has said that if the bill is approved in its current form, it will “spark serious international conflicts” by forcing UK companies to break encryption, hack their customers and violate international laws.
Jacob Ginsberg, senior director at encryption company Echoworx, said technology firms are particularly concerned about the severe lack of clarity around encryption and bulk data collection in the draft bill.
“Businesses need to be reassured that backdoors will not be built into end-to-end encryption,” he said. “If this is not clearly defined, there will be huge financial implications for the UK economy as cloud and hosting companies will simply move their data to jurisdictions that the bill cannot influence.”
According to Ginsberg, whose company has made contingency plans to move its operations to Ireland if necessary, failure to ensure that the final version of the legislation provides enough assurances around privacy could destroy the UK’s data storage market, driving out more than £10bn worth of business.