Encryption Compromise: A Fleeting DreamWhy There Is No Middle Ground Between Apple, Government on Creating a Backdoor
The U.S. Justice Department's appeal of a court order that the government can't compel Apple to unlock an iPhone used by an accused drug dealer is significant because it sets in motion a process that could lead to a Supreme Court ruling on whether mobile device makers must give law enforcement a backdoor to circumvent encryption.
See Also: Passwords Alone Aren't Enough
Congress, meanwhile, is exploring whether an elusive legislative compromise can be found to give law enforcement or intelligence agencies access to critical evidence hidden on locked devices while safeguarding the security and privacy of individuals who use those devices. But don't expect Congress to act before the courts, and don't expect a resolution of the matter anytime soon.
On March 7, the Justice Department argued in filing its appeal that a federal magistrate in Brooklyn, N.Y., erred when he refused to order Apple to unlock the drug dealer's iPhone (see Apple Wins Legal Round Over Unlocking a 2nd iPhone ).
"Apple is not being asked to do anything it does not currently have the capability to do," federal prosecutors said in their filing. "Apple has used that capability dozens of times, in response to lawful court orders like the one sought here, with no claim that doing so put customer data or privacy in harm's way."
Differing Opinions from 2 Magistrates
Magistrate James Orenstein in New York on Feb. 29 said the government's interpretation of a 1789 law called the All Writs Act was too broad, noting that Apple isn't doing anything to prevent the government from unlocking the iPhone. In a similar case, Magistrate Sheri Pym in California approved a DoJ order, citing the All Writs Act, to require Apple to help the FBI crack open the iPhone of the San Bernardino shoot, who killed 14 people. Apple is appealing Pym's order (see Apple, FBI Draw Lines in Crypto Battle).
As both cases navigate through the appellate process, the ultimate arbiter could be the Supreme Court, but any decision could be years away. "The courts are slow to act on current legal matters that are impacting the area of security and privacy as it takes time to flesh out these matters," says cybersecurity lawyer Chris Pierson, CISO at invoicing and payments provider Viewpost.
Congress is getting into the act. The leaders of the Senate Intelligence Committee, Republican Richard Burr of North Carolina and Democrat Dianne Feinstein of California, are drafting a bill to require companies to comply with court orders to decrypt data and crack passwords.
U.S. lawmakers aren't alone in seeking to compel vendors to decrypt data under certain circumstances. French parliamentary deputies, defying government wishes, last week voted in favor of penalizing smartphone makers who fail to cooperate in terrorism inquiries, according to the French news service Agence France Presse.
Commission on a Mission
House Homeland Security Chairman Michael McCaul, R-Texas, and Senate Intelligence Committee member Mark Warner, D-Va., propose that Congress create a bipartisan commission of experts from the tech industry, intelligence community and privacy advocacy groups to identify a compromise.
But in the coming months, expect theatrics from Congress, not legislating.
"You've got Congress in a position where, yes, you'll see a lot of theater and it will be exciting and dramatic, but no congressman is going to want to enter an election year saying 'I voted for terrorism'," James Lewis, a cybersecurity expert at the think tank Center for Strategic and International Studies, says in a Steptoe Cyberlaw Podcast. "And, that's how it will be spun, so this will never come to a vote."
The idea of the commission arose even before the latest dispute between Apple and the government. But the commission is doomed to fail because a compromise is all but unimaginable. "There is no solution; get over it," podcast host Stewart Baker, former Department of Homeland Security assistant secretary for policy and National Security Agency general counsel, advises lawmakers.
What If Apple Keeps the Phone?
The idea that comes closest to a potential compromise is offered by security expert Martin Libicki of the think tank Rand, who suggests: "What about if Apple breaks the phone, keeps the phone and just hands over the data? Then, no one (except Apple) will be the wiser about how it was done? (Not that I'm advocating as much because there are other issues such as privacy, but ... )"
Apple would likely rebuff Libicki's idea. Apple CEO Tim Cook has said it's unacceptable to have the U.S. government ask "us for something we simply do not have, and something we consider too dangerous to create ... [building] a backdoor to the iPhone."
The main argument against requiring Apple to create a backdoor is that once done, others - criminals, terrorists and nation-state adversaries - could exploit it. "I cannot build an access mechanism that only works in the presence of a certain legal document, or only for a person who receives a paycheck from a certain agency, or only for a citizen of a certain country," cryptographer and cybersecurity author Bruce Schneier says. "By definition, technical access mechanisms can be used by anyone."
Hundreds of Foreign-Made Encryption Tools
Even if the U.S. government requires vendors decrypt their devices under court order, the bad guys can still use foreign-made encryption products beyond the jurisdiction of American authorities. Schneier last month in his blog identified 412 encryption products made outside the U.S. that are readily available for use.
Still, some security experts express faith that the best and brightest from government and industry can find that enigmatic compromise. "Don't give up on the creative energies of people of good will in law enforcement and the tech industry," says Bruce McConnell, global vice president of the think tank EastWest Institute and a former senior cybersecurity policymaker at DHS.
But I cannot envision how such a compromise would look. Can you?