Well done, you’ve done it. You have made security a priority in the product and services you provide. You have continuously reinforced to your customers that you will uphold and not compromise their privacy. They can trust you. Then the FBI knocks on your door and asks in the strongest possible terms if you would be willing to break your own security and let them in through the back door to see what one of your customers has been up to. What are you going to do?
This is the dilemma facing Apple right now in a story that has been all over the press in the last few days. The overview is that the FBI recovered an iPhone from a terrorist who killed 14 people and injured 22 in San Bernardino in 2015. This iPhone was locked with the regular 4-digit passcode that the FBI didn’t know, as the terrorist was shot and killed. The FBI have tried and failed to get into the phone so are now attempting to force Apple to circumvent their own security in order to gain access to it’s contents. Should Apple comply with their request? There are questions over the legality of this request. There are questions over if the request is technically possible: and there is a seemingly never ending stream of questions and opinions on the moral issues of this story.
Comments and thoughts have come from many on this issue, from Bill Gates and Donald Trump through to John McAffe, founder of the antivirus company that he gave his name to. The families of the victims of the terrorist incident have stated their thoughts and there are also protests happening in the US from the ‘hand off our phones’ campaign. What is the answer? I don’t know, but it will come to a head over time. What is more interesting to me and from the cyber security aspect is how Apple have prepared themselves for this very eventuality as their business model has gently evolved.
Both organisations here are secretive. Apple is corporately secretive and the FBI is secretive for the purpose of intelligence and national security. Should this atrocity have occurred in the days of the first iMac, the FBI would have taken the relevant technology and hacked into it. Apple would probably not have been involved. In the past 15 years (or more) more and more technology companies have transitioned to service providers. They now hold customers’ private data and communications. This is not the same as data about the customers – i.e. customer lists, but the day to day documents, photographs, messages and emails that belong to millions and millions of people. This evolving business model generates a huge amount of subscription based recurring service revenue for businesses but they can now be approached by the law enforcement agencies asking to see it.
If you are a service related company, housing data for your customers and you have got your security ratcheted up to a point that the FBI (or equivalent) cannot break it. What will you do when they come knocking at your door? Here we can learn from Apple who have a document on their website titled ‘Legal Process Guidelines’. This 15-page document is probably not on any ‘must read’ list however these guidelines, and I quote “are provided for use by law enforcement or other government entities in the U.S. when seeking information from Apple Inc. (“Apple”) about users of Apple’s products and services, or from Apple devices. Apple will update these Guidelines as necessary”. Apple has gone to great lengths and I’m sure to great legal expense to explain what data they hold, for how long, and what they can or cannot do.
Section I “Extracting Data from Passcode Locked iOS Devices” states that “For all devices running iOS 8.0 and later versions, Apple will not perform iOS data extractions as data extraction tools are no longer effective. The files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess” : Pretty clear eh? It goes on and on and on. If you consider that in 2015 Apple sold 231 million iPhones and according to their own statement posted on their website, they have never unlocked iPhones for law enforcement in the past. Have you, or your company got a document like this? If you are a business and you use many service providers it might be with doing an audit on them and see what their stance is should the FBI come knocking at their doors asking to see your data.
In this case Apple are clear what they hold, what the can access, what they can or cannot do. They are using security as a commercial differentiator and they have posted their legal process guidelines. Irrespective of how this story develops many technology companies that are providing more and more services to customers should look at what Apple has done in order to secure and protect its customers’ data not only from cyber attack but from law enforcement requests.