Encryption & Key Management , Next-Generation Technologies & Secure Development , Privacy
FBI-Apple Aftermath: Finding the Elusive CompromiseShifting the Debate Away from Backdoors
The FBI vs. Apple legal fray pitted security against privacy, with FBI Director James Comey and Apple CEO Tim Cook championing their respective causes.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
A truce, of sorts, is in place since the Justice Department earlier this week opted not to pursue a court order compelling Apple to help the FBI unlock the iPhone used by one of the San Bernardino shooters. The FBI cracked open the iPhone 5c with the help of an unidentified third party and dropped the case against Apple (see FBI Unlocks iPhone; Lawsuit Against Apple Dropped).
"The real irony here is that the privacy, the security and the law enforcement communities are all actually on the same side."
A senior law enforcement official told The Associated Press that the FBI managed to defeat an Apple security feature that threatened to delete the phone's contents if the FBI failed to enter the correct pass code combination after 10 tries. That enabled the government to guess the correct pass code by trying random combinations until the software accepted the right one, the AP reports.
Despite federal officials dropping their case, the battle of ideas stemming from the Apple vs. FBI battle endures. In one corner, Comey contends that Apple should have helped the FBI break into the iPhone used by Syed Rizwan Farook so authorities could gather evidence in the case. In the other corner, Cook argues that doing so would have weakened safeguards built into the iPhones, leaving potentially tens of millions of users exposed to hacks.
But balancing security against privacy, at least how it's viewed today, hasn't always been a problem.
"In the earliest days of the Internet, privacy and security were at peace, mostly because they largely did not exist or even matter," former RSA Executive Chairman Art Coviello writes in the preface to a document detailing the goals of the Digital Equilibrium Project, an initiative to pull together stakeholders to identify ways to simultaneously provide privacy and security. But that age of innocence is long gone.
"This blinding pace of digital adoption has far outrun the laws, social norms and diplomatic constructs that we painstakingly developed over centuries to conduct affairs in our physical world," Coviello says. "The result of that gap today is a growing tension between privacy and security."
Security Vs. Security
How can that gap be narrowed?
For starters, change the language to define the issue. Among some stakeholders, the matter isn't security vs. privacy but security vs. security. One type of security involves law enforcement protecting society from the bad guys; the other type focuses on technologies, such as smartphones, that millions upon millions of individuals rely on.
Another way to bridge the chasm is to rethink what the debate isn't about: creating a backdoor to circumvent encryption. Discussions should focus on how best to exploit technologies for public safety while safeguarding the security that the technologies furnish to users.
Cryptographers and IT company leaders, along with privacy advocates, have forwarded sound arguments explaining that if law enforcement (or intelligence agencies) are given a way to circumvent safeguards, nation-state adversaries and cybercriminals could employ them, too, to the disadvantage of individual, corporate and national security.
Comey and his cohorts would need to concede that backdoors are out of bounds. But then the two sides could collaborate to identify an array of approaches and techniques that could provide both types of security.
It's Not About Backdoors
"The real irony here is that the privacy, the security and the law enforcement communities are all actually on the same side," says Larry Clinton, president of the industry trade group Internet Security Alliance. "We are all defending against the criminal and rogue state attack community. We all need to realize that and find a way to move forward."
Greg Nojeim, senior counsel at the advocacy group Center for Democracy and Technology, notes: "We need to get over the debate about whether backdoors should be built in; it seems pretty clear they shouldn't be. We need to move on and assume a world where an increasing number of communications are encrypted. What techniques should the FBI be able to use to exploit devices and communications services, and which ones are out of bounds? That's the debate we need to have."
Look to Industry for Answers
Where can compromises be found on security issues? Veteran IT security and privacy practitioner Malcolm Harkins looks to the commercial marketplace for ideas.
Harkins, global chief information security officer at the IT security software provider Cylance, cites how some organizations employ behavioral analytics to ferret out malicious insiders while safeguarding individual privacy. When deployed properly, he says, behavioral analytics can spot anomalous behaviors in systems while anonymizing the individual performing them. Only after sufficient evidence is gathered, and presented to the human resources department, would the suspected individual be identified.
Information Security Alliance's Clinton sees the Digital Equilibrium Project as a forum for identifying the tools and techniques that could be used to gather evidence in a criminal investigation while safeguarding individuals' security and privacy.
Untying the Gordian Knot
"What we need is that reasonable people from all sides are meeting and trying to work their way through the many complicated issues that will need to be addressed to untie the Gordian Knot between the security people, the privacy people and the government people," says Clinton, an organizing member of the project.
Let's hope the efforts by Coviello, Clinton and their Digital Equilibrium Project associates establish a framework to identify that illusive compromise that gives law enforcement access to the data it needs while protecting the security and privacy of individuals.