Editorial counterpoint: What's really at stake in Apple encryption case

The Star Tribune Editorial Board breezily dismisses privacy and security concerns. I'm not sure it really understands the implications.

By Steve Borsch

February 23, 2016 at 12:17AM
An iPhone is seen in Washington, Wednesday, Feb. 17, 2016. A U.S. magistrate judge has ordered Apple to help the FBI break into a work-issued iPhone used by one of the two gunmen in the mass shooting in San Bernardino, California, a significant legal victory for the Justice Department in an ongoing policy battle between digital privacy and national security. Apple CEO Tim Cook immediately objected, setting the stage for a high-stakes legal fight between Silicon Valley and the federal government.
Weakening the encryption of a single iPhone like this one would instantly open a Pandora’s box of cyberthreat problems. (The Minnesota Star Tribune)

The Feb. 21 editorial "U.S. security at stake as Apple defies order" was one of the most stunningly naive positions I've read yet when it comes to the controversy over Apple's stand on weakening the encryption of a single iPhone — a weakening that would instantly open a Pandora's box of cyberthreat problems that the Star Tribune Editorial Board has seemingly dismissed out of hand.

First, it should be noted that the FBI permitted officials in San Bernardino County, Calif., to reset the password on the iCloud account of Syed Rizwan Farook — a county employee suspected of killing 14 people and wounding 22 others in December — and only then requested Apple's help. (Apple has stated publicly that if this chain of events had not transpired, it would have been possible to obtain the shooter's iCloud backup data.) The FBI then negotiated with Apple to recover what it could. Discovering that doing so was not possible, and subsequently failing to convince Apple to create software to weaken iOS (the operating system that controls the iPhone and iPad) so that investigators could break into the device without having it "wiped" by a limit of 10 failed password attempts, the FBI then obtained a court order hoping to force Apple to create a method to do so.

With respect to the Editorial Board's position on Apple's creating this sort of "bypass" for this one iPhone, all while acknowledging that doing so is not a "small threat" for iPhones already in existence, the board then opined: "There are, however, technology experts who say Apple could create a bypass … without affecting other phones." This is the supposed justification for minimizing the threat of putting in a backdoor (which the board euphemistically characterizes as a "bypass") for those 100-million-plus iPhones? Who are these so-called "experts," anyway?

Further, the board asks whether such a bypass could "then leak out," but also minimizes that threat as something trivial. This gross underestimation of the threat posed by such a leak (which is actually what security researchers say is an intentional "backdoor") demonstrates the board's considerable lack of knowledge of cybersecurity, encryption, hacker and oppressive nation-state threats. Any created vulnerability, or backdoor, is the threat. Such a backdoor would present an attack vector for prying open an iPhone for any purpose and one that would certainly come to pass, likely within a short time. In fact, Bruce Schneier — one of the top cryptographers, computer security and privacy specialists in the U.S. — lives in the Twin Cities and could easily have provided knowledge that would have prevented the Editorial Board from embarrassing itself.

What is most disturbing about the editorial is how it provides near-zero context for Apple's position by, once again, diminishing it: "Apple CEO Tim Cook has become increasingly concerned about customer privacy, particularly after 2013 revelations by whistleblower Edward Snowden about massive government surveillance." Using the word "concerned" trivializes Apple's position, especially since Snowden's revelations about the National Security Agency's (NSA) vacuum surveillance of communications, social connections, use of facial recognition on photos and myriad invasive techniques is — for those of us who actually understand what is going on here and abroad — one of the actual, biggest threats to our Constitution and to liberty itself. In my view, the NSA's possibly illegal (and certainly counter to its non-domestic-spying mandate) activities are jeopardizing our national security far more than an individual terrorist's iPhone.

FBI Director James Comey publicly stated in December 2015 that "companies should rethink their business models" when it comes to end-to-end encryption and cryptography overall, especially since companies like Google, Facebook, Cisco and many others accelerated their methods to leverage encryption to protect their users and their businesses after the Snowden revelations. Curiously, the Editorial Board also didn't mention that ex-NSA and CIA chief Michael Hayden not only has said publicly that he understands both sides of the debate over unbreakable end-to-end encryption, but that when it comes to demanding a backdoor, "I think Jim Comey's wrong." He is emphatic that "America is simply more secure with unbreakable end-to-end encryption."

Breaking or weakening encryption would result in catching only the stupid or putting the innocent at grave risk from oppressive regimes, while also bolstering those regimes that are waiting to see the outcome of this controversy before demanding Apple do it in their countries as well.

As we now know from the French newspaper Le Monde, the terrorists in the Paris attack last year used open communications and unlocked, easily traceable phones — nothing was encrypted — but it didn't matter, did it? That's because they either didn't believe they'd be found out or they, too, were naive about mass surveillance. Either way, smart-about-surveillance terrorists use end-to-end encryption, burner phones, dead-drops (of information) or, in the case of Osama bin Laden, couriers taking USB flash drives from place to place so as to stay off the Internet and other potentially surveilled communications technology altogether.

Perhaps Apple's democratization of encryption is what the Editorial Board is actually frightened about. If so, shouldn't the board also be up in arms about end-to-end encryption of Apple's voice and video tool FaceTime? Or about its instant messaging, which has been encrypted since 2011? Or about a highly secure, end-to-end encrypted voice and text app for iOS and Android called Signal? Or locked community-forum websites that are accessible only through Tor (i.e., the Onion Router, which bounces communication through relay servers, thus hiding the user so that bad guys and others who wish to remain private can communicate with one another shielded from everyone)? Or perhaps the Editorial Board advocates forcing Google to remove its new end-to-end, server-level encryption in e-mail so that the NSA can no longer tap lines between Google's server farms and vacuum up all e-mail traffic?

See the slippery slope we're on and how complicated this issue really is? That's why the editorial was naive and not even close to a cogent argument for a major newspaper. Think it through and try again, please, this time with an article that is well-researched and looks at the issue from all sides.

Steve Borsch, of Eden Prairie, is a consultant.
