Apple's standoff with the FBI unfolded over the course of several weeks, but ended in a matter of days. That’s how long it took the FBI to find a way into a San Bernardino shooter’s iPhone and successfully exploit it without Apple's help. So while that particular case appears to be over, the encryption war is not. If anything, it is more urgent than ever.
The standoff over Syed Rizwan Farook’s iPhone 5C didn't set any legal precedents, but it reminded anyone with the slightest interest in the encryption debate that the stakes are real, and immediate. More importantly, it pushed the issue into the mainstream, making it abundantly clear to everyone that their phones and other devices can provide tremendous privacy.
Almost everyone knows about encryption now. And everyone’s moving quickly to shape its future.
Last month a federal court ordered Apple to create a software tool that would bypass security mechanisms in Apple’s software so that the government could perform what’s known as a bruteforce password attack to guess Farook’s password. Apple vehemently opposed, arguing it amounted to creating a backdoor for the government. That point's been rendered moot, for now; on Monday, the Justice Department asked the court to vacate its order that Apple create such a too.
To say this fight will encourage Apple to continue improving the security of its phones isn't wholly accurate. In truth, the company has been making its phones ever more difficult to crack since introducing the iPhone's in 2007. It's as reliable a march forward as faster processors and higher resolution screens.
But the rhetoric is different this time, and the stakes are higher. In February, The New York Times reported that Apple is developing security measures that will make it "impossible" for the government to break into a locked phone. In practice, this means making a phone so secure that even Apple can't get into it. And there are other ways the company could head off law enforcement, like making iCloud encryption as secure as iPhone encryption.
The bigger implication of Apple's fight with the FBI is that it's created a fundamental and perhaps insurmountable rift between law enforcement and the tech industry, two entities that haven't always gotten along but had, for a time, found a way to work together.
“The DOJ filing against Apple was another massive blow to the trust and cooperation between companies and the government,” says Nathan White, a digital rights advocate with Access Now. “Companies are not going to want to work with the government anymore.”
The strained relationship had only started to recover from Edward Snowden's stunning reveleation that the NSA had penetrated the internal systems of Facebook, Google, and others. Any warming in the relationship has surely cooled again, and tech companies may be more inclined to see the FBI and other agencies as adversaries.
At the least, it will make it far harder for the FBI and others to solve the types of cases in which it has relied upon Apple and others for help. Remember that in the San Bernardino case, Apple did provide the feds with a significant chunk of information; its main objection was over being compelled to write code that would circumvent its products' security.
Meanwhile, other companies now see that it’s possible to stand up to the FBI---in a terrorism case, no less---and still enjoy public support. "I think you’ll see companies announcing changes to their security practices going forward, some very soon," says Andrew Crocker, staff attorney for the Electronic Frontier Foundation. "It’s demonstrated that there’s fight in the industry."
There's also a fight in Washington.
After feinting at the encryption issue for at least five years, Congress is taking its first steps toward a legal framework for it.
Senators Richard Burr and Dianne Feinstein have been drafting an encryption bill since December, but according to Reuters didn’t begin sharing a draft of the legislation until last week---right before Apple’s date in court with the feds. The bill, which apparently would let federal judges order tech companies to provide encrypted data to law enforcement, has a long way to go before becoming law. But it speaks to lawmakers' eagerness to see Congress, not courts, settle the issue.
The bill also highlights the risks of being hasty. Accessing encrypted data isn’t always possible, especially without a so-called backdoor that offers privileged access. Beyond requiring something that may be impossible, the bill reportedly does not offer any specifics on the methods or circumstances under which companies would comply with a court order.
Meanwhile, Representative Mike McCaul and Senator Mark Warner are taking a different approach. Rather than jumping directly into legislating, they've spent months trying to form a commission of experts that will study the intricacies of encryption. "This is going to require a lot of deep thinking," says Rep. Ted Lieu, a former computer scientist and co-sponsor of the Warner-McCaul bill. "It is an issue that is fraught with potential unintended consequences if it's not done right."
That sounds reasonable, but the approach is in jeopardy because the Apple-FBI standoff created a spotlight that several lawmakers are eager to step into. The House Judiciary Committee and the House Energy and Commerce Committee created a bipartisan "working group" a week ago, claiming “primary jurisdiction” over encryption.
White doubts a law will take shape this year, because it's still too early in the debate and the proposals are too broad. But the fact there's so much activity suggests Congress is ready to act. That’s especially significant, given that just as recently as October the Obama administration publicly expressed no interest in encryption legislation. At the time, lawmakers seemed to think an ongoing conversation with tech companies offered the best approach. The FBI, by bringing the courts into the debate, may have prompted Congress to defend its turf. Perhaps it also helped lawmakers understand what exactly they’re legislating.
“I’m not sure that the FBI versus Apple case affected the legislation that members of Congress had been working on prior to the case, but it certainly did put the encryption issue much more at the forefront of members’ minds,” says Lieu. “The case did have a lot of points being made by both supporters and opponents, and I think that’s helpful in terms of educating not just Congress, but the American people.”
It’s the American people, after all, whose awareness and use of encryption is at stake.
The great irony of the FBI’s quest to access the data encrypted on an iPhone is that it made many iPhone owners realize that their devices can encrypt their data. “When the FBI decided to make this a public case, it’s safe to say they were not thinking about the awareness of this issue,” says Crocker. “One side effect of that is that average people who use smartphones are thinking about encryption on their devices in a way that they weren’t a month and a half ago.”
That’s not to say that everyone’s going to buy an iPhone expressly for its security. But public awareness of the importance of encryption has grown tangibly. As White points out, Amazon’s decision to nix onboard encryption as an optional feature on its Fire products caused enough public outcry that the company quickly backtracked. What's most telling is Fire OS hadn’t offered encryption since last fall, but no one noticed---or at least cared—until Apple's legal battle.
In some ways, Apple's fight couldn’t have come at a better time. Yes, Snowden’s bombsell revelations heightened everyone's concerns about privacy and security and government intrusion in our lives. But that was more than two years ago. Memories are short. People move on. Complacency is easy.
"People were starting to forget about it, thinking maybe this had been solved," says White. The DOJ’s legal actions against Apple brought those issues back in stark relief, all the more so because they dealt not with intangible concepts like metadata, or wonkish policy declarations, but with a physical object millions of Americans carry with them every day.
Crocker agrees. “People are more aware of how device security works, and encryption on phones,” he says. “Maybe they aren’t connecting that to security or chat, so the next step is a more holistic understanding of the importance of encryption for lots of different kinds of data and different scenarios.” The Apple case, Crocker says, has given people a context in which these principles are easier to grok.
It’s not that this renewed awareness wouldn't have happened without the Apple-FBI showdown. But the widening rift between tech and law enforcement, the newfound vigor with which legislation is being pursued, and the simple fact that more Americans are now aware of their phones' encryption will have a lasting imprint on not just security, but society.
As evidenced by their choice to drop its case, the feds shouldn't have taken Apple to court in the first place. But in doing so, they started a conversation America has been putting off for years.
