Cybersecurity

Questions linger over Apple-FBI case

The Justice Department’s hacking of an iPhone used by one of the San Bernardino terrorists without Apple’s help is raising more questions about the bitter fight between the government and tech giant.

{mosads}The DOJ on Tuesday said it had accessed the phone and dropped a case against Apple that sought to force the company to help unlock the device. But the fight over encrypted communications is far from over. 

Here are five lingering questions:

  

1. Will Apple strengthen its encryption?

The company already is. Apple regularly issues updates to close holes in its security software — including an update released just last week that patched a flaw found by a team of researchers at Johns Hopkins.

“We will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated,” Apple said on Monday.

Onlookers expect Apple is racing to identify and patch any weaknesses the FBI used to access shooter Syed Rizwan Farook’s iPhone 5S. The company now has a target on its back after the government told the world it found a vulnerability.

“One has to think that hackers around the globe are going to focus renewed efforts on finding what that vulnerability is, now that they know one exists, or breaking into the FBI to discover it,” said Fred Cate, founding director of the Center for Applied Cybersecurity Research at Indiana University.

The de facto arms race between encryption manufacturers and the government will likely intensify.

Apple argues that deliberately weakening encryption would make it easy for bad guys to hack law-abiding users. That leaves the government left to hunt out security holes to exploit while Apple works steadily to plug those same holes. 

“Law enforcement for years has been trying to keep up with technological evolution that has made it more difficult to investigate crime. We are in the second decade at least in that problem,” said Ed McAndrew, a former federal cybercrime prosecutor and current partner at Ballard Spahr

 

2. Will the FBI tell Apple how it hacked into the phone?

It’s possible, but digital rights experts aren’t holding their breath. 

Right now, it’s unclear how the FBI gained access to the phone. A law enforcement official told reporters Monday that “we can’t comment on the possibility of future disclosures to Apple.”

“I don’t think we’re going to go into any details other than what we put in our filing,” the official said.

Under a little-known cybersecurity rule adopted by the Obama administration in 2010, previously undiscovered hacks are subject to an interagency review to determine if they should be disclosed to the manufacturer. 

But the rule leaves a carve-out for national security concerns the government might take advantage of.

The government may want to keep its knowledge to itself, given that Apple says it will reject similar orders to help hack phones in the future.

“Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack,” White House Cybersecurity Coordinator Michael Daniel said in a 2014 blog post outlining the decision-making process. 

“The gov doesn’t disclose security flaws to firms like Apple if useful to law enforcement,” American Civil Liberties Union technologist Christopher Soghoian tweeted last week.

 

3. Will we find out what was on the phone?

It’s very unlikely. A Justice Department official on Monday declined to give any indication of what might be on the device. Legal experts note that the federal government rarely comments on ongoing investigations.

 

4. Will this hurt Apple’s brand?

It remains to be seen whether the publicity given to the FBI’s exploit will shake consumer confidence in Apple’s security. 

“I don’t think the fact that an undisclosed security vulnerability allowed the FBI to get into this phone necessarily reflects poorly on Apple,” said Laura Koetzle, a vice president and group director at Forrester Research.

“Everyone knows that something that complicated is going to have security holes in it — it’s a question of what you do about them.”

And consumers don’t shop for phones based on security, according to a recent national poll which found only one in 10 people consider security features like encryption to be a deciding factor.

In fact, Apple ranked no higher than rivals Google and Amazon when it came to trusting its ability to safeguard privacy in a poll conducted during its high-profile dispute with the FBI.

If anything, Koetzle said, the outcome is a win for Apple because it wasn’t forced by a court to cave to the government. The company’s stance in defense of users’ privacy could earn it some goodwill from the public. 

 

5. Will this solve the encryption debate?

By dropping the court battle over Farook’s phone — which some expected to go all the way to the Supreme Court — onlookers say the DOJ only kicked the can on encryption.

Absent congressional action, which many see as unlikely, investigators will continue to do what they can to access devices and communications.

DOJ spokeswoman Melanie Newman said in a statement Monday that “it remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety… through the court system when cooperation fails.”

And other active cases are proceeding: DOJ is appealing a separate case involving a New York iPhone.

“What this really illustrates is that this is a technology-by-technology, device-by-device issue,” McAndrew said. 

Privacy advocates and technologists say the government is just delaying the fight over encryption.

“Those worried about our privacy should stay wary,” Rep. Darrell Issa (R-Calif.) said in a statement. 

“Just because the government was able to get into this one phone does not mean that their quest for a secret key into our devices is over.”