Opinion: The San Bernardino iPhone and the 'going dark' myth
By breaking into the iPhone at the crux of the FBI v. Apple legal battle, law enforcement officials undercut their argument that encrypted devices are their imperiling efforts to surveil criminal and terror suspects.
Now that the Justice Department has withdrawn its case against Apple over the San Bernardino, Calif. iPhone, it’s harder to take seriously the FBI’s claims that it is "going dark."
Since the US government can hack into the phone used by shooter Syed Rizwan Farook – and conceivably other iPhones in its custody – without Apple's help, it may be overstating its claim that the spread of encrypted apps and devices are harming its ability to track suspected criminals and terrorists.
FBI Director James Comey repeatedly has testified before Congress that encrypted technologies frustrate authorized surveillance efforts, and that even with a warrant or court order the agency can't access real-time communications or stored data.
That was the crux of its case against Apple following the San Bernardino terrorist attack. But when the agency received some outside help (apparently from this Israeli firm), it discovered that there are indeed other ways for it to get the information it seeks. That success doesn't do much to further its claims that going dark is a serious problem.
But it does give credence to the opinion floated by many security experts in the FBI v. Apple debate: The agency needs to boost its technical abilities to find ways to execute valid search warrants. And if the agency can't do it on its own, maybe it needs to seek outside help like it did to crack the iPhone used by Mr. Farook.
Mr. Comey previously has argued that the tech community should work on a solution (which critics have called a back door, and Comey himself has referred to as a "front door") for agents to decrypt communications when they have a warrant.
But, in this case, the FBI gained access to the data it wanted without any kind of "backdoor" or other access specially engineered for law enforcement. When the agency has access to that kind of technical talent, which can take advantage of existing vulnerabilities in devices, the need to augment law enforcement’s data access and surveillance capabilities seems much less pressing.
Cybersecurity expert Susan Landau drove this point home in a recent report on going dark published by Harvard University's Berkman Center for Internet and Society.
"There are, after all, other ways of going after communications content than providing law enforcement with 'exceptional access' to encrypted communications," she wrote. "These include using the existing vulnerabilities present in the apps and systems of the devices themselves. While such an approach makes investigations more expensive, this approach is a tradeoff enabling the vast majority of communications to be far more secure."
What's more, while consumers increasingly may be using technology to keep their communications private and secure, the government has access to an array of impressive surveillance technology and has the ability to glean an unprecedented amount of information from consumers’ digital footprints as our lives increasingly migrate online. That would seemingly offset any need to legislate that tech companies build in mechanisms to facilitate law enforcement access to data.
The Berkman report makes that point, too, noting that “[t]he increased availability of encryption technologies certainly impedes government surveillance under certain circumstances, and in this sense, the government is losing some surveillance opportunities. However, the combination of technological developments and market forces is likely to fill some of these gaps and, more broadly, to ensure that the government will gain new opportunities to gather critical information from surveillance."
By opening Farook’s iPhone, the FBI potentially obtained access to vast troves of digital information.
Instead of lamenting going dark, the FBI should take a more active role in poking holes – and bringing some light – to the communications and data it thinks are hidden by encryption.
Melanie Teplinsky teaches information privacy law at the American University Washington College of Law as an adjunct professor. She started her career in cybersecurity in 1991 as an analyst at the National Security Agency.