You will already be familiar with the court order initiated by the FBI in California, directing Apple to circumvent the device lock on an Apple iPhone that was used by Syed Rizwan Farook, one of the perpetrators of the San Bernardino shooting.
There is no value in repeating here what has already been covered elsewhere. Unless one of the few developers hidden away on Infinite Loop that really know something about the subject come forward, most of the technical coverage is pure speculation anyway.
What I want to consider is what the order reveals about the expectations of authorities in the U.S. in regards to the privacy of personal data, and explore whether we need to consider a different solution for Canada.
The circumstances of the order have been carefully chosen by the FBI to maximize the chances of achieving their objective.
On cursory examination (which is what most media outlets will provide) the question is simple. Fourteen people are dead. It would appear obvious that any citizen’s, or corporation’s, duty was to assist the investigative authorities in any way they can.
But if you look at the specifics of the situation, the necessity for exceptional efforts to access the contents of the phone is less clear:
- Obviously, the information on the phone is not necessary to identify the perpetrator.
- The device in question was Farook’s work phone. My familiarity with covert operations is limited to reading John le Carré novels. But even I know that it would be stupid to use a work device to store or communicate something related to a major crime.
- There is no indication that Farook was part of a larger group, or that the contents of the phone would lead to conspirators or accessories. The San Bernardino Police Chief is on record saying that it is unlikely there is anything of value on the phone.
This is not a mistake. The situation is ideal for the FBI’s purpose. Enormous public, political, and financial pressure to comply with the order is being directed towards Apple. But any precedent (or legislation) that results will not be dependent upon there being a compelling need for the information at question for investigators to be granted access.
Despite how it is portrayed, the issue at question is not encryption. The order is about encryption key management, and how practical key management enables the broad application of encryption.
If Syed Rizwan Farook were still alive, had committed a long and complex pass phrase to memory, and had used that phrase as the key to encrypt the data the FBI would now like to examine, it would likely remain unavailable. We are prepared to apply significant incentives, including incarceration (or reductions in same) to encourage someone to reveal information. But a civilized society is not prepared to use any means possible to coerce someone to reveal something they know.
And, obviously, if Farook’s pass phrase had gone to the grave with him the information would remain unavailable.
But creating, memorizing, and repeatedly entering long and complex pass phrases is not something humans reliably and willingly do. To make effective encryption practical in a mass market product we use short, memorable, phrases (such as PIN numbers) as a key to access the longer, complex key that is necessary for effective encryption. And we apply methods in how those short pass phrases are handled (up to and including destruction of the encryption keys) to resist brute force attack, since such attacks are effective against the small key space of a typical PIN.
It is these protections that are specifically targeted in this court order.
If the FBI is successful in achieving their objective, anyone that provides tools that makes key management practical will be subject to court orders to compel them to bypass the controls that protect the keys. The effect will be to remove the capacity of encryption to protect data from U.S .authorities in most cases. And if Apple is correct, will also weaken the capacity of those protections to prevent access of encrypted data by others as well.
The result is weakened capacity for encryption to protect the data of the general user of information systems. And not the slightest inhibition to someone who employs encryption to do harm, but is willing to manage the keys themselves.
Examined from this perspective, it is much easier to be sympathetic with Apple’s position.
I actually have little concern about Apple products if the result of this exercise is a requirement to include defeats for key control mechanisms. Apple has the access to technical expertise, and motivation to maintain buyer confidence, to ensure that whatever solution results will make the best of a bad situation. My concern is with smaller manufacturers, who will chose cost and convenience of responding to court orders over rigorous security. Or will avoid the exposure altogether by not securing their products.
So how would this impact Canadians? Well unless we provide some regulatory or legislative direction otherwise, we receive the American version of products. So any compromises to key management mandated by American process will end up in the products we use as well. We could end up inheriting the compromised protection of these products without having any say in the matter.
Investigative authorities do need extraordinary capacities to perform the functions we expect of them. The FBI has chosen to use the judicial branch of their government to define those capacities, and the limits of those capacities, in the case of personal key management. That they have chosen to do so through the judicial route is primarily a result of the current dysfunction in their legislative branch.
But I believe Canada can do better. While we may grumble and complain about them, fundamentally Canadians have a much higher degree of trust in our institutions than Americans. And we have a functional legislative branch.
I believe the key insight that might help Canada move forward on this issue is that in most domains, an intrusion into our affairs is accepted in exchange for the integrity and functionality that results from a managed system. It is the second part of this bargain that is currently missing in the domain of digital data.
We accept license plates on our cars, and carry drivers licenses, because we understand that the road system would be unusable without the controls that these identity tokens enable.
But in the on line domain, we have no reliable identity and no controls. Atrocious spelling and fractured grammer is the only way my mother can determine that the phishing e-mail she received did not come from Microsoft. High value transactions are made using sites that do not employ two factor authentication. Authentication for government web sites is done by mailing me a one time cipher, like an operative in the first world war.
The primary security key store that we all use (and almost no one knows about) is the store of SSL certificate authorities in your web browser. The list of certificate authorities is managed ad-hoc and independently by each web browser developer. And whether a certificate authority is included in a browser has less to with reliability as to what fees were exchanged.
The non-specialist information systems user in North America has been abandoned in a Mad Max world where no one holds authority and each individual has to look out for their own interests. Apple has been successful, in part, because they provided a lock that provided a safe haven in an unsafe world.
And now the sheriff, who took no action when overseas hackers took your money, and had no interest in dealing with the malware that stole your data, wants Apple to remove that lock so they can come and have a look inside “to see if there is anything of interest”. Even the most adamant supporter of the police profession has little reason to be cooperative in that context.
The way forward is to recognize that our institutions have two equal accountabilities:
- to ensure our data and communications, when used for lawful purposes, are only shared with those whom we choose
- to procure information about those who intend to do us harm
It is only once we have established general confidence that there is integrity and accountability on the first point that we will be able to have a productive conversation about the second.
I have some ideas of how this could be achieved. But pursuing technical solutions independent of the civil considerations is what got us into this situation, so it is premature to outline them here.
What is more important is, what is the process that could achieve this lofty goal?
In the current context, the solution will not originate from the legislative branch. The topic is a divisive one, and if the US polls are reflective of Canadian opinion, almost evenly split between two positions (unlock the phone/keep the phone locked). Exploring the issue in any meaningful way requires a descent into legal and technical minutiae that will cause most to enter a coma. There is no clear, simple, populist position that a legislator can take; there are only downsides. You are either siding with the terrorists, or you are allowing the government to snoop on innocent people.
From a politicians standpoint this issue is Kryptonite wrapped up in Plutonium and covered with a nice frosting of Anthrax.
The only way forward is to develop a solution in an open and transparent way, effectively communicate the purpose and value of that solutions in to secure the publics confidence, then take it as a package to the legislative bodies with broad support already established.
Who needs to be involved in developing this solution? At a minimum:
- information systems professionals, to ensure that the best security methods are employed, and to ensure that whatever is proposed can be implemented
- the investigative branches of government (RCMP, municipal police) to determine what will provide them with the tools they need
- privacy professionals, to ensure that these concerns are addressed from day one
- communications specialists and the media, as understanding and acceptance of the solution is probably more important than the solution itself
It would be nice to have the intelligence community at the table, but that is probably being hopelessly naive.
Is it going to be a challenge to get these parties past an adversarial relationship, and to work in an open way towards an effective solution? Of course. Will the engagement and communications effort related to this be enormous? You bet. Is it going to be difficult to secure the attention and cooperation of major systems vendors to implement the solution, given the size of the Canadian market? Definitely. Will this mean additional costs to governments at all levels, at a time of fiscal challenges? Yes.
But I believe Canadians will still be better off tackling these issues and identifying our own solution, rather than standing aside and let them be decided for us in a US courtroom.
Britain is attempting to establish the first comprehensive legal framework for state surveillance powers anywhere in the world in their “Snoopers Charter”. But since the legislation only addresses police powers, and does not appear to advance individual’s privacy, it is receiving significant opposition. We should take this as a lesson learned; both sides need to get something out of the deal.
One last thought. Governments at all levels are exploring “innovation” as a component of a revitalized economy. The skills developed and dispersed, and the products developed, from designing, developing, socializing, and implementing a solution to this problem would be marketable worldwide. And making it work here first would be the ultimate marketing tool and beta test.
