In the end, the FBI didn’t need Apple’s help in unlocking an encrypted iPhone 5c as part of its investigation into a mass shooting. But given that Apple will look to make sure it closes the security hole that allowed access to its smartphone, the story is far from over and the ramifications of what happens next could have a ripple effect in Canada.
David Senf, IDC Canada’s vice president of infrastructure solutions, provided some thoughts via email on the fallout from the recent chapter in the ongoing Apple vs. FBI saga, and said the question that needs to be asked is the impact of weaker security.
“Although the math and solutions behind encryption are still safe after the FBI entered the phone in question, the tactic of breaking through, or apparently creating another vulnerability is at issue,” he said. “It is never a good idea to weaken security for isolated cases, as security is then weakened for all of us.”
Because the U.S. is moving backwards on this issue, said Senf, it is putting device makers, security vendors and its own citizens at more risk than countries such as Canada, although he said this particular case could have been worse had Apple been forced to unlock the phone.
But the implication of the case on Canadian business is “chilling,” said Senf, given that a law enforcement agency has exercised a tool to break into a smartphone, “not because it’s law enforcement, but because it can be done.” He said when the question of how much we can trust the “out of the box” confidentiality of our data is upset, this costs business. “It means thinking through and then potentially paying for more defenses to keep private data private.”
Security is paramount
And in an era of digital transformation, where every business process and slice of workflow is wrapped around technology, Senf said, security is paramount. “Weakening it slows progress,” said Senf.
In the meantime, finance, telcos, health, government and retail will all be paying more attention to the actions of the FBI.
Senf said Canada has been catching up to the U.S. in areas such as cloud spending and security. The research firm released a report last year that found the current spend on IT security totalled 9.8 per cent of the overall IT budget for Canadian organizations, with the ideal spend pegged at 13.7 per cent. On a positive note, the IDC Canada report noted a higher than average budget growth through 2015 for security in the midmarket. However, the report said “it was striking how tablets, smartphones and web applications are not considered more strongly as points of security weakness.”
And one compromised phone has the potential to do a lot of damage, according to information security consultant Michael Ball. Just the contact list of a wealthy socialite could lead to profitable phishing scams by cybercriminals, he said, adding that what’s interesting about the FBI’s claim that it had gained access to an iPhone without Apple’s help is that it’s not clear how it was achieved, and it could even be a bluff.
“Did the FBI actually hack the phone or did they just say that to save face?”
The court case isn’t closed, just suspended, and Ball said Apple could pursue the matter so that the federal agency discloses its technique.
Ultimately, the overall issue is that if the FBI were able to crack the iPhone, then there is a vulnerability, he said. And if law enforcement agencies can gain access to it, so can criminals. “If you want to know everything about a company, steal a phone.”
Ball noted that the iPhone 5c is a fairly old phone by today’s terms, and the later models have stronger encryption, although it means the same processes are used to gain access to the device – it just takes longer.
Data residency: a subject of concern
The potential threat to privacy in the United States comes at a time when Canada has actually beefed up its privacy legislation. Last summer, Bill S-4 – The Digital Privacy Act was passed into law, making a number of important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). A key change was mandatory breach notification, so that under PIPEDA, organizations are required to give notice to the affected individuals and to the Office of the Privacy Commissioner of Canada about data breaches in certain circumstances.
In the past year or so, many major public cloud services including Microsoft Azure and Amazon Web Services have announced Canadian data centres, in large part to address data residency concerns of customers, particularly those in the public sector.
Data residency became a subject of concern with the introduction of the Patriot Act south of the border, prompting Canadian businesses and academics to wonder if the United States government and law enforcement could gain easy access to their corporate information and research data should it be stored offsite in a data centre south of the border. The act has been around for nearly a decade, noted Ball. “We’ve not seen any Canadian variant of it.”
However, a Canadian company operating across borders can be subject to the Patriot Act, so if the laws in the United States surrounding access to smartphones were ultimately changed as a result of this court case involving Apple and the FBI, Ball said a precedent could be set and the legislation could bleed into Canada.
He said the challenge right now is that legal entities can’t provide laws fast enough to keep up with technology and its rapid changes. “It’s really hard to maintain a legal platform to protect those technologies.”
Ball said the ability for both law enforcement and criminals to more easily hack smartphones may lead app developers to containerize their own encryption rather than rely on the phone-native security. Another approach to safeguarding a device might be to destroy the data if someone attempts to take it apart.
“If they can crack your phone, they could crack your smart TV,” said Ball. “What’s to stop them from invading a live, active system?”
The FBI’s pressure on Apple to provide special access is not the first time a government representative has asked for access to data traversing smartphones. Late last year, Pakistan backed down on its efforts to gain access to BlackBerry Ltd.’s servers handling BES communications, as the government wanted to monitor all traffic in the country, including every email and BlackBerry Messenger correspondence.
ITWorldCanada.com reached out to BlackBerry for input on this story, but the company declined to comment.