In a letter to customers on February 16, Apple CEO Tim Cook stated that his company would not willingly override the security features of an iPhone belonging to one of the San Bernardino mass shooters, defying a court order obtained by the FBI. This case has become the highest profile contest in the wider debate over the ability of law enforcement agencies to access data on encrypted smartphones in the course of their investigations. At issue is the practice of end-to-end encryption, where not even the device manufacturer retains the key to decrypt communications for law enforcement. However, pitting investigators against technology companies will not effectively balance cybersecurity with public safety. Device manufacturers, law enforcement, and policymakers must work together to determine the end goals of encryption and how to best accomplish those goals.
Crime prevention, law enforcement
In recent years, technology companies like Apple have raised the level of encryption embedded in their devices to prevent cyberattacks on their customers. This effort began in earnest in 2013 after Edward Snowden, a contractor working at the National Security Agency, released details about the extent of the agency’s surveillance activities. In addition to concerns about government surveillance, several major cybersecurity breaches in the intervening years have raised fears of criminal cyberattacks. Apple’s own iCloud service, Sony Pictures, and the U.S. Office of Personnel Management each experienced unauthorized access to sensitive information stored digitally. Encrypting devices attempts to prevent cyberattacks and unwanted surveillance at the same time.
The trend of technology companies rolling out strong encryption technologies has led prominent officials like Manhattan District Attorney Cyrus Vance and FBI Director James Comey to issue warnings about law enforcement agencies “going dark,” or losing access to digital evidence acquired through court-approved surveillance tools. Local law enforcement agencies around the country have amassed a large number of smartphones with inaccessible data as evidence in investigations. As more Americans purchase smartphones, use them for longer amounts of time, and entrust them with more personal information, the devices will only become more important to criminal investigations. Regardless of the strength of device encryption, law enforcement has an interest in the information stored on devices for the prosecution of criminals.
Potential targets and tools
Bridging the interests of privacy, cybersecurity, and public safety is not an easy task, but it is an increasingly urgent one. The FBI is not a technology company, yet it must somehow navigate a world full of communications devices. Likewise, Apple is not a law enforcement agency, yet its devices are both potential targets of cybercrime and potential tools for the commission of crime. Neither organization is a democratically elected decision-making body, yet each has expertise to bear on this issue. A solution will almost certainly come from outside of a courtroom; the decision of the FBI’s case against Apple will only be the beginning of the larger public debate, one that might only be resolved by an act of Congress or an international agreement.
While Congress holds hearings on encryption, federal agencies must also coordinate the various interests surrounding cybersecurity and privacy. Given the number of stakeholders, the largest task will be bringing together the variety of interests represented. Fortunately, the Obama administration has already launched a number of initiatives aimed at the intersection of these two issues, including the Federal Trade Commission’s PrivacyCon and a new Cybersecurity National Action Plan with an accompanying $19 billion budget. These respective efforts bring together information security experts in the private sector with federal regulators and increase the funding for Department of Justice cybersecurity activities. Future initiatives should promote direct collaboration between experts in the technology industry and law enforcement. Bridging cybersecurity and public safety goals is possible so long as stakeholders can agree on how to operate in a future with greater encryption.