By Kevin Carty
April 4, 2016 at 5:00 am ET
Technology and privacy advocates appear ready to accept the U.S. government’s solution to fighting terrorism online — independent hacking.
When federal investigators came upon a locked, encrypted iPhone used by one of the San Bernardino shooters and Apple Inc. refused to help unlock it, they had three options for reading the phone’s contents.
They could go to court, seeking to compel Apple to help grant access to the phone.
They could go to Congress, looking for legislation to mandate access to such phones.
Or they could try to open the device on their own, using geeks, powerful computers and backdoor hacking techniques.
The Federal Bureau of Investigation ultimately chose the third option after an unidentified outside party presented it with a way in to the phone.
Is that best option for the government to pursue? Privacy advocates think so.
“If I were to pick my poison, I would vote for government hacking,” said Jadzia Butler, a privacy, security and surveillance fellow at the Center for Democracy & Technology.
Tech analysts say that legislation to mandate companies’ assistance in accessing encrypted data would probably be too broad and wind up weakening security for all phones, according to Butler and other critics of that approach, including Sen. Ron Wyden (D-Ore.).
Likewise, going to court could have wide-ranging implications, possibly forcing broader changes that could weaken encryption. Already, the FBI has used a 1789 law to seek help from Google and Apple to open dozens of locked phones. “I do worry about future cases where law enforcement might seek to use the All Writs Act to force changes to security features,” Berin Szoka, president of the libertarian advocacy group TechFreedom, wrote in a blog post on Medium last month.
That leaves government hacking. Unlike legislation and legal action, hacking can be used on a case-by-case basis, disabling the encryption of one device at a time rather than weakening all devices, so goes the argument.
There are risks, however, including whether the government keeps its hacking tips to itself. “One perverse result of the current situation is it creates the situation where the FBI has no incentive to tell Apple about vulnerabilities that it’s found,” Szoka said in an interview.
In the case of the San Bernardino shooter’s iPhone, Apple products are left with a vulnerability that can be used again by the government or anyone else who can figure it out. So far, that is exactly what the FBI has chosen to do.
To be clear, hacking into the San Bernardino phone is entirely legal because the government has a warrant to read its contents. But observers are still worried. “As tempting as it is to hoard vulnerabilities, at the end of the day, doing that makes us all less secure. Doing that makes us all vulnerable to attack,” Butler said.
To address this problem, the government has developed a system, known as the Vulnerabilities Equities Process, to guide when it ought to disclose vulnerabilities. Privacy advocates worry that the self-policing system isn’t sufficient.
But they also say it may not matter for long. While investigators may now have difficulty accessing encrypted text messages, emails and phone calls, they can still look at “metadata,” location data and all sorts of unencrypted pieces of information. “Those records are incredibly powerful and often more revealing than content,” Butler said.
Encryption is more common, but as more devices are linked to the internet, more unencrypted data will be available. “The trajectory of technological development points to a future abundant in unencrypted data,” wrote several researchers in a recent paper from the Berkman Center for Internet & Society at Harvard University.
“We’re actually in a golden age of surveillance,” Butler said.
Privacy advocates note that as the internet of things grows and more devices go online, investigators will likely have even more unencrypted data to examine in criminal cases. “The FBI doesn’t have a going dark problem right now. If anything, they’re blinded by the light,” said Ross Schulman, senior policy counsel at the Open Technology Institute.
Kevin Carty previously worked at Morning Consult as a reporter covering tech.