Since Apple CEO Tim Cook released his open letter announcing his opposition to an FBI court order compelling the company to provide access to an iPhone used by the San Bernardino shooters, the media has exploded with coverage painting the debate as a showdown between consumer privacy and national security. They are certainly justified in doing so, as this has been the tack used by FBI Director James Comey, as well. Sadly, this reduction of the issue to a binary state fails to fully consider the consequences of this order, and rhetoric coming from experts on both sides has become muddled as reports attempt to fill the mold left by this false dichotomy.
In truth, the full debate consists of arguments running along two separate but related points of division. The first point rests on a determination of public policy, while the second is on the issue of precedent, both legal and practical.
Much of the reporting has tended to reduce the policy issue to a debate between privacy rights and national security without acknowledging that security interests do not stand as a unified front in this case. The FBI does not represent the interests of the collective security community, but rather criminal investigative authority in particular.
Generally speaking, national security interests are concentrated on those measures necessary to anticipate and prevent the culmination of threats against the United States. Such measures broadly fall into offensive data gathering measures, like intrusion and surveillance, and defensive measures, like detection and encryption, with dividing lines that often blur.
Criminal investigation pursues the goal of recreating the facts and circumstances of an incident after it occurs to enable prosecution in the justice system, potentially serving the goals of offensive security in the process. However, domestic law enforcement is limited in many ways that intelligence gathering forces are not, especially regarding ways of gathering information. Without delving into details, constitutional law and general understandings of public policy have historically favored putting greater restrictions on the tools available to gather information when the ultimate goal is the prosecution and punishment of an individual versus the prevention and deterrence of harm.
Within national security, cybersecurity has come to the forefront as a primary concern. The past three years have seen a sharp rise in high-profile hacks of major businesses and government agencies, as well as attacks against control systems of physical infrastructure. The most common access points for such hacks are not through the sleek methods often seen in pop culture depictions of hackers, but rather more mundane avenues like e-mail attachments and brute force credential hacks. In such attacks, hackers can easily access valuable data through phones and other mobile devices belonging to insiders like company employees and contractors, which are often connected to company wireless networks and e-mail servers. Ubiquitous security requires both end-to-end encryption, which applies to data in transit over networks, and endpoint security—the kind of measures that prevent access to data stored on devices like the iPhone currently held by the FBI. These measures provide an extra layer of protection for potentially attractive targets on mobile devices and enhance security for downstream networks those devices connect to.
Former CIA and NSA chief Michael Hayden echoed this sentiment recently on CNBC saying, “America is more secure—America is more safe—with unbreakable end-to-end encryption.” Admitting that there is no such thing as “unbreakable encryption,” the question becomes, how much of a danger to that goal does the FBI’s order pose? Technical professionals are split on this opinion.
Before continuing, we should note that the FBI is not asking Apple to directly subvert the encryption on the phone, but rather to remove a security feature that permanently locks the phone after ten failed entry attempts, requiring a factory reset that will clear the memory. This security measure prevents a brute force password attack; with the feature disabled, the FBI would be able to employ typical hacking techniques to break the encryption themselves. John McAfee, famous for his company’s computer security products, has said “There is no question that what the FBI has asked Apple to do is create a backdoor” that would create dangerous vulnerabilities for other Apple products.
In contrast, Professor B. Clifford Neuman doesn’t consider disabling this feature to be a “backdoor” at all, the creation of which he would oppose, instead arguing that the ability to break the security feature either doesn’t exist or is an extant vulnerability. If the latter is true, compliance with the order would, he argues, allow Apple to strengthen the security of future iterations of the phone. Neuman is certainly correct that the requested change does not create a full “backdoor” to the device because encryption on the phone is left in place. However, it does create a wider vulnerability that would allow the FBI to break the encryption with tactics available to any experienced hacker, in effect turning what Neuman might call a minor flaw into a major opening for breach.
With most commentary acknowledging that the FBI order calls for the creation of some sort of vulnerability, the split in opinion partially comes down to how one perceives the long-term danger presented by one instance of a vulnerable version of the operating system (OS). Giving the FBI the benefit of the doubt that this is the only time they will seek to create such a vulnerability, the danger in this case would then be a leak of the code for the compromised OS. The community has reason for concern considering recent government hacks that have resulted in the publication of tens of thousands of pieces of personal information belonging to public employees, many of them in the FBI. The creation of this vulnerability, even for a short time, would make both Apple and FBI targets for hackers above and beyond the typical threats these organizations face as a matter of daily business.
If no leak occurs, the implications of the other point of contention come into play—the matter of precedent. Painted in political cartoons and soundbites as the “Pandora’s box” argument, precedent poses a challenge to the continued sustainability of security practice for companies like Apple. Current trends in cybersecurity point toward greater use of encryption, and law enforcement has expressed concerns regarding the consequences of these security measures for future criminal investigation. For law enforcement agencies limited to a smaller toolbox than their intelligence counterparts, due to necessary civil liberties considerations, these concerns are valid, and one is left with the sense that the FBI has chosen the San Bernardino shooting as a battleground to test their ability to function in an encrypted environment. The culmination is a Catch-22 for policymakers: for officials to investigate security threats, they must have access to networked devices and encrypted communications when they present warrants and court orders, but continuing to have such access will require maintaining a structural weakness in the encryption, thereby reducing security.
While the iterative notion expressed by Prof. Neuman is attractive—that Apple could strengthen future iterations of the OS by subverting the security features of this one—a practical limit comes should this isolated court order become a standard criminal investigative practice echoed across the country by prosecutors at the district and state level. In this scenario, there would simply not be adequate time for the creation of ever greater security measures before each would need to be compromised to comply with a court order. Even if the FBI is sincere in saying they do not intend this to be a precedent for future subversions of device security, the FBI does not have the authority to bar such orders coming from law enforcement personnel and prosecutors outside their jurisdiction.
Ultimately, the policy decision rests not only between the interests of privacy and security, but between strategies of offensive and defensive security: do we favor a security stance that relies on gathering information at the expense of the integrity of our own security measures, or do we favor maintaining the bulwark of our most effective defensive measures at the expense of effective investigation of threats? This is not an easy question, and it rests not with the ideological divide that sometimes characterizes the often simplistic media dichotomy of “privacy vs. security.” Privacy and security are at stake no matter which path you choose. Instead, we must decide which is more effective in the long-term, and which poses less harm to our other interests, including privacy. Here, I echo a sentiment expressed by such disparate voices as Edward Snowden and Michael Hayden; in the long-term, the benefits of a solid defense outweigh those of isolated offensive victories.
Tim Cook, “A Message to Our Customers,” Apple, Feb. 16, 2016, .
See, e.g., Elizabeth Weise, “Pew: Public Supports FBI over Apple,” USA Today, Feb. 22, 2016, ; Maura Dolan and Victoria Kim, “Apple-FBI Fight Over iPhone Encryption Pits Privacy Against National Security,” Los Angeles Times, Feb. 18, 2016, .
Brian Barrett, “The Apple-FBI Fight Isn’t About Privacy Vs. Security. Don’t Be Misled,” Wired, Feb. 24, 2016, .
Note that “threats” here are not limited to physical terror or military threats, but rather all hazards that could negatively impact the security of the country. See The White House, National Security Strategy, (Washington, D.C.: The White House, 2015), available at .
See, Henry Farrell, “The Difference Between Offense and Defense in Cybersecurity,” Washington Monthly Blog, July 5, 2013, ; see also, Jack Goldsmith, “Cyber Paradox: Every Offensive Weapon is a (Potential) Chink in Our Defense — and Vice Versa,” Lawfare Blog, Apr. 12, 2014, .
For more on this, see IC21: The Intelligence Community in the 21st Century, Staff Study, Permanent Select Committee on Intelligence, House of Representatives, 104th Cong. (1996), Part 13, available at .
See Dan Kedmey, “Cyberattacks Against Big Companies Surged by 40% in 2014, Report Finds,” Time, Apr. 14, 2015, .
Kim Zetter, “Everything We Know About Ukraine’s Power Plant Hack,” Wired, Jan. 20, 2016, .
Phishing has grown as a percentage of the most often used cyber breach vectors in the past five years, second only to credential hacks, with the majority of cyber-intelligence attacks coming through e-mail attachments or e-mail links. 2015 Data Breach Investigation Report, Verizon Enterprise Solutions (2015): 5, 53, available at
Tom DiChristopher, “US Safer with Fully Encrypted Phones: Former NSA/CIA Chief,” CNBC, Feb. 23, 2016, . I encourage readers to view the full video for Hayden’s comments on offensive and defensive security, as well.
Barrett, “The Apple-FBI Fight Isn’t About Privacy Vs. Security.”
“John McAfee Blasts FBI for ‘Illiterate’ Order to Create Apple iPhone Backdoor,” RT, Feb. 23, 2016, .
B. Clifford Neuman, “Why Apple Should Comply with the FBI: Cybersecurity Expert,” CNBC, Feb. 17, 2016, .
Gen. Hayden has said as much, stating in an interview “I’m trending towards the Bureau to get into this phone, unless of course Apple or others can show to me how this focused, specific concession, which isn’t really breaking the encryption, somehow leads to this other universe over here about which I agree with Tim Cook, we shouldn’t go.” “Apple and The San Bernardino Shooter’s iPhone: The Escalating Fight Over Privacy And Security,” The Diane Rehm Show, Interview with Gen. Michael Hayden (2015), available at . (cited as The Diane Rehm Show Hayden Interview)
Brian Barrett, “Hack Brief: Hacker Leaks the Info of Thousands of FBI and DHS Employees,” Wired, Feb. 8, 2016, .
For example, the cartoon by Stuart Carlson available at .
Steven Melendez, “FBI Renews Warnings on Terror and Encryption, With No Clear Solution in Sight,” Fast Company, Dec. 14, 2015, .
Krishnadev Calamur, “FBI to Apple: It’s About Justice, Not Precedent,” Defense One, Feb. 22, 2016, .
See Sean Gallagher, “Snowden: US Has Put Too Much Emphasis on Cyber-offense, Needs Defense,” Ars Technica, Jan. 8, 2015, ; The Diane Rehm Show Hayden Interview (At 10:35:46, Hayden says “And, on balance, the defense here — the ability to create this really solid defense — trumps the occasional need to enable our offense.”)