Solving the FBI-Apple Dispute
There’s an old saying here in Washington: “personnel is policy.” It captures the notion that policy is only as effective as those who are charged with implementing it. Last week’s events in the Apple v. FBI encryption case have breathed new life into this saying and shed a spotlight on the need to ensure that law enforcement is given the human resources it needs to implement policy effectively.
Over the past week, we have heard many arguments on both sides of the dispute between Apple and the U.S. Department of Justice. The dispute has resulted in a court order requiring Apple to lend “reasonable technical assistance” to the FBI in its efforts to unlock a cellphone used by one of the San Bernardino terrorists. Lost in the growing cacophony is the role that personnel choices may have played in events leading up to Tuesday’s court order requiring this technical assistance. These personnel choices appear to be as important to the outcome as any other variable and they should play a central role in an effective solution to the fundamental issues underlying the current impasse.
Consider this nugget reported by Apple on its website: The Apple ID password linked to the iPhone belonging to one of the San Bernardino terrorists was changed after the government took possession of the device. If this had not occurred, the phone could have been placed in a Wi-Fi network it recognized and a backup of the information the government is seeking may have been accessible without the need for a court order requiring technical assistance from Apple. In other words, the backup was disabled by the government and not by Apple. Now, everyone is allowed to make mistakes, but it just so happens that this apparent mistake resulted in the government suing to compel Apple to write a backdoor to its technology, creating a precedent that undermines security overall, both in the U.S. as well as overseas. This alleged mistake is a signal of an urgent need to examine whether our law enforcement professionals are receiving adequate training in technology handling and forensics.
Let me be clear, I am not suggesting that the choices made by the San Bernardino investigators were malicious or intended to have such negative consequences for Apple. They were not acts of commission; they were (if anything) surely acts of omission. But they have resulted in serious implications, not only for Apple but also for consumers in this country and abroad who rely on Apple and others to keep their sensitive information secure and to protect them from identity theft, especially if their phones are stolen. From consumers’ perspective, it is not acceptable to expose them to additional instances of identity theft in the name of terrorism investigation when other win-win solutions might exist and have not been tried.
Hillary Clinton has called for a Manhattan-like project to tackle encryption and terrorism. According to Secretary Clinton, the project would “bring the government and the tech communities together” to find a way to give law enforcement access to encrypted messages. However, many expert cryptographers have gone on record to explain why exclusive government access is impossible. According to these experts, there is no such thing as a key under the doormat that is not also accessible by the bad guys who want to compromise everyone’s information security.
I have a more modest proposal: I would ask the government to focus on identifying and recruiting personnel who will get the job done without the need to outsource these challenging situations to the private sector. These personnel exist. They may not look like your typical federal agent. They may even wear hoodies and play video games in their spare time. But they can get the job done without the need for high stakes lawsuits and court orders that undermine security overall.