Apple vs. FBI… Privacy vs. Security: A False Choice

It’s been several weeks since the FBI filed suit against Apple regarding unlocking an iPhone, and public discussions on this topic have devolved into tired patterns of partisan posturing. “We must take a stand now to defend our liberty against government overreach!” “We must do everything we can do in the name of national security!” Please, turn off the TV.

There’s actually a third way of thinking about this which neither side is readily acknowledging, but as long as this debate is isolated in the courts between two sides, this third way won’t get the attention it deserves. If anybody deserves criticism, it is a legislative body that evidently lacks the imagination and understanding necessary to ensure both privacy and security where the property in question is data – the United States Congress. (Recent polls show Congress has a 7% approval rating. Readers should rest assured this blog post is not just a shameless plug for “Likes” from the other 93%.)

So what is so different about data that requires a different way of thinking? The best way to explain is to start with a quick overview of how we got here. It starts with search warrants, which were written into the US Constitution in 1791. The government could request an independent judiciary to issue the right to search one’s personal property if given sufficient verifiable reason for investigating. Police forces can search only specific individuals and their property, and only for just cause. Thus was struck a reasonable balance between privacy and security, and this construct has served us well since then. In spite of numerous waves of technology and new forms of “property” that folks in the 1700’s couldn’t have even imagined, subsequent generations could always strike a balance by applying this principle. Until now, apparently.

Apple argues the government is asking for something more general, a “backdoor” method that can be easily and effortlessly replicated across countless other similar property, thus raising concerns of government over-reach as well as the security risks associated with that method being stolen by bad actors and other misuse. Meanwhile, the FBI argues that there may be no other way to extract data from an individual phone, given the way the iPhone’s security features have been designed.

Many have attempted to explain this privacy versus security debate to the general public by comparing the iPhone with a safe (of the big locked metal box variety). Apple supporters reason that no safe manufacturer would just hand over its master key to the government, while those who side with the FBI cite precedent where search warrants have been used to open safes, regardless of methods employed.

But here’s the problem with this comparison – it assumes data is tied to a physical device, when this just isn’t true.

Consider that Apple has already turned over this terrorist’s data backed up in iCloud. This means there is a repeatable method of accessing any one person’s data in the cloud. Of course such methods are carefully protected and known to only certain Apple employees, but who’s to say that this is any more or less safe than what the government is asking Apple to do with the phone – to create a method that only certain people would know and can (legally) be used only with valid search warrant – aren’t both just as likely to be stolen or exploited by bad actors?

To say we should be ok with turning over personal data stored in the cloud, but not stored on a physical device, seems arbitrary. And for Apple to say that protecting the data on a physical device is critical to defend our privacy and keep us secure while simultaneously encouraging its customers to back up their data to the cloud, seems inconsistent.

At issue here is the nature of data – it flows from app to app, from clients to servers and back again, is backed up and hosted on myriad devices and generally isn’t tied to any specific device. The worldwide infrastructure on which our data resides is only becoming more complex, fragmented and interconnected in ways that often aren’t obvious to the data’s owners. Neither side here is really considering this reality. Instead, each side is using arguments grounded in 20th Century data-silo oriented thinking that data’s physical location is what matters, rather than the data itself.

To illustrate why this is wrong, let’s follow each side’s arguments through to their logical conclusion, neither of which are good.

Let’s say Apple were to win; what precedent will this set? That people who care about liberty and privacy need to be super careful, because their rights are inconsistently protected depending on whether they store their data on their own physical device or not? Imagine how hard it would be to provide comprehensive protection, with increasingly fragmented and seemingly arbitrary regulations covering different physical manifestations of data. Sophisticated bad actors will take advantage of this, keeping their own data safe on “unbreakable” devices while the rest of us unwittingly have our data shared in less secure environments where governments and the villainous alike may have easier access. The security minded folks among us, myself included, would be concerned about this outcome.

And if the FBI were to win? It essentially sets precedent that the way to manage this challenge is with the Faustian bargain of giving broad general powers to a single government entity as the only way to provide comprehensive security – the privacy minded folks among us, myself included, would be concerned about this outcome as well.

Albert Einstein once said, “We can’t solve problems by using the same kind of thinking we used when we created them.” We need fresh thinking. During an election year it is a perfect time for one or more candidates to show thought leadership here. Led by legislature not courtrooms, Congress should take this up. Failing that, the vendor community including Protegrity must educate and evangelize on the real issue: Data rights are about the data, not the device, not the app, not the cloud, or any other silo.

Just as our customers want to protect sensitive data no matter where it sits, so citizens worldwide should recognize their personal data is what’s valuable, and push for legal and regulatory reforms to protect and secure it. Privacy rights should confer to the data itself regardless of physical manifestation or location. The EU is far ahead of the USA on this, pushing for data rights on behalf of its citizens. It’s time for broader recognition of this fundamental challenge and to identify new solutions that keep us secure from terrorist attacks while protecting our data ownership and privacy rights. Without this, we won’t truly get to a data-driven future that is both safe and empowering for its users.

This article was originally published on Protegrity’s Blog.
Dominic Sartorio
About the author: 

Dominic Sartorio is a Senior Vice President at Protegrity, a worldwide enterprise data security software company.  Dominic leads the Product and Development departments for the company.  His career includes Vice President and Director assignments with Informatica, SpikeSource and Wily Technology.  Follow him on LinkedIn.