848 words – MR
Exploring the limits of privacy and security
by Tom Rataj
A recent precedent setting case raised many issues about personal privacy and security in the digital age. Although it took place in the US, most of the discussions are relevant in jurisdictions around the world, including Canada.
It all began in December 2015 when Syed Farook and wife Tashfeen Malik attacked the San Bernardino County Department of Public Health office where Farook worked during a training session and Christmas party. Armed with firearms and an explosive device, they killed 12 people and seriously injured 22 others.
The couple was located several hours later in a rented SUV and were killed in a shoot-out with San Bernardino police. Subsequent investigations revealed that they had been radicalized by foreign terrorist groups and carried out a jihadist-style terrorist attack.
Although the pair destroyed their personal cellphones prior to the attack, an iPhone 5C issued to Farook by his employer was recovered in the truck. Unfortunately for investigators, the phone was locked by a passcode.
Because the case was classified as a terrorist attack, the FBI became involved and made some preliminary but unsuccessful attempts to access the phone.
The agency then asked US District Court to compel Apple to create a special software package that would allow it to access the contents. Interestingly, the FBI used the powers of the All Writs Act, which was originally written in 1789.
The writ issued by the court gave Apple ten days to comply with the order. Apple immediately announced it would oppose the order because it created security risks for its customers.
“We oppose this order, which has implications far beyond the legal case at hand, wrote Apple CEO Tim Cook. “This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.”
The tech industry – including major players such as Microsoft, Google, Facebook, Twitter and Yahoo – and civil rights groups supported Apple’s position.
Even the United Nations High Commissioner for Human Rights, Zeid Raad al-Hussein, commented that allowing the FBI to succeed would “risk unlocking a Pandora’s Box.” It would have “extremely damaging implications” for human rights, whistle-blowers, journalists and political dissidents, he said, and would potentially be “a gift to authoritarian regimes” and criminal hackers.
The National Sheriffs’ Association and Federal Law Enforcement Officers Association, among other groups, supported the FBI, as did most families of the victims and survivors of the terrorist attack.
Microsoft founder Bill Gates initially supported the FBI but later clarified that he thought the case was provoking valuable debate about the issues. The courts would need to find the right balance and safeguards when dealing with electronic devices and digital data, Gates concluded.
BlackBerry CEO John Chen stated that the company’s guiding principle had been “to do what is right for the citizenry, within legal and ethical boundaries.”
His response was also in relation to a recent Canadian case where BlackBerry complied with a court order to provide technical assistance to the RCMP in an organized-crime murder investigation.
Apple also routinely provides technical assistance to police when accompanied by the appropriate court order. It was recently revealed that Apple provided technical assistance to investigators to extract data from the phone of co-accused Dellen Millard during the investigation of the Tim Bosma murder (near Hamilton, Ontario).
{iPhone ¨hacked}
The FBI and government withdrew their writ at the end of March because a third party firm had successfully accessed the phone. Although not officially confirmed, a professional “hacker,” using a zero-day vulnerability in the iPhone operating system, unlocked the phone, which apparently did not contain much valuable data or any connections to a known terrorist organization.
{Device security}
The iPhone 5C at the centre of the FBI case was locked using the standard iOS four-digit passcode, which cannot be cracked by a brute force attack — entering each of 10,000 possible number combinations. If an incorrect passcode is entered more than ten times, the encryption key for the phone data is erased, making it inaccessible.
Apple claimed not to have secret “back-door” access to the operating system and indicated it was unable to comply with the writ by writing special software to bypass it. It also claimed it did not have access to any user data or data in transmission or stored on iCloud servers as it is all encrypted.
The weakest security point on smartphones and computers is usually the users’ passcode. Simple four-digit passcodes are often easy to guess, like “1234,” and easy to see when a user enters them on a portable device.
Whenever possible, users should use complex passcodes that contain both upper and lower-case letters, numbers and special characters. These are difficult to guess, visually eavesdrop or break by a brute force attack.
The case raises a lot of interesting and complex issues about electronic devices. Arguments on both sides of the issue have validity, but ultimately personal privacy rights will triumph. Law enforcement will need to develop new and creative investigative techniques to cope with the challenges this creates.
Print this page
