Going Dark? The Rule Of Law, The iPhone, And Closet Doors
On a recent trip to Colombia, Privacy International learned that the Colombian mobile phone network does not use any form of encryption. In this sense, Colombian communications are stuck in the 1990s, when cryptography was not yet widespread, and was still tightly controlled by governments who feared its spread could threaten their capabilities to conduct surveillance.
The issue of encryption on mobile phones, though, is not unique to Colombia. The Director of the FBI has been on a media blitz in recent weeks, arguing that Apple’s iPhone encryption was posing a threat to security. Interestingly, a dear friend, and one of Colombia’s leading legal experts, wondered exactly the same: wouldn’t Apple’s encryption of mobile phones threaten the legitimate right of the state, under law, to gain access?
Proponents of this view argue that the law should reach all aspects of our lives and that the rules would apply to all. Specifically, FBI Director James Comey, with a tiring ‘law enforcement is going dark’ argument, said:
“I hope you know that I’m a huge believer in the rule of law. But I also believe that no one in this country should be above or beyond the law. There should be no law-free zone in this country. I like and believe very much that we need to follow the letter of the law to examine the contents of someone’s closet or someone’s cell phone. But the notion that the marketplace could create something that would prevent that closet from ever being opened, even with a properly obtained court order, makes no sense to me.”
It’s a compelling argument to many, but raises an important question: Can a democratic nation require a company to change its technology, under the rule of law?
In this debate, I found myself revisiting the 1990s. One of the winning arguments from the crypto wars was that ‘security’ needs defining: state security may be separate from economic security, and personal security. After 9/11, the political debate forgot this again and everything became about ‘national security’. It took the Arab Spring for a more evolved understanding to re-emerge, recognising that security technologies could be used against a nation's people.
Yet governments again forgot this, as we saw how they compromised security and systems around the world in the name of national security and economic well-being, which we now know thanks to Edward Snowden’s disclosures. And now with the FBI’s argument, they’re doing it again.
It’s our security too
The threats to our personal information are diverse: criminals, malicious hackers, companies, foreign states, and yes, sometimes our own governments.
This is true of all our systems that hold our personal information. Our mobile phones are starting to contain our most sensitive information in ways that were never previously possible. They contain the files that used to reside in our homes, our letters that used to reside only in our mailboxes, our health information that used to only reside in our doctors’ offices, our reading interests that used to only be held by libraries, and our purchasing preferences and browsing habits that never existed anywhere before in such a comprehensive way.
And it is only growing. Your mobile phone knows who all your friends are, all the places you have been to, and even has your calendar of where you are going to be.
Governments, some with the help of surveillance companies, are now capable of getting full access to our devices. It is possible to hack your mobile phone to turn on the camera and microphone without your knowledge. It is possible to get information off your phone and to read your emails. Police and others have technologies that allow them to download all the content of your mobile phone and they will retain this information indefinitely.
Encryption is the most basic and essential step. So is the issuing of security updates on the phones to fix vulnerabilities. A device should only be accessible to its owner, and to nobody else.
Even the FBI recommends it. If you don’t believe me, see here how the FBI recommends the use of encryption to protect yourself from malware.
Now, we are seeing Apple, Google, and other companies apply the most essential and basic security to the phone that is possible: keeping the data that is at rest on the phone in such a way that it is secure against anyone else getting access to it. While some recent moves by Apple have actually made people’s personal information more vulnerable to surveillance, steps to improve encryption are in the right direction.
The impenetrable door and the rule of law
This of course frustrates law enforcement agencies and border officials, as well as criminals and malicious hackers. It’s for this reason that US officials are asking these companies to reconsider the security they’ve deployed on our devices. And Director Comey raises the spectre of an un-openable closet door.
In one sense, this latest debate is somewhat ridiculous, since our laptop and desktop computers have had this storage encryption capability for years now. But in another way, their argument is perhaps compelling: there will be times when the government needs to have access to your phone. Just as you have the right to lock your door, the government has the ability to break down your door, with a judicial warrant, to gain access to your home.
If Apple and others implement security, in the government’s mind, it is the equivalent of creating a door that is so powerful that the government cannot break it down, even with a warrant. Seen in this way, it can be a threat to the rule of law.
Except that it isn’t. Governments could previously break down your door because the door was frail — and in turn, we created rules to regulate that incredible power of the state. As William Pitt stated in a debate in the UK Parliament around general warrants and search powers in 1763,
“The poorest man may in his cottage bid defiance to all the force of the Crown. It may be frail; its roof may shake; the wind may blow through it; the storms may enter; the rain may enter – but the King of England cannot enter; all his forces dare not cross the threshold of the ruined tenement.”
So rules were eventually established (there is a link between Pitt's statement and the 4th amendment to the US Constitution), thereby establishing the rule of law to regulate the incredible power of the state — a power that was made possible by the frailty of the door.
Innovation has now made it possible for doors to be quite powerful indeed, and this innovation exists because of demand from users, for their own protection and to protect their rights. The rule of law is there to ensure that the powerful cannot abuse their powers — but when the technology prevents this very abuse, it would be very dangerous to argue that we must introduce frailty in order to then regulate the arising power that is open to abuse.
And there is abuse. The Snowden revelations made clear that governments are gaining access to our devices, turning on our microphones, tracking usage around the world, and even turning on our phones without our knowledge. They are collecting vast amounts of metadata about our interactions, our locations, our activities — and nothing that Apple or other companies have yet introduced will in any way reduce the risk of abuse here.
We are in the golden age of surveillance, and this is a problem that must be addressed by society. The fact that there are more debates about introducing greater surveillance powers at the risk of our personal security is a sad statement about the dominant political debates of our time.
What security and for whom?
All those principled points aside, there are also practical dimensions. That is, there is a tempting argument, presented by some, that perhaps we could ask Apple and others to make ‘backdoors’ into our phones, that only legitimate law enforcement agencies could access. This is the equivalent of a strong door that can’t be broken down, but one that has a secret key that only law enforcement agencies could access.
First, there is the challenge of defining ‘legitimate law enforcement agencies’: is this only US or Colombian authorities, or authorities in other countries around the world? And second, there is the practical challenge: building security is very hard, and building security that has reduced security in only some circumstances is practically impossible. If we built a backdoor into our systems, there is a 100% likelihood that others, who are not deemed ‘legitimate law enforcement’, will be able to get access. In modern computing, there is no such thing as a secret backdoor.
The threats to our privacy are indeed diverse, and the police must learn that protecting citizens’ personal information from illegal activity is a priority of the modern state and a modern economy. Weakening our collective security for some claimed inherent right of government to break down our doors is the priority of a state built for the police.