Why Apple Defends Encryption

TidBits.com ^ | January 20, 2016 -- 19:53 GMT | by Rich Mogull

[Swordmaker]

The Intercept recently reported that Apple CEO Tim Cook, in a private meeting with White House officials and other technology leaders, criticized the federal government’s stance on encryption and technology back doors (see "Tim Cook Confronts the White House Over Encryption," 14 January 2016). As it was a private meeting, we don't know exactly what happened, and The Intercept is admittedly biased on this issue, but such statements would certainly align with Cook's previous public positions. This is just the latest in Apple's spats with the government over encryption -- I first wrote about them in “Apple and Google Spark Civil Rights Debate" (10 October 2014).

Cook's dustup with the White House prompted Daring Fireball's John Gruber to ask:

This came up during last night's Republican primary debate -- not about tech companies refusing to allow backdoors in encryption systems, but about Apple specifically. Tim Cook is right, and encryption and privacy experts are all on his side, but where are the other leaders of major U.S. companies? Where is Larry Page? Satya Nadella? Mark Zuckerberg? Jack Dorsey? I hear crickets chirping.

These aren't nebulous questions from privacy activists or Apple enthusiasts. We are in the midst of fundamentally redefining the relationship between governments and citizens in the face of technological upheavals in human communications. Other technology leaders are relatively quiet on the issue because they lack the ground to stand on. Not due to personal preferences or business compromises, but because of their business models, and lack of demand from us, their customers.

(Apologies to our international readers, but this article is U.S.-centric since the issues vary depending on where you live. That said, a number of other governments, like those of the UK and France, are dealing with exactly the same situation.)

Why Governments Want to Read Your Mind -- When we talk about encryption and privacy from government surveillance, we're really discussing three separate, but related, issues:

• Our right to use technology that keeps our data and activity private from law enforcement agencies.

• The legal right and capability of our intelligence agencies to monitor our online activities and communications.

• Intelligence and law enforcement agencies either mandating or creating (legal or not) "back door" access mechanisms in commercial products and services to monitor activity.

Encryption plays a massive role in each of these issues, but it's only part of the story.

Civilian law enforcement agencies that serve the "law," not government leaders, are actually a relatively recent development in the history of the world. The concept is "policing by consent," which comes from the Peelian Principles of policing. Law enforcement is separate from the military and from intelligence agencies. We give police extraordinary, but not unlimited, powers to allow them to enforce the law and protect citizens. In the United States, multiple agencies at multiple levels (local, state, and federal) interoperate with the judiciary to create a series of checks and balances on power.

In America, law enforcement agencies at all levels have a long history of accessing personal information as part of their investigations. Police are accustomed to obtaining evidence from nearly any source, with the appropriate legal authority, via a process called "lawful access." The police can crack a safe, tap your phone, read your mail, access your financial records, and more, as long as they have the right authority. That may require asking a judge for a warrant (to read your physical mail); in other situations, the information is available using techniques with lower evidentiary standards (tracking your car with GPS, since public movements are. . . public). Regardless, all these situations are within the framework of the law. There are even laws that mandate telecommunications companies create back doors for lawful access.

The problem for the police is that new technologies block their ability to access information they need (or at least think they need) to do their job. Mobile phones, for example, have become one of the best information sources in law enforcement history since they consolidate a suspect's communications and personal data into one tidy package. Sure, police can get texts, call, and location histories through a phone carrier, but it's much faster and easier to pull it from the phone, which also likely contains Facebook posts, encrypted iMessages, email conversations, and a lot more.

This is the first time in history we have civilian communications and information storage devices that law enforcement can't access, even with a warrant. That's a slight exaggeration, since you can be compelled to unlock your phone (your passcode can't be tortured out of you, but a judge can toss you in jail until you give it up). And as I said, most -- but not always all -- the information on a phone is typically available in other places, but getting it elsewhere is far more time consuming than looking on the phone.

Law enforcement officers see strong encryption as a tool that impedes their ability to do their job, using tools they have never previously been denied.

Intelligence agencies are different. They aren't supposed to monitor U.S. citizens (except for a few very narrow exceptions). Even the bulk data collection that's come to light in recent years has limits and is predominantly focused on monitoring foreign communications, including those in to and out of the United States. Intelligence agencies don't enforce the law, they spy, on other nations and potential threats. But in recent decades they've faced a massive legal and logistical problem -- a large portion of the technology they need to use relies on products and services that originate in the United States.

If intelligence agencies need to tap bad guy email communications in Europe, they often need to crack into the likes of Google, Microsoft, and other services. Or at least tap them internationally, since they are explicitly not allowed to tap domestically. But as those who understand how the Internet works know, the lines between domestic and international aren't always clear.

And "tap" is a misnomer. Technology companies use encryption to protect information and transactions from attackers. That same encryption is powerful enough to impede intelligence agencies, or at least increase the costs for them to crack it. So they may know about some software vulnerabilities that let them break into systems. Or maybe they look at putting in a "back door" and keeping it secret. Except there are no secrets, and every back door is a security vulnerability just waiting to be exploited. Plus, deliberately introducing vulnerabilities or back doors in domestic systems is not only likely a violation of law, but also of the policies and operating procedures of the intelligence agencies themselves.

Both law enforcement and intelligence agencies face the same fundamental problem. Any tool that enables lawful access also enables unlawful access. There are no Golden Keys, only skeleton keys.

Thus:

• While we have a legal right not to incriminate ourselves to law enforcement, law enforcement has historically had access to anything we have ever recorded or communicated. Until now.

• Intelligence agencies are tasked with spying on foreigners in order to protect us, but the lines between "foreign" and "domestic" are blurrier than ever.

• Back door access for law enforcement (and, sometimes, intelligence agencies) has previously been legally mandated. But every back door is not only a vulnerability, but also potentially a tool for abuse, from criminals or hostile governments.

To top it all off, existing laws in many of these areas are often unclear or obsolete, at a time when the ability to access our devices and services is effectively akin to reading our minds. These fights over our online rights are fundamentally redefining the relationship between citizens and governments.

Why Apple Takes a Stance Where Others Don't -- Apple is far from the first company to find itself in government crosshairs. BlackBerry, for example, was forced to decrypt communications for the Indian government in 2010 or shut down operations in the country. Those same tools have since expanded and are used in other countries to monitor BlackBerry devices.

Let's go back to Gruber's list: Google, Microsoft, Facebook, and Twitter. I'll add Amazon and Samsung. In each case, these companies' business models don't put them in nearly the same position as Apple.

Google is fundamentally an advertising company that collects data on its users. That information can't be encrypted so only the user can see it, since that would prevent Google from accessing it and using it for targeted advertising. Even removing the ad issue, some of Google's services fundamentally won't work without Google having access to the underlying data. Google is taking a stronger stance with Android encryption, at least on the technology side (slowly, because Google doesn't control most Android hardware). But Google isn't vocal about this since all its data is accessible with a warrant. It isn't in the company's interest to call attention to this fact. However, I do know that Google does whatever it can to prevent spying and other monitoring, such as encrypting all communications between its data centers.

Microsoft is fundamentally a software company. The firm already offers strong encryption for PCs (Bitlocker), but it isn't consumer friendly and Microsoft owns only a tiny fraction of the mobile market. Its biggest customers, corporations and governments, are long used to monitoring Microsoft platforms for legitimate enterprise security reasons. Of all the companies here, Microsoft is in the best position to back up Apple, but Microsoft has such a long history of working with, and selling to, government that the company shies away from public conflict on this issue. Outside of the public eye, Microsoft is currently being held in contempt of court as the company battles the Department of Justice to protect user data stored overseas in a case that could define the future of cloud computing.

Facebook and Twitter? All data in social networks is accessible via lawful access (heck, most of it is effectively public anyway). Like Google, these companies are essentially ad platforms that need access to our data. While Facebook CEO Mark Zuckerberg and Twitter CEO Jack Dorsey may support strong encryption as individuals, there isn't anything their companies can do about it on a practical level. Amazon? It doesn't sell the hardware that matters, and as primarily a retailer, it isn't in a position to do or say anything that will make a difference. (The exception is in Amazon Web Services, which makes extensive use of encryption, including government-proof options.) Samsung? Samsung is a foreign company that the U.S. government would be unlikely to listen to.

Massive tech companies like Cisco, IBM, Oracle, and even HP simply aren't in the right part of the market to advocate on behalf of consumers.

All these companies place a high priority on the security of their products and services, but, for the most part, they can't build things that allow us to control our information and keep it private.

And again, to be perfectly clear, any time you enable monitoring, you reduce privacy and security. All back doors are security vulnerabilities. These are the equivalent to the laws of physics, not technical problems we haven't solved yet.

Apple is nearly unique among technology leaders in that it's high profile, has revenue lines that don't rely on compromising privacy, and sells products that are squarely in the crosshairs of the encryption debate. Because of this, Apple comes from a far more defensible position, especially now that the company is dropping its iAd App Network.

Not everything Apple makes is immune from monitoring. The company must still comply with government requests for data that can't be encrypted and lives on Apple servers, particularly for services like iCloud Mail, iCloud Drive, and iCloud Photo Library, all of which are subject to lawful access. Wherever possible, Apple uses strong encryption that even it can't access, as long as the technologies and user experience align.

And Apple, like most of these companies, only provides data when all the right legal boxes are checked. To do otherwise would expose the company to lawsuits.

There's probably even more to Apple's stance on encryption than the company's business model and desire to promote a competitive advantage. My opinion, without having ever talked with Tim Cook, is that this is at least partially social activism on his part. I suspect that this is an issue he personally cares about, and he has the soapbox of one of the most powerful and popular companies in the world under his feet.

We can hope that Larry Page, Satya Nadella, Mark Zuckerberg, Jack Dorsey, Jeff Bezos, and other tech CEOs will someday also speak out on these issues. But their personal feelings aside, they aren't in the same position as Tim Cook and Apple to take a stand.

Now is the time when we get to decide if we have a right to privacy and security, and the limits of our government for the digital age. It won't happen because of public statements by tech leaders. No, it's up to us to make our opinions about online privacy and security known to our elected representatives, in order to determine the limits of policing (and protecting) by consent.

In fact, you have an opportunity to weigh in right now. A bill has been introduced in New York State that would ban the sale of smartphones within the state unless they can be decrypted and unlocked by the manufacturer. It's astonishingly misguided, and for those who want express their disbelief that elected representatives could be so ignorant of technology (and geography), you can set up an account with the New York State Senate, vote against it, and even leave comments.

Then, just sit back and wait for the next ignorant statement or misguided piece of legislation, because these issues aren't going to be resolved easily, quickly, or definitively.

[Swordmaker]

Why is it Apple that is taking such a prominent stance ahead of all other tech companies on protecting consumer privacy? TidBits' Rich Mogull takes on that question, concluding that Apple is uniquely positioned to champion the consumers' privacy over all other tech companies because of its product line and business model.

"Apple is nearly unique among technology leaders in that it's high profile, has revenue lines that don't rely on compromising privacy, and sells products that are squarely in the crosshairs of the encryption debate. Because of this, Apple comes from a far more defensible position, especially now that the company is dropping its iAd App Network." -- PING!

Pinging Shadow Ace, dayglored, and ThunderSleeps for the overall relevance of this article.

Apple's Support of Consumer Privacy. Why?
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

[Aliska]

I defend Apple’s encryption and hope they will prevail.

[Forgotten Amendments]

Starting to like this homo

[Swordmaker]

I defend Apple's encryption and hope they will prevail.

Some know nothing in the New York State Legislature has introduced a bill to prohibit the sale of any cellular device that allows encryption that the manufacturer cannot decipher. That would prohibit the sales of all Apple iOS cellular devices.

Once you permit the manufacturer to decipher the encryption, it is only a short distance for the hackers to be able to decipher it as well. A backdoor for the good guys is a backdoor for the bad guys too. . . usually about fifteen minutes later. Generally the bad guys don't even have to crack it. Bribes are faster and cheaper.

[Bobalu]

An offer of sorts was once made as a compromise.

What if we allow the government to restrict the use of hard encryption of such sophistication that it cannot possibly be broken... but the government allows the following.

All digital traffic will be encrypted at a level that the government can break with just modest effort... but with a key length sufficient that it renders it impossible to decrypt even a small fraction of all the digital traffic.

This allows for access to data necessary for national security but does not allow wholesale snooping.

The proposal was rejected very firmly!

Tells you a lot doesn’t it!

Our cell phone communications are virtually unprotected against nation-state level snooping because threats were made to weaken the security of the data. The criterion was that that data must be able to be decrypted in real-time...so the encryption had to be very weak.

[freedumb2003]

Apple is 100% correct on this issue.

[DB]

What I read was slightly different. I believe he proposed to fine Apple (or any other company) $1200 for each device sold that didn’t meet their backdoor requirements.

[freedumb2003]

>>Once you permit the manufacturer to decipher the encryption, it is only a short distance for the hackers to be able to decipher it as well. A backdoor for the good guys is a backdoor for the bad guys too. . . usually about fifteen minutes later. <<

That is why, if I bought a car with On*Star that I could not de-install, I would rip that SOB out of the car.

I prefer my 2001 car, whose extreme geek is a starter chip (and I look a bit askance at that).

All that tech just means someone can easily take control of your vehicle — to track or actually make it do things you don’t want.

[Aliska]

Starting to like this homo . . .lol.

Seems like every time I get mad at any particular group of people (for good reason I tell myself), one is placed in my face.

Like the Hispanic 20 something man who stopped his shovelling job to come help me get my car cleaned off when it got pretty icy. He mentioned if I was from here, yes, more or less always. Where were you from or born? Illinois lol. I got his card in case I need help again. I don't know how to handle if he has a green card or not. I know I wouldn't turn him in because he did a good deed for me, but if I were to hire him, I think I could get in trouble with the law.

BTW, did you know that if you hire someone to do odd jobs and pay them in cash which I do commonly for odd jobs, that if they are paid in one year $600 or over you have to 1099 them? I didn't but found out I did. And to add insult to injury, you have to PAY the IRS for the forms!

Maybe that was just my business interest. I'll have to find if it finds out to personal business like home repairs

As to the blanket head in Subway the other night, she seemed so self-assured, I got the impression that they think themselves superior to everyone. It was so subtle but so profound. Has to submit to her husband, but what I already said.

[Aliska]

Actually I got mixed up and this belongs on another thread about a different subject. But the two kind of intersected when you brought up the homo.

You wouldn't bake him a cake would you?

[Swordmaker]

What I read was slightly different. I believe he proposed to fine Apple (or any other company) $1200 for each device sold that didn't meet their backdoor requirements.

That is equivalent to a prohibition economically. They tax them out of existence. How does this accomplish what they want. The criminal who wants to hide his nefarious activities can still buy a very expensive device that is undecipherable which the law enforcement agencies and even the manufacturer could not break into. It merely costs him a lot more to safely be a criminal. How absurd.

[Swordmaker]

BTW, did you know that if you hire someone to do odd jobs and pay them in cash which I do commonly for odd jobs, that if they are paid in one year $600 or over you have to 1099 them? I didn't but found out I did. And to add insult to injury, you have to PAY the IRS for the forms!

No, the IRS forms are free. You got onto one of the Google top of the page sites that charge you for forms you can always get for free from IRS.gov for free. Be careful using Google. Some of the pay for form sites look almost exactly like IRS official web pages and you can only tell if you read the fine print at the bottom of the page. I almost got bitten by one the other day when I was attempting to get a new Employers Identification Number because my office was changing from a Partnership to a Corporation. That particular page only revealed itself when it wanted to CHARGE ME $99 for the application fee. . . when I knew it was FREE! I closed that page, went farther down the Google page until I found another one (took me four tries) and closely checked the URL to assure it said IRS.gov!

But, Aliska, all IRS forms, including the 1099s submission paperwork forms are free to download.

[DB]

I’m not arguing. Just adding a detail...

[DoughtyOne]

If you feel like it, join in the Free Republic Caucus (each day)

Thank you.

Be sure to read the rules and follow them so your candidate will benefit from you vote.

LINK

[DesertRhino]

Because its MORAL?
And I haven’t been an apple guy. but windows 10 and standing firm on encryption is luring me in and I think im on the verge.

[SpaceBar]

Apple doesn’t want to be a team player of Fascist Amerika.

[TEXOKIE]

bfl

[Swordmaker]

I’m not arguing. Just adding a detail...

Nor am I. . . just explaining for others who may not grasp the principle. I think you and I are on the same page. We understand how Liberal Pukes work.

[CurlyDave]

But, Aliska, all IRS forms, including the 1099s submission paperwork forms are free to download.

The red form which must be turned in to the IRS can be downloaded, but if you print it it is not acceptable to the IRS. The form sent to the IRS must be scannable, which the printed form isn't for some reason. There is a penalty for sending in a downloaded and printed form.