Weakening Encryption: The China Problem
By now, you’ve heard that the FBI has asked Apple to help break into the iPhone belonging to one of the San Bernardino terrorists. USA Today describes the specific request:
Right now, iPhone users have the option to set a security feature that only allows a certain number of tries to guess the correct passcode to unlock the phone before all the data on the iPhone is deleted. It’s a security measure Apple put in place to keep important data out of the wrong hands. This same thought process is followed by many other companies looking to protect their customers’ data from being leaked or breached in some way that infringes on the privacy and security of said data. Something like network intrusion detection may be implemented in order to avoid such attacks or find out about it before any real damage is done to the business or its reputation.
Federal prosecutors looking for more information behind the San Bernardino shootings don’t know the phone’s passcode. If they guess incorrectly too many times, the data they hope to find will be deleted.
That’s why the FBI wants Apple to disable the security feature. Once the security is crippled, agents would be able to guess as many combinations as possible.
Suppose Apple can do this. Suppose that the courts, up to and including the Supreme Court find that they must.
At that point, every device maker who wants to sell a device in the US would have to build this weakening capability into their products.
Putting aside the obvious fact that this capability will be reverse-engineered by the wrong people, the impact of this decision on the rest of the world (and Americans abroad) has not received the attention it should.
Nothing stops other countries from presenting similar demands under their own laws. In the case of liberal democracies, the harm to the innocent would be limited. Repressive regimes, though, would quickly utilize this new capability.
Imagine a case in which China got hold of the iPhone of a US citizen at the border about whom it was suspicious. It could present the phone to Apple to decrypt under Chinese law.
Why pick China for this example? While a company might be able to tell of Iran, Venezuela, or even Russia, China is an integral part of the global technology supply chain. They are uniquely positioned to exert leverage in the technology sector where other repressive regimes are not.
The only thing preventing China from using its leverage today is the mathematical impossibility of cracking the encryption. Take that out of the picture, and things get interesting for device makers.
Why pick a US citizen? This one is more interesting. The US government (and states and localities) have multiple ways to digitally spy on their citizens. They can capture traffic on American internet connections. They can subpoena information from cell phone carries and ISPs under the third party doctrine.
Foreign governments don’t have access to any of these. While the US does share intelligence with friendly government, repressive regimes such as China are left out in the cold. Capturing the device of an American is one of the few possible ways for a repressive regime to get at the info.
By demanding that Apple weaken security around its encryption, the FBI will be handing China an entirely new ability to compromise the security of American citizens while only marginally increasing its own reach. Considering that China has been expanding its hunt for dissidents to other countries, the last thing that the US government should consider doing is making Americans with smartphones more attractive targets.