If Apple and Google design their smartphones and tablets so that the government can’t gain access to encrypted data, then the bad guys win. Or that seems to be what a host of current and former law enforcement, anti-terrorism and intelligence officials are saying.
With the release of iOS 8 and the newest iPhones, Apple has implemented their device-based encryption so that there is no way they could comply with a government order to gain access to the content on a device, and this is now the default setting on iPhones. Google has also moved to do a similar thing on Android devices. Predictably, this has led to outrage from the law enforcement community, which has taken to the airwaves, op-ed columns and public speeches to denounce this move, saying that it will make it possible for criminals, drug dealers and terrorists to hide their actions and avoid convictions.
Now, I’m not going to get into the whole debate on the needs for strong law enforcement and reduced privacy and freedom rights in order to combat the evils of today. But there are a couple of key issues that jump out on this debate.
First, I’m not clear on how the moves by Apple and Google change things much. For years now it has been trivially easy to enable strong, full-disk encryption on these and other devices. Any bad guy who knew how to install an app on their device could have enacted these protections already.
Really, the main change is that this encryption is now on by default. So while experienced bad guys have had this level of data protection for a while, now everyone, from Mom and Dad to the travelling salesperson, will have their data protected if they lose their device. Which makes one wonder, is the real main objection for these law enforcement officials that they now won’t be able to easily access the data of regular people? Or I guess it makes it harder to catch the really dumb bad guys. But I guess if they were dumb enough to not use free encryption, then they have probably messed up in other ways as well.
The other main problem in this debate is one that is of special concern to businesses and IT professionals. Namely, these so-called security and encryption products that you’ve been using for years that had backdoors for government should be taken up on false advertising charges. Because there is no way that a system can have backdoors and be considered secure in any way.
Imagine you own a lot of valuables and you’ve decided to purchase the best safe that money can buy. The safe manufacturer steps you through all of the impressive features that make it impossible for even the most dedicated safe crackers to get through. And then you notice a little USB port on the side of the safe. You ask, “What’s that port for?” And the safe manufacturer reluctantly replies, “That makes it possible for law enforcement to connect to the safe, enter a code and gain access. You know, just in case bad guys were using the safe.” Would you purchase a safe that not only made it easy for government officials to get in, but also any other bad guy or government with the know-how to easily defeat it as well?
That’s what these backdoor options that government officials want are: holes in your security. There have already been real-world examples of criminal hackers and unfriendly foreign powers using backdoors to hack into business systems and steal data and information. And companies like Apple and Google have realized that they can’t sell secure products to businesses here, and especially abroad, that have built-in holes in their security.
Really it comes down to just one choice. Device makers can either do as Apple has done and say, “Look, this is a secure system and we can’t sell a secure system with a backdoor in it” or they just give up on offering any security whatsoever.
For more on this topic, read the Aberdeen report Understanding Your Encryption Footprint: Your Reliance on Security and Trust