The stakes for ensuring that data remains private have never been higher as Apple and The FBI duke it out over the Cupertino company’s refusal to play ball and disable built-in protections on an iPhone 5C owned by now deceased terrorist. Should the FBI succeed in its legal efforts to force Apple to comply, the ramifications of that decision would be felt across the globe, including Asia.
Data Privacy Asia reached out to some experts for their opinions on exactly how that decision may affect privacy and data security in the region.
How it all started
In order to understand the parameters of the legal battle it’s necessary to first have some background on just why the two parties, the United States Federal Bureau of Investigation and Apple are going toe to toe over this issue.
The FBI is demanding that Apple help it to bypass security features of an iPhone recovered from Syed Rizwan Farook, who, along with his wife, Tashfeen Malik, killed 14 people in December 2015 during a mass shooting.
On Feb. 16, 2016, a federal Judge in California issued an order demanding that Apple assist the FBI in accessing data on that phone, an iPhone 5C running iOS 9. Specifically, the FBI wants Apple to disable built-in protections that lock up or erase the phone when an incorrect passcode is input too many times. With that functionality disabled, the FBI can enter every possible passcode into the phone until it unlocks. This method is named “brute force” hacking.
Tim Cook, the chief executive of Apple, is fighting the order, calling it an “overreach by the US government”, National Security Agency whistle-blower Edward Snowden has called it the “the most important tech case in a decade”, while civil liberties campaigners have accused the US government of using the case to establish a dangerous legal precedent.
According to Chief Research Officer at F-Secure, Mikko Hypponen, who has written for New York Times, Wired and Scientific American told Data Privacy Asia that, in his opinion the “FBI was waiting for a suitable case they could use to twist Apple’s arm, and San Bernadino was a perfect case for them.”
What’s at stake?
The question might be asked ‘who cares?’ Joe Public already seems relatively unconcerned about privacy. We use Facebook, Google and Amazon and happily seem to hand over our data without any qualm. Users of websites can’t be bothered to block tracking cookies and ignore software solutions that would protect the privacy of their email.
As enticing as this argument is, it’s comparing (pardon the pun) Apples with Oranges. There’s a difference between surrendering our right to privacy voluntarily and having it forcefully taken from us by either a company, a hacker or even a government agency.
If that happens it’s a slippery slope towards a state of affairs where the ownership and control of data resides not with the individual but with a third party – who can then use that data in whatever way they see fit.
It’s tempting to ascribe only the noblest of purposes to the FBI’s efforts, however this is not the first time that a government has run roughshod over the idea of privacy. In late September of 2015 the US government took on Microsoft in order to gain access to the contents of a single Hotmail account stored on a Microsoft server in Ireland. This case has not yet been decided in the US Court of Appeals.
The consequences of a ruling in favour of the US government are murky – however it’s safe to say that such a ruling would not be good for privacy. If a government in one jurisdiction can force a multinational which stores data in the cloud to hand over information relating to an account held in another jurisdiction it opens up a Pandora’s Box that will be impossible to close. Once that particular genie is out of the bottle then it will be extremely hard to stop governments across the world from reaching out to foreign jurisdictions to force multinational compliance with domestic rulings.
In the case of Apple vs the FBI, the complainant, in this case the FBI believes the construction of this “backdoor” tool can be done privately, in Apple’s own labs, with unique code that will only allow it to work on Farook’s phone, and the software will never be used again. This is difficult to believe because we know Apple has received many such requests from law enforcement.
There is some recent argument that this is against the 13th amendment of the United States Constitution. To quote: “the 13th Amendment explicitly prevents ‘involuntary servitude’. Neither an individual, nor corporation owned by individuals, can be forced into the service of another unless they have committed a crime. Apple has committed no crime and let’s be unmistakably clear, they have no software that can break the encryption system. For Government to compel Apple to invent and then build something that does not exist is claiming they not only own their labour, but also their intellect.”
I don’t understand how FBI can come to any U.S. company and demand them to write software that does not exist at all.
Mikko Hypponen, CRO at F-Secure
This is a very compelling argument – to force an organisation to work against what for Apple at least is a competitive advantage is going against the ethos of the free market system itself.
Looking to Southeast Asia, Supawat Srirungruang, Partner at Rajah & Tann (Thailand) believes that neither the Thai Court nor Thai government is bound to follow foreign precedent.
He does however follow that statement up with a caveat, “That being said, this Apple case is a good example of how the balance between national security and privacy may be reached, and may be used as the case study in similar situation here (in Thailand).”
So we have a situation where foreign governments by and large would not be bound to follow the precedent set in another jurisdiction – however as previously mentioned, could a multinational be forced to hand over data held in the cloud – even if the client resides in a different country? As mentioned, the US Court of Appeals has not yet ruled. However, if the answer is yes, the ripple effect could spread across the globe.
In fact, the truth of the matter as far as the current case is concerned is that if Apple should agree to cooperate, the FBI (and other law enforcement bodies) will in all probability require such cooperation in the future.
Mikko Hypponen was very clear in his opinion of the latest move by the Federal Bureau of Investigation “[the] FBI wants to set a precedent. It’s not about just this case. They want to be able to do this again and again.”
Mr Hypponen draws on years of experience, and lawsuits in recent years would tend to back up his opinion. In fact, what privacy advocates are faced with is a simple ‘pinkie promise’ from the FBI not to use the legal precedent (or for that matter the ‘backdoor’) repeatedly for any number of uses.
If the judges’ gavel falls on the side of the US government and forces Apple to in essence hack its own product, what are the global implications – would this precedent give weight to efforts of regimes such as Russia, China or Turkey to follow the same path? What about Iran, Syria or North Korea? Apple is a billion-dollar company and is active in markets across the globe, it would lose significant competitive advantage if it was to have to choose where its products would enjoy robust protection.
The cloud complicates matters even further and what if a situation should arise where an aggrieved party escalates the case to an international tribunal and the ruling goes against it? Would member states then be able to use that ruling to bolster their case for infringing on the right to privacy?
These are vexing questions and the issue is tremendously complex.
So what is the solution?
According to Pauline C. Reich, Professor and Director of Asia-Pacific Cyberlaw at the Cybercrime and Internet Security Research Institute at the Waseda University School of Law, the solution might be one where the issue is approached on a case by case basis. However, she notes that this approach may not meet the requirements of law enforcement.
“In usual criminal cases, law enforcement cannot just obtain data but must get court approval and a search warrant. The problem with electronic data is that law enforcement may not be able to wait to obtain data through normal channels because data can disappear quickly, evidence can disappear quickly.
“My suggestion is not total access of government all the time via a back door but case by case requests to a special court that can respond quickly.
“Some countries have set up specialised cybercrime courts. Maybe such courts could provide the quick access law enforcement needs but there still have to be constitutional and procedural safeguards in each instance, not blanket access to everyone’s iPhone or other data,” says Reich.
For the greater good?
The current battle between Apple and the FBI is a complex one and the legalities of the issue will provide news outlets and privacy pundits with story lines for many days to come. However, the battle lines have been drawn. On one side you have the privacy pundits who are obdurate in their opinion that data should be sacrosanct and on the other, those who argue the merits of evaluating each argument on a case by case basis.
The conclusion would seem to be that we, as individuals must trust in institutions of justice and legislation to make the right rulings when it comes to privacy and data issues.
When we asked Professor Reich whether if given the choice she would delegate responsibility to your government or private enterprises to handle this responsibility her answer was telling;
Neither. [I] would recommend court review of applications for access to passwords, data based on the usual procedural safeguards and national law/constitution.
Pauline C. Reich, Professor at Waseda University
But are these safeguards good enough, in extremis could a government turn to legislative measures to force data disclosure from a manufacturer?
Supawat Srirungruang believes that in the case of Thailand this could very well be the case.
“Currently as Thailand is under the control of the National Council for Peace and Order (NCPO) and the interim Constitution of the Kingdom of Thailand B.E. 2557 Section 44 grants the NCPO a near absolute power to issue any orders in order to prevent, abate or suppress any act detrimental to national order or security, royal throne, national economy or public administration, and such orders are all deemed ‘lawful, constitutional and final’. Therefore, under Section 44, it is possible that a company be forced to weaken the security of its products.”
However, there is yet another side to the arguments – that is how we, as a global society evaluate exactly what ‘for the greater good’ actually means. In essence that is what this case boils down to – does the welfare of the many outweigh the rights of the individual? And who is the final arbitrator when we search for an answer to this question. Vigilance is certainly required from all parties with a stake in this very important question.