The FBI has made our technology insecure. In a rush to gather data after the tragic San Bernardino attacks, the bureau asked Apple to find a way to circumvent encryption on shooter Syed Farook’s iPhone. Citing threats to data security and fear of precedent, Apple refused. The resulting Apple-FBI feud incited a privacy and encryption debate that will damage government-tech relations for years. Still, some might think that one aspect of this debate, i.e. keeping the decryption key secure, is moot now that the FBI hacked Farook’s phone. A possible rationale is that unlike Apple, which could succumb to pressure from foreign countries that demand access to American iPhones, the FBI can in theory keep the iPhone decryption method secure. However, realistically, even if this secret is handled by the FBI, it can still easily be exposed by hackers preying on security vulnerabilities of the FBI and other government agencies, or by accidents that are made more likely when organizations ignore security procedure. As such, the FBI effectively created a serious security risk for small reward. With this in mind, the FBI should not have hacked Farook’s phone and the American government should exercise greater discretion in the risks it takes with our technology.

The U.S. has a mixed record on cybersecurity. Although the government stops many minor attacks, it has failed to prevent major breaches like the attack on the Office of Personnel Management (OPM), which compromised data on 21 million Americans. To guard against destructive hacks like the OPM attack, President Obama introduced in February the Cybersecurity National Action Plan (CNAP), which among other reforms, “require(s) agencies to increase protections for their most valuable information.” The FBI already prioritizes its data security as well as the nation’s (it saw an 82 percent increase in computer intrusion investigations from 2002–2014); unfortunately, deficiencies in other government organizations’ security threaten the bureau and the data it holds. For example, a 15-year-old hacker compromised data on 20,000 FBI employees by hacking a Department of Justice-FBI portal. As this example suggests, the FBI will remain vulnerable until other agencies improve their security. In the meantime, the FBI has had to ignore security risks, and had to work closely with the DOJ on the iPhone decryption court case.

The decryption method is safest in an organization like the FBI, which places a high value on cybersecurity. Unfortunately, this method will likely not be housed exclusively within the bureau. In the past, data gathered for counterterrorism — namely NSA information gathered under the Patriot Act — has been shared with other agencies for non-terrorism related reasons, such as helping the FBI investigate narcotics cases. The FBI’s iPhone decryption method is in high demand from police departments who cannot circumvent Apple encryption. Other intelligence agencies might want the technique as well because they have struggled to break Apple encryption. This means that files on the decryption method are likely to be sent to many levels within other government agencies that have poor data security. Ultimately, the FBI has created a glaring security vulnerability because of the risks the bureau takes by working with poorly secured government agencies, and also because it cannot keep the decryption method secret once other less-secure agencies are granted access.

In addition, even if the FBI completely insulates the decryption method, organizational mistakes may reveal it. According to Stanford Professor Scott Sagan in The Spread of Nuclear Weapons: An Enduring Debate, organizations develop routines to coordinate among different units, yet these complex procedures can fail. As Sagan observes, these breakdowns sometimes occur by complete accident, but risks can increase when organizational actors deliberately violate protocol for the sake of expediency. When it comes to data, government officials often prioritize convenience over security. For example, former Secretary of State Hillary Clinton, current Secretary of Defense Ash Carter, and current CIA director John Brennan all used private emails for official government work. Unfortunately, Director Brennan forwarded sensitive documents from his work email to his private email, which hackers accessed in October 2015. As these leaders demonstrate, there are strong incentives to ignore security procedures even at the top levels of government, which can have enormous consequences.

Furthermore, even if the top leadership at the FBI strictly adheres to security protocol, junior members still can and do ignore procedure. For example, in 2000, FBI agents continued intercepting email coming to potential targets even though they omitted email capture in their Foreign Intelligence Surveillance Act (FISA) renewal because it “was not productive.” Eventually, the FBI reprimanded the agents at fault and fixed the FISA issues, but all of this took time. If an agent who knew the decryption method broke security procedures, it would take time to address the security threat. This creates a window of opportunity where a lucky hacker could exploit a security lapse and access the decryption method. Due to the possibility of organizational accidents and the incentive to ignore procedure both at higher and lower levels, there is no certainty that the FBI can keep the Apple code safe.

While there is no absolute guarantee that the FBI will leak the decryption method, sources suggest that one way or another, the technique will not stay secret for long. Although Apple will patch any vulnerabilities once it analyzes the decryption method, the FBI has still created a serious short-term security threat. The groups most likely to discover the Apple code are hacker cells like Anonymous, who have created backdoor entry points across a number of American government systems, or nation-state hackers, such as the Chinese hackers that successfully orchestrated the OPM attack. Both hacktivists and nation-hackers who discover this method could use it to access any American iPhones they have access to, and depending on whose phone or the number of phones they have, this could lead to a dangerous security breach. In light of these concerns, is the security risk worth the benefits we receive?

I believe the answer is no. First and foremost, ISIS suggests that the San Bernardino shooters were ISIS supporters, not members. Even if one assumes Farook was in league with ISIS, there is little prospect of discovering further terror plots. The FBI has accessed Farook’s work phone, which was issued by the local government, and was backed up to iCloud until 6 weeks before the San Bernardino attack. Although the FBI claims it lost track of Farook’s movements for 18 minutes during the attack, it seems unlikely that Farook would have used that time to contact an ISIS handler from a work phone. Even if Farook did contact a handler, there is no guarantee that accessing Farook’s phone would lead to the handler, as ISIS goes to great lengths to ensure its devices cannot be tracked. Logic also suggests that the handler would have changed cellphones or otherwise destroyed the device to make it harder for the FBI to track, given all the attention focused on this case. This is important because without the handler, the FBI would not be able to discover other American ISIS plots. ISIS operatives are told almost nothing about other operations, and these low-level functionaries are of little use for the intelligence community. The FBI knows this, and if it thought there was a probability of catching the handler, it would have immediately used a third party to hack the iPhone rather than stoke a debate with Apple. Ultimately, access to Farook’s phone is not critical to the San Bernardino investigation and presents little opportunity to gather ISIS intelligence.

As I see it, the benefit of hacking Farook’s phone is to see if there are distinctly terrorist behaviours that the FBI can observe that will allow it to prevent future attacks. This is a responsible goal, and is similar to the goal of the NSA’s Skynet program (see the Terminator for why this is a horrible name), which is learning to track terrorists in Pakistan by interpreting cellular data. However, there are few known terrorists — the most recent report suggests that Skynet bases its calculations off of data from only 7 known terrorists, and as a result, is wildly inaccurate. The FBI can access domestic data the NSA collected under the Patriot Act, so the bureau could conceivably start a program that is similar to Skynet. Nonetheless, it would run into similar problems with difficulty obtaining data on known terrorists. Also, the FBI cannot truly understand Farook’s actions because he severely damaged his personal phone, which was probably a more accurate reflection of his activity. Even if the FBI had data from Farook and other domestic terrorists, it would still have to build a program that could identify similar trends among all American mobile data. This is a particularly daunting task because as of 2014, 90 percent of American adults had cellphones. The FBI may have other reasons for hacking Farook’s phone — such as a desire to show San Bernardino victims that it is conducting a thorough investigation — but Farook’s data has no immediate value, and it will take a while for the data to be used in a meaningful way.

Though ACLU tech expert Daniel Gilmore suggests a hacker with physical access to an iPhone and unlimited time would find a way to hack into the phone, it may be easier for hackers just to steal the FBI’s decryption method. Due to the insecurity of other organizations and the potential for mistakes, the FBI cannot keep its technique secret forever. In the time it might take for Apple to address iPhone security flaws, hackers can access vast quantities of data. Therefore, simply creating a way to break iPhone encryption introduces a substantial security risk, with no obvious short- or long-term benefit.

To put it bluntly, the FBI should not have hacked Farook’s phone, and certainly should not have been so public about it. The bureau should tell Apple how it bypassed encryption so that the company can fix iPhone vulnerabilities as soon as possible. Overall, the Apple v. FBI conflict should offer a cautionary tale about the government’s relationship with our data. Though I welcome protest against the FBI’s misuse of data due to privacy and encryption concerns, the security debate is not over, and the public must encourage government agencies to take smarter risks with our technology.


Sebastian Alarcon, a sophomore studying political science, is a staff writer at Stanford Political Journal.
