As the encryption argument takes center stage in the ongoing Apple vs. the U.S. Government squabbles, a very important—and potentially destructive—change is taking place in security strategy.
The encryption and security thinking used to be focused solely on protecting a customer's data from cyberthieves and other bad guys attempting to break in. It then morphed to also see law enforcement as the attacker, putting in various defenses to keep out municipal, state, federal and global investigators, sometimes on fishing expeditions for any hint of wrongdoing.
Companies like Apple—and where Apple goes, the tech industry almost always follows—are now adding a new enemy to its to-be-protected-from list: itself. The theory goes that if Apple's best engineering can't break into its own devices, government court orders will be irrelevant. Apple can't be made to do what it can't physically do.
But this raises an interesting legal question. What if Apple goes out of its way to spend millions of dollars to develop a way to not able to do something? Is that intentional obstruction?
Look at it from a different perspective. Let's say that a well-financed drug dealer specifically knew that law enforcement wanted to look at particular financial records that he possessed. What if he created a massive vault that, upon a specific voice command in its owner's voice, would delete all access codes and disintegrate the vault's contents? (OK, if it could really disintegrate all of its contents, I suppose it wouldn't need to delete its codes. But drug dealers tend to opt for security redundancies.)
Could the act of creating such a vault and saying that command be considered defiance of the anticipated court order? Would it potentially constitute contempt of court?
We have discussed here why it's not a great idea to have the government dictating corporate encryption policies. But what the government is doing here is a lot more invasive than many people think. They are not asking for the encryption backdoor. They are instead asking Apple to use its engineers—at no cost to the government—to create security weaknesses that the government can exploit. Specifically, they are asking for a removal of the limit on the number of bad password attempts before the system locks up, as well as the removal of time limits between break-in attempts. With those two items gone, brute force attacks will inevitably be able to crack into the phone.
Mark Rasch is a former federal prosecutor, former head of the U.S. Justice Department's high-tech crimes unit and currently serves as the chief security evangelist for Verizon. Rasch argues that Apple—and anyone who follows them—are in the clear legally.
Here's the legal bottom line, from Rasch's perspective, which is not necessarily in accordance with the legal interpretations of current Justice Department lawyers or lawyers for the next administration's Justice Department.
Sign up for CIO Asia eNewsletters.