24 March 2016

The False Choice at the Core of the Apple-FBI Standoff

http://www.nationalinterest.org/feature/the-false-choice-the-core-the-apple-fbi-standoff-15548?page=show
Neither absolute privacy nor absolute security should prevail.
Daniel M. Gerstein, March 21, 2016 
The standoff between Apple and the FBI has been going on for a few weeks but it has been simmering for a great deal longer. While the focal point of this debate has been the government's attempt to compel Apple to unlock an iPhone tied to the San Bernardino County attacks—in essence to develop a backdoor creating an inherent vulnerability—the issue is far weightier than what happens to this single device.
In a very real sense, the results of this case and the accompanying dialogue represent an important skirmish in a much longer and more important conflict in which neither of the polar extremes can be allowed to dominate outright. At its core, the question comes down the issue of privacy versus security, where important compromises must be made to ensure that neither absolute privacy nor absolute security prevail. But in resolving this issue, the dialogue must not be allowed to devolve into a false dichotomy between two extremes, neither of which will satisfy the demands for security or privacy in a free and open society.

Apple's case, as espoused by CEO Tim Cook, is based on wanting to protect the privacy of iPhone users, coupled with not wanting the government to be able to compel the company to develop insecurity in its device. Apple has been joined in this battle by fellow tech companies such as Google, Facebook and Microsoft. The concerns expressed by the technology companies somewhat misleadingly imply that securing the terminal device—in this case the iPhone—will substantially increase one’s security, when in reality most insecurities are caused by an individual's online behavior, such as becoming the victim of a phishing attack, which make up about 90 percent of cyberattacks.
The FBI's case, while focused on the San Bernardino's shooter's phone, really comes down to the question of whether technology should have backdoors that allow for interrogation of electronic devices after obtaining proper legal authority. The outcome of this case has serious implications for the long-term ability of law enforcement to deter criminal and terrorist behavior, conduct investigations and secure prosecutions and protect United States citizens at home and abroad.

An important backdrop for the current debate is the perceived excess associated with the global surveillance program exposed in the Snowden classified information release from the U.S. National Security Agency in 2013, which has heightened sensitivity regarding privacy issues. To increase the intrigue, some—including former CIA contractor Edward Snowden—have claimed that the FBI already has the capacity to unlock the phone, but that the agency wants to drive home the point that law enforcement must have the capacity to access technology given appropriate legal authority.
Implied in Apple's case is that electronic devices should provide their users with absolute privacy. In this view of the world, everyone (including terrorists) would be able to operate with impunity taking advantage of the dark web, end-to-end signal encryption, and encrypted terminal devices such as the iPhone in question. Such a world would be unique within the legal frameworks established through the nation's founding principles, articulated in the Constitution and Bill of Rights and well-considered over 240 years of established law. These legal and societal precedents have long sought to balance the rights of the individual with the responsibilities of individuals as part of a larger community.
Such a balance implies that the individual's right to "life, liberty and the pursuit of happiness" cannot be absolute and must be tempered. Our current laws allow for infringing upon an individual's rights under narrowly defined legal parameters in which there is probable cause to believe that a crime has been committed or an imminent danger exists. This authority is granted through legal provisions governing search and seizure, with the limits defined on a case-by-case basis within a search warrant. In fact, FBI Director James Comey has forcefully made the case for over a year that law enforcement must have a capacity for searching electronic devices under these legal precedents.

In examining the case for absolute security, doing so through actions such as warrantless collection of data would move the argument toward the other extreme, leading to diminished individual rights, thus threatening the very fabric of society. It is important to note that the FBI has not made the case for these types of expanded authorities toward absolute security. Rather, the goal has been to extend the interpretation of current legal frameworks and precedents into the electronic age. Just as the right to privacy in one's house is not absolute and searches can be conducted under appropriate legal provisions, so too must provisions exist to allow for searches of electronic devices.

This discussion and the resolution of this case become even more prescient as the Digital Age continues to dominate our daily lives. What are the expectations for privacy with the proliferation of security cameras, the growing collection of electronically connected devices known as the Internet of Things, the ability to track individuals through their digital exhaust, and an increasing human-machine interface?

And what does this mean for the current Apple-FBI standoff? Certainly, the uniqueness of the Digital Age must be appropriately considered, but so too must the foundations on which U.S. society has been built. In the end, Apple should consider finding a way to support the government and may even end up being legally compelled to do so. But this incident should also spark a broader debate among technology companies concerning their role in maintaining the privacy and security balance. A starting point in this debate should be to recognize that the overwhelming majority of cyberattacks are related to phishing—and a user’s action—not to whether a user’s device can be secured.

At times, the rhetoric surrounding this issue has implied a false choice between absolute privacy and absolute security, between the digital Wild West and a police state. In this critical debate, neither extreme vision should prevail. A more nuanced set of accommodations must emerge that recognizes the need to retain this delicate balance between privacy and security.

Daniel M. Gerstein works at the nonprofit, nonpartisan RAND Corporation. He was the former Under Secretary (Acting) and Deputy Under Secretary in the Science and Technology Directorate of the Department of Homeland Security from 2011-2014.

No comments: