‘In 30 years of practice I don’t think I’ve seen a legal brief that was more intended to smear the other side with false accusations and innuendo, and less intended to focus on the real merits of the case.’

While that quote might resemble the fallout of an acrimonious divorce, it was in fact from Bruce Sewell, Apple’s lead attorney, in response to federal prosecutors’ formal position in the ongoing San Bernardino encryption case.

It serves to illustrate just how hostile the war of words between Apple executives and American officials (and supporters of those camps) has become over the last month.

The past two weeks has seen the big guns enter the fray once more.

At a tech conference in Texas, President Barack Obama gave fairly balanced commentary on the situation, while ultimately coming down on the side of law enforcement. He cautioned that it would be unwise to take an ‘absolutist’ view on the topic, and went on to state:

‘So if your argument is strong encryption no matter what, and we can and should create black boxes, that I think does not strike the kind of balance that we have lived with for two hundred, three hundred years and it’s fetishizing our phones above every other value. And that can’t be the right answer.’

The ‘absolutist’ view is certainly one that Apple CEO Tim Cook has taken. Taking advantage of the always-hyped launch of new Apple products, Cook began his presentation with a call for debate:

‘We need to decide as a nation how much power the government should have over our data and over our privacy… We did not expect to be in this position, at odds with our own government. But we believe strongly that we have a responsibility to help you protect your data and protect your privacy. We owe it to our customers and we owe it to our country… This is an issue that impacts all of us and we will not shrink from this responsibility.’

While there are clearly some altruistic intentions behind Apple’s challenge, Cook failed to mention that Apple has a share price to protect, and—as I explained in my previous piece on this matter—encryption has become a selling point for tech customers.

The iPhone has become far and away the best-selling product in Apple’s line-up, accounting for 62.54% of the company’s total revenue in the final quarter of 2015. In the context of a saturated US smart phone market and a Chinese economic slowdown, there are expectations that iPhone sales will contract this year. Apple faces a sizable pressure to protect its historically incredible market performance.

Unfortunately, its share price at the beginning of February 2016 was at its lowest in two years. However, it appears that the company’s position on encryption isn’t doing their business any harm. All publicity is good publicity after all, and Apple’s share price has risen some US$10 since February this year.

A number of ex-senior US officials, including the former Director of the Department of Homeland Security, Michael Chertoff, and former White House cyber czar, Richard Clarke, have been speaking out against the US government on the encryption issue. Chertoff recently argued that developing software to weaken the iPhone’s existing protections would be akin to ‘creating a biological weapon’ and would be entirely counter-productive to broader national security, potentially enabling a wider cross-section of criminals and governments with access. Clarke took this one step further, stating that ‘encryption and privacy are larger issues than fighting terrorism.’

There’s also a clear difference of opinion within the US government on this issue. While the FBI and Department of Justice have dug their heels in, the Departments of Commerce and State and the White House’s Office of Science and Technology Policy have all argued that encryption is integral to protecting Amercian secrets, technologies and industries.

Most significantly, US Defense Secretary Ash Carter told the RSA conference in March:

‘Just to cut to the chase, I’m not a believer in back doors or a single technical approach… I don’t think it’s realistic. I don’t think that’s technically accurate.’

Clearly the Defense Department is concerned about sustaining it’s hard-won relationships with Silicon Valley. The rapturous applause that greeted Carter’s intervention will have put his mind at ease for now.

The biggest twist in the case occurred this week on the day before the court hearing was scheduled to take place. The FBI asked the court to postpone the hearing claiming that an ‘outside party’ had demonstrated a feasible way to crack the iPhone in question. It’s a fascinating development and there should naturally be questions about why the offer came at this late stage.

Richard Clarke claimed that the FBI wasn’t seeking help from the likes of the NSA as ‘they just want the precedent [of court-ordered access]’ to be established by the case.

There is no clear consensus on the encryption issue, and it can be expected to continue to split opinion and drive high emotion on all sides of the debate.

Regardless of whether the court case takes place or not, the fall-out from recent events will take its toll. The last of these three pieces will look at some of the potential consequences of the encryption debate we’re currently having.

 

The 2016 National Defense Authorization Act (NDAA) passed US Congress last week and has interesting implications for US cybersecurity policy. The NDAA instructs US Cyber Command to undertake cyber ‘war games’ to ensure the nation’s cyber capabilities rival its opponents’ in a future offensive cyber conflict. The Act explicitly identifies Russia, China, Iran and North Korea as the countries that the US must be most prepared to confront in cyberspace. It also authorises a budget of up to US$200 million for the Secretary of Defense to perform an ‘evaluation of cyber vulnerabilities of major weapons systems’. The move is partly in response to an inspection of the weapons program last year, which revealed widespread network vulnerabilities, unpatched software and weak passwords. Finally, the NDAA entrusts US Cyber Command with its own procurement budget designed to facilitate the rapid adaptation required for effective cybersecurity. All 1,300 pages of the Defense spending bill are set to be approved and signed by President Obama this week.

War gaming seems to be the theme of the week, with the US and the UK teaming up to test the cyber resilience of their financial institutions. Last Thursday’s exercise involved each state simulating an attack on the other’s financial sector to test the levels of information sharing, communication with the public and management of the incident. Participating actors included the White House National Security Council, the US Department of the Treasury, the FBI and the US Federal Reserve Bank of New York on the US side, and the UK Intelligence Community, the Bank of England and Her Majesty’s Treasury on the British side. Originally announced by President Obama and Prime Minister Cameron back in January, this war-game was designed to enhance transatlantic cooperation and collective resilience in cyberspace.

Privacy is a significant concern for internet users and apparently prison inmates are no exception. Securus Technologies, a leading provider of phone services inside US prisons, suffered a data breach that revealed the company has been recording all inmates’ conversations. The Intercept released a report claiming that a hacker provided them with Securus records of over 70 million phone calls that not only includes the call metadata (time, date, duration etc.) but also a ‘recording URL’ of the conversation audio. Now, it’s actually a widely accepted procedure to monitor inmates’ personal phone calls for security reasons. What makes this revelation interesting is that at least 14,000 of them are between inmates and attorneys.  If that’s proven to be the case, it may have undermined inmates’ Sixth Amendment rights to a fair trial and has been described by David Fathi, Director of the American Civil Liberties Union, as ‘the most massive breach of attorney-client privilege in US history’. While Securus is currently denying the existence of those illegal records, the company is also claiming that the data in question wasn’t obtained through a hack, but leaked by an individual with authorized access.

A number of recent events have revived questions around the relationship between the FBI, Carnegie Melon University (CMU), and arrests of dark net users. Tor Project Director Roger Dingledine is claiming that the FBI paid CMU at least US$1 million for its research that de-anonymises Tor users. Last July, two CMU researchers, Alexander Volynkin and Michael McCord, were going to hold a talk at the Black Hat Conference titled ‘you don’t have to be the NSA to break Tor’; however they pulled out at the last minute. Shortly after, the FBI conducted Operation Onymous, a multi-agency effort that took down multiple Tor-based websites, including Silk Road 2.0, and led to 17 arrests. Court documents from the proceeding trial of drug distributor Brian Farrell reveal the prosecution based Farrell’s involvement with Silk Road 2.0 on information obtained from ‘a university-based research institute’. According to Dingledine, the implied collaboration between CMU and the FBI to expose Tor-users’ information isn’t only unethical, but also a violation of the Fourth Amendment if the FBI didn’t obtain a warrant. The FBI has stated that those accusations are ‘inaccurate’, although speculation remains over whether it’s the accusation or the amount paid that’s inaccurate.

The tragic terrorist attacks that occurred in Paris last weekend have reverberated in cyberspace. The events re-opened the debate around encrypted messaging technologies and whether tech companies should be required to provide law enforcement with ‘back-doors’ to their encrypted communications. It was only last month that the Obama administration decided to not force companies to open their backdoors, however ISIS’ use of encrypted apps, such as Wickr, Signal and Telegram, to broadcast responsibility for both the crash of the Russian jet in the Sinai Peninsula at the end of October and last weekend’s Paris attacks has intensified demands. It’s suggested that ISIS exploited the encrypted connections of PlayStation 4 to execute the Paris attacks. Many are blaming the continued prioritisation of privacy over security following the Snowden revelations.

You might also be interested to know that hactivist collective Anonymous has joined the coalition and declared war on ISIS with #OpParis.

And finally, speaking of cyberspace and terrorism, check out this great Sydney Morning Herald article that distinguishes between cyber terrorism in Hollywood and reality.