Apple bites back

Apple Inc.’s refusal to help the FBI retrieve information from an iPhone belonging to one of the shooters in the terrorist attack in San Bernardino, Calif., has thrust the tug-of-war on the issue of privacy vs. security back into the spotlight.

As the legal wrangling to untangle the case widens, the Gazette spoke separately with George Bemis Professor of Law Jonathan Zittrain and cyber-security expert Michael Sulmeyer about the inherent tensions in the case, in which two important principles of American life are at odds. Zittrain is co-founder of the Berkman Center for Internet & Society, which examines law, ethics, and the intersection of the Internet and civil society. Sulmeyer directs the Belfer Center for Science and International Affairs’ Cyber Security Project, which investigates the effects and consequences of new technology on international security, political and economic development, and social welfare.

Zittrain and Sulmeyer said that although aspects of this case are unique, national security and privacy have collided before, and technology’s rapid evolution will continue to make any balance between the two a moving target.

GAZETTE: Do Apple and other tech companies have an ethical duty to assist the government in matters of national security?

SULMEYER: My own thinking is that most companies, most of the time, actually do want to be helpful in matters of national security. I think what we’re seeing in this particular case is a manifestation of the trust between the tech companies and the government, not a fundamental disagreement over the need to respect privacy and the need to ensure the national security.

ZITTRAIN: There are surely instances where a company should weigh the ethics of its decisions, and taken only on its own terms, this would appear to be such a case — especially because there’s no legal barrier to Apple helping out. But the circumstances here give rise to additional ethical and policy considerations. What are the second-order effects of Apple’s actively writing software to defeat its own security, and what might such practices do to the overall technology ecosystem? In other words, we need to stay focused on not just the urgent, but the important.

GAZETTE: If Apple complies with the FBI’s request, does this open the door to future emergency requests from law enforcement?

ZITTRAIN: It surely does. Here, the government isn’t just seeking information in Apple’s custody, such as customer communications or a password. It’s asking Apple to undertake software engineering. That’s what makes this, out of the box, very different from the usual requests that law enforcement makes of a private company.

The demand on Apple is for its engineers to write software to defeat the very thing that they built to prevent [the phone’s security] from being cracked. If one government asks for that, so will others — indeed others might do it whether or not the U.S. successfully carries through with its demand.

SULMEYER: It may, it may not. It all depends on how Apple chooses to implement a particular solution, and what standards the government requires in this case. You can understand why the tech companies view this as a slippery slope, but it doesn’t have to be.

GAZETTE: How do you balance privacy concerns with national security?

SULMEYER: This is not the first time that privacy and national security have created some friction for each other. In the ’70s, we had the eventual creation of the FISA [Foreign Intelligence Surveillance Act] rules and the separate court. There have been ways of adapting to technology over time, but still with due consideration to core values. I think it’s this balance between interests and values that government and the private sector have always negotiated and continue to negotiate. There’s never a government policy or decision that isn’t some mix of interest and values. This just happens to be the latest manifestation of how our national security interests and privacy values create some friction.

Whether the solution is going to look like past solutions, that I can’t tell you. It’s important to be able to have these kinds of discussions between the government and the tech community in a little bit more confidence, so that they negotiate proposals and ideas. There will be a time for scrutiny and for public comment and review and discussion. But it seems to me there also needs to be an antecedent period of time where they can try to get to ground truth with each other. We can get there; we can get to a positive solution where multiple parties feel like they’ve been successful. It just doesn’t look that way at the moment.

ZITTRAIN: The usual way we strike a balance is through a legislature — like the U.S. Congress — trying to very mindfully strike a balance and to set boundaries on when and how law enforcement can make requests, and how those requests can be made publicly known so that they can be debated later. And an independent judiciary can weigh the legislature’s action against what the Constitution permits.

But there’s a larger looming question. It’s not squarely brought by this case, but it’s close: “Should Apple and other companies be able to build tools that they themselves can’t crack?” (Shredder companies aren’t told to hold back on how many cross-cuts their shredders make in their customers’ sensitive documents.)

This question is not squarely joined here because it seems like Apple, with enough effort, can crack its own security. But there are successive versions of iPhones that Apple could build — especially in the wake of a situation like this — that would be intended to be immune to the kind of order in this case. That’s what I meant by second-order effects. And if Apple doesn’t do it, others, including overseas manufacturers, can.

That’s part of the so called “going dark” debate for which the Berkman Center just released a report coming out of a group with a very diverse membership. That debate is a much bigger one, with higher stakes. And to start demanding limits on what people’s hardware and software can do is a much heavier lift for the government to make.

GAZETTE: Is Apple’s stance a principled stand in reaction to Snowden/WikiLeaks [cases of the past], or is it more of a branding and business decision?

ZITTRAIN: They’re surely blended. Apple in particular has held out the fact that its business model, unlike some of its competitors — including Google — is not driven by advertising, which then in turn is driven by those companies processing personal information.

Apple may have found some traction, if not in the market itself, in market observers thanking them for that position and encouraging them to take it further.

But it’s tricky for Apple to have gone public with this, when I think in the public’s eye it looks like a no-brainer that they should offer help to get into this particular phone. Apple may feel that if it ends up compelled to help in this case, it may as a practical matter be very difficult to produce phones that governments around the world can’t demand access to.

SULMEYER: It’s hard to say [whether Apple’s stance is principled or not]. I would not claim to be in touch with the climate and culture of Silicon Valley. But just like we talked about the government having its interests and its values, a lot of times its values are going to reflect and inform each other. I don’t think Apple’s being disingenuous, but neither do I think the tech companies are inclined to go out of their way to do things that will hurt their business interests. In any event, I don’t think they’re trying to hurt national security.

GAZETTE: Now that there’s a stalemate, what do you expect will happen next, and how does this battle affect Apple’s business?

SULMEYER: The good news for Apple is they make a great product and people like it. So, it’s an open question whether and how the resolution of this particular issue affects the overall perception of the product. The good news for Apple is that if they continue to make good products, that carries a lot of weight. But it would not be surprising if further litigation ensued.

ZITTRAIN: Apple isn’t exactly refusing the government’s order; it’s not refusing to play ball. By continuing the legal process it’s precisely playing ball: asking the judiciary to fully weigh in on what the limits of government demands should be here. If it loses, it will no doubt undertake to obey the government order. That’s how the rule of law should work. In the meantime, I suppose the phone will sit in the FBI’s custody for a while — in a baggie in a drawer — while litigation settles a bit more the proper application of the All Writs Act and the extent to which Apple should have to make its engineers cooperate in creating the software needed to defeat the protections on the its phone.

The real question is what their future phones will look like and how much of a role the U.S. and other governments will seek to play in trying to limit how Apple can build them.

GAZETTE: Is Apple’s encryption really that good, or is the request an indication that the government’s technical sophistication is pretty weak?

ZITTRAIN: This doesn’t have to do with the government’s lack of sophistication. Instead it has to do with Apple being uniquely positioned to sign certificates to make an Apple phone accept a software upgrade that it would otherwise reject, and that upgrade — a security downgrade, to be clear — would be what would make it possible to test lots of passwords against the phone until the government gets the right one.

This interview has been lightly edited for clarity and length.