From a distance, it looks like the shoe is on the other foot, but it's really not. Now that the FBI, with the assistance of an undisclosed third party, has successfully cracked the security of the work iPhone of San Bernardino, California, terrorist Syed Farook, can Apple demand that the FBi show them how?
The story we all know by now is that the FBI and the Department of Justice had gone to federal court to try to force Apple to write code that would help weaken the phone's security and let them try to brute force their way through Farook's passcode. Apple resisted the demand, claiming that providing such information, even if it remained in Apple's hands, could potentially weaken the cybersecurity of all its customers' data, opening them up to potential hackers or cybersurveillance.
We don't know whether Apple would have won that fight in California because FBI withdrew its demand after figuring out on its own how to break into Farook's phone. But now the big question is whether the information will flow back in the other direction. Typically when the U.S. government uncovers a security vulnerability in the private sector, it has a process of letting these businesses know so that it can be fixed. But we have a surveillance security state where transparency and your privacy and cybersecurity ranks second behind the feds trying to keep its processes secret because of the war on terror. So we don't know whether the FBI will have to provide this info to Apple. Reuters explains:
The referee is likely to be a White House group formed during the Obama administration to review computer security flaws discovered by federal agencies and decide whether they should be disclosed.
Experts said government policy on such reviews was not clear-cut, so it was hard to predict whether a review would be required. "There are no hard and fast rules," said White House cybersecurity coordinator Michael Daniel, in a 2014 blog post about the process.
If a review is conducted, many security researchers expect that the White House group will not require the FBI to disclose the vulnerability it exploited.
Some experts said the FBI might be able to avoid a review entirely if, for instance, it got past the phone's encryption using a contractor's proprietary technology.
Explaining the policy in 2014, the Office of the Director of National Security said the government should disclose vulnerabilities "unless there is a clear national security or law enforcement need."
One analyst predicted that the FBI might not have to reveal the vulnerability if it required that physical possession of the phone was needed in order to crack it, because then that hacking method wouldn't be a threat to general phone users.
It creates an unusual tension because technically this is how we want the federal government to handle encryption in order to fight terrorism or major crimes. Nobody is arguing that the FBI doesn't have the authority to try to get access to the data on Farook's phone. The argument has been whether it could draft Apple to assist and to compromise its own security system. But once the FBI does it on its own (or with the help of a third party), there's still the matter of compromised security.
Though the dynamic is reversed, with the Apple requesting information from the FBI, the underlying issue remains the same: Can the government deliberately compromise the data security and privacy of American citizens simply by claiming it's necessary to fight crime and terrorism? Heaven knows they seem to be trying. Stay tuned. The FBI has agreed to help prosecutors in Arkansas attempt to gain access to another iPhone and an iPod to try to help solve a double homicide.