Apple vs FBI: and EU?

By | Thursday March 3rd, 2016

Some days ago, the Apple CEO Tim Cook decided to oppose an order signed by a Judge, denying support to FBI to brute force the Iphone of the San Bernardino terrorists.

Apple refuses to develop the software required to make it possible in order to protect its customers’ privacy: that’s why this event impacts on europrivacy.info. Between the right to data protection and the right to security a balance must be found, even if it is not always easy. But in this case, as far as I can understand, that balance is not the core of the litigation.

It would be nice to get the reader’s opinion on this issue. But let’s go back to the story.

To allow FBI to access the data stored in the terrorist’s Iphone, three key security features of the device must be bypassed (details here):

  1. Remove the 10-try limit (after the tenth failed attempt, data are erased)
  2. Remove the increasing delay (up to 1 attempt per hour, to brute force the account would require centuries)
  3. Allow to brute force using an external digital device

To make it possible a modified (hacked) version of IOS must be developed.

FBI accepts that the hacked version of IOS can be used only on that device (the software image is signed with the ID of the device) and that all the operations will be performed inside an Apple facility out of FBI control and that FBI won’t get the cracked version of IOS in its hand.

The reason for opposing is to protect Apple’s customers’ privacy and Apple’s point of view is described by its CEO in a “Message to our customers”.

In his message, Cook, doesn’t say that what Apple is requested to do is not doable: it would be doable (only by Apple) but has never been done and Apple doesn’t want to do it now.

These are the facts.

Some comments to explain the reason why I’m against the Apple position.

  1. It is not an issue between Apple and FBI but between Apple and a Judge. This is relevant because the Judge’s role is exactly to ensure that everyone’s rights are respected and furthermore the judge’s decision can be appealed.
  2. The person is dead and the public security implications are so relevant that it is quite clear that FBI has the right to get access to those data. That’s why Apple gave full support to FBI until this case arose. So, it doesn’t seem a case related to people’s right to privacy rather than to the right of a mobile phone maker to guarantee data protection to its customers, beyond the law and even against the law.
  3. The question is: can a place exist where public authorities cannot enter even if using legal procedures and for legal purposes? If the question concerns the physical world, such a place doesn’t exist. What Apple claims on is its right to build a digital place where no one will be able to get in, even when the owner is dead and a judge states the public interest to get in.

This would mean that the US jurisdiction cannot reach the whole US territory, through the existing laws and rights, because there is a digital place, created by Apple and conceivably controlled by Apple, where only Apple can enter.

  1. This should be acceptable because Apple declares they will never access that place (even if they could). The decision to oppose this Judge’s order should prove that everyone can trust it.

Why should our right to data protection be safer if Apple instead of a democratic State guarantees for it? Apple doesn’t respond to any democratic rule while FBI does.

  1. We live in a global world. Apple is a US company, the terrorist attack took place in the US, the court is a US court. What if the case happened in Italy or in China or in Iran, in a democracy rather than in a dictatorship, in favour or against US friends? Different local laws would apply, regardless of the final decision of the Supreme Court of the USA.

In fact something similar is happening in the case of Giulio Regeni, the young Italian researcher recently tortured to death in Egypt: Italian police is asking support to Facebook and other social networks to gain access to his private information, because the police doesn’t know the passwords. Here no hardware violation, no hacked version of OS are required but it is almost the same: will it be possible for an Italian Judge to order to supply the missing passwords or just the option to ask “please help us” is available to him or her?

Category: Legal framework Open Forum Tags: , , ,

About Sergio Fumagalli

Vice President Zeropiu Spa, system integrator specialized in digital identity and data security with operations in Italy and in the Nordics. After serving as MP in the Italian Parliament, I started a professional collaboration with the Data Protection Italian Authority and a professional activity on these topics. Co-author of “Privacy guida agli adempimenti”, IPSOA, 2004, 2005 a book on compliance to the Italian Law. Since 2008 member of the Oracle Community for Security - http://c4s.clusit.it/views/Homepage.html - and since 2014 member of the board of Clusit a leader association on IT Security in Italy Between 2004 and 2012 member of the board of Webank Spa, the online banc of the Banca Popolare di Milano group.

Leave a Reply