The Justice Department has called off a high-profile legal battle with Apple after it was able to unlock an iPhone used by one of the San Bernardino shooters without the company’s help.
But rather than resolve the fight, this latest development is likely to motivate Apple and other companies to strengthen the security of their devices even more and force the government to keep up with any new security measures, technology executives and security analysts said.
“They’re in an arms race,” said Matthew Blaze, a cryptography researcher and professor at the University of Pennsylvania. “The FBI is trying to find new ways in and Apple is trying to find new ways to defend against that.”
Apple isn’t the only company that is aiming to install greater encryption around products, which makes intrusions by hackers and government investigators alike much more difficult.
The FBI case appears to have intensified efforts among tech companies such as Snapchat and Facebook to employ better encryption – a trend that began after Edward Snowden’s revelations of government spying in 2013 and a massive wave of cyber-hacking in recent years.
Cloud computing company Box, which filed a legal brief supporting Apple in the San Bernardino case, is one of the many tech firms rushing to offer new encryption-related security features. It recently launched a product, Keysafe, that allows corporate customers to hold on to their own encryption keys — a move co-founder and chief executive Aaron Levie said was as much about fighting off hackers and cybercriminals as it was about fending off government surveillance. The implementation of Keysafe means the company cannot collect and hand over the private information of a customer even when the authorities have a warrant.
Keysafe took two years to build, he said, but not because of the complexity of the security, but because of the challenge of building the feature without slowing down the system or making it difficult to use. “It’s relatively straightforward to build secure technology,” Levie said “It’s much harder to build that technology without interfering with the user experience.”
Tools using strong forms of encryption have historically been cumbersome to use, but that has been changing in recent years with the development of simple programs such as Signal, an encrypted text and voice messaging app. Facebook’s WhatsApp messaging service also relies on similar encryption technology.
Other efforts by tech giants to push towards encryption have made less progress: Related projects from Google and Yahoo aimed at giving their users a way to easily send and receive encrypted emails are still not finished almost two years after they were announced. Google’s effort to shift phones running its Android mobile operating system to encryption by default also has faltered because it caused performance issues on some smartphones.
Even as companies move toward encryption, they see the limitations. “There are boundaries in play here that stop this from being a fully encrypted, hosted world,” said Harvey Anderson, chief legal officer for security software company AVG Technologies, which filed a legal brief supporting Apple.
Apple, perhaps more than any other tech giant company, has heralded the push towards strong forms of encryption. In 2011, the company implemented end-to-end encryption for iMessage. In 2014, it announced that new versions of its operating system would automatically encrypt iPhones — moves that led some law enforcement officials to warned the technology could let criminals and terrorists “go dark” and escape justice.
Yet the government’s ability to get around the security features of a phone used by Syed Rizwan Farook, who carried out the mass shooting in San Bernardino along with his wife Tashheen Malik, shows that there are still chinks in Apple’s armor. And that may encourage the company to be even more diligent about closing gaps going forward.
“We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated,” an Apple spokesperson said in a statement. “Apple believes deeply that people in the United States and around the world deserve data protection, security and privacy. Sacrificing one for the other only puts people and countries at greater risk.”
Blaze, the University of Pennsylvania researcher, assumes that Apple will fix whatever vulnerability was exploited to gain access to the phone in this case — at least if it learns exactly what the problem is.
It’s unclear if the government will disclose the bug to the company. The administration has a process for deciding when it should reveal security vulnerabilities that weighs different factors — including how badly the government believes it needs intelligence it may gain from exploiting the vulnerability.
Stewart Baker, a former Department of Homeland Security senior policy official now a partner at Steptoe & Johnson, argues Apple’s stance in the San Bernardino case gives the government little incentive to tell the company how it was able to break in.
“If Apple’s position is ‘we aren’t going to help you and as soon as you tell us about a problem we’re going to lock you out again,’ you’re basically saying the FBI should be complicit in locking themselves out of the phones,” he said.
But the government also must consider keeping Americans’ tech safe from other adversaries including hostile hackers working on behalf of foreign intelligence agencies and cybercriminals, according to Blaze.
“This vulnerability helped them get into this particular handset, but now they need to be thinking about who else could potentially use it to do the same thing,” he said.
Blaze and Baker at least agree on one point: This isn’t the end of the issue.
“This is a conflict that’s going to happen,” said Baker.