Seriously Minneapolis StarTribune? "U.S. security at stake as Apple defies order"

To say I was stunned reading this editorial in this morning’s Minneapolis StarTribune is an understatement. I rarely get fired up enough to write a letter to the editor, but this time I felt compelled since they got this so wrong and I’m embarrassed for them that they published this editorial.

I just sent them my rebuttal and I reprint it below with the StarTribune’s paragraphs in italics and green. Also, since the StarTribune apparently did little-to-no research, I’ve provided them with helpful links.

Curiously the StarTribune changed the linkbait-like editorial title in the online version by toning it down, perhaps realizing that characterizing it as “Apple defies order” is wrong: National security is at stake in Apple’s faceoff with feds.

U.S. security at stake as Apple defies order

Apple Inc., the world’s largest info-tech company, now stands in defiance of a federal court order, saying it will fight attempts to force it to help the FBI crack the iPhone of a San Bernardino terrorist involved in a major attack on U.S. soil that left 14 dead and 22 injured. Apple says the government is overreaching and would be setting a dangerous precedent.

The company is wrong on both counts, but the world of encrypted information is a complex one. It is worthwhile to proceed carefully, because this could prove to be a critical showdown in the growing clash between privacy and national security.

Your editorial, “U.S. security at stake as Apple defies order” was one of the most stunningly naive positions I’ve read yet when it comes to the controversy over Apple’s stand on weakening the encryption of one, single iPhone. A weakening that would instantly open a Pandora’s box of cyber threat problems of which you are obviously clueless and seemingly dismissed out-of-hand.

First, it should be noted that the government negotiated for two months with Apple executives. When those talks fell apart, Justice Department officials turned to a federal judge, who ordered the company to create a way to bypass the security feature on the phone. The FBI had obtained a warrant to search the phone and, not incidentally, the consent of the employer that had issued the phone to Syed Rizwan Farook.

First off, it should be noted that the FBI permitted San Bernardino officials to change the password on the terrorist’s iCloud account (rebutted by FBI, now blaming official) and only then, obviously realizing their mistake, requested Apple’s help. Had they not done so Apple has stated publicly it would have been possible to obtain the shooter’s iCloud backup data. Since this mistake was made, the FBI then negotiated with Apple to recover what they could. Discovering that doing so was not possible, and subsequently failing in convincing Apple to create software to weaken iOS (the operating system that controls the iPhone and iPad) so they could break into the device without having it ‘wiped’ by its ten password attempt limit, the FBI then obtained a court order hoping to force Apple to create a method to do so.

Apple has complied with what Justice officials characterize as “a significant number” of government requests in the past, including unlocking individual phones. Apple CEO Tim Cook has become increasingly concerned about customer privacy, particularly after 2013 revelations by whistleblower Edward Snowden about massive government surveillance operations. The company has continued to tighten its security systems and decided to no longer maintain a way into individual phones. Farook’s iPhone 5c was among those with a 10-tries-and-wipe feature that essentially turns it into a brick if too many false passwords are entered. Newer operating systems employ ever-more-sophisticated security features.

The government’s authority to get private information, such as texts, photos and other stored data, through a warrant is not at issue. The key here is whether the government can compel a private company to create a means of access that the company contends will weaken its premier product.

Cook maintains that creating a “master key” to disable security on Farook’s phone ultimately would jeopardize every iPhone. With more than 100 million in use across the country, that is no small threat. There are, however, technology experts who say Apple could create a bypass — allowing for what’s called a brute force hack — without affecting other phones.

With respect to your position on Apple’s creating this sort of “bypass” for this single iPhone, all while acknowledging this is not a “small threat” for the 100 million iPhones already in existence, you then opined, “There are, however, technology experts who say Apple could create a bypass” “without affecting other phones.” This is your supposed justification for minimizing the threat of putting in a backdoor (or what you euphemistically characterize as a “bypass”) for those 100 million+ iPhones already in existence? Who are these so-called “experts” anyway? 

Could such a bypass then leak out? It’s possible, but all corporate secrets face that danger. Might the government start knocking on Apple’s door repeatedly, wanting to unlock the devices of other would-be terrorists and high-level criminals? Clearly, it already has. To maintain privacy as much as possible, the government should limit its requests to matters of national security. Could hackers devise a bypass of their own? Some tech experts say that it’s possible and that no one should assume their device is completely protected.

Further you state, “Could such a bypass then leak out?” also minimizing that leak threat as something trivial. This gross underestimation of the threat posed by such a leak (which is actually what security researchers say is an intentional “backdoor”) demonstrates your considerable lack of knowledge of cyber security, encryption, hacker and oppressive nation-state threats. Any created vulnerability, or backdoor, is the threat. Such a backdoor would present an attack vector for prying open an iPhone for any purpose and one that would certainly come to pass and likely within a short amount of time. In fact, one of the top cryptographers, computer security and privacy specialists in the United States, Bruce Schneier, lives in the Twin Cities and he could easily have provided you with knowledge that would have prevented you from embarrassing yourself by so openly demonstrating your technical naiveté when it comes to cyber security.

(Here’s a link to a paper which bolsters my argument, Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications (PDF), which was written by an elite group of 14 of the world’s top cryptographers and computer security specialists, who have concluded that the American and British governments’ demands for special access to encrypted communications cannot happen without putting the world’s most confidential data and critical infrastructure in danger).

What is most disturbing about your editorial is how you also provide virtually near-zero context for Apple’s position by, once again, diminishing it: “Apple CEO Tim Cook has become increasingly concerned about customer privacy, particularly after 2013 revelations by whistleblower Edward Snowden about massive government surveillance.” Using the word “concerned” does, once again, trivialize Apple’s position, especially since Snowden’s revelations about the National Security Agency’s vacuum surveillance of communications, social connections, use of facial recognition on photos and a myriad of other invasive techniques is, for those of us who actually understand what is going on here and abroad, one of the actual, biggest threats to our Constitution and to liberty itself. In my view the NSA’s possibly illegal—and certainly counter to their non-domestic-spying mandate—activities are what is jeopardizing our national security far more so than one individual terrorist’s iPhone and the FBI trying to cover their mistakes on this one (or using this as a way to get Congress to act on outlawing, or minimizing, the use of encryption).

FBI Director James Comey publicly stated in December 2015 that “companies should rethink their business models” when it comes to end-to-end encryption and cryptography overall, especially since post-Snowden revelations, companies like Google, Facebook, Cisco and many others have accelerated their methods to leverage encryption to protect their users and their businesses. Curiously, you also didn’t mention that ex-NSA and CIA chief, Michael Hayden, not only has come out publicly to say that he understands both sides of the unbreakable end-to-end encryption debate, but when it comes to demanding a backdoor, “I think Jim Comey’s wrong.” He also sides with Apple in this debate and is emphatic that “America is simply more secure with unbreakable end-to-end encryption.”

Here’s the dilemma: The safer our smartphones are for us, the safer they are for those who would do this nation harm. Are we willing to provide those individuals or groups a secure means of communication on the most sophisticated portable device the world has known and block national security and law enforcement officials from gaining entry?

Fearmongering aside, it is important to remember that we can allow one thing without allowing everything. Forcing government officials to obtain warrants and provide a measure of proof that they have few other options for obtaining needed information are important protections.

Those conditions were met here. Terrorist activities pose an ongoing threat to Americans. This latest attack came at a holiday party by county employees, most of whom knew their attacker simply as a co-worker.

Within a tested legal framework, a company should be compelled to provide assistance on issues that can help prevent such assaults. Apple has a duty to safeguard both its products and its reputation. It does not have the right to jeopardize the nation’s safety.

Creating your backdoor would break encryption and is a disingenuous argument since I know StarTribune editors can read and perform basic research: breaking or weakening encryption would only result in catching the stupid or put the innocent at grave risk from oppressive regimes, while also bolstering those regimes who are waiting to see the outcome of this controversy before demanding Apple do it in their countries as well.

As we now know from the Paris newspaper Le Monde, the Paris attack terrorists there used open communications, unlocked phones, and ones easily able to be tracked (i.e., nothing was encrypted) but it didn’t matter, did it? That’s because they either didn’t believe they’d be found-out or they, too, were naive about mass surveillance. Either way, smart-about-surveillance terrorists either use end-to-end encryption, burner phones, dead-drops (of information) or, in the case of Osama Bin Laden, use couriers taking USB flash drives from place-to-place so as to stay off the internet and other potentially-surveilled communications technology altogether.

Perhaps Apple’s democratization of encryption is what you’re frightened about and that is your actual position? If so, then shouldn’t you also be up-in-arms about end-to-end encryption of Apple’s voice and video tool FaceTime? Or Apple’s instant messaging which has been encrypted since 2011? Or a highly secure, end-to-end encrypted voice and text app for iOS and Android called Signal? Or locked community forum websites that are accessible only through Tor (i.e., The Onion Router which bounces communication through relay servers, thus hiding the user) so bad guys and others who wish to remain private can communicate with one another shielded from everyone? Or perhaps you advocate forcing Google to remove their new end-to-end, server-level encryption in email (i.e., Gmail) so the NSA can no longer tap lines between Google’s server farms and vacuum up all email traffic?

See the slippery slope we’re on and how complicated this issue really is? That’s why I think your editorial position is incredibly naive and not even close to a cogent argument for a major newspaper. Think it through and try again please, this time with an article that is balanced, well researched, and looks at the issue from all sides.

About Steve Borsch

I'm CEO of Marketing Directions, Inc., a trend forecasting, consulting and publishing firm in Minnesota. Prior to that I was Vice President, Strategic Alliances at Lawson Software in St. Paul where I was responsible for all partnerships at this major vendor of enterprise resource planning software products and services. Read more about me here unless you're already weary of me telling you how incredible and awesome I am.
