At Apple’s annual World Wide Developer Conference (WWDC) last month, the company announced their latest mobile operating system for phones and tablets, iOS 9. As is typical with Apple, this event included much fanfare and hyperbole. In addition to the announcements about all the software you didn’t know you needed, Apple quietly ratcheted up security and privacy features.
In some circles, these are important new features, but Apple’s continued use of encryption in iOS 9 will refuel the privacy versus law-enforcement debate reinvigorated by Edward Snowden a few years ago.
A technology primer: in cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Most important communications across the internet, e.g. banking, are encrypted. Encryption is your friend when you’re on an open WiFi hotspot at a coffee shop, but is the enemy of law enforcement when you are doing something illegal, because law enforcement cannot easily read your data.
A year ago, Apple caused a stir with the security features in what is now the current version of its mobile operating system, iOS 8. Several of the new features made law enforcement difficult, notably the default encryption of the user’s personal information on the iPhone. Apple’s CEO, Tim Cook also went out of his way to emphasize the strong encryption features of the popular iMessage and FaceTime services. As if to pick a fight, Cook then publicly stated that government eavesdropping has gone too far.
Predictably, government agencies swiftly condemned Apple’s choices with as much hype as an Apple product announcement. FBI director James Comey stated “[t]here will come a day when it will matter a great deal to the lives of people … that we will be able to gain access,” implying grave consequences for smartphone encryption so secure that the police cannot easily access information. The previous United States Attorney General, Eric Holder, criticized Apple and Google’s use of encryption. Federal officials and Silicon Valley executives engaged in some heated debates, with no agreement on a mutually beneficial solution.
As a compromise, the Federal government proposed back doors into encrypted products and services. A senior Yahoo executive quickly dismissed this idea, analogizing building in backdoors into cryptography standards to “drilling a hole in the windshield.” Efforts to resolve these differences resulted in standoffs, with Apple executives calling the FBI comments inflammatory. By early 2015, the controversy had subsided. Shortly after the new year, President Obama spoke at Stanford about cyber-security in somewhat softer tones. In the wake of the Sony Pictures hack in 2014, the benefits of encryption were clearer than ever: had Sony encrypted its records, hackers wouldn’t have access to that treasure trove of damaging business and personnel information.
After only a matter of months, Apple just added fuel back on the fire with iOS 9. iOS 9 continues where iOS 8 left off, containing even broader encryption capabilities. Using the features in iOS 9 in conjunction with the existing security features, almost all data coming out of the iPhone will be encrypted. Even if developers are unwilling to build in encryption, iOS 9 will handle it somewhat automatically.
Specifically, iOS 9 includes increased Virtual Private Network (VPN) functionality, which allows users to direct more network traffic from their iPhones to encrypted channels. The new operating system will also include a feature “App Transport Security,” which forces application communication (e.g. YouTube content, web browsing) over encrypted channels. Apple even recommended to application developers to use secure communications “exclusively.” With these new features and existing features, Apple is thus enabling and encouraging the encryption of all data. No doubt, this approach is part of a trend in Silicon Valley. Netflix recently announced it would encrypt video streams.
As frustrated as the FBI and NSA may be with Apple and other internet companies, they are out of luck, at least with conventional measures. Telecommunication carriers are typically required under Federal law to provide wiretap facilities for law enforcement, set forth in the Communications Assistance for Law Enforcement Act (CALEA). Congress passed CALEA in 1994 to provide additional tools for surveillance of digital telephony. Despite the fact that Apple does in effect provide telecommunications services, Apple does not fit within the statutory definition of a telecommunication carrier under CALEA.
Congress had the foresight to give the Federal Communications Commission (FCC) rulemaking authority to amend the definition of a “telecommunications carrier,” knowing that communication technology evolves quickly. The “substantial replacement provision” gives the FCC some rulemaking authority to deem companies telecommunications carriers to the extent that they are a replacement for a “substantial portion of the local telephone exchange service,” and that it is in the public interest to deem it so. However, to date, the FCC has not exercised its authority in this respect.
Unsurprisingly, the FBI has argued that CALEA should be amended. However, without a legal requirement for backdoors into its products, Apple continues to push as far as it can, making law enforcement access to the products and services it sells as hard as possible. Apple seems determined to ensure that everything worth encrypting is encrypted. Tim Cook continues to advocate in favor of users’ privacy. Given the strong interests of law enforcement and national security, it’s only a matter of time before Congress or the FCC decide to force Apple to cooperate. At the time of the writing of this article, the U.S. and U.K. governments are seeking to open back doors into encryption. But with Apple’s huge cash balance and lobbying efforts on Capitol Hill, it will likely be able to blunt the impact of any legislation.