On the Use of Encrypted Data by Law Enforcement

Abstract

Recent events have sparked a national debate about the government’s access to encrypted personal data from smartphones and the role technology companies have in solving crimes. This paper will discuss the ethical implications associated with a particular case from San Bernardino, California, and the reactions of the FBI and Apple Inc. An in-depth analysis of this case will provide the basis for arriving at a moral conclusion.

Introduction

How important is our data security? To what extent must technology companies protect their customers’ information? What happens when guarding this data risks human lives? These questions and more are at the forefront of a national debate. Engineers and those in technical fields have an obligation to understand both the specific circumstances of the issue and the ethical consequences of carrying out their roles in technology companies. As members of society with their own private data to protect and as agents with the ability to affect how this information is guarded, engineers’ moral viewpoint is vital to discussing this dilemma. But what are the ethical implications of mass data collection, and how trustworthy are the corporations gathering all of it? Should these companies aid law enforcement in preventing future crimes for the greater good? The process of collecting user data is not by itself unethical, but it opens the door to many opportunities for corruption. If it were possible to aid law enforcement without incurring great risk to millions of users, a system of preventative measures like this could be acceptable. However, under current circumstances, no safe solution exists for using formerly-encrypted data. Therefore, tech companies collecting our information must not surrender it to any outside entity, government or otherwise.

The San Bernardino Shooting

In early December 2015, a tragedy occurred in San Bernardino, California. Two violent extremists stormed into a Department of Public Health Christmas party and killed 14 people inside. The event made international headlines and further contributed to the ongoing debate over gun control and mass shootings in the United States. As the police and federal authorities began to sift through the evidence, they came across a smartphone belonging to one of the shooters, a work-issued iPhone 5C. Upon realizing that they were unable to unlock the phone for examination, the FBI formally requested that Apple construct a type of “back door” operating system that could circumvent the iPhone’s advanced security and encryption protocols. Apple released a lengthy statement to the public in which it denied the FBI’s request and explained its reasons for objection. Creating a way around their own security features, they said, would put every iPhone user at risk. Critics called this statement a façade and alleged that Apple was prioritizing their business interests over human life. Whatever their intent truly was, Apple was unwavering in their response.

After Apple’s refusal to comply with the FBI’s informal request for assistance, the FBI went to the court system. The Honorable Sherri Pym, magistrate judge of the United States District Court for the Central District of California, ordered that Apple build an alternate operating system that could be installed and used by the FBI on the terrorist’s iPhone. This operating system would allow access to the phone’s encrypted data through the following capabilities: 1) bypassing the auto-erase function that would reset the phone to its factory condition; 2) enabling electronic submission of passcode attempts (eliminating the need for slow physical password input); 3) allowing rapid submission of passcodes without artificial delay. This order was justified under the All Writs Act of 1789 [1], and is an unprecedented instance of this act’s invocation in relation to technology.

A few weeks after the court order was filed, the FBI withdrew their request, stating that an anonymous third party had approached them with the ability to unlock the phone [2]. Although the name of this person or organization was never released, the FBI did announce that it had not bought the rights to the tool used to unlock the iPhone, but rather paid for one-time use. Apple never made an official statement about the unlocked iPhone, though the apparent existence of a back-door technology raises security concerns. The main ethical problem, however, was the FBI’s dealings with the anonymous third party. The fact that a department of the United States government paid a private entity to exploit a weakness that could endanger millions of Americans is unacceptable. Furthermore, by not acquiring the exclusive rights to this technology, the FBI allowed a system like this to be used at the discretion of the third party, for whatever purposes they may see fit. This confirms to all those with nefarious intent that the iPhone’s security features can be bypassed, and the entity that controls this technology may yield to the highest bidder. By allowing this threat to exist, the FBI is endangering the same people it is sworn to protect. And while the creator of this technology is technically responsible for the actions of those who use it, the FBI is equally culpable due to negligence. The moral weight of blame for an action with preventable consequences falls on all those who failed to intervene. Therefore, if this tool has been used or will be used in the future to harm innocent people, the FBI must be held responsible.

The FBI’s Viewpoint

As an organization created to “protect and defend the United States against terrorist and foreign intelligence threats” [3], the FBI hoped to use information from the terrorist’s iPhone to help them perform their job. Before contacting Apple, the FBI tried to enlist the help of the National Security Agency, but to no avail. The NSA was accustomed to working with different technologies and could not unlock the phone either, which led to the FBI’s initial request. While Apple did offer technical advising to the investigative authorities, it sternly refused to build any kind of alternate operating system with special permissions. The FBI responded by obtaining the aforementioned court order mandating Apple to build and deliver this system. This case has a legal basis, since the FBI is allowed to use data from devices seized under a warrant, provided that they can access it. This case is unique, though, in that a governmental agency publicly asked a corporation to weaken one of its own devices so that its data could be used. From a moral standpoint, the FBI is attempting to learn from a past crime in order to potentially stop future crime. In this way, they are acting on behalf of the people who may fall victim to these future crimes that might be prevented. This solution is short-sighted, however, because it overlooks the harm that could be brought to many through decreased levels of data security. The idea of “fairness” obscures the right moral decision in this case, since different groups of people are exposed to harm whether the iPhone security is exploited or not. But as we will discover later, fairness for those affected by alternative outcomes is not the only factor to take into consideration when making an ethical decision.

Apple’s Stance

While Apple never denied the viability of the suggested plan, they asserted that the technology necessary had never been and would never be built. Even when the FBI suggested that Apple keep possession of the alternate operating system’s source code and only allow the FBI to use it, Apple still resisted. They argued that the risk of creating such a device would endanger the data of millions of iPhone users and other encrypted device users alike [4]. By making their data vulnerable, Apple claimed, they would be violating their own principles and their duty to their customers. Apple claims responsibility towards its customers in its original mission statement: “To make a contribution to the world by making tools for the mind that advance humankind.” [5]. Any company that intends to make “tools for the mind” has an obligation to protect the detailed personal information of its customers. Consumers must be able to trust their device manufacturer to fight for their personal security.

The Ethics

When examining this case from a strictly legal perspective, it is not exceptional by itself. It is quite common for documents and items to be subpoenaed by the United States judicial system from corporations and individuals alike. However, there is no legal precedent for a subsidiary of the United States government attempting to force a sovereign company to expose its own customers to risk. The FBI claimed that the back-door tool would be in safe hands, and that the risk to individual consumers would be negligible. In truth, since the technology to bypass Apple’s security protocols would have already been developed, the risk to citizens’ data security would have already been realized. Nevertheless, Apple persisted in its opinion that the personal information of its users should be valued above all else and refused to set the precedent of acting against its customers’ best interests.

We arrive at an ethical comparison: the benefit that can be gained from collecting potentially-incriminating data after a crime versus the cost of risking the data security of many more individuals. This implies that either a few people take on a great physical risk (those who fall victim to crimes that could have been prevented) or that a much larger number of people take on a substantial privacy risk. Instead of trying to quantify the overall detriment to the common good caused by either alternative, a more thought-provoking discussion can be had about the intent of the agents acting in this case. In other words, the intent of Apple and the FBI is more important than the consequences of their decisions.

From a consequentialist standpoint, assessing the aggregate risk of harm and the number of potentially affected people seems like a valid approach to this ethical dilemma. However, weighing the detriment against the good caused by the two alternatives does not fully address the problem. Immanuel Kant, an 18th century philosopher, argued that the intention of the entity acting was more important in ethical decisions than the consequences of that decision [6]. This approach suggests that we must look into the intentions of both the FBI and Apple in considering this case. The FBI’s mission, to protect and defend the United States against terrorist and foreign intelligence threats, would imply that their intention in exploiting the phone’s security was a justifiable act in the interest of public safety [3]. At the same time, Apple’s intention to protect the right to privacy of their customers also comes from a similar desire to protect their users. In that aspect, the FBI and Apple’s intentions are quite similar. How do we come to a conclusion on an ethical dilemma in which both sides’ bases are founded upon the same logic? A deeper analysis of the true intent of each entity is in order.

Analyzing the short-term and long-term intent of both of the major players in this dilemma is essential to understanding which side is acting ethically. Without a holistic view of the particular interests of each entity, we cannot totally grasp the situation. Apple’s stated primary goal is to protect its users, which would seem to be a very noble and defensible cause. However, upon further inspection of the language that Apple CEO Tim Cook uses in his letter, there is another underlying motive for this stance. By implying that Apple’s cooperation in this case could lead to a vast abuse of power by governmental agencies, Cook is employing a slippery slope argument, an oft-used logical fallacy. Statements from his letter that inspire fear of the FBI do nothing but scare citizens and cause them to doubt the benefits to the common good that the FBI provides. For example, the comment “if the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data” [4] further perpetuates the notion that the government intends to enforce mass surveillance on its own citizens. There are several reasons why Apple could be attempting to make this threat seem real, but the primary reason is to vilify the FBI, so that Apple will seem to be in the moral right when defying them. In this way, Apple can protect its business interests and still appear to be acting on behalf of its users.

The FBI’s intent seems to have a simpler basis but is ultimately short-sighted. By requesting that Apple unlock the phone, the FBI did fulfill its short-term goal of doing what it can to protect the American people. However, the harm that could be caused over time, by exploiting a weakness in security that millions of people rely on, far outweighs the benefits associated with doing so. Furthermore, attempting to set the precedent of having businesses modify their customers’ products for the government’s interests is dangerous for everyone with encrypted data to protect. These two factors invalidate the common good aspect of the FBI’s intentions. All that remains of the FBI’s intent is the desire to solve the case at hand, without regard for the consequences of doing so. While this conclusion does use a consequentialist approach to analyzing the true intent, the consequences are only used in determining the true intent of the FBI and Apple.

Neither Apple nor the FBI has completely altruistic intentions. However, Apple’s actions were at least partially for the good of its users, while the FBI simply wanted to gain more information on a single case, even if it would bring danger to millions of people. For these reasons, Apple is more closely aligned with the moral “right” in this dilemma. Truthfully, if the FBI were able to access the encrypted personal data of suspected terrorists, a great benefit could be provided to society. However, there is no way to guarantee data security for some users but not others, and the risk of corruption is far too high to allow. For this reason, Apple and other companies should not surrender their users’ personal data to any external entity, governmental or otherwise. To put the amount at stake into perspective, we must consider the full capabilities of encryption technology. In the words of Philip Rogaway, a computer science professor at the University of California, Davis: “Cryptography rearranges power: it configures who can do what, from what. This makes cryptography an inherently political tool, and it confers on the field an intrinsically moral dimension.” [7]. With this in mind, we can assert that it is impossible to remove the ethical component from conversations surrounding the release of encrypted data and we must always treat data security as an inherently moral issue. The FBI must learn to look at the long-term effects of its actions, while Apple and others must be steadfast in their commitment to keeping their users safe.

By William Whaley, Viterbi School of Engineering, University of Southern California


About the Author

At the time of writing this paper, William Whaley was a junior at the University of Southern California studying computer science and business. He is from St. Louis, Missouri, and wants to work in the field of financial analytics.

Works Cited

[1] R. Chesney, “Apple vs FBI: The Going Dark Dispute Moves from Congress to the Courtroom”, Lawfare, 2017. [Online].

[2] E. Nakashima, “FBI paid professional hackers one-time fee to crack San Bernardino iPhone”, Washington Post, 2017. [Online].

[3] “Organization, Mission and Functions Manual: Federal Bureau of Investigation | DOJ | Department of Justice”, Justice.gov, 2017. [Online].

[4] T. Cook, “Customer Letter – Apple”, Apple, 2017. [Online].

[5] “What is Apple’s current mission statement and how does it differ from Steve Job’s original ideals?”, Investopedia, 2017. [Online].

[6] “A Framework for Making Ethical Decisions | Science and Technology Studies”, Brown.edu, 2017. [Online].

[7] P. Rogaway, “The Moral Character of Cryptographic”, Web.cs.ucdavis.edu, 2017. [Online].

Suggested Reading

https://www.brown.edu/academics/science-and-technology-studies/framework-making-ethical-decisions

http://web.cs.ucdavis.edu/~rogaway/papers/moral-fn.pdf

http://www.prindlepost.org/2016/03/apple-cyber-security/