Wednesday 24 February 2016

Thoughts on encryption, and why the Apple vs. the DOJ thing is important.

There is a really interesting fight brewing right now between Apple and the US Department of Justice over the cell phone used by the shooters in San Bernidino. Most people have probably read about this in some form or another but it boils down to law enforcement asking Apple to break into the phone in a way that would allow them to simply brute force guess the password on the device as fast as possible to unlock the data that it contains.

The US law enforcement position is that they need access to this information to protect the public interest and because of the way that the device is designed and encryption is in place on these things they don't have a back door unless Apple puts one in place for them. Apple's position is that this is a slippery slope and that if they do this for a single device they will get pushed into doing this on more and more and more devices as soon as law enforcement realizes that they now have a way in.

The big problem that I have with this is that if Apple concedes and opens up this one phone they have now proven that it can be done. There's already one request showing up asking them to do anywhere between 9 to 11 more phones that I've seen posted online, and there's one US district attorney who's said that he's got about 175 phones that they have been unable to unlock. Consider that this is happening before Apple has even said that they can actually do what's being asked of them and it's not hard to see where this ends up.

And if you think for a second that the folks making Android devices won't be getting similar requests as soon as a precedent is set you need to give your head a shake.

Now normally I'm on the side of Law Enforcement in a lot of cases. They have a rough job to do and they pretty much have to be right 100% of the time, where somebody trying to cause problems just has to be right once to have an impact, but this bothers me in a way that I'm not entirely comfortable with.

First of all any time you provide a back door it's going to get abused. You can put as many controls on access to this information as you want but at some point in the chain there is going to be someone who has access and uses it for their own purposes. It might be somebody stalking a ex, somebody tracking their kids, or some other equally inane reason but once you open that door it's not going to be closed and will eventually get in the hands of people who want to use it for really nasty reasons.

Secondly, while I have nothing to hide that's not to say that I don't have information about myself or my family that I don't want being publicly disclosed. Everybody has secrets, and while the only sure way to keep them secret is to keep them off of my computer having anybody with the ability to just walk in and bypass any type of encryption that I have put in place - no matter how good I am about maintaining the security of my devices - is a troubling thought.

And while there are a lot of points that one can keep going over the government already can go after people to get this type of information - provided they are not you know, dead. If the government wants into something that I have encrypted they just have to go get a court order to get the passwords, encryption keys, or whatever is required to access that information.  Then I have the choice to provide that information or go to jail because I have decided to defy a court order. The advantage to this is that it's not something that's going to be done behind my back and it puts the onus on me to decide if it's worth going to jail to keep that information secure.

This is something that everybody should be watching carefully. If this box gets opened up it should cause us all to carefully reconsider what's secure in our world, if there is actually anything that we can consider secure at all.


No comments:

Post a Comment