Last week, FBI director James Comey had sharp words for Apple and its decision to enable encryption by default on iPhones. Comey argued that Apple was allowing its customers to "place themselves beyond the law," and he worried that unbreakable encryption feature will cost lives when law enforcement isn't able to get the information they need to thwart a kidnapping or terrorist attack.
But there are some good reasons for Apple to offer their customers the most robust privacy protections technology allows — even if that means the job of law enforcement becomes a bit more difficult.
The law is on Apple's side
While Comey accused Apple of helping users put themselves beyond the law, it's notable that he didn't say that the products themselves are illegal. That's because they're not: strong encryption products have been legal and widely available for years.
Indeed, the legal status of encryption products was one of the biggest tech policy fights of the 1990s. In the early 1990s, as computers were becoming fast enough to make routine encryption feasible, intelligence and law enforcement agencies were making arguments that sounded a lot like the ones Comey is making now. They wanted backdoors in encryption products to preserve their ability to eavesdrop on people.
But the feds lost that fight, and strong cryptography without backdoors became a foundation of the internet economy. Today, every major web browser comes with strong cryptography built-in. Disk encryption products are available for every major operating system. And email encryption tools are available for free download.
Law enforcement "backdoors" could make iPhones vulnerable to hackers
Comey wants to ensure law enforcement agencies armed with warrants can get access to private samrtphone data. But any system that facilitates access by law enforcement will also make smartphones more vulnerable to hackers too.
As computer scientist Matt Blaze points out, building secure software is a hard enough challenge in its own. Creating a backdoor for the feds adds further complexity, increasing the danger of bugs that will let the bad guys in.
Blaze would know. Two decades ago, the government was pushing the Clipper chip, an encryption device with a built-in backdoor for law enforcement. Then Blaze's research showed that the Clipper chip's backdoor mechanism made the entire encryption scheme insecure. The Clipper chip — and proposals for mandatory backdoors more generally — were scuttled.
Another example of the danger of backdoors came a decade later. The Greek telephone network was built using American hardware that complied with a 1994 law requiring telephone equipment to come with a backdoor mechanism to facilitate spying by law enforcement. In 2004, someone — some have blamed American intelligence agencies — used this system to gain unauthorized access to the Greek telephone network and spy on more than 100 phone lines belonging to senior Greek government officials, including the prime minister.
Some countries are more hostile to privacy rights than the United States
Whatever concerns you might have about privacy abuses by the NSA, one thing we can all agree about is that some countries have much worse privacy records. And if Apple retains the ability to unlock peoples' phones in the United States, it's going to face strong pressure to offer the same service to repressive regimes overseas.
That's not just a hypothetical concern. For example, BlackBerry has long touted its strong encryption features when selling its smartphones to corporate clients. But it came under pressure from countries such as the United Arab Emirates and Saudi Arabia to provide access to their customers' secure email.
BlackBerry's negotiating position was strengthened by the fact that, for some corporate and government clients, BlackBerry was unable to break their customers' encryption even if they wanted to. The encryption keys were managed by the customer, not BlackBerry.
If Apple retains the ability to decrypt iPhone data at the behest of US law enforcement, it's going to be hard to say no when Saudi Arabia, Russia, or Egypt comes knocking. And even if you trust the US government not to abuse its decryption authority, you probably don't trust Saudi Arabia's government to respect human rights.
And even if Apple refuses to help repressive governments, the governments might gain access anyway. Last year, the Washington Post reported that Chinese hackers had broken into Google's servers and accessed information about US surveillance targets. If Apple maintains a database of its customers' encryption keys to facilitate law enforcement access, that database would become a juicy target for foreign intelligence services.
The police will still have plenty of ways to solve crimes
Comey suggested that law enforcement access to the contents of smartphones would be essential to savings lives in terrorism and kidnapping cases. But his speech was short on specific examples where encryption actually thwarted — or would have thwarted — a major police investigation.
Last week, former FBI official Ronald Hosko wrote an op-ed in the Washington Post offering a concrete example of a case where smartphone encryption would have thwarted a law enforcement investigation and cost lives. "Had this technology been in place," Hosko wrote, "we wouldn’t have been able to quickly identify which phone lines to tap. That delay would have cost us our victim his life."
There's just one problem: Hosko was wrong. In the case he cited, the police had not used information gleaned from a seized smartphone. Instead, they used wiretaps and telephone calling records — methods that would have been unaffected by Apple's new encryption feature. The Washington Post was forced to issue a correction.
Indeed, while law enforcement groups love to complain about ways that encryption and other technologies have made their jobs harder, technology has also provided the police with vast new troves of information to draw upon in their investigations. With the assistance of cell phone providers, law enforcement can obtain detailed records of a suspect's every move. And consumers increasingly use cloud-computing services that store emails, photographs, and other private information on servers where they can be sought by investigators.
So while smartphone encryption could make police investigations a bit more difficult, the broader trend has been in the other direction: there are more and more ways for law enforcement to gain information about suspects. There's no reason to think smartphone encryption will be a serious impediment to solving crimes.