Professionalism/Apple, the FBI, Personal Data

From December 2015 to March 2016, the FBI investigated a terrorist attack in San Bernardino, California that left 14 dead and 22 injured. As part of this investigation, the FBI recovered one suspect's locked iPhone. A US District Court ordered Apple to help unlock the phone by circumventing built in security features. Apple refused to comply, resulting in a months-long debate in the public sphere. The FBI ultimately used a third party tool to unlock the phone and dropped its case against Apple. The investigation remains a major event in privacy and security circles.

San Bernardino Shooting, iPhone 5C and GovtOS
On December 2, 2015, 14 people were killed and 22 were injured during a terrorist attack at the Inland Regional Center in San Bernardino, California. Federal agents recovered Syed Rizwan Farook's work iPhone 5C intact. Agents wanted to use phone data as evidence when investigating the 2015 San Bernardino shooting. A four digit passcode locked the iPhone, preventing entry. The iPhone would delete all its data after ten incorrect password inputs. FBI agents attempted to bypass this security feature through iCloud data syncs. iCloud account password differences between Farook's iPhone and his iCloud rendered the data sync unsuccessful. . On February 9, 2016, the FBI announced it was unable to break into the iPhone. Agents asked Apple to unlock the phone. Apple claims the FBI wanted a to create a new operating system, dubbed GovtOS.

Apple Ordered to Assist FBI
United States magistrate judge Sherri Pym issued a court order in the United States District Court for the Central District of California "compelling Apple, inc. in assisting [federal] agents in [searching]" the San Bernardino shooter's iPhone 5C on February 16, 2016. Apple was specifically ordered to provide reasonable technical assistance in: The court order requested Apple to meet FBI demands by writing new iPhone software for Farook's iPhone. Apple was given five days to apply for relief if "Apple believes that compliance with this Order would be unreasonably burdensome".
 * 1) bypassing or disabling the iPhone's auto-erase function
 * 2) enabling FBI agents to submit iPhone passcode electronically
 * 3) preventing additional delay between passcode attempts

All Writs Act of 1789


The court order was issued under the All Writs Act of 1789. This act states that any courts established by Congress may issue all necessary or appropriate writs to aid their respective jurisdictions. The American Civil Liberties Union found that the government has been trying to use the All Writs Act to force companies to help crack customer phones since 2008.

Apple's Response
Apple released a public letter, written by CEO Tim Cook, that opposes the court order. The letter is directed at Apple customers and states that the "United States government has demanded that Apple take an unprecedented step which threatens the security of our customers." Cook contends compromising information security puts personal security at risk. According to Apple, building "a version of iOS that bypasses security" creates a dangerous backdoor. This software exploit threatens security when in the wrong hands.

There is no precedent for "an American company being forced to expose its customers to a greater risk of attack." Apple fears compliance to the court order will set a legal precedent. Cook writes, "if the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data." While Apple states the FBI's intentions are good, the company feels it is "wrong for the government to force [us] to build a backdoor into [our] products... Demand would undermine the very freedoms and liberty our government is meant to protect".

FBI Cracks iPhone
On March 28, 2016, the FBI announced that a third party helped unlock the subject iPhone. The Department of Justice withdrew the court order requesting Apple's compliance on the same day. FBI Director James Comey confirmed that FBI purchased a third party hacker's tool to unlock iPhones. Comey suggested the tool is worth over $1.3 million. This purchase didn't cover rights to the tool's technical details. The tool can only be used on older iPhone models lacking a Touch ID sensor. The Israeli company Cellebrite is rumored to have built the hack.

Ethics: Software Engineering Perspective
Apple's engineers and managers face an ethical crossroad. On one hand, they have a duty to user privacy product integrity. However, they must weigh this against their duty to the national security. Resolving this issue is an important one for engineers, especially in light of programs which ask corporations to aid the government's surveillance efforts.

ACM Code of Ethics
A first ethical analysis of this case uses the ACM Code of Ethics. The Association for Computing Machinery (ACM), the professional organization for computer scientists, developed this code to guide members in ethical decision-making. One relevant section of the code relates to a software engineer's obligation to preserve the privacy of a software's users:

"...It is the responsibility of professionals to maintain the privacy and integrity of data describing individuals. This includes taking precautions to ensure the accuracy of data, as well as protecting it from unauthorized access or accidental disclosure to inappropriate individuals... User data observed during the normal duties of system operation and maintenance must be treated with strictest confidentiality, except in cases where it is evidence for the violation of law, organizational regulations, or this Code..."

The problem is reiterated rather than solved; the Code says that data must be confidential, except when it's evidence for legal violation. Unfortunately, later text in the Code adds confusion:

"ACM members must obey existing local, state,province, national, and international laws unless there is a compelling ethical basis not to do so. Policies and procedures of the organizations in which one participates must also be obeyed. But compliance must be balanced with the recognition that sometimes existing laws and rules may be immoral or inappropriate and, therefore, must be challenged. Violation of a law or regulation may be ethical when that law or rule has inadequate moral basis or when it conflicts with another law judged to be more important..."

Here, the Code appeals to the doctrine of civil disobedience; while obeying laws is important, there exist "higher laws" that may be more important.

Right to Privacy
Tim Cook, in the Apple Customer Letter, makes an implicit appeal to a "higher law" at the letter's close. He says: "While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect". The letter's text implies this higher law is the "right to privacy."

The Right to Privacy is a relatively modern concept, although some trace its roots to Aristotle's division of the political (polis) and family (oikos) spheres. It was first introduced to the United States' legal system by Louis Brandeis and Samuel Warren in their 1890 article, The Right to Privacy, in the Harvard Law Review. They contend that, in light of "instantaneous photographs and newspaper enterprise," the "right to be let alone" should protect a person's privacy and physical being.

As a Supreme Court Justice, Brandeis set a legal precedent on the right to privacy by writing a dissenting opinion for Olmstead v. United States. The Court was determining the legality of wiretaps used to convict a suspected bootlegger. While the Court ruled the wiretaps legal, Brandeis concurred with the defense that the wiretaps violated the Fourth and Fifth Amendments. His dissent stated that "[The makers of our Constitution] conferred, as against the Government, the right to be let alone -- the most comprehensive of rights, and the right most valued by civilized men". This supports Cook's appeal to privacy as a "higher law" than that of the FBI's request to open the iPhone.

Transparency and the FBI
One could argue that the FBI was not fully transparent in this case. According to FBI Director Comey, "[This] isn’t about trying to set a precedent or send any kind of message... this case is about the innocents attacked in San Bernardino". While this is a plausible stance, it wasn't convincing to personal security advocates.

Questionable tactics
Steps taken by the FBI to unlock the phone suggest that they had a deeper motive than solving the case at hand:
 * 1) The FBI "instructed a county worker to change the password for the phone's iCloud account" . This prevented the phone from backing up its contents over Wi-Fi. Therefore, the FBI couldn't get data via iCloud. This is an odd mistake for a well-equipped agency to make.
 * 2) While it wasn't the first time Apple encountered the All Writs Act, Cook's letter to Apple customers claimed that the FBI's use of the law was "unprecedented" . One would not expect such a stretch in an ordinary shooting investigation.
 * 3) Less than two months after Apple refused to comply, the agency found a third party to help unlock the phone and immediately dropped their suit against Apple.

Possible interpretations
These events suggest a few possibilities:
 * The FBI was unaware of third party hacks into the iPhone at case outset. Once they discovered one, Apple's help was no longer needed and they withdrew their suit.
 * The FBI was aware of third party hacks, but tried to conscript Apple to unlock the phone, hoping that they would do it faster. Upon realizing Apple wasn't complying, they went to a third party for time's sake.
 * The FBI was aware of third party hacks and knew that they could bypass Apple at any time, but continued to push their suit. Even though setting a legal precedent was not their manifest function of the investigation, it may have been a latent function.

Generalizations and Further Research
In high profile investigations, governments and companies should consider both the rights of individuals and the security implications of the case at hand. Future research could study public opinion on these matters, or the many similar lower-profile cases across the country. In particular, further investigation on the other invocations of the All-Writs act on phone companies, uses of National Security Letters, and other instances of court-orders requiring software companies to divulge customer information.