A recent case that’s been making headlines and putting privacy at the center of the discussion is the Apple versus FBI controversy. At the upcoming MEF Global Consumer Trust Summit, the industry will discuss drivers in the mobile ecosystem when it comes to privacy and security.

One of the panels, the Data Sovereignty Debate – the industry’s response to official-access to data – will discuss the aspects of the case and take a look at what’s at stake from an industry perspective.  Here, we  hear from one of the panelists,  Justin Olsson, Product Counsel for AVG Technologies for their views on the discussion.

So the Department of Justice and the FBI backed off, in San Bernardino and New York. Apple won, right? It’s over now?

In short, no. While the first few months of 2016 have clearly shown that companies can stand up against government requests for information, and even to assist in the investigation of terrorism, we’re technically no closer to resolution of the core issue, which is: when should companies be forced to turn over what data, and how much power does the government have to compel production of data that’s not readily available?

Are public privacy and security in better shape now than it was before the Apple v. FBI showdown?

Maybe.

One the one hand, Apple avoided being forced by the government to engineer a solution that would defeat its significant work securing iOS devices from unauthorized access. And while the New York federal magistrate judge’s decision in the one case that went to judgment can’t formally set precedent the way a federal appeals (or Supreme) court decision does, the first ruling in almost 40 years on the scope of authority exercisable under the All Writs Act was an unequivocal rejection of the government’s position and may serve as the basis for future rejections to come.

On the other hand, the FBI is now making available to law enforcement nationwide a zero-day exploit it purchased, whose workings they cannot—or will not—share with Apple. In short, the FBI can now gain unauthorized access (and share that access) to millions of Apple devices.

    Without privacy, you cannot have digital security. And without digital security, you cannot have physical security. From surreptitious location tracking by a stalker to all-out government monitoring and surveillance, our devices expose personal information that is orders of magnitude more sensitive than the personal information that could be collected even a decade earlier.

While the FBI says the exploit is limited to iPhone 5C devices and older, we have no way of knowing whether the exploit can be modified to work on newer devices, and much reason to speculate that it could be. Even the knowledge of an existing unpatched exploit can be dangerous. And knowing what devices an exploit works on can enable others to more quickly reverse-engineer and re-create the exploit. Ultimately we have no way of knowing that this exploit has not already been discovered by or shared (by the party the FBI purchased it from) with bad actors.

While the security and tech communities can for now sleep more soundly because their ability to fight government requests for data has improved, they’d better be getting ready for the next wave today.

So what should the next step be? Is legislation the answer?

There should be continuing, vigorous debate, and it should happen soon. At some point, the tension needs to be resolved, because clear interests exist on both sides, and to some degree it’s a zero-sum game. But in the current political climate, a frank conversation may be impossible. The status quo may be as good as we’ll get for now.

That the FBI is responsible for keeping us safe is not in doubt. Nor is that their job may get appreciably more difficult in an era of default end-to-end encryption. But by no means is it clear that improved digital privacy and security will lessen safety in the physical world. I’d say the opposite is true—that not only do improved digital security and privacy, even at the expense of a more difficult job for the FBI, not weaken safety, they improve it. In fact, they’re necessary for it.

How can making the FBI’s job harder improve safety?

Without privacy, you cannot have digital security. And without digital security, you cannot have physical security. From surreptitious location tracking by a stalker to all-out government monitoring and surveillance, our devices expose personal information that is orders of magnitude more sensitive than the personal information that could be collected even a decade earlier.

Giving everyone the ability to encrypt communications, even (and especially) from the prying eyes of the FBI, is a necessary condition to maintaining safe physical presence.

What will happen if no action is taken?

Apple (and every other tech industry player who can) will scramble to develop locks so tough that even the creators can’t crack them, even if that means compromising usability. Companies will continue to develop secure communication and data storage solutions such that even they can’t access data, even at the owners’ request, leading to situations in which a forgotten password spells lost access.

So what next?

Until a framework is put in place to balance the government’s need for information with an individual’s interest in preventing access to that information, the Apple v. FBI situation will just keep repeating itself.

While the government may be in no hurry to return to court compel Apple to help them break into an iPhone, the government won’t stop doing everything it can do to get the information it needs. And we shouldn’t want it to. The government needs access to data to help investigate and prevent crime. However, not all data is worth the cost of obtaining it.

We need to come together as an industry to balance interests, so we wind up with a win-win. We need to ensure the potential harms caused by enabling government data access don’t outweigh the benefits of secure communications.

How does this situation affect other companies in the ecosystem? How does it affect their customers?

The Apple v. FBI battle has clearly shown that every company has choices to make. What kind of data do you hold? Do you hire a team of engineers and lawyers and get ready to field requests? Do you quickly work to harden the security of your device or software so that when the government comes calling there is nothing to do?  Do you hunker down and hope no one asks?  Will this even affect you or your customers?

Make no mistake—the encryption standoff affects everyone. The rest of this decade—and potentially much of the following—will be spent determining who gets what access to what data. Everyone is now or soon will be in the data business—private companies, public organizations, the government. Whether that data will be able to be encrypted to prevent (even lawful) access is under significant scrutiny.


Justin Olsson

Product Counsel

AVG Technologies

color-linkedin-128 color-twitter-128 color-link-128

If you’re an American company (or want to do business in America, or for that matter simply want to use the internet), you’re in a bind. Between the Snowden revelations and near-constant onslaught of data theft news articles, customers are becoming increasingly worried about unauthorized (or at least undesired) access to their personal data. Companies want to offer what’s best for their customers, and focusing on security is rarely easy or near-term cost-beneficial. But the loss of consumer trust that will follow in a world where you’re unable to guarantee secure communication cannot be overstated.

As an industry, we can and should continue to push for more encryption, more privacy, and more security, because there’s no such thing as a safe backdoor. Without privacy, we cannot have security, digital or physical.

Join us at the 6th annual MEF Global Consumer Trust Summit in San Francisco on June 23rd to discuss the drivers in the mobile ecosystem when it comes to Privacy & Security. Showcasing a clear shift from simple compliance to business-critical, the Summit provides pragmatic insights, discussions and guidance on the value of Consumer Trust to businesses’ bottom-line.

Subscribe to our mailing list

* indicates required