March 29, 2016 at 12:46 PM
The Justice Department has called off a high-profile legal battle with Apple after it was able to unlock an iPhone used by one of the San Bernardino, Calif., shooters without the company's help. But rather than resolve the fight, this latest development is likely to motivate Apple and other companies to strengthen the security of their devices even more and force the government to keep up with any new security measures, technology executives and security analysts said.
"They're in an arms race," said Matthew Blaze, a cryptography researcher and professor at the University of Pennsylvania. "The FBI is trying to find new ways in, and Apple is trying to find new ways to defend against that."
Apple isn't the only company that is aiming to install greater encryption around products, making intrusions by hackers and government investigators alike much more difficult.
The FBI case reportedly intensified efforts among tech companies such as Snapchat and Facebook to employ better encryption – a trend that accelerated after Edward Snowden's revelations of government spying in 2013 and a massive wave of cyber-hacking in recent years.
The cloud-computing company Box, which filed a legal brief supporting Apple in the San Bernardino case, is one of the many tech firms rushing to offer new encryption-related security features. It recently launched a product, KeySafe, that allows corporate customers to hold on to their own encryption keys — a move co-founder and chief executive Aaron Levie said was as much about fighting off hackers and cybercriminals as it was about fending off government surveillance. The implementation of KeySafe means the company cannot collect and hand over the private information of a customer even when the authorities have a warrant.
KeySafe took two years to build, Levie said, not because of the complexity of the security but because of the challenge of building the feature without slowing down the company's system or making it difficult to use. "It's relatively straightforward to build secure technology," Levie said. "It's much harder to build that technology without interfering with the user experience."
In interviews, engineers across Silicon Valley said they thought the case would impact the way products are built going forward at both startups and large companies.
The case "will reinforce people's arguments," said Cameron Walters, an engineer who was a founding member of payments startup Square. "It will reinforce people's arguments," for tougher encryption and security protocols, he said. "It might push them to do it - if it was a question of effort versus return."
Tools using strong forms of encryption have historically been cumbersome, but that has been changing in recent years with the development of simple programs such as Signal, an encrypted text and voice messaging app. Facebook's WhatsApp messaging service also relies on similar encryption technology.
Still, some tech giants are struggling in their efforts to employ encryption. Related projects from Google and Yahoo aimed at giving their users a way to easily send and receive encrypted emails are still not finished almost two years after they were announced. Google's effort to shift phones running its Android mobile operating system to encryption by default also has faltered because it caused performance issues on some smartphones.
Even as companies move toward encryption, they see the limitations. "There are boundaries in play here that stop this from being a fully encrypted, hosted world," said Harvey Anderson, chief legal officer for security software company AVG Technologies, which filed a legal brief supporting Apple.
Apple, perhaps more than any other giant tech company, has heralded the push toward strong forms of encryption. In 2011, the company implemented end-to-end encryption for iMessage. In 2014, it announced that new versions of its operating system would automatically encrypt iPhones. Those moves led some law enforcement officials to warn that the technology could let criminals and terrorists "go dark" and escape justice.
Yet the government's ability to get around the security features of a phone used by Syed Rizwan Farook, who carried out the mass shooting in San Bernardino along with his wife last December, shows that there are still chinks in Apple's armor. And that may encourage the company to be even more diligent about closing gaps going forward.
"We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated," an Apple spokesman said in a statement. "Apple believes deeply that people in the United States and around the world deserve data protection, security and privacy. Sacrificing one for the other only puts people and countries at greater risk."
Blaze, the University of Pennsylvania professor, assumes that Apple will fix whatever vulnerability was exploited to gain access to the phone in this case — at least if it learns exactly what the method was.
It's unclear if the government will disclose the bug to the company. The administration has a process for deciding when it should reveal security vulnerabilities. [D]isclosing vulnerabilities usually makes sense," White House cybersecurity coordinator Michael Daniel wrote in a 2014 blog post describing the system. But he wrote that it weighs different factors -- including how badly the government believes it needs intelligence it may gain from exploiting the vulnerability
Stewart Baker, a former Department of Homeland Security senior policy official and now a partner at Steptoe & Johnson, argues that Apple's stance in the San Bernardino case gives the government little incentive to tell the company how it was able to break in.
"If Apple's position is, 'We aren't going to help you, and as soon as you tell us about a problem we're going to lock you out again,' you're basically saying the FBI should be complicit in locking themselves out of the phones," he said.
But the government also must consider keeping Americans' tech safe from other adversaries, including hostile hackers working on behalf of foreign intelligence agencies and cybercriminals, Blaze said.
"This vulnerability helped them get into this particular handset, but now they need to be thinking about who else could potentially use it to do the same thing," he said.
Blaze and Baker agree on one point: This isn't the end of the issue.
"This is a conflict that's going to happen," Baker said.