In this post, the third in a series, I want to discuss what I think is the policy question at the heart of the Apple case about opening the San Bernardino iPhone. The question is, what is the optimal amount of physical box security? It’s a question we’ve never asked before because we haven’t lived in a world where a lot of physical box security was possible. Computers and cellphones change that, raising for the first time the question of how much security is ideal.
My bottom line is that I don’t know the answer. I want to convince you, however, that it’s a really hard problem. The answer hinges on unknown answers to empirical questions and predictions about the future. I don’t know what answer is best because I don’t know how the empirical questions shake out and I don’t have a crystal ball. My goal in this post won’t be to provide answers, but instead to suggest a way to think about the questions.
I. The Idea of Physical Box Security
Let’s start by defining a term I will use: physical box security. I use that term to mean the degree of control that a person exercises over others opening his movable property — such as a box, suitcase, computer, knapsack, package or cellphone — when another person has physical access to the property.
Let’s imagine a scale of 1 to 10, with 1 being zero physical box security and 10 being perfect physical box security. A person who stores his property in a paper bag has physical box security of close to 1. If someone else can get control of the paper bag, it is trivially easy for that person to open the bag and see what is inside.
On the other end of the scale, a person has physical box security of 10 if he maintains perfect control over the ability of others who possess the box to open it. A physical box security rating of 10 means that no one can open the box without the owner’s consent even if that person has physical access to the box. This is just a hypothetical, of course. A perfect 10 score is impossible in the real world. But as a thought experiment, let’s assume this state of absolute control by the box owner can exist.
I’ve covered the two extremes of zero and perfect physical box security, but most cases fall somewhere between 1 and 10. Just to fill in some arbitrary numbers, we might say that the physical box security of a locked trunk is a 2 or a 3. As the means of opening the box gets harder, the physical box security goes up. The physical box security of a locked safe might be more like a 4 or 5.
II. iPhones and Physical Box Security
What does this have to do with cellphones and the Apple case? Cellphones and other computers enable an unprecedented amount of physical box security for anyone and everyone. I’ll focus on iPhones in light of the Apple dispute. Cellphones can encrypt data so that a password known only to the user is needed to decrypt it. They can also be designed to disable “brute force” guessing of the password. The new technology makes possible levels of physical box security that we just haven’t seen before. And it’s in pretty much everyone’s pocket.
The implementation of that technology is happening incredibly quickly. The first iPhones were introduced less than 10 years ago. At first, passcodes were rare. Then they came into broad use, but tools were available to easily bypass them. Then Apple’s box security improved, and the tools didn’t work; the government needed to go to Apple to break into the phone. In 2014, Apple increased physical box security again by removing its own ability to break into the phone. And next Apple wants to eliminate its own technological ability to disable the features that block brute-force guessing.
Recall my earlier scale of 1 to 10, with 1 being a paper bag and 10 being a mythical state of perfect security. Until computers, levels of physical box security have generally stayed around a 1 or 2 or 3, with an occasional rare 4 or 5. Computers have changed that incredibly quickly. The iPhone is the most obvious implementation of the shift. Suddenly a large proportion of the population is walking around with physical boxes in their pockets that might have had a security score of (say) 7 in 2014 and (say) 8 today. Looking ahead, a 9 in 2017 seems possible, with 9.5 or 9.7 looking possible for a few years beyond that. It’s an incredible change.
III. The Apple Case is About the iPhone’s Physical Box Security
Now we get to the specific issue in the Apple/FBI dispute. The case asks whether a court can force Apple to help lower the physical box security of its phones. The government wants Apple to create a software update that will bypass features on the phone that block password-guessing. If Apple wins, the software won’t be created and the physical box security of iPhones will stay at 8. If the Justice Department wins, on the other hand, the physical box security of iPhones could be at least temporarily lowered. How much lowered depends on how you measure it. But let’s say that if someone gains access to the software update, that locked phone would have its physical box security lowered to a 6.
You can understand the policy arguments on both sides with this framework in mind. From the pro-Apple position, more physical box security is always better. The ideal is a perfect 10, so that users have perfect control over who accesses their physical boxes. From this perspective, deviations from 10 are security flaws that ideally can be fixed or at least minimized. The more physical box security users have, the more those users can keep away criminals, hackers and oppressive foreign governments.
On the other hand, from the pro-FBI position, there’s such a thing as too much physical box security. The government says that the Fourth Amendment should be the way to deal with physical box security. When the government has a valid warrant, the argument runs, the physical box security should be low enough that agents can break into the box. We need physical box security to be low enough that the traditional balance of the Fourth Amendment can work. And at the very least, that requires lowering the physical box security of phones from an 8 to a 6 for the FBI when it has a warrant.
To which Apple responds, yes, but we can’t lower physical box security just for you. If we create a way to lower physical box security just for the FBI, physical box security won’t be an 8 for everyone but a 6 just for the FBI with a warrant. Once we create the code, the code’s way to lower physical box security from an 8 to a 6 might spread around the world. We might end up at a level of 6 for everyone. From the pro-Apple perspective, it’s really important for Apple to not be forced to create the code; it moves physical box security in the wrong direction.
Granted, even if the FBI won, Apple could take future steps that would raise the physical box security of its phones back up again. Apple could require every iPhone to use a six-digit alphanumeric passcode instead of the default four-digit number passcode. That’s an option at present, but it could be easily turned into a requirement. If so, that alone might raise the level of security to an 8.5 or 9. It would take years for a computer to break the code by a brute-force attack even if the features bypassing password guessing were disabled. But customers might find it annoying to use, so the specific issue in the case is more like the difference between an 8 score today vs. a 6 score if the FBI wins.
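Ballpark arithmetic behind the passcode-length point above, as an added example that is not from the original post: it compares the default four-digit numeric passcode with a six-character alphanumeric one, both with the guess-blocking feature bypassed (only a per-guess time cost remains) and with it in place (a hard cap on wrong guesses). The 80 ms per-guess cost, the 62-character alphabet and the 10-guess cap are constructed assumptions, not figures from the post.

```python
import string

# Constructed assumptions for the estimate (not figures from the post): a per-guess
# cost standing in for the phone's key-derivation delay, and a cap on wrong guesses
# standing in for the feature that blocks password-guessing.
ASSUMED_SECONDS_PER_GUESS = 0.08
ASSUMED_GUESS_CAP = 10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of a fixed length over an alphabet."""
    return alphabet_size ** length


def expected_years_to_guess(alphabet_size: int, length: int,
                            seconds_per_guess: float = ASSUMED_SECONDS_PER_GUESS) -> float:
    """Expected time for an exhaustive search once throttling is bypassed:
    on average half the keyspace is tried before the right passcode appears."""
    return keyspace(alphabet_size, length) * seconds_per_guess / 2 / SECONDS_PER_YEAR


def success_probability_with_cap(alphabet_size: int, length: int,
                                 guess_cap: int = ASSUMED_GUESS_CAP) -> float:
    """Chance a random-guessing attacker wins when the device allows at most
    guess_cap tries before locking or wiping (throttling left in place)."""
    return min(1.0, guess_cap / keyspace(alphabet_size, length))


def compare_policies() -> dict:
    """Four-digit numeric default vs. six-character alphanumeric (letters + digits,
    case-sensitive, 62 symbols, an assumption about what 'alphanumeric' means)."""
    digits = len(string.digits)                        # 10
    alnum = len(string.digits + string.ascii_letters)  # 62
    return {
        "4_digit_space": keyspace(digits, 4),
        "6_alnum_space": keyspace(alnum, 6),
        "4_digit_years_throttle_bypassed": expected_years_to_guess(digits, 4),
        "6_alnum_years_throttle_bypassed": expected_years_to_guess(alnum, 6),
        "4_digit_p_success_with_cap": success_probability_with_cap(digits, 4),
        "6_alnum_p_success_with_cap": success_probability_with_cap(alnum, 6),
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name}: {value:,.6g}" if isinstance(value, float) else f"{name}: {value:,}")
```

Under these assumptions the four-digit default falls in minutes once throttling is bypassed, while the six-character alphanumeric code averages roughly seventy years, which is why the post treats passcode length as an independent lever on the "score".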
IV. The Big Policy Question
The big policy question in the Apple case is this: To the extent governments can control it, what is the optimal amount of physical box security that people should generally have in their phones? Is a 4 the best? Maybe 6? Is 10 the ideal? And is it practically possible to have different levels of physical box security in different contexts?
It’s a fascinating question. For all of recorded human history until now — I’ve always wanted to use that phrase, and now it actually fits — we haven’t relied much on physical box security to protect privacy. We have mostly maintained privacy in our boxes by relying on a mix of modest physical barriers, obscurity and legal barriers.
Think of some familiar examples. Imagine you keep a diary and you really don’t want others to see it. How do you make sure that others don’t read your diary? For the most part, you probably do things like keeping it in your home, hiding it away and relying on social norms and laws like trespass and the Fourth Amendment to keep others from breaking into your house to see it. You might also have a very easy-to-break lock on the diary, but it mostly just keeps out children or nosy houseguests. The physical box security of a diary is only something like a 2. Anyone can open it if they really try.
The same is true with suitcases and briefcases. It’s common for them to have locks, but usually they are locks that are really easy for a determined adversary to defeat. That’s usually fine, as we mostly only worry about briefcases accidentally coming open or pickpockets reaching in a hand. And more physical box security is usually expensive and burdensome, so we don’t think much about it.
But what happens if a company like Apple can easily create a phone with extremely high levels of physical box security? Is that good or bad? Imagine all the ways in which a phone might be accessed without the owner’s permission. There are bad accesses and good accesses. Bad accesses would include those by criminals or rogue police officers. Good accesses would be those by employers searching employee phones or the police with warrants in serious criminal cases. Different levels of physical box security mean different sets of allowable access by these different groups.
In an ideal world, we could calculate the number of each of these accesses and how much each access contributed to or took away from the overall public good. We could then sum up the overall good uses and bad uses and see which level of physical box security most advances the public interest. But we don’t live in an ideal world, so instead everyone is left to guess the levels of ideal physical box security.
That’s why I don’t have an answer to the policy question. I don’t know how common and how serious are the means of access, good and bad, and how good the good accesses are and how bad the bad accesses are, at each level of physical box security. Is the ideal number 4, 5, 6, 7, 8, 9, or 10? I don’t know. (As an aside, I realize that giving physical box security a single number is unrealistic. It would be more accurate to represent it with a matrix representing the different possible threats, especially over time. But I’m trying to keep things as simple as I can.)
One answer would be to follow past solutions to similar problems. The obvious past example is the Communications Assistance for Law Enforcement Act of 1994, passed in response to fears that Internet and wireless communications couldn’t be tapped. CALEA reflected Congress’s view in the 1990s that a perfect 10 score for communications security was a bad idea. Should CALEA be the model? Maybe, maybe not. First, CALEA is controversial. You would need to have a stronger sense than I have about whether CALEA has been a success to say whether it’s a good model to follow. (I have tried to remain rationally ignorant of the details of CALEA.) Second, the calculation of good and bad accesses for wiretapping may be quite different from the calculation of good and bad accesses for physical boxes. The two cases present different kinds of security. It probably makes sense to consider the policy questions separately.
V. The Global Element of the Problem
To make matters even more complicated, the policy question is not just a question for the United States. The cellphone business is global. Last year, about 20 percent of Apple’s overall sales came from Europe, another 25 percent came from China and another 10 percent was from elsewhere in Asia. Apple’s foreign sales are growing rapidly. So the rules here are not just the rules for the United States; they may also be the rules for the rest of the world.
Let’s assume that the level of physical box security is the same in every country. If it’s a 6 in the United States, then it’s a 6 in China. In that case, the calculation for optimal physical box security gets harder. Rates of theft and rogue police vary across the world. Maybe the ideal physical box security in the United States is a 6 while the ideal level in China is a 9. If the answer must be the same everywhere, however, which level do you pick — the ideal level in the United States, in China, or somewhere in between? Is the goal to determine the best overall global solution, or should we mostly or even only worry about the best answer in the United States?
And then there’s the question of whether it’s inevitable to have the same level of physical box security in every country. Some say it is, and maybe they’re right. But maybe there are ways of having different levels in different countries. And I wonder how much United States policy will set policy elsewhere. Some seem to think that whatever the United States does, the rest of the world will inevitably follow. But is that necessarily true? I can imagine a wide range of different reactions from different countries, with some not trying to influence Apple and some taking a particularly hard line against Apple in that country. United States policy might make a difference around the world. But it’s not entirely clear to me how much.
VI. The All Writs Act and Beyond
Finally, the policy question raised in this case comes to the court in the specific legal context of deciding whether the All Writs Act can be used to compel Apple to assist with the existing search warrant. A lot of people worry that the precedent that will be created by a court ruling will go beyond the context of physical box security. If the government gets a decision giving it broad powers to compel assistance to lower physical box security, it might be used in other contexts such as communications security (the subject of CALEA, which dealt with a communications-level analog to the problem of physical box security). Who knows how far the court might go? And if this case might be used in other contexts, maybe the issue in the Apple case goes beyond physical box security to a more general question of keeping the government from lowering security generally.
I appreciate that concern, but I think it has two important limits. First, legally, the All Writs Act is used to compel assistance in cases where the government is executing a traditional Rule 41 search warrant. That’s the tool that would be used to open a physical box. Once you go beyond physical box security, you generally end up getting into other areas of surveillance governed by different and much more specific provider assistance laws.
Second, the legal framing of the Apple case under the All Writs Act is just the framework for this case. It’s the legal framework that applies by default because of the New York Telephone case I explored in glorious detail in my last post. But the policy question is really a matter for lawmakers to decide going forward independently of what courts happen to do in this one case.
I’m reminded of the Microsoft extraterritorial warrant case still pending in the Second Circuit. In both the Apple case and the Microsoft case, the companies and the government are duking it out based on preexisting law. One side will win, and one side will lose. In both cases, the losing side will almost certainly go to Congress seeking what it sees as a better answer than the courts produced. These are statutory questions, not constitutional ones. After the courts are done interpreting the old statutes, Congress will inevitably be the next forum in which the policy questions will be debated.