SAN FRANCISCO – Just below the surface of Apple’s dispute with the U.S. government over the San Bernardino iPhone is this question: Can a company use too much encryption?
Apple is fighting a Feb. 16 court order that it help the FBI try to get into an iPhone used by San Bernardino gunman Syed Rizwan Farook
by disabling a feature that would lock investigators out if they made 10 unsuccessful tries to determine the correct password.
Pro-privacy groups say that taken to its logical extreme, the government’s argument in the case would lead to the conclusion that it’s illegal to build unbreakable containers to hold data. In effect, that would set a limit on the amount of privacy individuals have the right to under U.S. law, they say.
The government argues that its request is more narrow than Apple and its allies contend. They've also asked whether device makers should be able to build encryption that is impervious to law enforcement.
Testifying before members of the House Judiciary Committee on March 2, FBI Director James Comey said he is concerned about the emergence of what he termed "warrant-proof spaces," where critical information cannot be obtained by law enforcement.
"The core question is this: Once all of the requirements and safeguards of the laws and the Constitution have been met, are we comfortable with technical design decisions that result in barriers to obtaining evidence of a crime?" Comey asked the committee.
The first court face-off between the two sides was scheduled to happen Tuesday afternoon in federal court in Riverside, Calif.
However late in the day on Monday the government asked to cancel the hearing. The FBI wanted time to test a possible alternate method for unlocking the phone which the agency said "an outside party" had demonstrated to it on Sunday, according to a filing Monday afternoon.
Judge Pym approved the cancellation Monday evening.
Whether or not a hearing actually happens at some point in the future, the case has brought to a head a long-simmering argument between law enforcement on one side and tech companies and pro-privacy groups on the other over how much digital privacy is too much.
“Arguably, we have reached the point of at least one court (the central district of California) is saying too much encryption is too much,” said Edward McAndrew, a cybersecurity lawyer with Ballard Spahr in Philadelphia.
The FBI and security supporters argue the request asks only to exploit an existing security loophole in the operating system of Farook’s iPhone 5, which would allow Apple to change the iPhone's operating system remotely so that it wouldn't lock the phone after 10 attempts at a password.
That update to the operating system, which Apple estimates would take between six and ten engineers between two and four weeks to create, would allow the FBI the chance to try brute-force attacks against the digital lock.
The worry raised by some government officials is that Apple and other tech device makers are intent on building products that they won't be able to break into, court order or not.
In effect, Apple wants to keep access for itself but deny it to the FBI, said Stewart Baker, a partner in the Washington office of Steptoe & Johnson.
The "FBI is saying 'If you can get in, you have to let us in,'" he said.
While specialized companies have long offered unbreakable, or at least extremely difficult to break, encryption, the case is pushing mass market tech companies to develop software and technology that lacks the loopholes the FBI seeks to exploit in the iPhone's operating system.
"The question in Congress will be whether that poses too great a risk to public safety and law enforcement's ability to investigate crimes," said McAndrew.
In the end, requiring that all software be breakable would be totally ineffective because it could easily be downloaded from outside the United States, said Nate Cardozo, a staff attorney with the Electronic Frontier Foundation, a pro-privacy non-profit based in San Francisco.
“Even if you did mandate that Apple and Google and others had to build in backdoors, nothing would stop the bad guys from just buying Chinese or Swiss or Brazilian devices that don’t have those backdoors,” he said.
The U.S. government and the FBI have in past years attempted to get Congress to pass legislation that would require companies to build backdoors into their electronic devices. None have become law.
Several members of Congress are currently working on new versions of such legislation. Should any of them pass, EFF and other pro-privacy groups are ready.
"We would gleefully file a pre-enforcement challenge — and I think we would win,” said Cardozo.
