Privacy vs. protection: Cybersecurity and the public good
This feature first appeared in the Summer 2016 issue of Certification Magazine. Click here to get your own print or digital copy.
In recent months the vexing problem of protecting the greater good while ensuring security and privacy in the digital domain has come to a head with the controversy pitting Apple against the Federal Bureau of Investigation.
The public and bitter dispute (ultimately resolved through a third-party hack purchased by FBI officials in March) has raised many intriguing questions such as: How do we keep our data secure? Who has a right to see it? To what extent do governments have a right to the personal data of citizens? How much privacy are we willing to give up in exchange for greater public safety and security?
Benjamin Franklin, printer, publisher and U.S. founding father, is often misquoted as having said, “Those who are willing to give up some privacy for security deserve neither.” (Franklin’s actual words, in a letter written on behalf of the Pennsylvania General Assembly during the French and Indian War, are: “Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.”)
That popular variation on Franklin’s original theme resonates with many as we struggle to address questions of privacy and security. How much do we value the privacy and security of personal data, and how much of that privacy might we be willing to sacrifice in the name of greater public safety?
Once upon a pre-digital era
There was a time when our finances and personal information were fairly secure. We kept our money in the bank (or safely in our wallets) and wrote personal checks in payment for our purchases.
When we corresponded with someone, we could be reasonably certain that the Postal Service would see our letter safely to its destination without the contents being intercepted or scrutinized. When we held a private conversation with someone via telephone, we could generally expect that it would be just that — private.
Evolving technology has changed all of those expectations. Cash and check transactions have given way to credit cards and such internet mechanisms as PayPal, we correspond and converse via the more instantaneous media of e-mail and text, and quite often work with the internet constantly at our fingertips.
Our lives have become much more convenient. The technology that accomplishes all of that, however, is a double-edged sword as we have, in many ways, sacrificed security and privacy for convenience.
Since our world went digital, those with malicious intent have worked tirelessly to take advantage of our convenience for their benefit. They relentlessly seek to attack and breach our digital systems. Hackers come in many flavors — some work for financial gain, while others practice “hacktivism” in the service of social or environmental causes. Some are corporate spies and some are bored malcontents, thrill seekers, and — increasingly — operatives of rogue nation and states.
These ongoing attacks have made it necessary for those who build and utilize computer systems to develop complex and sophisticated defenses against attack. Those defenses often come in the form of properly configured firewalls, anti-intrusion software, intrusion detection systems, user training, passwords, least privilege access, and ever-stronger encryption of data.
The “E” word
This last defensive technique, data encryption, lies at the heart of the Apple vs. FBI question. The concept of data encryption is complex, but in essence it takes input that a designated user creates and transforms it from plain text to encoded data that can only be accessed by the designated user.
Encryption works well in protecting personal information of all types from prying eyes. Even if a person with malicious intent manages to breach the digital defenses of a given device or storage medium, the data they recover will be useless to them in its encrypted form.
Unfortunately, criminals and terrorists have access to the same commonplace and widely deployed encryption tools that protect the rest of us. Which changes the rules of a long-established game.
The right of officers of the law to intercept messages, originally over telephone lines, between individuals involved in criminal activity, has long been upheld by U.S. courts. Legislation such as the Communications Assistance for Law Enforcement Act of 1994, Foreign Intelligence Surveillance Act, and the Patriot Act have broadened the powers of government agencies to monitor data that is transmitted electronically.
As technology has evolved, however, it has become increasingly difficult for agencies such as the FBI to monitor the correspondence of the people they are seeking to investigate. The difficulty stems from the very strong encryption now being used by manufacturers.
That same strong encryption, in light of the Edward Snowden revelations regarding spying by the U.S. National Security Agency and other officials, is now energetically demanded by the general public. As noted by Kevin Poulsen in a 2014 Wired article:
Snowden illustrated the capabilities of determined spies, and said what security experts have preached for years: Strong encryption of our data is a basic necessity, not a luxury.
Now that Snowden’s revelations have reinforced just how vulnerable our data is, companies like Apple and Google, who were painted as NSA collaborators in the earliest Snowden leaks, are newly motivated to demonstrate their independence and to compete with each other on privacy.
Equal protection for all users
Indeed, manufacturers like Apple are incorporating increasingly sophisticated encryption in their products. The encryption in the latest versions of the Apple iPhone is so powerful that Apple itself says company technologists can’t “crack” its own phones.
This has led people with criminal intent to reap an unintended consequence of the privacy guaranteed by the newly impenetrable veil of secrecy — suddenly a smartphone is a surprisingly strong repository for any information stored there. The key case in point is, of course, the San Bernardino shooting attack of December 2015.
In that instance, one of the terrorists involved received the benefit of newly upgraded security features after his iPhone was recovered by FBI agents. The phone’s built-in privacy protections prevented law enforcement agents from tracking the group’s further actions and ambitions in the aftermath of the shooting.
The FBI asked Apple to cooperate in its investigation, Apple refused, and a firestorm erupted in the media over privacy rights. As noted in a February NBC News report, Apple CEO Tim Cook defended his position by saying, “The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals.”
As reported in an iDigital Times post, Google CEO Sundar Pichai backed Cook’s play, stating, “Forcing companies to enable hacking could compromise users’ privacy.”
Still to be determined
Security versus Privacy became, and still is, the great debate. Though, as noted above, the Apple vs. FBI standoff was eventually rendered moot, the controversy remains.
On one side of the issue are those who defend absolute privacy and would deny law enforcement any access to anyone’s data. On the other side, there are those who feel that, to ensure our security as a nation, we must sacrifice some level of privacy.
Which side will prevail? Writing for CNN earlier this year, commentators Mike Rogers and Jason Grumet argued in favor of negotiating a middle-ground solution:
What is truly dangerous is the divide between our security needs and the economic interests of industry. It is time for Washington and Silicon Valley to realize that it is to their benefit to get along and work together on shared interests. Bridging this gap is not just an exercise in overcoming differences; it is critical for America’s continued international competitiveness, economic growth and national security. The U.S. economy will not grow if the nation is unable to protect its assets.
Finding this middle ground of privacy and security is imperative because technology is only going to continue to evolve and increase in complexity. With that in mind, we can ill afford to let those with evil intent stir their cauldron behind the steel curtain of encryption.
We must protect the privacy of individuals, yet we must also provide law enforcement with the tools to enforce the laws that we as citizens have enacted. Elected officials and technology companies must find common ground and put forth legislation that serves both ends: protects our privacy, yet promotes our safety.
As a nation, we rightfully guard the privacy rights secured by the fourth amendment. Yet we also must recognize that, given the right conditions, it is beneficial, and perhaps even essential, to sacrifice some level of those rights for the overall protection of the nation.
The security of our country should be paramount in our thoughts, because unless we are secure, our rights are inconsequential and our freedom is lost. As Nelson Mandela once said, “Freedom would be meaningless without security in the home and in the streets.”