Despite Apple’s highly publicized sparring match with the FBI over unlocking an iPhone that belonged to one of the San Bernardino shooters, security engineers pushed back against the idea of Apple as an opponent to the government in a meeting with reporters.
Senior Apple engineers feel that government intrusion is not their primary threat model when designing iPhone security and said they instead prefer to focus on fending off hackers.
The engineers also characterized Apple’s pushback against the FBI as motivated not by a desire to impede a terrorism investigation, but rather to defend its ability to protect users against non-governmental threats.
Apple recently revamped its internal security teams, which govern the security aspects of shipping products, conduct threat-testing against Apple’s own devices and act as a sort of filtration system that places security at the nexus of what it does. Given Apple CEO Tim Cook’s strong statements on security as a lynchpin of Apple strategy, that’s not shocking.
The security features of Apple’s iPhone have been highly scrutinized in the wake of the shooting at the Inland Regional Center in San Bernardino, CA, that killed 14 people. The FBI attempted to compel Apple to design custom software that would help unlock an iPhone belonging to Syed Farook, on the of shooters, but later dropped its case after it was approached by a third party offering another way into the phone. Law enforcement officials, from the Department of Justice to the Manhattan District Attorney’s Office, have argued that Apple goes too far in its efforts to encrypt customer data, locking out investigators along with criminal intruders.
But Apple engineers disputed the theory that the tech giant’s security features enable criminals to evade law enforcement, saying that data security is essential to the safety of society as a whole. Apple executives also pointed to the many other avenues of investigation that are available to law enforcement officials in the digital age — location data collected from cell phone towers, social media posts and transactional metadata attached to messages. The engineers’ remarks echoed a Q&A published by Apple in response to the FBI’s demands, in which the company called on the U.S. government to become an international leader in cybersecurity.
In its Q&A, Apple said the government should “form a commission or other panel of experts on intelligence, technology, and civil liberties to discuss the implications for law enforcement, national security, privacy, and personal freedoms.”
Engineers reviewed the features highlighted in the company’s Security White Paper today to explain to reporters how Apple secures its customers’ data, and stressed that Apple’s rigorous design philosophy doesn’t stop at the iPhone’s sleek rose gold exterior — it’s baked into the device’s security, too.
In particular, Apple emphasized its unique ability to build security into the iPhone starting at the silicon level — although other smartphone manufacturers sometimes outsource their chip production, Apple likes to keep everything in-house. Its latest phones ship with the Secure Enclave, a portion of the phone’s hardware that manages the keys used to encrypt the device, as part of the chip.
Apple also emphasized the role of the consumer in securing the iPhone, highlighting features like Touch ID and two-factor authentication for iCloud as ways for users to keep their devices and data safe from prying eyes. As Apple has previously highlighted, prior to the introduction of Touch ID, Apple found that only 49 percent of its customers protected their phones using a passcode. But after the introduction of Touch ID, passcode use jumped to 89 percent, Apple engineers said (users are required to set up a passcode in order to implement the Touch ID feature).
Although Apple has worked to build encryption into the iPhone from the beginning — it introduced end-to-end encryption in the earliest versions of iMessage and strengthened device encryption with the Secure Enclave — the iPhone’s security features have only begun to play a large factor in Apple’s marketing in recent years.
Consumer interest in encryption and security has risen in the post-Snowden era and spiked in the wake of the San Bernardino attack, which has influenced Apple to speak more publicly about the design and implementation of its security. It also means that it makes more sense now than ever for Apple to make sure that the press and public are well-informed when it comes to the technical and policy details of its security processes.
When the next San Bernardino case happens, Apple needs to make sure that the public understands the implications of the “it’s not just one iPhone” scenario.
One thing that bears consideration is how long any tech company, including Apple, can afford not to view government intrusion as part of its threat model. As mentioned above, Apple’s engineers do not currently do that, but any tech company that is the steward of huge stores of user information (or that manufactures those stores in the form of devices) has to at least be considering the “govtOS” vector.
In related news, Apple announced today that it will fight against unlocking an iPhone in a New York criminal case.
Fighting government demands to unlock phones puts Apple in a tough position — if investigators continue to demand Apple modify its iOS to allow decryption, the company will eventually have to decide whether or not to up its security even further and enable itself to refuse all government requests for data.
It’s not something that Apple wants to do — engineers say they don’t want to be viewed as government adversaries, and building in tougher encryption to the iPhone and services like iCloud might also mean abandoning some of the design and simplicity that is essential to Apple’s brand — but it may soon be time to include the government in Apple’s threat model, right alongside the hackers.
And as Apple has led the industry in smartphone innovation, it could lead in security innovation, as well. Silicon Valley widely supported Apple’s opposition to building a special operating system for the FBI, dubbed (by Apple) govtOS, in the San Bernardino case. It’s likely that other tech companies will follow Apple’s lead as it continues to advance its users’ security. As engineers said today, data security is an ever-evolving target.