Who Sets the Rules of the Privacy and Security Game?

Publication Type: 
Other Writing
Publication Date: 
February 22, 2016

Last week’s big cybersecurity news was that the FBI obtained a court order to force Apple to develop new software that would bypass several iPhone security features so the FBI can attempt to unlock the work phone of one of the San Bernardino shooters. Apple plans to challenge that order. (Full disclosure: I am planning on writing a technologists’ amicus brief on Apple’s side in that challenge.)

The ruling was one of those rare moments where digital security developments grabbed a big share of the public limelight. There were technical explanationslegal explainers, andpolicy pieces. The editorial boards of The New York TimesThe Wall Street Journal, andThe Washington Post all weighed in to say they believed the government had overstepped by seeking to force Apple to write new code that would undermine the security of its devices. The House Energy and Commerce investigation subcommittee indicated it wants to jump into the mix, asking Apple CEO Tim Cook and FBI Director James Comey to testify about the challenge.

Meanwhile, the federal government is on a full public relations tear, with Comeydisclaiming a desire to obtain legal precedent for future investigations, and cloaking himself in the PR-friendly goal of ameliorating the sorrow of the San Bernardino shooting victims and their families. Meanwhile, the DOJ wags its finger at Apple for being motivated by business interests. The government is waging this battle for the moral high ground despite last week’s leak of a confidential National Security Council “decision memo” setting out a broader Obama administration initiative to handle the so-called “Going Dark” problem by finding new encryption workarounds and identifying laws that agencies might want to change.

This story and its subsequent developments (including the government’s motion to compel and the updated briefing schedule) has been everywhere since the story broke last Tuesday. The story will continue to unfold, and as it does so, here are some things to think about.

We live in a software-defined world. In 2000, Lawrence Lessig wrote that Code is Law — the software and hardware that comprise cyberspace are powerful regulators that can either protect or threaten liberty. A few years ago, Mark Andreessen wrote that software was eating the world, pointing to a trend that is hockey sticking today. Software is redefining everything, even national defense. But, software is written by humans. Increasingly, our reality will obey the rules encoded in software, not of Newtonian physics. Software defines what we can do and what can be done to us. It protects our privacy and ensures security, or not. Software design can be liberty-friendly or tyranny-friendly.

This battle is over who gets to control software, and thus the basic rules of the world we live in. Who will write the proverbial laws of physics in the digital world? Is it the FBI and DOJ? Is it the US Congress? Is it private industry? Or is it going to be individuals around the world making choices that will empower us to protect ourselves — for better or for worse?

Some news outlets have returned to the familiar but tired and inaccurate trope of privacy versus security. This isn’t a privacy versus security case. The FBI has a search warrant that honors and overcomes the San Bernardino shooter’s privacy interests in the phone. (Of course, there won’t be a warrant in all or even most of the cases where governments demand forensic workarounds for phone security. In the US ,warrants are endangered — for international communications, intelligence investigations, border crossings, and more. Outside the US, we can’t count on even democracies to have judicial review or probable cause requirements, or human rights-respecting laws.)

Read the full post at Just Security