Is Apple a privacy champion?

February 24, 2016

The pursuit of profit in the tech industry both requires and undermines consumer privacy, explains Mukund Rathi. So which one will win out?

THE DEBATE about privacy and technology is at a boiling point in the legal battle between Apple and the FBI over whether the government may compel the tech giant to circumvent its devices' security features and give the FBI access to an iPhone's encrypted data.

During testimony before the Senate Intelligence Committee on February 9, FBI Director James Comey announced that his agency had encountered a roadblock in its investigation of the December 2 San Bernardino massacre: The FBI had obtained assailant Syed Rizwan Farook's cellphone and wanted to analyze its data, but was unable to unlock it.

On February 16, a California District Court order revealed that the phone is an iPhone 5C and compelled Apple to assist the FBI in cracking the passcode security protection, which encrypts the phone's data.

The order is justified by the All Writs Act, a 1789 law that allows courts to order entities to do things which presumably fall within the purview of other legislation or "principles of law." In this case, that principle is "fighting terrorism."

Apple CEO Tim Cook

Since then, there have been a series of high-profile statements by Apple CEO Tim Cook against what he charges is government overreach. Apple is refusing to comply with the order, setting the stage for a legal fight, with oral arguments set to begin on March 22.

Some media outlets are (quite ridiculously) ruminating about the possibility of Cook being jailed, and the mainstream in general is portraying Cook as David fighting Goliath. This is an odd way of thinking about the CEO of the most profitable company in the world.

The iPhone 5C is locked and requires (the deceased) Farook's four-digit PIN to unlock and decrypt its data. The FBI would happily use brute force to enter all 10,000 possible combinations until the right one is found, but there is a problem: 10 incorrect entries will cause the phone to discard its system key, which is required to decrypt the data. The court order compels Apple to create new firmware for the phone where this safeguard is removed. The phone will reject any firmware that doesn't have Apple's digital signature, so the FBI can't just hack a solution.

The idea is that Apple will create firmware that only works for this specific phone, and the FBI will use it to extract the decrypted data. Given the intelligence agencies' affinity for hacking, though, it's not out of the question that the FBI would try to use this specific firmware to reverse-engineer a general solution.

"THE MOST important tech case in a decade," tweeted Edward Snowden one day after the court order. Snowden also pressured Google to publicly back Apple, which Google CEO Sundar Pichai did later that day, though in a measured way. The importance of this case doesn't derive from the direct impact on the San Bernardino investigation, but as a flashpoint in the larger debate over encryption and privacy.

Comey had announced the roadblock in the investigation in order to concretize his argument that tech companies' use of encryption in their products is causing U.S. intelligence and law enforcement to "go dark" when confronted by inaccessible data.

Following the November 13 Paris attacks and then the San Bernardino shootings, these arguments reached a fevered (and inaccurate) pitch with claims that Snowden's whistleblowing and encryption products enabled the attacks.

Though unsuccessful so far, there have been numerous discussions by Western governments about legislating against encryption (or compelling tech firms to include "backdoor" workarounds) in consumer products. Security researchers have continuously denounced this as a false method for fighting terrorism, as terrorists could easily find an encryption-enabled product to use.

The average consumer, however, would likely not go through the effort of ditching their original product (say, an iPhone) for something new. So the net effect of legislating against encryption would only be to reduce the privacy of the average consumer.

Since Snowden first made his revelations about the vast scope of the Big Brother surveillance state in the U.S., there has been a media focus on the tension between U.S. tech companies and the federal government. The earliest and most wide-ranging scandal was the June 2013 revelation of the PRISM program, through which the NSA and FBI collect data "directly from the servers" of a range of tech companies, including Apple, Microsoft, Google and Facebook.

THE COMPANIES' responses to this revelation varied somewhat, but generally fell along the lines of "never heard of PRISM." Further documents revealed them to be probable or outright liars.

Microsoft, for example, worked closely with the NSA to help it bypass encryption on its products, including Outlook chat and e-mail, Hotmail e-mail, Skype video chat and SkyDrive cloud storage. Moreover, all of these companies were paid millions of dollars by the NSA for their (legally required) compliance with PRISM, which leads one to wonder how they could be simultaneously unaware of the program and profiting from it.

Other tech companies, particularly telecommunication providers, are even more cooperative with and less critical of the intelligence agencies. The first Snowden revelation was that the NSA was collecting Verizon phone records for U.S. customers, for which Verizon is also paid hundreds of millions of dollars.

This is the continuation of a relationship between the NSA and phone companies that dates back to the NSA's formation--it was then called SHAMROCK. AT&T CEO Randall Stephenson recently spoke out against Apple's refusal to abide by the court order.

One document notes that PRISM is "one of the most valuable, unique and productive accesses for NSA." The reason for this underpins the relationship between U.S. intelligence agencies and tech companies and also explains why the relationship is far less antagonistic than the Apple-FBI fight would suggest.

Many commentators, such as Noam Chomsky, have pointed out that it's at the very least hypocritical for Google and other tech companies to criticize the NSA's dragnet surveillance, given that they "do more surveillance than the NSA."

In fact, their surveillance enables the NSA dragnet. "It was the existence of large service firms like Google, Facebook, Yahoo and Microsoft which control the personal information of many millions of people that enabled the intelligence agencies to gain cheap and convenient access via PRISM," explains security researcher Ross Anderson.

The business model of these companies is directly opposed to protecting consumer privacy, and it is guaranteed that there will always be a hole in their "end-to-end encryption" for the NSA to exploit.

For a company like Google to analyze your data and deliver advertising, which provides the bulk of its revenue, the data has to be decrypted at some point (as it is, on Google's servers). So long as that point exists (which will exist as long as the tech oligopolies exist), the intelligence agencies will have access (through legally enforced compliance or legally dubious hacking).

And, as readers of would expect, the state returns the favor in numerous ways: lobbying to reduce European privacy (Google controls 90 percent of the European search market); spying on foreign competitors, such as Chinese tech companies; looking the other way while Apple and other tech companies save tens of billions of dollars in tax avoidance schemes; and the list goes on.

APPLE'S REVENUE largely comes not from data collection but from selling its hardware, like the iPhone and iPad, so couldn't it have a different attitude towards privacy? The problem is that the tech industry is an oligopoly--that is, dominated by a few massive firms--so Apple's business model is based on establishing a large market share for its devices and expanding it.

Apple, like every other oligopolistic tech firm, either tries to force other firms out of what it considers "its market" and acquire their share (Samsung patent wars) and/or works with other oligopolies and partakes in their share (Google paid Apple $1 billion to be the iPhone's default search engine).

Respecting privacy would mean stopping this expansion, which is based on the commodification of consumers' social interactions ("there's an app for that!").

There are, however, mitigating factors. The backlash against U.S. surveillance since the Snowden revelations has included harsh criticism of U.S. tech companies by foreign governments--as well as cynical marketing by foreign tech companies to cast themselves as more respecting of consumer privacy.

Apple controls 80 percent of the Chinese smartphone market, for example, which is a valuable market that it wants to expand its control over, not lose for PR reasons or the perception that it might easily surrender the privacy of its present and future Chinese customers.

So while Apple is publicly intransigent on the issue of encrypted devices, it is also far more acquiescent in sharing its other sources of consumer data. In fact, Apple had first told the FBI to access the automatic iCloud backup of Farook's phone, for which the company does retain its own key and which it was willing to hand over.

However, it turned out that the FBI had reset the iCloud account password, which stopped the automatic backup (now the password must first be entered in the unlocked phone). This bungling by the FBI only strengthens Apple's case that the federal government is asking too much (though, it's worth noting, Apple will be paid for its services).

We need a new framework for understanding privacy and encryption that goes beyond the notion that Apple's defiance of the FBI is a David-versus-Goliath situation. The solutions on offer from the tech industry are not and cannot be comprehensive for our side.

Privacy is an essential precondition for any individual or group hoping to exercise the right to free speech and expression. And especially in a world dominated by a tightly integrated network of billionaires, corporations and nation states, those who seek to redress injustice, inequality, exploitation and oppression are some of the first people to be considered a threat to the "social order."

Thus, it's critical to oppose the state's maneuvers to invade consumer privacy, even when it targets tech oligopolies. The market shares that these firms control are actually the daily social lives of working-class people, which governments from Egypt to China to the United States consider a threat to state power.
