Login  |  Register  |  Contact

Do We Have a Right to Security?

Don’t be distracted by the technical details. The model of phone, the method of encryption, the detailed description of the specific attack technique, and even feasibility are all irrelevant.

Don’t be distracted by the legal wrangling. By the timing, the courts, or the laws in question. Nor by politicians, proposed legislation, Snowden, or speeches at think tanks or universities.

Don’t be distracted by who is involved. Apple, the FBI, dead terrorists, or common drug dealers.

Everything, all of it, boils down to a single question.

Do we have a right to security?

This isn’t the government vs. some technology companies. It’s the government vs. your right to fundamental security in the digital age.

Vendors like Apple have hit the point where some of the products they make, for us, are so secure that it is nearly impossible, if not impossible, to crack them. As a lifetime security professional, this is what my entire industry has been dreaming of since the dawn of computers. Secure commerce, secure communications, secure data storage. A foundation to finally start reducing all those data breaches, to stop China, Russia, and others from wheedling their way into our critical infrastructure. To make phones so secure they almost aren’t worth stealing, since even the parts aren’t worth much.

To build the secure foundation for the digital age that we so lack, and so desperately need. So an entire hospital isn’t held hostage because one person clicked on the wrong link.

The FBI, DOJ, and others are debating whether secure products and services should be legal. They hide this in language around warrants and lawful access, and scream about terrorists and child pornographers. What they don’t say, what they never admit, is that it is impossible to build in back doors for law enforcement without creating security vulnerabilities.

It simply can’t be done. If Apple, the government, or anyone else has master access to your device, to a service, or communications, that is a security flaw. It is impossible for them to guarantee that criminals or hostile governments won’t also gain such access. This isn’t paranoia, it’s a demonstrable fact. No company or government is completely secure.

And this completely ignores the fact that if the US government makes security illegal here, that destroys any concept of security throughout the rest of the world, especially in repressive regimes. Say goodbye to any possibility of new democracies. Never mind the consequences here at home. Access to our phones and our communications these days isn’t like reading our mail or listening to our phone calls – it’s more like listening to whispers to our partners at home. Like tracking how we express our love to our children, or fight the demons in our own minds.

The FBI wants this case to be about a single phone used by a single dead terrorist in San Bernadino to distract us from asking the real question. It will not stop at this one case – that isn’t how law works. They are also teaming with legislators to make encrypted, secure devices and services illegal. That isn’t conspiracy theory – it is the stated position of the Director of the FBI. Eventually they want systems to access any device or form of communications, at scale. As they already have with our phone system. Keep in mind that there is no way to limit this to consumer technologies, and it will have to apply to business systems as well, undermining corporate security.

So ignore all of that and ask yourself, do we have a right to security? To secure devices, communications, and services? Devices secure from criminals, foreign governments, and yes, even our own? And by extension, do we have a right to privacy? Because privacy without security is impossible.

Because that is what this fight is about, and there is no middle ground, mystery answer hiding in a research project, or compromise. I am a security expert. I have spent 25 years in public service and most definitely don’t consider myself a social activist. I am amused by conspiracy theories, but never take them seriously. But it would be unconscionable for me to remain silent when our fundamental rights are under assault by elements within our own government.

—Rich

No Related Posts
Previous entry: Building a Threat Intelligence Program: Gathering TI | | Next entry: Presenting the RSA Conference Guide 2016

Comments:

If you like to leave comments, and aren't a spammer, register for the site and email us at info@securosis.com and we'll turn off moderation for your account.

By Thomas Peak  on  02/19  at  11:22 PM

If you’d like to support Apple’s stance on privacy, there is a White House petition at https://petitions.whitehouse.gov/petition/apple-privacy-petition

By John  on  02/19  at  11:36 PM

I think we’ve all kinda lost perspective here.  How about this as a further question.  Simply does law enforcement even have the authority or power to “force” or compel a company to create something that doesn’t exist?  This is essentially what they are “asking” for in this order.  A “hacked iOS” with open back door and no pin lock doesn’t even exist right now.  Is there any president or law which can require a company to eat costs and forcibly develop a tool from scratch?  They sure can request assistance, but I think the law enforcement has overreached by thinking they can compel a company to actually build them a tool.

Consider this as well that all Apple has to do on this order is say its too burdensome and they don’t have to comply. “To the extent that Apple believes that compliance with this Order would be unreasonably burdensome, it may make an application to this Court for relief within five business days of receipt of the Order.”  Its in the order it has no teeth and this whole thing dies once they say it is too much of a burden.

By Grzegorz Lindenberg  on  02/20  at  09:59 AM

As to foreign undemocratic governments: they have a very efficient system of biological cracking any security features, Apple included: they beat you up till you give them your password.
As to criminals abusing our lack of security: it is up to the government to make sure criminals are caught and punished.
And I think your are playing the words game: you write about “right to secrecy”, not about “right to security”. 
It all boils down to a simple question: do we care about saving lives from terrorists’ atttacks more than we care about secrecy of our bank accounts?

By GizmoDan  on  02/21  at  12:59 AM

What will be outlawed next? Shredders?

By Moe Better  on  02/21  at  09:14 AM

The court order is not only burdensome, it is illegal and against the US Constitution, specifically the 4th amendment. 

Yes “law enforcement” has over reached.  They only seem intent on enforcing the laws that will keep us “safe”.  This allows “law enforcement” to do whatever the hell they want ... which is ironic since we are facing a fascist ideology, that few in authority want to acknowledge.

By James  on  02/21  at  02:00 PM

I don’t like the idea about encryption because it is easy for criminals, terrorists and pedophiles to hide from law enforcement.  Apple should not protect those people at all and let FBI get that specific person to take a look at it.  FBI knows it is our right to privacy because of Constitution   and it doesn’t mean FBI will look everyone’s phone by using backdoor that they want Apple to make one for them.

By Rich  on  02/22  at  12:19 AM

@Grzegorzand - No- I really do mean a right to security. Encryption is foundational to all computer and online security. Everything from bank transactions to making sure you are looking at the right website. Plus, on your device, Apple put the features in to prevent criminals from being able to read everything on your phone after they steal it, since that’s what was happening before. Secrecy is nice, but security is what I care about.

@james - I actually do trust our government most of the time. However, we can’t deny there have been abuses, nor assume there won’t be in the future. What the FBI is trying to do is put policies in place so we can never have secure devices that they can’t get into. It doesn’t mean they will abuse that, but no government has ever had such powerful capabilities to track and monitor their citizens before. Never in the history of humanity.

By Kel  on  02/22  at  11:03 AM

What I worry about it access - if they have global access to information and can read whatever they want, what is to stop them from writing what they want back to the device? It’s not like there haven’t been issues with forged or contaminated evidence previously.

By Skip  on  02/22  at  03:07 PM

The thing about all this that is so sadly amusing is that it does seem that the FBI apparently is missing a ton of neurons regarding this.  I still wonder what the real problem is with the FBI techies….  Do they just thrive on ‘stupid’ pills?  Thanks.

By GMcK  on  02/24  at  01:54 AM

Let’s not just name the Fourth amendment, but understand exactly what it says. “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” In the twenty-first century, my “papers and effects” reside on my phone, PC, and in my accounts in cloud storage. You don’t need to be a trained legal scholar to understand this principle. The Constitution doesn’t say anything about “except in cases of national security.”  The current Director of the FBI, like his predecessor J. Edgar Hoover, thinks that the Constitution doesn’t apply to him or his agency.  He’s wrong.

By David  on  02/24  at  08:59 PM

Don’t forget government secrets. We’re so worried about Clinton’s email server. What about her phone (and her aides’ phones)? Are we really going to demand the creation of a tool that could undermine state secrets (that isn’t controlled by the NSA)?

Name:

Email:

Remember my personal information

Notify me of follow-up comments?