The debate over whether tech giant Apple should help the Federal Bureau of Investigation unlock an iPhone used by one of the San Bernardino terrorists moved to Congress Tuesday, where lawmakers pressed both sides on how best to balance physical security and information security.
Apple CEO Tim Cook has maintained that the FBI’s request that the company build a backdoor into the iPhone used by Syed Rizwan Farook, one of two shooters in the attack that left 14 dead and 22 seriously injured, could threaten the security of personal information stored on other iPhones, including health data.
There is also concern that an FBI win in this case could set a precedent for similar requests in other cases. In questioning before the House Judiciary Committee, FBI Director James Comey acknowledged that possibility.
Kevin Johnson, CEO of Jacksonville, FL-based Secure Ideas, said allowing the FBI access to the iPhone 5C would be “catastrophic” to privacy.
This is a “very significant issue” for anyone who uses an iPhone and must sign a business associate agreement to protect personal health information, in accordance with the Health Insurance Portability and Accountability Act, he said.
HIPAA requires that health information created by covered entities be encrypted. “If the federal government violates the privacy chain…we can never again confidently say we can store that data securely,” Johnson added.
In February, a federal magistrate judge in California granted the FBI a warrant to search the phone, based on the 220-year-old All Writs Act, which authorizes federal courts to issue warrants to aid in law-enforcement activities. To do so, however, Apple would need to create a phone-specific version of its iOS software, something the company has refused to do.
What’s more, Apple has staked its reputation on protecting its customers’ privacy. All of its newer devices, from the 5C on, have an extra layer of protection called Secure Enclave.
According to Apple, helping the government unlock an encrypted phone would upend the whole point of encryption and threaten the privacy of millions of iPhone users.
“Building a version of iOS that bypasses security in this way would undeniably create a backdoor,” Apple’s Cook said in a Feb. 16 message to customers. “And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”
Johnson agrees, saying the government has proven time and again that it can’t secure its own networks. “How in the world can we believe that we can trust them with the privacy of every iOS device in the land?”
But while the privacy concerns may be real, Fatemeh Khatibloo, a data privacy expert with Forrester Research, said Apple should be prepared for a “mild backlash” from consumers who put state security ahead of personal privacy.
“Clearly, the FBI v Apple case is testing the balance between national security and people’s right to privacy of financial and health information,” said Vivek Kolpe, practice director at Top Tier Consulting.
Apple argues that Congress should decide that issue after serious debate involving all stakeholders. “This is not a security versus privacy issue,” Bruce Sewell, general counsel of Apple, said during a hearing. “This is a security versus security issue, and that balance should be struck by Congress.”
While the needs of law enforcement to gather evidence are real, the concern that a backdoor into one older-model iPhone would threaten data security in healthcare organizations is probably unlikely, Kolpe said.
“We have to keep in mind that the average hospital environment has numerous brands of cell phones, not just Apple, and the hospital environment has various other vulnerabilities to tackle that are as or more serious,” Kolpe said.
The real issue in this case, according to Steve Vladeck, professor of law at American University and co-editor of the Just Security blog, is whether the government should be able to coerce software firms to write new code to override security on private devices in order to access private information.
“While I think that has enormous consequences for all of us, and our privacy, I’m not sure those concerns are unique or more serious in the context of medical privacy, if only because Congress has paid so much more attention to that subject than to our privacy rights on our own smartphones,” he said.
Johnson sees the situation as more black and white. “What we have here is a case of the federal government critically undermining the security and privacy of the mobile Internet,” and with it the privacy and security of health records and other personal information stored on mobile devices.