Those of us who build Internet companies need to understand encryption well. It’s our top tool for keeping customer data safe, which is important in today’s economy. The Internet is tied to the economy in nearly every way one can think of. Most commerce has some critical component that exists online. Whether it is the entire transaction or logistical steps along the way, commerce is driven by data traversing networks to and from devices. It is essential we keep the tools we have to protect our networks and devices. It is not hyperbole to say these tools drive our modern world. There is the simple truth that has been lost repeatedly in these discussions: keeping people’s data safe matters. Tech businesses of all sizes now touch our medical data, legal or banking information or other sensitive personal details, and they have as much a stake in this as Apple or any of us do.
This article will serve as a primer on the Apple case for those who haven’t been following it, viewed through the lens of its implications for small business.
It’s hard to forget that the company at the heart of the FBI encryption debate right now is Apple, literally the biggest company in the world (by market cap). To really see what’s at stake in this debate, we need to remember that most businesses in the world are not Apple. In examining what the FBI has requested, we must remove the word “Apple” and substitute the words “private industry”. Private industry, especially in tech, may seem like it’s heavily weighted towards a few large players, but in reality tech is made up of mostly small businesses struggling to survive.
Apple’s tech is cool and they have tremendous amounts of money, so it’s easy to assume that they could just use all their resources to magically ‘figure out’ a solution to the problem at hand. Now take that same government request and put it in the hands of a fifty-person Internet company with innovative ideas trying to get off the ground, compete and change the world. That kind of request would very likely be a death knell for that small business.
We do need to first pause and take a look at specifically what is happening with Apple. Let’s remember that ten years ago, the iPhone didn’t exist, and people didn’t need to worry about protecting their important personal data on any handheld device. Apple has spent the last decade trying to make its devices more secure, and that has led us to a point where the device in question is both encrypted and set up with a password. The complexity of the situation comes from features available to users whereby, if the password is entered incorrectly too many times, the device becomes inaccessible. Depending on the phone owner’s settings, iOS may wipe the phone after nine incorrect attempts. These kinds of prevention mechanisms are not out of place in today’s world.
Most Internet companies these days leverage encryption for user data protection and set thresholds for password verifications so that at a certain point a user is locked out. These are common modern tools to keep user data safe. Apple has determined that the only way it can comply with the demand to circumvent its security features is to build a new version of its technology that allows for that type of circumvention and load it onto the device somehow. Some are calling that circumvention a ‘back door’. With respect to the FBI, the judge’s requirement does not ask for a ‘backdoor’ to be created in the iPhone; it simply asks for Apple’s help to get the data off the phone.
If you are unfamiliar with how good system design works, it may seem surprising that Apple’s “only way” to comply is to re-architect their system, but it makes sense. Simply put, you don’t build in access points you don’t expect to need. It’s a security liability to do so. Needing to build a purpose-built access point for governments is the point.
Even knowing this, it’s reasonable to wonder how creating such an access point would make us all less secure. Let’s use a real-world example. Imagine you have a cage with no doors and no locks. Now imagine the government demands that they get something from within the cage. You need to build a door, and then put a lock on it. They get what they need from out of the cage, and you attempt to return to normal. Only now your cage, which used to be secure, has a door and a lock in it. There are lots of lockpicks out there. You have introduced tremendous new vulnerabilities into your otherwise secure cage.
These aspects of the case are being talked about to death. What is more important is to examine the threat of establishing a really bad precedent that says it’s OK for the Federal government to demand compliance from a company to bypass its own security, even if that requires significant re-architecting of the company’s systems. This is where we need to put the request through the lens of a small business.
Imagine a future where technology companies are obligated to assist the government in data retrieval even if it requires the re-architecting of their systems to make them less secure. The crux is that if the courts rule against Apple, it could end up having a far greater negative impact on innovative small tech than it ever will on Apple.
In a world where governments can require businesses to circumvent any security measure they can implement, small businesses are hardest hit. Who will have the most difficult path forward when it comes to managing the coding and manpower required to lock down systems then made vulnerable? Who will have the most difficult time managing the liability and risk of weaker encryption standards? In each case, the answer is that those hardest hit will not be Apple and the titans of technology, but the countless small businesses that fight to be the next Apple, Google, Facebook or Amazon.
Small businesses will also bear the worst brunt of the implications this case has on global competitiveness. How will the resolution of this case affect other governments considering the same thing? Will that create areas of the world where it is easier to use strong encryption and ones in which it is harder? Will doing so create regions of the world that are more or less competitive strictly based on economic permissiveness of existing technology? It’s hard for a small infrastructure-based business to pick up and move to another country because their own has required the weakening of the technology required to keep their networks safe.
Those of us who build and operate Internet companies need to defend against government-mandated weakening of computer security. This isn’t about Apple; it’s about all of us, our clients, and the economy that sits upon the Internet industry’s infrastructure. Make no mistake, the scope and future implications reach much further than a single individual’s privacy.
i2Coalition is a key defender of these important issues. We also connect the leaders of the Cloud with lawmakers to help them better understand the Internet, so that smarter decisions get made. Some of those leaders and members, like SpamExperts, are doing some amazing things with encryption. Here’s i2Coalition member, Area1 Security CEO Oren Falkowitz, on CNBC.