Big Tech takes on Big Brother, in the fight between personal privacy and public safety. Forefront: By TSMP considers the dilemma of state-sponsored hacking in a world increasingly torn apart by terrorist threats.
The San Bernardino Shooting
On 2 December 2015, Syed Rizwan Farook and Tashfeen Malik, parents of a six-month old baby girl, opened fire with semi-automatic weapons at a San Bernardino Public Health Department party. Farook was a born and bred American citizen, and his Pakistani-born wife held a Green Card. They were eventually shot dead by law enforcement officers, but not before they had tragically killed 14 people and seriously injured 22 in what is now called the “San Bernardino Shooting”. In the aftermath of the awful massacre, the FBI’s investigations revealed that the couple were “homegrown violent extremists … inspired by foreign terrorist organizations”. There was no indication that the radicalized couple were themselves part of a broader terrorist cell or organization.
The iPhone Impasse
Further investigations by the FBI are still ongoing, and these have now led to the present and very public stand-off between Apple and the FBI over Farook’s iPhone.
Seeking to unlock the iPhone to parse the information within, the FBI had obtained an order from the Central California District Court requiring Apple to provide the FBI with a version of iOS (the iPhone’s operating system) that would not contain the auto-erase data function. This is the default function that ordinarily kicks in to erase the iPhone’s data after 10 failed password attempts. The FBI would then be able to install this special iOS on Farook’s iPhone, allowing it to safely unlock the phone without risk of data deletion by sheer and overwhelmingly repeated trial and error, a hacking technique aptly known as “brute force”.
Apple has resolutely refused to comply with the Court order, hinging its public defiance mainly on its customers’ paramount right to privacy. It says that creating the iOS the FBI are asking for would give the agency a “master key” that could be used to unlock any of Apple’s other devices at any time, a gross overreach by the US Government. Predictably, the FBI says that public safety must be paramount, a valid argument in many quarters.
The impasse raises difficult public interest issues, sparking debate and dividing opinion. New media giants, Google, Facebook and Twitter, have all backed Apple’s defiance, while Microsoft founder Bill Gates wants Apple to render the assistance ordered by the court (interestingly, Microsoft itself appears to support Apple).
So who is in the right? Which side do we come down on when the competing interests of public privacy and safety cannot be concurrently served?
What if Mas Selamat had had an iPhone?
Mas Selamat bin Kastari was the infamous head of the Jemaah Islamiyah (JI) terrorist cell in Singapore who plotted an attack on Singapore’s Changi Airport more than ten years ago. Arrested in Indonesia and extradited to Singapore, he managed to escape from detention in Singapore (after a massive but ultimately fruitless manhunt) to Malaysia in 2008. He has since been recaptured and remains detained under the Internal Security Act to this day.
What if Mas Selamat had had an iPhone? Would Singapore law have allowed our authorities to compel Apple to essentially hack his phone in order to discover his whereabouts?
Under Singapore’s Criminal Procedure Code, the police have extensive powers of investigation. These include the power to access decryption information, and to require third parties to provide technical assistance for such decryption (upon the approval of the Attorney-General). It would then be an outright offence carrying stiff penalties for someone to fail to provide such cooperation. Whilst Singapore’s Personal Data Protection Act (PDPA) specifically protects data privacy, the Act expressly preserves Singapore police and authorities’ statutory powers of investigation.
The short answer then is: Yes, Apple could probably be compelled to provide the IOS software. Whether the Singapore authorities would be able to enforce this order would depend on whether Apple would be subject to the jurisdiction of the Singapore courts on this, or if we would need to apply to the courts in the US (and if so, how they would rule is much less certain).
What does this mean for us?
With Singapore’s small geographical footprint, our status as a logistics, transportation, financial and legal hub, we must aggressively defend our public safety. Very few people would argue against an order to hack a known terrorist’s iPhone if that could reveal more information to prevent further attacks.
But the act of creating and handing over that software to the government also means that the authorities have the ability to hack into any Apple phone. With two million iPhones in Singapore, one third of all mobile phone users in our city state would be affected. Who would police the police? We may believe in the integrity of our government officials but checks and balances are a necessary pillar of any legal system. We may need to create laws specifically designed to limit access to digital information in an IT age.
Or perhaps this is rushing to shut the stable door after the horse has bolted.
We are beating our chests about the provision of software tools to the government; what about the fact that this hacking ability is or could easily be fully available to Apple? Who controls the tech giant, and what assurance do we have that the creator of our mobile phone or our social media platform is not using the information for unscrupulous ends? And it’s not just Apple. Android devices are potentially even less secure due to the open source software systems they use.
Of course, most of us are not plotting the bombing of airports or the overthrow of governments. But all of us will have information we would rather remain private. A drunken admission that could be used in divorce proceedings by your spouse; an indiscreet comment about a company where one day you may apply for a job; an ill-conceived criticism of a government that pops up as a red flag on the screen of the immigration officer who has to decide if you should be allowed entry to that country.
If we recognize the twin truths of the internet age: that what we put in cyberspace is permanent and accessible (even if not by us), and public safety trumps personal privacy in an increasingly dangerous and militarized world, we might start to view our smart devices with a touch of suspicion, and think before we tweet.
This article is jointly written by Ian Lim, Executive Director and Alexander Pang, Senior Associate, TSMP Law Corporation.