The fight for data privacy has been playing out for many years.
With a few notable exceptions, including Max Schrems grappling with and winning against Facebook, it's largely been a pillow fight. Lots of talk. Less action. A hyped up snooze fest.
But, in the past 24 hours, the fight just got real.
As of this morning, we finally have an opportunity to watch an authentic heavyweight fight that will go a long way toward determining the fate of digital privacy in the modern world.
In one corner is Apple, concerned users, the EFF, and other privacy advocates. In the other corner, you have governments, law enforcement, and intelligence organizations—themselves concerned about the possibility of losing the ability to conduct legal surveillance in the battle against crime and terrorism.
Let's get ready to rumble!
Apple yesterday announced that end-to-end encryption will soon be available to a much wider range of iCloud data, including device backups, messages, photos, and more. The move by Apple is in response to longstanding demands of users and privacy groups who have implored the company to improve end-user privacy.
Immediately after the announcement, the EFF issued a statement claiming VICTORY and applauding the new feature as an example of Apple's renewed commitment to end user privacy.
"We applaud Apple for listening to experts, child advocates, and users who want to protect their most sensitive data. Encryption is one of the most important tools we have for maintaining privacy and security online."
iCloud end-to-end encryption, or what Apple calls Advanced Data Protection, encrypts users' data stored in iCloud, meaning only a trusted device can decrypt and read the data. When users opt-in to the service, data contained in iCloud accounts can only be decrypted and read by the end user via a trusted device. Neither Apple, nor law enforcement, nor any government could access such data in the Apple iCloud.
Other privacy advocates including the Surveillance Technology Oversight Project, or S.T.O.P., hailed the news as well stating that Apple is finally catching up to its long-touted commitment to data privacy.
Growing Government Demand for Commercial Spyware
A mere twelve hours later, the New York Times published a story entitled How the Global Spyware Industry Spiraled Out of Control, detailing the exploding demand for commercial spyware—with countries around the world, including both democracies and authoritarian regimes, looking to purchase sophisticated tools that make it possible to steal data from individual phones, or from backup services like Apple iCloud.
And it’s not just a few governments leveraging spyware: The Carnegie Endowment for International Peace has documented 73 countries procuring and using commercial spyware. Such tools include NSO’s Pegasus, which can be deployed on mobile phone remotely, without the user having to click on any malicious link—or take any action at all. Less sophisticated (and less expensive) tools like Paragon Graphite are available and in high demand, and reportedly utilized by the U.S. Drug Enforcement Agency.
Of course, spyware and digital forensics tools can be used for good or evil, but the simple reality is that commercial spyware is an incredibly powerful weapon—making it possible for owners of the tools to surreptitiously access personal data from smartphones. If such tools are properly utilized in concert with established law, they can be invaluable in the fight against crime and terrorism. If such tools are improperly utilized, for example by authoritarian governments, it can be a dark day for humanity.
Unhappy and Deeply Concerned (Again)
While privacy advocates have applauded Apple's decision to expand iCloud end-to-end encryption, governments have expressed significant concern. In particular, the FBI, which has long been engaged in disputes with Apple about privacy and encryption stated that it is deeply concerned with Apple's decision because it will make it harder for them to do their jobs when legally requesting access to data. In a statement to the Washington Post, the FBI said:
“This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime and terrorism. In this age of cybersecurity and demands for ‘security by design,’ the FBI and law enforcement partners need ‘lawful access by design.’”
Time will tell if pushback from the FBI will alter Apple’s plans in any way.
It's also important to note that, for the time being, the feature is opt-in only (not enabled by default) and it's only available at launch in the United States.
Neither Side Is Wrong; Both Can Co-Exist
Apple is right to implement Advanced Data Protection and enhance the privacy of users.
And the FBI is right that this will make it harder for law enforcement agencies to do their jobs because in certain situations, when users opt-in to the service, Apple will no longer hold the key to unlock any data. Therefore, law enforcement cannot simply get a subpoena or a warrant, and compell Apple to decrypt the data and hand it over in clear text.
However, just because this development is likely to make the job of law enforcement a bit more challenging, it does NOT make the job of law enforcement impossible by any means. In fact, this could serve as the perfect motivation for the FBI and Apple to collaborate together for purposes of developing the ability to conduct "privacy preserving" analytics on sensitive and fully encrypted data.
Sound impossible? It's not. The technology exists today and enables engineers and authorized data scientists to securely query sensitive information without ever decrypting the underlying data. The result is a society that can fundamentally respect an individual's right to data sovereignty, without sacrificing its ability to investigate and fight crime. Furthermore, it would finally put an end to the circular and 25-year-old debate on Capitol Hill pertaining to "clipper chips" and "backdoors."
