The Edward Snowden revelations of massive secret government surveillance and the string of data breaches at large U.S. companies have increased awareness among the American people about the need to protect the privacy of their electronic data. While public pressure has so far had no affect on U.S. law, it has prompted many technology companies to increase the security of their products, most notably Apple’s encryption systems on its new iPhone 6. This change significantly improves the protection of personal data that is stored on the device, but it also places a narrow set of information beyond the reach of anyone, including the government, and makes other communications information slightly more difficult to access.
#### Ken Gude
##### About
Ken Gude is a Senior Fellow with the National Security Team at the Center for American Progress.
Apple’s new encryption has prompted a breathtaking and erroneous scare campaign led by Federal Bureau of Investigation director James Comey. In a speech at the Brookings Institute this week, Comey went so far as to claim that Apple’s new system risks creating an environment in which the United States is “no longer a country governed by the rule of law.”
This is absurd. The only actions that have undermined the rule of law are the government’s deceptive and secret mass surveillance programs. In the absence of any changes in the law to better protect Americans’ privacy, technology companies are responding to the demands of their customers and improving many security and privacy policies.
Apple’s new operating system, iOS 8, makes two changes to the encryption of data on the device that dramatically increases the security of those data. First, it now encrypts and passcode protects virtually all data on the device---such as text messages, photos, contacts, and notes---unlike previous versions of iOS. Secondly, and most importantly, it virtually eliminates the possibility that the encrypted data can be unlocked without the passcode. Earlier operating systems allowed Apple to unlock any device with a key that it controlled. But in iOS 8, Apple has essentially thrown away the key so it can’t access the data anymore. Hackers, cyber criminals, and thieves can’t access it. And governments, foreign and domestic, can’t access it either.
>The only actions that have undermined the rule of law are the government’s deceptive and secret mass surveillance programs.
To be clear, this encryption only relates to data stored exclusively on the device. Data that is backed up by Apple’s iCloud storage system, a default setting which can be turned off, is accessible by Apple and can be turned over to the government pursuant to a warrant. The metadata regarding electronic communications and the content of those communications can be accessed by the telecommunications carrier, and turned over to the government pursuant to a warrant. And data that are stored in individual applications, such as Google search data, are controlled by the app developers and can also be turned over to the government pursuant to a warrant.
The elimination of the key is the crucial element of Apple’s improved security systems and the crux of Comey’s criticism. The existence of the key allowed Apple to unlock individual devices and gain full access to the data on the device, sometimes in response to a request from the government, but far more often from device owners who had either lost it or had it stolen. Since it is impossible to create a back door into an operating system that eliminates the possibility that other unauthorized access will occur, the key also created a vulnerability that could be exploited by hackers, cyber criminals, or foreign intelligence services. This vulnerability could have opened the door to a much larger data breach than those at Target or JP Morgan, affecting tens of millions of Americans and hundreds of millions more worldwide.
Comey wants us to believe that the elimination of the key could allow violent criminals to “go dark”---thus evading detection and arrest. It is possible to construct a hypothetical scenario in which the only evidence of criminal activity is stored on a suspect’s personal device, consists only of data not backed up in cloud storage, and is not in the possession of third parties like telecommunications carriers or app developers. But none of the criminal cases cited by Comey meet that hypothetical because in real life those instances would be extremely rare and far outweighed by the clear public benefit of preventing the very real threat of a large-scale data breach that could affect millions of Americans.
Soon after Apple released iOS 8, Google announced that its new version of the Android operating system would include this security upgrade. To be sure, technology companies have a long way to go to reassure the American people that the data they collect and store are justified and securely protected from unwarranted government or other unauthorized access. But FBI Director Comey’s claim that the “post-Snowden pendulum has swung too far in one direction” is completely wrong. The pendulum of government policy has not swung at all.
