You would have to be living on another planet to not be aware of the legal tug of war going on between Apple and the FBI. Briefly, the US Federal government (in this case represented by the FBI) asked Apple to help them ‘crack’ the password of one of the iPhones used by a shooter in the December 2015 attack in San Bernardino, where 14 people were killed and another 21 injured (see this article among others).
Apple’s position is summed up in a letter on their web page, which states:
“When the FBI has requested data that’s in our possession, we have provided it. Apple complies with valid subpoenas and search warrants, as we have in the San Bernardino case. We have also made Apple engineers available to advise the FBI, and we’ve offered our best ideas on a number of investigative options at their disposal.
We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.
Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.”
The FBI on the other hand states its position in a press release quoted below (see: fbi.gov):
“The particular legal issue is actually quite narrow. The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve. We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That’s it. We don’t want to break anyone’s encryption or set a master key loose on the land. I hope thoughtful people will take the time to understand that. Maybe the phone holds the clue to finding more terrorists. Maybe it doesn’t. But we can’t look the survivors in the eye, or ourselves in the mirror, if we don’t follow this lead.”
As a practical matter, the federal government could probably send the phone to the NSA, and the NSA would likely have little trouble getting whatever information the FBI wants. However, assuming the NSA does have this capability, it would not want anyone to know that. (Supporting this position is none other than Richard Clarke, who served under three presidents; see this Newsweek article.)
What does this mean to you?
Essentially, it means that no organization worth its salt should continue without a well-thought-out, coherent and well-understood BYOD and company equipment security strategy and policy.
Virtually every organization today works with stakeholders who use their own smart phones. In a BYOD world the organization needs to take steps to protect itself, its assets and its stakeholders. This includes having stakeholders recognize that using their own device is a privilege, and that with this privilege come certain tradeoffs.
Communications with the organization should reside inside the organization’s own IT infrastructure so that they are always accessible to the organization. The stakeholder should acknowledge (in writing) that the organization monitors and stores communications, and consent to those activities in return for being able to use their own smart phone.
When the organization provides the smart phone, the organization should do all that is technologically possible to ensure that it has access to the device no matter what. It also needs to ensure that the employee acknowledges, as a condition of employment and by using the device, that this is the employer’s device and that the employer maintains the capability to access it without the employee’s consent.
Employees should be on notice that their employer has access to the device. One would argue that this is proper notice that employees would do well to have another, personal phone for their personal use and data.
While every organization is different, we feel these comments would benefit most organizations. Readers’ input, as always, is invited.