Apple is fighting to keep your data encrypted. The tech giant has now refused the FBI's request to devise an operating system that would allow the security services access to encrypted data. We look at why Apple is so determined to secure your information.

Apple chief executive Tim Cook has said the company will challenge a court order to help FBI investigators build a “master key” to access encrypted data.

The specific phone that the FBI want to access belongs to San Bernardino gunman Syed Rizwan Farook. But in a message to Apple customers, Cook stated that he believes the FBI’s current demands would only represent the beginning of their encroachment on privacy and would signal a “dangerous precedent”.

The Apple CEO also criticised the FBI’s unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority, rather than asking for legislative action through Congress.

“The implications of the government’s demands are chilling,” said Cook. “If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data.

“The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.”

Gaining access through the backdoor

The FBI has requested Apple build a version of iOS – iPhone’s operating system – that could be installed and used to circumvent current security features.

At present Apple says it has complied with valid subpoenas and search warrants, but has taken exception to what it sees as an “overreach by the US government”.

“The FBI may use different words to describe this tool, but make no mistake: building a version of iOS that bypasses security in this way would undeniably create a backdoor,” says Cook. “While the government may argue that its use would be limited to this case, there is no way to guarantee such control.”

Apple has said that it objects to the FBI’s request “to expose its customers to a greater risk of attack”, and that their court-ordered mandate amounts to asking the engineers who built strong encryption into the iPhone “to weaken those protections and make our users less safe”.

Apple’s motivation

Some commentators have suggested Apple’s motives might not be quite as noble as they seem at first glance. “I’m not in a position to guess whether Apple can break the encryption on its devices – that’s one of those things where you need highly skilled cryptanalysts to bang on them for some years and not find holes,” says Open Rights Group advisory council member, Wendy Grossman.

“What we do know is that Apple promised its customers that it could not access their data. So either it’s infeasible, as they say, or they would be breaking their word to customers. Neither is a desirable state for a public company, so I’m not surprised they’ve gone to court.”

Whatever the tech giant’s rationale for refusing the FBI’s request, Grossman agrees with Apple’s argument that once a backdoor has been established, innocent people’s data will be exposed.

“There are always hard cases with respect to law enforcement’s desire for more information. However, Apple’s decision to provide encryption it can’t crack for its customers is a rational one because opening the gunman’s phone, for example, doesn’t just expose the gunman’s data but also data relating to innocent family members and friends and other contacts,” says Grossman.

Battling on multiple fronts

The FBI’s request to bypass iPhone’s encryption follows the proposals made by policy makers in California and New York to ban the sale of encrypted phones. In their letter to customers Apple point out that such a policy would “hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data,” while criminals would still be able to encrypt data, using tools already available to them.

“The difficulty with policies such as those that have been alluded to by both the US and the UK of banning the use of encryption where law enforcement can’t gain access is a really bad idea, for several reasons. One, you cannot make a hole that only good guys can use, so a law like that opens all of us up to much worse and more pervasive criminal attack than we’ve seen before,” says Grossman.

“Democratic societies have long imposed limits on what law enforcement can access in an effort to balance the right to privacy of ordinary people and their right to protection from crime. Criminals plan in houses, but we don’t require that every householder deposit a copy of their house key in the local police station – this is a close analogy.”

71% of UK companies are not prepared to face a cyber attack

A new study has revealed 71% of UK organisations don’t believe they are “cyber resilient”.

In the report, titled The Cyber Resilient Organisation in the United Kingdom: Learning to Thrive against Threats, compiled by Ponemon Institute, businesses cited insufficient planning and preparedness, inadequate capability to respond to incidents, and a lack of clear ownership as reasons why they felt their ability to fight off and deal with the aftermath of cyber attacks was in doubt.

“When security incidents occur, organisations need to react quickly and decisively to ensure attacks are managed before they turn into serious business crises. That’s the foundation of cyber resilience,” said John Bruce, CEO and co-founder of Resilient Systems – the creators of an incident response platform designed to help companies deal with cyber attacks.

“By preparing and provisioning for these situations, and aligning the people, processes, and technology for response, organisations can improve their security posture and actually thrive in the face of cyber security incidents.”

Ponemon’s report is timely given the number of high-profile hacks that have occurred in recent months and years.

These include attacks on Sony, TalkTalk and the attack on Ashley Madison, who have recently taken to masking users’ profile pictures in a desperate bid to avoid another security failure.

“Despite the growing importance of cyber resilience, the research shows serious issues that need to be addressed if UK organisations are to survive the next wave of cyberattacks,” said chairman and founder of the Ponemon Institute, Larry Ponemon.

“Until cyber resilience becomes a coordinated, organisation-wide effort and the necessary technology and processes are put in place, organisations will remain vulnerable.”

Despite cyber attacks becoming more frequent and high profile, 56% of the study’s respondents reported that their organisations’ leaders do not appreciate that a lack of cyber resilience represents a major risk to the wellbeing of their enterprises and brand images.

Businesses will be forced to become wiser on these issues, however, as the regulatory burden for companies operating inside the European Union will grow with the upcoming introduction of the General Data Protection Regulation (GDPR), which will bring mandatory data breach reporting to Europe for the first time.

The full study is available to download directly from Ponemon Institute.