The FBI's fight with Apple over access to a dead terrorist's locked iPhone could undermine software security for banks and their vendors and complicate business in other ways.
As most readers know by now, the government has demanded that Apple create software that the FBI could use to try to crack open the iPhone of Syed Rizwan Farook, one of the San Bernardino shooters. Apple is resisting the order, arguing that it's tantamount to giving the FBI a master key that it could use to open other iPhones.
Regulators and other government agencies have long required companies to provide access to information for investigations, often secretly. The Apple-FBI case is unique, though, in that the FBI is asking for more than access to information. It's demanding that Apple create new code that could be used to bypass access controls built into the phone's operating system.
"They're not just asking Apple to give them something they have. They're compelling them to create something they don't already have," said David Weiss, senior analyst at Aite Group who focuses on banking and capital markets. "That doesn't happen in our world too much. They're compelling them to create a back door that could be reverse engineered" and used again in other contexts.
Among the many problems with this, the fallout from the case could hamper banks' ability to use secure software for communications and other tasks.
"The technology community is afraid that the precedent will limit what sorts of security features it can offer customers," wrote security expert Bruce Schneier in a recent blog post. "The FBI sees this as a privacy vs. security debate, while the tech community sees it as a security vs. surveillance debate."
A reusable back door like the one the FBI has asked Apple for could not only be used covertly by governments, but exploited by criminals, noted Stephen Cobb, senior security researcher at ESET, a provider of antivirus and security software. "Perhaps the best thing about this case right now is that it has engaged the public in a much-needed debate to a greater extent than anything since Snowden," he said.
The case could also affect banks' ability to do business internationally if it causes European leaders to nix a proposed deal that would let U.S. businesses import customer data from across the Atlantic. "If the FBI gets what it wants, it will further bifurcate the U.S. from Europe and presumably from Asia," Weiss said.
And it could affect banks' ability to buy cloud services. "You'll have stronger domicile rules," Weiss said, referring to foreign countries' privacy and security regulations, "and that will chill what you do on Amazon Web Services. Where's your AWS server?"
Background on Back Doors
The tug of war between the government officials who want easy access to information to go after terrorists, money launderers and other criminals and the technology providers that want to sell secure, privacy-protected products has intensified as vendors have tried to strengthen the security of their offerings — sometimes, ironically, at the urging of bank regulators — in response to the ever-growing problem of cybercrime. One of American Banker's security predictions for 2016 was that these crypto wars would heat up this year.
There are a lot of back doors out there. Verizon and AT&T, for instance, provide the government with access to phone calls on their networks on an ongoing basis. They have to, under the Communications Assistance for Law Enforcement Act.
Congress passed CALEA in 1994 to require telephone companies to make their phones and systems wiretap-ready to execute court orders. It provided an exception for Internet protocol communications.
"That exception helped the Internet grow tremendously, because software and hardware for the Internet doesn't have to go through an FBI approval process," said Peter Swire, professor and privacy expert at Georgia Tech's Scheller College of Business. "But now the FBI encounters difficulty sometimes. The iPhone case is an example."
Banks, too, are of course compelled to give regulators access to customer and employee records when asked. A purist might not call this a back door, but it produces the same result.
"If bank regulators or law enforcement want to gain access, they can go to the IT department and respond to court orders when they receive them," Swire said.
"Regulators worry about insider trading, and fully encrypted messages are a fabulous way to trade inside information," he said. "There are many special reasons to have financial records open to regulators because of the different ways fraud or other crimes have occurred."
Most banks use mobile device management programs for corporate phones; these programs can be used to unlock a phone's passcode restriction. (San Bernardino County, which employed Farook and issued his phone, reportedly bought but never installed an MDM program.)
"The big conflicts come when government wants access to an individual phone that doesn't have a corporate IT manager," Swire said.