Up until recently, Apple maintained the ability to provide information to the government, without loss of safety or security of the data stored on their devices, Loretta Lynch tells RSA audience.
SAN FRANCISCO -- U.S. Attorney General Loretta Lynch says she's surprised that Apple has put up a legal firewall against the Federal Bureau of Investigation in the San Bernardino iPhone backdoor case, because it has cooperated with federal law enforcement in the past.
Lynch addressed a packed house March 1 at the RSA conference here at the Moscone Center, at which a record 35,000 security professionals are gathered for most of this week.
The government's dispute with Apple is over the FBI's request for the company to develop a backdoor to the encryption security on the iPhone 5C that had belonged to a terrorist in the Dec. 2 San Bernardino shooting that resulted in the deaths of 14 people. The request already has been affirmed by one court and denied indirectly by another court in a similar case; the case is expected to evolve to higher judicial levels before a determination is finally reached.
"In fact, up until recently, Apple maintained the ability to provide information to the government, without any loss of safety or security of the data that was stored on their devices," Lynch said during an on-stage conversation with Bloomberg News' Emily Chang.
'Not Just About Apple; About All of Us'
"But we shouldn't be making this all about Apple, when in reality it's all about us. It's about how all of commerce manages and protects our data. The reality is, American industry is very good at using encryption and protecting our information and still maintaining the ability to use it for security purposes, marketing purposes and to be responsive to court orders. It happens all the time, every day of the week, all across America.
"This is a very different decision by Apple to not participate in that national directive."
While the FBI's request for a backdoor is specific only to the San Bernardino case, Apple CEO Tim Cook has warned in an open letter to customers that to provide the code to unlock encryption and force access to the information on the phone would open a Pandora's Box of trouble for all Apple phones everywhere. Apple itself has no backdoor for its own devices, since customers themselves set passwords and personal security questions. Cook said his first obligation is to Apple's customers and that the company has a responsibility to adhere to its security promises.
Chang pointed out that since the FBI vs. Apple case made the headlines, 12 other cases involving possible evidence on 14 more iPhones are already queued up to ask for similar backdoors. There are potentially many more cases that could come to the fore.
Middle Ground Sought
"Where is the middle ground on this?" Chang asked.
"We're investigating the worst terrorist attack on U.S. soil since 9/11. For me, the middle ground is to do what the law requires," Lynch said. "This is not about me telling Apple to do something. I don't get to do that; I have to go to court and ask permission to go and do anything, whether it's a device, or a box of documents at someone's house. If there were a box of documents that I could show a court that might have evidence of a crime, and the lock on the door was such that I needed help to get in without those documents self-destructing ... that's what we're asking Apple to do.
"Don't run in and get it for us, don't take that risk, don't pull them out yourself--but in this instance, do what you did for years, until about a year ago, and essentially, help us with this particular matter."
To Chang's point that "if Apple makes a key to one door, it says it's making a key to all iPhone doors," Lynch said that Apple and other U.S. companies "do a great job with encrypted data, but it needs to comply with court orders; it has been using customer data for years for its own marketing purposes (with no security issues).
"This has been going on for years, and we have not had the parade of horribles that Apple is now asserting," Lynch said. "We just want this one particular device. They don't need to give the technology to us; they could keep it, they could destroy it. We just want the data; we don't want them to be the ones to get into it."
Other iPhone Cases Cropping Up
On Feb. 29, a judge in Brooklyn, N.Y. ruled, in a similar case involving another iPhone, that law enforcement could not force Apple to crack it open so that police could attempt to find evidence.
"I was disappointed in that decision," Lynch said. "This was a case in which Apple had actually promised to help us. It's an older version of the phone, doesn't involve encryption at all. It is one of the many cases in which they, and other companies have provided assistance over the years. Their position didn't change until the judge's request for their opinion became public.
"I think this is a case of 'Will you do what you've always done?' which is what every American citizen and company should do: Comply with the law."
These cases are a clear indicator of how ubiquitous data is on personal smartphones, and how much law enforcement wants to mine those data silos.
"This is where data does reside. Our requests have to be limited, focused, specific to what we need to find," Lynch said. "This is not a request to rummage around and hope that we find something. Whether it's a phone or a computer, we set up safeguards so that we don't go further than that."
Apple Contends Code is Protected by First Amendment
In its defense, Apple also has asserted that code is a form of expression protected by the First Amendment, and therefore not subject to such forced capture.
"I think that this is a very important topic for discussion," Lynch said, "because it has ramifications far beyond this case as to whether someone should write code to comply with legal process. But as to whether it (code) has commercial aspects: What is the answer to protecting commercial speech versus free speech, when you're talking about code?
"Those are fascinating issues, but they're not the issues that drive this particular case."
Why is the FBI focusing on this one phone, when there is a world of other information out there that possibly can be mined to investigate this case? Chang asked.
"I get asked that frequently. They say we live in a world of information, everybody has a cellphone, there's all this data out there. My response is: So what in all those datasets are responsive to law enforcement's needs to find out what the terrorists are planning to blow up next?" Lynch said. "There's not really a response to that."
'In This One Area, We're Done'
Lynch said she thinks Apple is a "great company" but that she's curious as to why their view is that "we're going to innovate, we're going to create, we're going to move forward, but in this one area, we're done. We're not even going to think about this anymore. I just find that surprising, and I'm not sure that that's really the best response to this issue.
"That's not what I expect from one of our great American companies."
Lynch said she respects Cook and Apple but added, "do we let one company, no matter how great the company, no matter how beautiful their device is, decide this issue for all of us? Do we let one company say, 'This is how investigations are done, and no other way'? We don't do that in any other area."
On another topic, Lynch announced that a new agreement has been struck between the U.S. and United Kingdom that would allow British authorities to directly subpoena U.S. tech companies for wiretaps and other information on British suspects in national security investigations, instead of relying on a more cumbersome mutual legal assistance treaty.
Currently, foreign governments must go through mutual assistance treaties to ask the FBI for information obtained by wiretaps, live surveillance and stored emails, which can cause delays in obtaining the evidence. Lynch said that the agreement would not allow the British government to directly obtain evidence on American citizens and that the court orders could only include actions taken within the U.K.
"Right now, American law says they cannot send that data overseas, but because they operate in the U.K., they are subject to U.K. process and law there, so they are in a bind," Lynch said.