Think back to a time when the computer did not exist. Now imagine you’d like to write a letter to a friend. You would have to write out your message on a piece of paper, get an envelope and a stamp, and put it all in a mailbox to be taken by your mailman the next day. Consider that you may have your mom proofread the letter before you seal the envelope, or the roommate of the recipient may accidentally open the letter on arrival, thinking it is hers. Furthermore, at any point between you pressing the pen to paper and your friend reading it, the letter can be intercepted and read by anyone. A postal service worker could steal the dollar bill you sent along. A thief could steal it from your friend’s mailbox before she gets home from work on the day it is delivered. Maybe they even steal it from your mailbox before the mailman puts it in his truck (there is a flag on your mailbox screaming ‘stuff in here!’ after all). To improve security, senders might use envelopes lined with patterns to make it difficult to determine their contents. Think beyond the postal service. Every financial transaction related to you was recorded on paper or not at all. At work, every paper, presentation, or drawing you produced was likely on paper.
This amounts to the sum total of all recorded information existing within large quantities of paper. Paper is tangible, so does that make it secure? On one hand, the storage of small amounts of paper probably does not involve much security: stealing a file from a doctor’s office or rifling through someone’s recycling bin for their credit card statement would not be terribly difficult. On the other, it would be quite difficult to steal large amounts of paper from widespread locations. To steal all of the medical records from a hospital, or the credit card information of everyone who bought something from any Sears last weekend, would require insane man-hours and would be impossible to do without drawing attention.
Imagine, now, that all of this information has been digitized, making communications and transactions much simpler, but also opening doors to simplify the process of performing large-scale interception. You wouldn’t be in ruin if a thief stole the birthday card and $20 your aunt sent via snail mail, but you probably would be very upset if that thief intercepted every $20 gift to your PayPal account and the $300 your parents tried to direct deposit to your bank account so you can fly home to see them next weekend.
Every communication, transaction, or other piece of data you interact with today is recorded at some time, to some extent, on the internet. Even if your credit card statements are still mailed to you every month as a few sheets of paper, the company that sent them has all of that information recorded in their computer systems. Even if your grandma has never touched a keyboard in her life, all of her financial information, her grocery store purchase history, a log of her phone calls, even the number of miles she’s driven since her last oil change: it’s all stored on a computer. When many of us think of what information we have stored on the web, we think of Facebook pictures and emails we’ve sent to our coworkers, but in reality, other people, companies, and governments have probably stored much more information about your life than you have about yourself.
At this point in our story, hopefully you see reason for concern. The legal collection of massive amounts of public and private information has allowed for new businesses to flourish, cities and governments to understand how to become more efficient, and scientists and researchers to learn more about how the world works. But it also leaves us vulnerable to people who are ready to use our private information, whether we ourselves have recorded/stored/transmitted it or not, for personal gain, hurting others in the act. What can be done to prevent a thief from tapping into these streams of information? One of the ways to counter any such effort is encryption.
Encryption is a method of turning words, numbers, pictures, or any sort of information into a code that is only readable by the people who are supposed to read it. If you send an encrypted message to your brother, before that message leaves your device (laptop, phone, etc.) it is translated into a jumble of numbers and letters that would not make sense to the human eye. To create the order of the numbers and letters in the jumble, your device will use a key. Think of a key as another jumble of letters and numbers that acts as a password of sorts for a piece of data. Based on the letters and numbers in the key, the original message to your brother will be turned into a final encrypted message. The software on your brother’s device will have its own key that will, in a similar manner, be able to decrypt the encrypted message you have sent him. When data is encrypted correctly (there are many different ways to encrypt), it is nearly impossible for an ordinary thief who intercepts it to crack; automated computer programs could need many years to solve it, which is certainly not reasonable.
But not every interception attempt is ordinary. The National Security Agency has reportedly spent hundreds of millions of dollars building high-speed computer systems that take advantage of flaws in common encryption techniques and can break them. That our own government is spending our money to weaken the security of our data is disheartening. Encryption (hopefully) secures all of the information held by our government, meaning the NSA is willfully working against our own interests. Devising methods to bypass encryption is dangerous, because there is no guarantee the techniques can be kept from leaking: the NSA does not have a good history of keeping information secret. It is also an incentive for computer scientists and cybersecurity experts to develop more stringent forms of encryption that can hold against larger and more powerful attempts from our government or any other organization.
Encryption is the best tool at our disposal to secure data and keep it out of the wrong hands. To a hacker, whether state-sponsored or amateur, good encryption is like a 3.5-foot-thick vault door. It’s very difficult to get through and would require huge amounts of resources and time to drill through. But if someone with the time and resources, such as the NSA, were able to figure out how the door’s lock works, there now exists the ability for someone with fewer resources and less time, but with that knowledge, to break through. Is the answer to keep building thicker doors with more complex locks, or should other methods be used beyond encryption? Both.
To extend the door analogy and to borrow from a professor I had, imagine a hacker is faced with such a thick, complex, daunting door, yet the walls around it are made of plywood. This is how most hacking occurs: by finding loopholes in a system, not necessarily through technically complex wizardry.
It is this scenario that is relevant to the Apple vs. FBI case. The iPhone in question has some information stored locally on the phone, meaning that even without an internet connection, such information would be accessible from the device. It also holds information that is stored on the internet, via iCloud. All of it is encrypted, but Apple has access to the iCloud data from its own servers, meaning it was able to hand it over to the FBI after being shown a warrant. Whether you like it or not, by using iCloud, you agree to this possibility: though the data remains encrypted to keep it away from prying eyes, permission to view the data is given to Apple. No encryption was broken, nor any security bypassed, to make this data available. Apple just has a backdoor to get to it, and they guard that backdoor with everything they have. But Apple does not have a backdoor for the information stored locally, and this is exactly what the FBI wanted Apple to create. The problem is that a backdoor to local information is not subject to warrant, and cannot be guarded if stolen from Apple or the government. Once it exists, it can be used to access millions of iOS devices in existence, all around the world, any time or place. Apple itself does not hold this privilege because there is no need to, and the mere existence of said backdoor is too risky.
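The two ideas above, that an encrypted message is readable only with the right key and that whoever holds a copy of the key decides who can hand the data over, can be shown in a short program. This is an added illustration, not part of the original essay and not Apple's actual design: `CloudProvider`, `Device`, the account name and the sample data are hypothetical, and the cipher is a small stand-in built from Python's standard library.

```python
import hashlib, hmac, secrets

# Illustration only: a small encrypt-then-MAC construction from the standard
# library. Real systems use a vetted cipher such as AES-GCM.
def _keys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(key, plaintext):
    enc_key, mac_key = _keys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    enc_key, mac_key = _keys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or altered ciphertext")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))

class CloudProvider:
    """Hypothetical service that keeps a copy of every account key."""
    def __init__(self):
        self.keys, self.blobs = {}, {}
    def store(self, user, data):
        key = self.keys.setdefault(user, secrets.token_bytes(32))
        self.blobs[user] = encrypt(key, data)
    def answer_warrant(self, user):
        # The provider holds the key, so it can produce the plaintext.
        return decrypt(self.keys[user], self.blobs[user])
    def can_read(self, user, blob):
        try:
            decrypt(self.keys[user], blob)
            return True
        except ValueError:
            return False

class Device:
    """Hypothetical phone whose key never leaves the device."""
    def __init__(self):
        self._key, self.blob = secrets.token_bytes(32), b""
    def store(self, data):
        self.blob = encrypt(self._key, data)
    def unlock(self):
        return decrypt(self._key, self.blob)
```

Data stored through `CloudProvider` can be returned by `answer_warrant`, while a blob written by `Device` fails `can_read` because the provider never had that key.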
If by this point you still are okay with weakening encryption and building backdoors, let us review. The following information is protected by cybersecurity methods the government employs but is attempting to weaken at the same time:
- your SSN
- all of your money in the bank
- every stock market in the world
- your location at any given time (if you use a smartphone)
- all of your personal information that you would probably put through a shredder if it were on paper
- top secret military documents
- intellectual property from US businesses and individuals