Quick Question for Apple HR
Published by The Lawfare Institute
in Cooperation With
In the “going dark” discussion, it is a kind of orthodoxy that back doors are inherently insecure. Build in a means of someone other than the user accessing his data and you create unacceptable risk that someone will exploit that means; you also make the code unacceptably complicated and increase the attack surface for hackers to play with. As Apple put the matter in its famous letter to customers on the San Bernardino case:
In today’s digital world, the “key” to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.
The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.
One group of reasonable people who seem to find this arrangement “acceptable” is employers, who frequently keep a means of access to the email accounts that they provide their employees. The federal government, for example, retains the ability to monitor employee emails—and notably, for present purposes, retains the technical means of bypassing the employee’s password to do so. Most employers do the same.
Certainly, for many companies, the information contained in employee emails merits significant protection—it is likely to include trade secrets, customer information, and other sensitive corporate data. For the same reasons, this information is an attractive target for theft. Yet, because of the operational necessity of maintaining third-party access to this information, companies find methods to manage the risks. In fact, some industries with the highest need for information security do not have a choice—financial services, for example, are mandated by FINRA to monitor communications and preserve regulatory access. They manage to do so safely.
So here’s our question: Does Apple? When Apple provides devices and email accounts to its employees, is there a “backdoor” through which Apple retains the capability to examine the contents (under whatever rules), such that employees have to rely on Apple’s capacity to keep that extraordinary access private? Does Apple, in effect, have its own “master key, capable of opening” the locks associated with all of its employees?
Just asking.