On February 16, 2016 a judge in California handed down a ruling ordering Apple to help the US government unlock and decrypt an iPhone used in a terrorist attack in December 2015. Apple responded by publishing a letter to its customers arguing that the request carries more dangers than benefits and that building a back door would create a threat to the security of all customers’ data. Regulators must be mindful of the implications this is likely to have on consumers’ trust. Promisingly, on March 1, 2016 a judge in New York backed Apple’s stance.
Policy-makers should recognize that there must be a limit to surveillance
Apple’s letter to its customers exposes one of the greatest tensions facing the digital age, that between privacy and the fight against crime. This tension is likely to remain unresolved for some time; the judgment issued by the court in New York backing Apple’s stance argues that the FBI is trying to unduly expand its law enforcement powers.
Apple’s denial of the FBI’s request is a manifestation of the conflict between tech companies and governments, with the latter trying to get as much access to personal information as possible from the former. This is particularly evident in the US, where existing laws give public bodies extensive access to personal data, but governments in other countries are also taking steps to increase their surveillance power. A debate has taken place in the UK in recent years as the government has sought to require tech companies to bypass encryption and to restore data retention laws for telcos, despite the European Courts of Justice striking down the data retention directive of 2014.
Tech companies are rightly worried about retaining customers’ trust. Building a back door is likely to enable not only public bodies, but also hackers to access personal information which, in theory, should be safely stored and protected.
Apple’s refusal to comply with the court ruling has parallels with the ongoing legal battle between Microsoft and the US Department of Justice (DoJ). In that case the DoJ wants the company to grant access to emails stored in a data center in Ireland, whereas Microsoft maintains that it is not obliged to accept the request. Regulators and policy-makers should be mindful of the need to foster consumers’ trust and should acknowledge that there must be clear limits to surveillance if they do not want to hamper the growth of the tech industry, especially in light of the development of IoT services.
This tension reflects another conflict, in which governments’ efforts to have more control of online data are clashing with some regulators’ recent attempts to improve data protection and privacy. Reforms of data protection rules, such as those recently passed in the EU, could become a pointless exercise if users start to expect to be spied on by the government at all times.
“The replacement for Safe Harbor will have more red tape, but no surprises,” TE0007-000990 (February 2016)
Data Protection Tracker: 4Q15, TE0007-000955 (December 2015)
Luca Schiavoni, Senior Analyst, Regulation