Cyber Security

Luke Hally

Apple vs FBI

February 21, 2022

This was my final assessment for the cyber ethics course, it was a great topic that brought together the ethical theories with a real world example. I’m now a third of the way through my master’s and qualify for the graduate certificate of cybersecurity, I’ll just be continuing the degree though.

Question

Do you think Apple and the relevant cybersecurity professionals involved had a moral obligation to assist the FBI in building a backdoor into the relevant system? Justify and thoroughly explain your answer.

Introduction

In December 2015, 14 people were killed in a terrorist attack in San Bernardino, California. One of the terrorists’ phones, an iPhone 5c, was recovered by authorities but was locked with a four-digit PIN. A common security measure to erase all data after 10 failed attempts was in place. The FBI requested that Apple create a method for bypassing the physical input as well as the 10-attempt limit, so that they could proceed to brute force the phone. Following the Snowden leaks, Apple moved to encrypt iPhones in a manner that they couldn’t decrypt (Sanger & Chen, 2014), so in order to help the FBI they would have needed to create a new tool which “would have the potential to unlock any iPhone in someone’s physical possession” (Cook, 2016). When Apple refused to do this, the FBI issued a court order; however, the day before the hearing they delayed it, and six days later announced that a third party had obtained the information they required from the device.

Apple acted to protect their users’ privacy, the interest of all owners of encrypted data and cybersecurity robustness as a public good. In this essay I will outline the importance of privacy, how its intrusion can impact upon: individuals’ ability to express themselves; individual security in a connected world; the ability of society to remain cohesive and inclusive of diverse beliefs and opinions; and other rights and values which are core to ethical theories. I will demonstrate that Apple’s response is justified through a deontological and utilitarian lens using the principlism and rights based frameworks and we will see that although the FBI request can initially be justified using utilitarian theory, further examination weighs against it. This will lead into an examination of how individual security is an important part of the public good of cybersecurity robustness, adding further justification to Apple’s position. In this essay, I will: overlook that the data related to a deceased person; refer to (Tim) Cook and Apple interchangeably, and; not consider jurisdictional limits to legislation.

Response

Privacy is valuable and Apple recognises this. In a letter to the public, Apple CEO Tim Cook stated that iPhones “store an incredible amount of personal information, from our private conversations to our photos, our music, our notes, our calendars and contacts, our financial information and health data, even where we have been and where we are going” (Cook, 2016) and goes on to confirm the importance of privacy because “Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us”. He is not just defending the privacy of this one iPhone user, or all iPhone owners, but of all people using encryption to protect their privacy.

Privacy is a human right outlined in Article 12 of the United Nations Universal Declaration of Human Rights (United Nations, 1948). It plays an important role in our lives by providing political and personal freedom whilst also supporting the rights to freedom of speech, due process, non-discrimination and data protection (Christen et al. 2020). A lack of privacy can lead to self censorship and makes dissent difficult (The Transnational Institute, 2017), both of which can enable government overreach and empower authoritarian regimes. Privacy also helps at a social level, our society is diverse with many conflicting views and beliefs, it is privacy which allows us to cooperate and remain civil (Stalla-Bourdillon et al., 2014, p. 66). 

Apple’s position is justifiable using deontological theory. The ability to leverage a backdoor on an iPhone would breach the right to privacy, with Cook claiming it would “make our users less safe” (Cook, 2016) from hackers and criminals and Burum (2016) agreeing that once a backdoor is created, law enforcement will want continued and expanded access to it. Deontology acknowledges people’s fundamental rights by applying maxims universally: if everyone applied this rule, is this a world we would want to live in? The right in this case is privacy, and the maxim is: do we want to live in a world where the norm is to allow governments to create encryption backdoors? As mentioned, this would breach the right to privacy and infringe on individuals’ autonomy, ownership of data and devices as well as the rights to freedom of speech, due process, non-discrimination and data protection. This would create a world where individuals are at risk of continued surveillance by their government as well as attack from criminals and authoritarian regimes. Given the number of rights infringed upon and the risk to our security, it is fair to say that this is not a world many of us would want to live in. Cook (2016) makes a clear deontological position when he gives examples of what will happen in a world where a maxim that allows encryption backdoors is adopted: “Once created, the technique could be used over and over again, on any number of devices.” and “it (the government) would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy”.

By defending human rights it is clear that Apple’s position is using a rights based ethical framework. How does it perform when assessed against a principlist framework, where we judge it against key principles? The Menlo Report is a principlist framework intended to guide ICT research, but it can also be used in cybersecurity operations (Christen et al., 2020) and is based on these principles:

  • Respect for persons – this includes consent and can include respecting data that is linked to a person, including their communications
  • Beneficence – minimising harm including psychological, reputational, emotional, financial and physical
  • Justice – treating all people fairly without bias

Applying this to Apple’s position we can see that they are respecting persons: firstly, consent is implicit because they are treating privacy as default; secondly they are respecting individuals’ data, again by protecting privacy. This is providing beneficence and minimising harm by defending the human right of privacy and the aforementioned benefits it affords for individuals and society. Apple is acting justly by standing up for the privacy of not just their customers, but all individuals using encryption to protect privacy. The FBI could also claim to be upholding respect for persons by thwarting terrorists and making society safer, which implies beneficence and justice because they are concerned with the safety of all. Let’s look at how the FBI’s request stacks up through a utilitarian lens. Like deontology, utilitarianism is an action based normative theory, it is concerned with outcomes of actions, not the motive or morals behind the action. Utilitarianism is based on the Greatest Happiness Principle, decisions are based on choosing an action that maximises positive (or minimises negative) outcomes.

The FBI believes that in order for a society to be secure, people need to give up a little privacy (Burum, 2016), thus framing this as Kidder’s (2003) individual vs community. Is the FBI’s position justifiable? The privacy of one known terrorist is breached to potentially prevent further terrorist attacks, protecting the public. This appears justifiable using utilitarianism: the FBI is acting in a way that will create the greatest happiness. The government suggested this was a one off occurrence (Cook, 2016), and they specify the actions requested of Apple only apply to this particular iPhone (Decker, 2016). But would it be a one off and would it just be this iPhone? We’ve already seen that Cook (2016) and Burum (2016) don’t believe this and we can also look to the ‘war on encryption’ for evidence that it likely would not be. In recent years the Australian government has introduced numerous Acts and Bills to make surveillance easier (Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021, 2021; Identity-Matching Services Bill 2019, 2019; Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, 2018). Around the globe there have been decryption programs including Bullrun and Edgehill in the USA and UK respectively (worryingly, both named after major civil war battles (Borger et al., 2013)). In China, backdoors or key escrows are required for government access (Laskai & Segal, 2021). And specific to this case, there is the UK’s Investigatory Powers Bill, which could also be used to demand a backdoor to the iPhone if one is created in Apple’s home country of the USA (Computerphile, 2016). These cases demonstrate the appetite of governments across the political spectrum and around the globe to breach individuals’ privacy.
So we are not just weighing up the privacy of a terrorist versus protection from terrorists as the FBI suggested, but the privacy of the terrorist and the right of individuals not to be surveilled versus protection from terrorists. Even if we trust the government to keep this backdoor safe, as we weigh up the impacts on these rights across the globe, the scales of happiness are now not so in favour of the FBI’s demand. 

In practice governments cannot keep information safe, this has been demonstrated in: the USA with the Snowden leaks, a relevant example being the NSA backdoor in Juniper routers that was used to attack US entities (Robertson, 2021); the UK with classified documents being left at a bus stop (Adams, 2021); and we’ve also seen numerous government data breaches in Australia in the last two years alone (Hally, 2021a). This combined with the rise in state-sponsored cyber operations (Hanrahan, 2019) and cybercrime (Australian Cyber Security Centre, 2021) demonstrates that we need to consider the backdoor making its way into the hands of cyber attackers. We are now weighing up the privacy of a terrorist and the right of individuals not to be surveilled and the security of individuals against cyber attack versus protection from terrorists. 

Apple’s position shares an alignment with Taddeo’s (2019) case for cybersecurity robustness as a public good. Each unencrypted iPhone – and by extension each unencrypted device – is a potential attack vector (Rizvi et al., 2018), which can impact on the rights of, and cause harm to others. The potential to infringe on privacy combined with the ability to connect with remote data storage creates more potential for harm: in scale, geographic and temporal reach. Connected devices expand the burden of security from corporations to include individuals (Hally, 2022). So, now we are weighing up the privacy of a terrorist and the right of individuals not to be surveilled and the security of individuals against cyber attack and the public good of cybersecurity robustness versus protection from terrorists. From a utilitarian perspective, these negatives outweigh the benefits presented by the FBI’s case. And in doing so they weigh onto Apple’s side of the argument, justifying its position with utilitarian theory as well as a deontological one.

Conclusion

On initial inspection, this ethical dilemma appeared to centre around community security versus individual privacy. I outlined the importance of privacy, that it: 

  • is a human right and it supports other rights and ethical issues. 
  • is also valuable in preventing government overreach and authoritarianism.
  • allows a society with diverse opinions and beliefs to remain civil and cohesive. 

We looked at Apple’s deontological position that applied the maxim of: what if all encrypted devices contained backdoors for the government to use? This revealed a world where individuals were under constant government surveillance, at threat from cyber criminals and from state-sponsored cyber attack. We found alignment with Apple’s position with a rights based framework, and that it could also be justified using the principlism framework of the Menlo Report. Being a utilitarian framework, this naturally led to an assessment against the utilitarianism theory. 

At first the FBI position of individuals needing to give up a little privacy for a more secure society – intruding on the privacy of a terrorist to protect us from terrorists – seems justifiable using utilitarianism. But as we dug deeper, accounting for the government desire to surveil and its inability to keep secrets, we discovered that the FBI’s position was too narrow in scope, and that we could broaden it to include all individuals relying on encryption for privacy and further to the public good of cybersecurity robustness. Thus reaching the conclusion that we need to consider: the privacy of a terrorist and the right of individuals not to be surveilled and the security of individuals against cyber attack and the public good of cybersecurity robustness versus protection from terrorists.

After taking these considerations into account and weighing up the ethical justifications, I believe that Apple had no moral obligation to assist the FBI in building a backdoor to the iPhone. Quite the opposite. I believe they had a moral obligation not to create a backdoor and they did the right thing by refusing the FBI’s request and bringing this case to the public’s attention.

References

Adams, B. P. (2021, June 27). Classified Ministry of Defence documents found at bus stop. BBC News. https://www.bbc.com/news/uk-57624942

Australian Cyber Security Centre. (2021). ACSC annual cyber threat report 2020-21. Cyber.Gov.Au. https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-2020-21

Australian Law Reform Commission. (2010, August 16). 8. Privacy of deceased individuals. Australian Law Reform Commission. https://www.alrc.gov.au/publication/for-your-information-australian-privacy-law-and-practice-alrc-report-108/8-privacy-of-deceased-individuals/

Banta, N. (2016). Death and privacy in the digital age. North Carolina Law Review, 94(3), 927.

Borger, J., Ball, J., & Greenwald, G. (2013, September 6). Revealed: How US and UK spy agencies defeat internet privacy and security. The Guardian. https://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Burum, S. (2016). Apple v. FBI: Privacy vs. security? National Social Science Journal, 48(2), 9–21.

Christen, M., Gordijn, B., & Loi, M. (2020). The ethics of cybersecurity. Springer Nature.

Computerphile. (2016). The Golden Key: FBI vs Apple iPhone – Computerphile [Video]. On YouTube. https://www.youtube.com/watch?v=6RNKtwAGvqc

Cook, T. (2016, February 16). Customer letter. Apple. https://www.apple.com/customer-letter/

Decker, E. (2016, February 16). Order compelling Apple, Inc to assist agents in search. https://s3.documentcloud.org/documents/2714001/SB-Shooter-Order-Compelling-Apple-Asst-iPhone.pdf

Dressler, V. (2018). Framing privacy in digital collections with ethical decision making. Morgan & Claypool Publishers.

Hally, L. (2021a, August 2). NSW government data breaches. A Cyber Security Blog by Luke Hally. https://www.lukehally.au/cyber-news/1838/

Hally, L. (2021b, December 3). The war on encryption. A Cyber Security Blog by Luke Hally. https://www.lukehally.au/government/the-war-on-encryption/

Hally, L. (2022, February 14). Learning Log Week 4.1: What obligations do cybersecurity professionals have towards the public? Cybersecurity Ethics ZZCA9204; UNSW. https://moodle.telt.unsw.edu.au/mod/oublog/view.php?id=4281422

Hanrahan, C. (2019, February 19). Australia is a growing target for cyber attackers — but is it a hacker itself? ABC News. https://www.abc.net.au/news/2019-02-20/is-australia-cyber-hacking/10825642

Identity-matching services bill 2019, House of Representatives (2019) (testimony of Parliament of Australia & Home Affairs). https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6387 

Kidder, R. M. (2003). How good people make tough choices. HarperPB.

Laskai, L., & Segal, A. (2021, March 31). The encryption debate in China: 2021 update. Carnegie Endowment for International Peace. https://carnegieendowment.org/2021/03/31/encryption-debate-in-china-2021-update-pub-84218

Lindsay. (2005). An exploration of the conceptual basis of privacy and the implications for the future of Australian privacy law. Melbourne University Law Review, 29(1), 131–178.

Rizvi, S., Pipetti, R., McIntyre, N., & Todd, J. (2018, July). An attack vector for iot networks. 2018 International Conference on Software Security and Assurance (ICSSA). http://dx.doi.org/10.1109/icssa45270.2018.00019

Robertson, J. (2021, September 2). Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role. Bloomberg. https://www.bloomberg.com/news/features/2021-09-02/juniper-mystery-attacks-traced-to-pentagon-role-and-chinese-hackers

Sanger, D. E., & Chen, B. X. (2014, September 27). Signaling Post-Snowden Era, New iPhone Locks Out N.S.A. The New York Times. https://www.nytimes.com/2014/09/27/technology/iphone-locks-out-the-nsa-signaling-a-post-snowden-era-.html

Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021, House of Representatives (2021) (testimony of Home Affairs). https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6623 

Stalla-Bourdillon, S., Phillips, J., & Ryan, M. D. (2014). Privacy vs. security. Springer.

Taddeo, M. (2019). Is cybersecurity a public good? Minds and Machines, 29(3), 349–354. https://doi.org/10.1007/s11023-019-09507-5

Telecommunications and other legislation amendment (assistance and access) bill 2018, House of Representatives (2018) (testimony of Parliament of Australia & Home Affairs). https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6195 

The Transnational Institute. (2017, November 30). Understanding and challenging authoritarianism (N. Buxton, Ed.). Transnational Institute. https://www.tni.org/en/publication/understanding-and-challenging-authoritarianism

United Nations. (1948, December 10). Universal Declaration of Human Rights. United Nations. https://www.un.org/en/about-us/universal-declaration-of-human-rights

Whittaker, Z. (2016, August 23). Juniper confirms leaked NSA exploits affect its firewalls. ZDNet. https://www.zdnet.com/article/juniper-confirms-leaked-nsa-exploits-affect-its-firewalls/

Woods, L. (2019). Digital privacy and article 12 of the universal declaration of human rights. The Political Quarterly, 90(3), 422–429. https://doi.org/10.1111/1467-923x.12740
