Insights into Editorial: What Apple versus FBI means for India

Insights into Editorial: What Apple versus FBI means for India

24 February 2016

Article Link

The ongoing tussle between FBI and Apple in the US has generated mixed reactions among experts across the world.

What happened?

It all started when the FBI sought access via a court warrant to the locked iPhone of Syed Rizwan Farook — a U.S. citizen who in December 2015 killed 14 people and injured scores in a mass shooting in San Bernardino, California. But, Apple has challenged the court’s order and has refused to provide the information.

What has the court ordered?

The US court has asked Apple to provide “reasonable technical assistance” to investigators — which means help bypass an auto-erase function that gets activated when the wrong pin or password is entered for a fixed number of times.

• The court has also asked Apple to allow FBI to submit unlimited passcodes via a computer, a programme or whatever protocol they determine and ensure that the Apple software doesn’t purposely add any additional delay between password attempts to unlock the device.
• Apple is also required to load a specific iOS recovery file on to the device so that FBI can recover the passcode. This version of iOS will ensure that the auto-erase function doesn’t get enabled. FBI basically wants to ensure that it doesn’t spend an indefinite length of time trying to unlock this iPhone.

But, why Apple is refusing?

Apple argues that technologies that allow the FBI to force its way into the shooter’s iPhone will compromise the operating systems of all iPhones.

• It also argues that such action will set a dangerous precedent, and put consumer data at risk from hackers and cyber criminals.
• The company also believes that breaking encryption means breaking consumer trust, and putting their devices at risk from hackers and criminals. Breaking encryption once opens a Pandora’s box. Tomorrow, other governments could ask for access too, and it might not just be in cases of terrorism.
• Since smartphones contain enormous amounts of personal data, giving governments access means Apple would be giving up control over how this data is secured, something that no tech company wants.

Concerns:

This order has raised concerns among tech companies. The order challenges the heart of their business: How they keep their data safe and secure, from governments and rivals.

• Indeed, Apple’s biggest worry is about setting a precedent for similar requests in the future, from the US and other countries.

Suppose, consider if this case was between Apple and the Indian investigating agencies. Then, it would have been really difficult for India to obtain the information. Why?

• Apple is not an Indian company and can refuse to comply with Section 69 of the IT Act, claiming the provision violates California law (where it is based).
• Apple India Private Ltd, its Indian subsidiary, is registered under the Companies Act but mostly performs administrative and financial functions.
• Apple does not provide Internet services, and has no software licensing agreement with Indian telecom operators.
• Besides, Indian developers whose content is featured in the App Store sign agreements directly with the parent company.

What lessons does the San Bernardino case hold for India, where Apple’s market share is less than 1%?

1. The first lesson is for Indian regulators:

Find the right mix between protecting user data, while allowing law enforcement agencies to retrieve it for investigation. The U.S. does not have high data protection standards but law enforcement agencies have met with increasingly steep judicial barriers to extract electronic data. As a result, companies like Apple have been encouraged to invest in strong encryption, as the evolution of its operating system iOS shows.

• India, on the other hand, has low data protection standards as well as low legal thresholds for intercepting information.
• For instance, the Department of Telecommunications continues to prescribe low encryption standards for Internet Service Providers (ISPs), while subjecting them to liability for attacks on the network.
• Such dangerous mix of low data protection standards and legal barriers against monitoring puts India alongside China.

2. The second lesson is for Internet companies based abroad:

Cooperate with law enforcement agencies on legitimate requests for user data. Popular Internet applications and social media platforms in India today are all based in the U.S. or Europe, and host data in servers abroad.

• To retrieve any information, companies like Apple would need to create a sophisticated backdoor to break encryption protocols. This is an extraordinary instance, involving a drastic solution.
• But even in the majority of cases where law enforcement agencies can solve crimes based on information available with data giants, their compliance with government requests has been abysmal.
• For instance, the Indian government in 2013 placed 3,598 requests for user data from Facebook with a 53 per cent compliance rate, while the U.S. government made nearly 12,600 requests with a compliance rate of 81 per cent.
• There is simply no basis or justification for the differential treatment of compliance requests but for the fact that Facebook is a U.S.-based company.

How different is India’s position from the US?

For the reasons mentioned above and various other reasons, the Indian debate over encryption is very different from the discussion that Apple’s ongoing tussle with the U.S. Federal Bureau of Investigation (FBI) has generated.

• The ‘Apple v. FBI’ debate in the U.S. has generated much controversy because nearly half of America’s mobile users today own an iPhone.
• The Indian context is far from comparable. Most Indians, especially first-generation Internet users, own unencrypted devices.
• The competing pressures of the market have only contributed to the overall insecurity of India’s Internet infrastructure. The rush towards cheap smartphones like Freedom 251 — whose vendors could not even offer a secure website to process phone bookings — has seriously compromised the integrity of user data.
• Added to this, to secure their data and to retrieve it for investigation, Indian authorities need the assistance of foreign Internet companies, who appear more interested in bottom lines than law enforcement.

Conclusion:

There is no side to choose in this fight, since India needs its own variants of Apple and the FBI: high-security devices that protect data, and a law enforcement agency that can effectively retrieve electronic information.