The SBDPH & the FBI: Forcing the Apple from the Tree

The recent news surrounding Apple, the FBI, and data privacy and ownership has sparked national debate and raised countless questions. Consumers and organizations are seeking answers. The existing focus on privacy and device encryption impacts everyone, especially technology professionals and the clients they serve. So, many are asking, should Apple give the FBI what it wants?

If your answer is yes, privacy and security on all devices may be at risk for individuals, corporations and even governments. If the answer is no, ….. what?

However, there is a bigger question hovering in the background. Is this an issue of compliance by the manufacturer or an issue of information governance by the owner?

As experts in digital forensics and data security, we consult daily with clients on these very issues. We advise in the handling of digital security, information governance and data collection. The analysis we perform is intertwined with the related legal matters. Those matters invoke the obligation to collect, preserve, and analyze digital evidence from networks, computers and mobile devices.

When consulting on data collections, we seek to define the entities who own and/or use the device. Usually, the device owner retains the authority to approve or deny access to the device and the collection of data from it.

If a device is issued by an entity, whether it is a business, organization or government, to an employee, the employee becomes the physical custodian of that device, but the entity remains the owner of the device and the data therein.

This is a legal based ownership. The question is, could the SBDPH have also ensured technological ownership, i.e. the digital ability to access, control, and manage the data that it owned by right.

The custodian should understand that content created on the device belongs to the issuing entity. The same rules apply for desktop and laptop computers, issued by an entity and used for that entity’s work. The owner of the device may employ trained technology professionals to be “stewards” of the device, and authorize this person or group to execute steps for device management and security during its lifecycle.

The Facts as We Know Them

In the Apple/FBI case, the owner, the San Bernardino Dept. of Public Health (SBDPH), issued the device to its employee and approved the access, collection and analysis of the device by the FBI, but did not have, and thus could not provide, the proper passcode to access the device.

Apple dutifully provided support to the investigation via the iCloud account associated with the device and also explored known weaknesses within the operating system.

Many third party vendors (including Apple) provide tools for the management of mobile devices deployed within a corporate or government environment.  We call this Mobile Device Management (“ MDM”).  MDM gives the owner the ability to remotely access, wipe, lock, or provision devices within its portfolio. With greater frequency, large scale deployments of mobile devices include MDM, as organizations look to manage items such as App Store downloads or whitelists of approved corporate applications. MDM allows the owner to keep control of a device in use by a custodian.

It appears that SBDPH may have had an MDM solution at its disposal prior to deploying the device to the user, yet did not utilize it. If this is true, the ability to maintain control over access to the device was available, but not used.

In summary, the device was obtained via a legal search and seizure. The device owner allowed FBI access to both the device and associated iCloud services. SBDPH, (the device owner) had access to existing technology that would allow it to maintain control over the device, but neither it, nor it’s stewards, deployed that technology before issuing the device to the user.

It is valid to ask if Apple should comply with the FBI’s request, and the judge’s order, from a legal standpoint. From a technology perspective, it appears Apple has been cooperative during the investigation up to this point. One might ask if we should be focusing less on Apple’s reluctance to build a weakness for their system and more on poor information governance by a government entity.  Did the SBDPH meet the responsibility of an organization to properly secure and control access to data?

In light of the above, I have outlined a series of questions for the various parties involved below.  We will discuss these in more detail over subsequent posts and articles.

Questions

For the San Bernardino Dept. of Public Health:

1. Does the SBDPH have a responsibility to protect records and information under its control from all employees, hackers, etc.?
2. Is the SBDPH taking action to secure future devices and their data from custodial hijacking?
3. What data is secured by the SBDPH, and is it already in the wrong hands?
4. Did their lack of control constitute a breach in security and public confidence?
5. Within SBDPH, who is responsible for the policy regarding mobile devices and security of data?
6. Should/will the owner and/or steward(s) be held accountable if a failure in information governance becomes the focus?

For the FBI:

1. If Apple complies, how do they plan to secure access to this tool/weakness?
2. What polices or procedures will govern the use of the tool/weakness?
3. If the FBI has its own difficulties with hacking and intrusion, should the public trust them to keep the data secure?
4. What additional investigative information do they hope to find?
5. Will the FBI be held accountable if Apple creates an access point exploited by hackers or thieves?

For The Public

1. Can/should the federal government protect individual citizens against cyber-crime in the digital age?
2. Can/should organizations be trusted to protect the data and information of private citizens?
3. Do you secure personal and private information on your personal devices and networks?
4. Would you relinquish control over your device, often used for banking, medical, school, and personal records, to the government for safe keeping?
5. Once the encryption on a device is weakened, are we qualified to secure our own devices?
6. What data do you have on your personal device? What about your corporate device?
7. Are you using a single device for personal and business?

For the Information Technology Community:

1. Do we understand the data security solutions at the organizations disposal?
2. Are we vetting MDM solutions and providing device owners with comprehensive guidance?
3. Are we correctly deploying the solutions, with proper monitoring and user awareness training?