Apple's refusal to help the government unlock the San Bernardino shooter's iPhone may have some surprising consequences. Remember, Apple is defying not only the Justice Department but also the wishes of the iPhone's owner. That's because the iPhone in question is actually owned by the San Bernardino County Department of Public Health, which issued it to Syed Farook to use at work.
As a practical matter, Apple's technical and legal position elevates Farook's privacy over the interests of the iPhone's real owner. This may well be consistent with Apple's corporate marketing strategy, which seems to be making the iPhone so sexy that employees will simply demand that companies buy it for them. But the San Bernardino case is a wake-up call for companies that think that, because they are the customers, Apple owes them some allegiance.
Nope. Instead, Apple's technical and legal war with the United States government is turning its corporate customers into collateral damage.
As that lesson sinks in, enterprise purchases of iPhones may take a hit. Indeed, in the financial industry, the fallout could be worse. Given Apple's decision to privilege users' privacy above all else, it may well be unlawful for banks and brokerages to let their employees use iPhones at work.
Why? Because, in the financial industry, allowing yourself to be locked out of your employees' communications isn't just a bad idea, it's a violation of federal law. Since 2007, financial industry regulators have made clear that "FINRA expects a firm to have supervisory policies and procedures to monitor all electronic communications technology used by the firm and its associated persons to conduct the firm’s business." (Emphasis in original.) In 2014, financial institutions were fined under this policy for failing to capture all of their employees' text messages.
There are probably ways to solve this problem technologically, if the employees cooperate. Their iPhones or their apps can be modified so that text messages are routed through servers where the encryption is stripped and the messages stored. But what if an employee instead chats with customers using his iPhone and an off-the-shelf messaging app that features end-to-end encryption? Then, I suspect, the only way to recover those messages is to get access to the iPhone itself, something Apple is trying its best to make impossible.
Maybe there's another way for the industry to justify the use of iPhones after the San Bernardino controversy. I'd welcome further comment from those closer to the industry.
One thing is for sure, though. The consequences of Apple's stand for corporate communications haven't yet received enough attention.
I am not in the financial industry, but as someone who works in the Information Security industry I'll take a crack at this.
The failure on the part of San Bernardino County was to not deploy a Mobile Device Management (MDM) solution. If they had, then they would have the capability to unlock the phone and this entire issue would be moot.
An MDM would allow the administrators to remove the lock and access information on the device. For example, Apple's MDM has the capability of removing a lock code altogether if the device is enrolled in an MDM:
"The ClearPasscode command requires the device’s UnlockToken (which was provided to the server during the enrollment phase, in the UpdateToken message):"
(https://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf)
Any CISO worth their salt is going to deploy an MDM solution as part of good GRC, especially if those devices are firm-owned or can access firm data, as an MDM can not only let you back into a locked device but can also remotely wipe a device that is no longer in your control.
Posted by: Andrewshumate | Feb 20, 2016 at 07:08 PM
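To make the commenter's point concrete, here is an added example (written for this page, not code from Apple, from the Black Hat paper, or from any MDM product) of the server-side bookkeeping the quoted passage describes: at enrollment the device checks in and hands the MDM server its UnlockToken; the server escrows that token; later, a ClearPasscode command can only be built for a device whose token is on file. The check-in message and its values are constructed for the example; the plist key names (MessageType, UDID, UnlockToken, Command, RequestType, CommandUUID) follow Apple's published MDM protocol, and the check-in message type is named TokenUpdate there. The `unenrolled_devices` report is the check a CISO would want: which firm-owned devices in the inventory never enrolled, and so could never be unlocked this way.

```python
import plistlib
import uuid

# Constructed sample check-in message from an enrolling device. Key names
# follow Apple's MDM protocol; every value here is made up for the example.
EXAMPLE_UDID = "00008030-000000000000EXAMPLE"
EXAMPLE_UNLOCK_TOKEN = b"\xde\xad\xbe\xef" * 4  # constructed, not a real token

SAMPLE_TOKEN_UPDATE = plistlib.dumps({
    "MessageType": "TokenUpdate",
    "Topic": "com.apple.mgmt.External.example-placeholder",  # placeholder APNs topic
    "UDID": EXAMPLE_UDID,
    "Token": b"\x01\x02\x03\x04",          # constructed push token
    "PushMagic": "EXAMPLE-PUSH-MAGIC",
    "UnlockToken": EXAMPLE_UNLOCK_TOKEN,   # what ClearPasscode later needs
})


class UnlockTokenEscrow:
    """Server-side store of UnlockTokens, keyed by device UDID.

    An MDM server keeps this from the enrollment check-in; without it the
    server has no way to issue ClearPasscode for that device.
    """

    def __init__(self):
        self._tokens = {}

    def ingest_checkin(self, raw_plist):
        """Record the UnlockToken from a TokenUpdate check-in.

        Returns the device UDID that was recorded, or None if the message
        is not a TokenUpdate (other check-in types carry no UnlockToken).
        """
        msg = plistlib.loads(raw_plist)
        if msg.get("MessageType") != "TokenUpdate":
            return None
        udid = msg["UDID"]
        token = msg.get("UnlockToken")
        if token:
            self._tokens[udid] = bytes(token)
        return udid

    def is_enrolled(self, udid):
        """True only if an UnlockToken for this device is on file."""
        return udid in self._tokens

    def build_clear_passcode(self, udid):
        """Build the ClearPasscode command plist for an enrolled device.

        Raises LookupError for a device that never enrolled: the server
        simply does not hold the token the command requires.
        """
        token = self._tokens.get(udid)
        if token is None:
            raise LookupError(f"no UnlockToken escrowed for device {udid}")
        command = {
            "CommandUUID": str(uuid.uuid4()),
            "Command": {
                "RequestType": "ClearPasscode",
                "UnlockToken": token,
            },
        }
        return plistlib.dumps(command)


def decode_plist(raw_plist):
    """Parse a plist produced by build_clear_passcode back into a dict."""
    return plistlib.loads(raw_plist)


def unenrolled_devices(escrow, inventory_udids):
    """Inventory devices with no escrowed UnlockToken, i.e. the ones an
    administrator could not unlock through MDM if they were ever locked."""
    return sorted(u for u in inventory_udids if not escrow.is_enrolled(u))


if __name__ == "__main__":
    escrow = UnlockTokenEscrow()
    escrow.ingest_checkin(SAMPLE_TOKEN_UPDATE)
    # A constructed inventory: one device enrolled, one that never was.
    inventory = [EXAMPLE_UDID, "00008030-0000000000NOTENROLLED"]
    print("never enrolled:", unenrolled_devices(escrow, inventory))
    print(escrow.build_clear_passcode(EXAMPLE_UDID).decode())
```

The design point is that the token is captured exactly once, at enrollment, and only stored server-side; a device that was issued without being enrolled, as the county's apparently was, leaves nothing to escrow, and no later command can be built for it.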