When technology and public policy collide, it invariably creates waves. However in the case of iPhone security versus FBI evidence collection, it’s more like a tsunami. The technical and legal details of the FBI’s case against Apple and the inevitable back-and-forth that will likely only be resolved by Congress or the Supreme Court are nuanced and deserving of a thorough public discussion.
The case is the latest example of a clash of cultures I characterized as the authoritarian (DC) versus libertarian (SV). Yet a key fact buried in the details about this incident suggests the entire fiasco is the result of carelessness by the San Bernardino County IT department, which owned and issued the phone to the employee-turned-terrorist. A precedent-setting chain of events could have been prevented with proper IT oversight. Unless of course you fall into that crowd that sees a conspiracy to deliberately force Apple into doing something it is fighting tooth and nail to avoid. That discussion is for another day.
Even though it was an employer-supplied device, the iPhone in question was unmanaged, meaning the County IT department had no way of monitoring the employee’s usage, controlling access to applications or resetting the passcode. This sorry incident is a painful reminder of the importance of proper mobile device governance including the use of enterprise mobility management (EMM) software. Although EMM is often cited as a prerequisite for BYOD programs where organizations need control over sensitive data on an employee’s personal phone, the San Bernardino case shows that it’s just as necessary on employer-provided devices because you never know when an employee might lose a phone, forget a passcode, contract some malware or, regrettably, go postal.
The sad irony here is that the County IT department already uses one of the most popular EMM suites from Mobile Iron on some of its devices. A spokesman says it requires some, but not all employees to install the software, but didn’t know why this particular department chose not to. He went on to say that the County might review this policy in light of events. I should hope so. Here’s why.
Start with the basic facts of this case. When the FBI seized the terrorist’s iPhone 5C (no Touch ID on this device), it was locked. Since iOS includes a feature that increasingly delays the time between incorrect passcode entries after the fifth try and erases the phone after the 10th attempt, it makes guessing the passcode by brute force impossible since the FBI has to assume the latter ‘nuclear option’ is enabled. Lacking direct access to the data, according to a County statement,
A logical next step was to obtain access to iCloud backups for the phone in order to obtain evidence related to the investigation in the days following the attack. The FBI worked with San Bernardino County to reset the iCloud password on December 6th, as the County owned the account and was able to reset the password in order to provide immediate access to the iCloud backup data.
Unfortunately, officials then learned that the last backup was 6-weeks old, hence the fight over direct access to the phone’s data via an Apple-assisted unlock. Here’s how EMM could have prevented this. The foundation of EMM is device management, namely the ability to provision software and remotely view, control and wipe the device. This includes forcing a data backup, which the FBI could have recovered via the newly-assigned iCloud password (or from the County’s servers if IT had its own backup system) and passcode reset. Had the County actually deployed the software on every device, MobileIron’s VP of Strategy, Ojas Rage describes how it could have bypassed any need for Apple’s involvement,
If an employee forgets the passcode, he or she calls the company’s IT department for help. If the device is using MobileIron, the IT department can, after confirming the employee’s identity, send a command to the device to clear the passcode. The employee can then set a new passcode.
Note that even when the passcode is cleared, only the person holding the phone can see all the data that is on that phone — the company’s IT department cannot. In other words, the IT department cannot get remote access to the data on the phone simply by unlocking the phone. The phone must also be physically present. This protects the employee’s privacy.
Since the FBI has the phone, it would set the new passcode and have full access to the device. End of story. Of course, that’s water under the bridge since as Rage explains,
San Bernardino County cannot use MobileIron to unlock the shooter’s phone because it is too late to install MobileIron once the device is locked. So now neither the County IT department nor Apple can clear the passcode.
Ironically, the County, or any other organization using Apple devices, didn’t need to deploy expensive EMM software to perform basic tasks like remote device configuration, app installation, passcode reset, lock or wipe. Apple includes these features in OS X Server, which runs on any Mac, even a MacBook and costs a whopping $20. Of course, most organizations won’t want to replace their Windows file sharing, Exchange servers and backup systems with services running on OS X, but the device management features alone are worth setting aside an old Mac and $20.
As Apple points out in defense of its actions,
The passcode lock and requirement for manual entry of the passcode are at the heart of the safeguards we have built into iOS.
I agree that weakening this technology is unwise and if done, very unlikely to be confined to this case, including potential exploitation by cyber criminals. Yet for employee-provided phones, weakening the passcode is entirely unnecessary since EMM provides the means to securely reset it and/or remotely backup or wipe the device. In most circumstances, this allows employees to gain access to their own device, however in situations like the San Bernardino terrorist, EMM allows law enforcement unfettered access to any device properly held as part of an investigation.
Of course, EMM isn’t a universal law enforcement tool since it does no good for personally-owned devices. However, the Apple-FBI standoff provides a teachable moment for IT departments that employees’ mobile devices do contain valuable data and some will become inaccessible. You’d better have a plan in place to recover the data.
Image credit - Image credit: concept of computer security © lucadp - Fotolia.com