Susan Landau, professor of cybersecurity policy at Worcester Polytechnic Institute (WPI), was one of four individuals invited to testify today before a hearing of the U.S. House Judiciary Committee titled, “The Encryption Tightrope: Balancing Americans’ Security and Privacy.” Also testifying were James Comey, director of the Federal Bureau of Investigation (FBI); Bruce Sewell, senior vice president and general counsel for Apple Inc.; and New York County district attorney Cyrus Vance.
The hearing focused on the balance between the need for strong security measures to protect the often private, sensitive, and commercially valuable information people keep on their smartphones and the desire of the FBI and other law enforcement agencies to access information on those phones when they become evidence in the investigation of criminal cases or acts of terrorism, such as the December 2015 attack on the Inland Regional Center in San Bernardino, Calif., by Syed Farook and his wife.
At the FBI's request, a judge on the Central California District Court has ordered Apple to write new software that will permit the FBI to circumvent built-in security safeguards that are preventing investigators from unlocking Farook's iPhone and gaining access to the encrypted information it contains. The FBI has argued that the safeguards, which will delete all data stored on the phone if investigators make 10 incorrect attempts to guess the phone's four-digit passcode, are hindering an investigation that could reveal future security threats. Apple has contested the order, arguing that if it is forced to create this software to circumvent the security features on one phone, such software could fall into the hands of criminals or foreign governments, putting all iPhones at risk. "It would be the equivalent of a master key, capable of opening hundreds of millions of locks," Apple wrote in a communication to its customers.
In her testimony, Landau urged Congress to weigh the intelligence gains that might be realized by unlocking a single phone against the potential risks of making all smartphones vulnerable to attack. She noted that because smartphones are now ubiquitous, and because most people use a single phone for both personal use and work, our phones contain all manner of proprietary information: "And so access to U.S. intellectual property lies not only on corporate servers—which may or may not be well protected—but on millions of private communications devices."