The Apple, the Fall and the Exile: The International Effect of Hacking One iPhone

By Dan Regard

Dan Regard, the co-founder and CEO of iDiscovery Solutions, is an electronic discovery and computer science consultant with 25 years' experience in consulting to legal and corporate entities. Mr. Regard is a member of the Sedona Conference WG1 and WG6, as well as a board member of Georgetown Advanced Institute for e-Discovery.

The recent saga of whether or not to force Apple to open the iPhone of self-proclaimed terrorist Syed Farook has taken on historic and international dimensions.

Borrowing From the Bible

In the original story of Genesis, the serpent tempts Adam and Eve to bite an Apple from the Tree of Knowledge of Good and Evil. The bite gives Adam and Eve a surfeit of information, including awareness of their nakedness.

This is the “Fall” that brought sin into the world, corrupting the natural world. Adam and Eve are then “Exiled” from the Garden of Eden.

Like a modern day version of Genesis, in the iPhone encryption case, we see the lure of an Apple, which promises knowledge but may trigger the loss of security and privacy; a fall whereby the world of data security might be corrupted and, should the story continue, potentially a form of data and economic exile for the United States.

The FBI takes the position that access to the iPhone is a necessary, one-time event that falls within the capability and duty of Apple (thanks to a writ issued by the local federal district court).

In its First Amendment defense, Apple takes the position that it cannot be forced to program that which has not been programmed. In addition, Apple argues that it should not be forced to weaken security protocols and that doing so is a slippery slope from which privacy and data security shall be lost forever. (Apple also makes a convincing argument that this is far from a one-time event.)

Culture Clash

Internationally, the story takes on an additional facet—a collision of fundamental differences in how data privacy is protected.

In the United States, data privacy is protected through a patchwork quilt of federal and state laws, generally defined by industry, such as healthcare or financial services. This is tempered by a strong presumption that corporate data belongs to the generating (or collecting) company, and by a system with more laws granting access than preventing access.

In Europe, data privacy is considered a fundamental human right. It is protected by the Data Protection Directive (Directive 95/46/EC).

When compared to the EU data privacy regime, the U.S. is much weaker; so much so, that the EU has declared the U.S. legal system inadequate to protect the transfer of personal data. Canada's legal regime is adequate. Argentina's legal regime is adequate. The United States' data privacy regime is not.

In 2000, in order to overcome the shortfalls of the U.S. regime, the U.S. Department of Commerce negotiated the EU-U.S. Safe Harbor agreement. This letter agreement allowed the transfer of EU personal data to the U.S. on a company-by-company basis, provided those companies register for the self-administered Safe Harbor program and adhere to a stricter set of guidelines and requirements akin to those of the EU Data Protection Directive.

As of 2014, over 3,000 companies were registered for the EU-U.S. Safe Harbor program. For these companies, the ability to transfer personal data from Europe to the U.S. is as crucial, and as second nature, as the ability to make a phone call from Europe to the U.S.

Without Safe Harbor, these companies would potentially be faced with not doing business in Europe at all, or relying on two more-difficult-to-implement mechanisms called “Binding Corporate Rules” or “Model Contracts.”

International Law Suits

In 2013, Austrian privacy activist Maximilian Schrems brought suit in Ireland, challenging the legality of Facebook's handling of his personal information under European privacy law.

As a result, in October 2015, the European Court of Justice (ECJ) declared the Safe Harbor agreement invalid (Schrems v. Data Protection Authority, E.C.J., C-362/14, 2015). The ECJ found that in the U.S., “national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements.”

Once Safe Harbor had been ruled invalid, the U.S. and the EU started working on a new scheme. On February 2, 2016, they announced a new agreement: the EU-U.S. Privacy Shield. Since that decision, Schrems has filed three new lawsuits in Ireland, Belgium and Germany challenging Facebook's reliance on Model Contracts.

Given the ECJ's opinion of prevailing requirements in the U.S., it is very likely that the Model Contracts exception for data transfer will also be ruled invalid. The same logic is applicable to the Binding Corporate Rules exception.

Dire Consequences

That history brings us to the current case and the request of the FBI. Given that the ECJ is already skeptical that the U.S. can craft and implement a scheme that is “adequate” for the protection of personal data, a decision in favor of the FBI will further weaken our likelihood of finding such a solution.

Moreover, not only will it set a precedent that the government should trump any data security interests (a legal precedent), it accomplishes this through the weakening of data security mechanisms (a technical precedent). Hence it has a two-fold impact, and is twice as concerning.

Should the FBI and DOJ continue to press Apple to unlock this particular iPhone, and should the U.S. Supreme Court agree, then the EU may be well justified in believing that there is no data transfer agreement that will be adequate to protect EU personal data, including the newly-inked, but not yet fully implemented, EU-U.S. Privacy Shield.

Should this occur, companies will be forced to keep data locally in Europe. For large companies, like Microsoft, Facebook, or any of the other Fortune 50, this will be a costly proposal. For smaller companies, it will be an insurmountable hurdle. For the global Internet, it may well be a death knell.

And there lies the “Exile”: U.S. companies excluded from the lucrative markets of fortress Europe.

So, if you feel religious about data security, then this case is very much a religious play of global implications. Little wonder that so many people are following it so closely.