It happened first with the 2014 Sony Pictures hack. In the aftermath of the hack that leaked the names and personal information of studio employees, threats of terrorist attacks were made against theaters scheduled to release the Seth Rogen–Evan Goldberg comedy The Interview. As it became clearer that North Korea was behind these incidents, Homeland Security Secretary Jeh Johnson issued a statement encouraging businesses to evaluate their cybersecurity practices in cooperation with the Cybersecurity Framework, a best practices tool developed by government in consultation with the private sector.
A little over a year later, US government officials are again encouraging the cooperation—or, perhaps, compliance is the more accurate word—of a California-based media and technology company in relation to an internal corporate cybersecurity decision. In response to government requests, Apple has refused to decrypt iPhones in the service of the FBI investigation into the San Bernardino terrorist attacks. Taken together, the Sony and Apple incidents point to a troubling trend: the public use of the issue of national security as a tool to extend unwarranted control over media and technology companies.
Both the Sony hack and the Apple-FBI imbroglio demonstrate that cybersecurity jurisdiction is fuzzy. Government overreach is growing. Consumers are caught in the middle both as stakeholders and as audience.
Like the Sony hack, the Apple-FBI debate is playing out in public. The FBI is making the case for why all of us should want Apple to open its (back)door to regulators. When industry surrogates shoot out public missives supporting government intervention into technology firms, they are putting legal protections for new technologies in the crosshairs. Bill Gates weighed in on the importance of compliance with government requests. He speaks as a respected figure in technology. Yet Gates also benefits directly from Microsoft’s government contracts of more than $1 billion, a much larger exposure than Apple’s. But because of the publicness of the debate, Gates’s stake becomes clear.
Public debate is necessary because the rights involved in the Apple-FBI case are fragile. In 2014, University of Virginia media studies professor Jennifer Petersen pointed out that the limited legal decisions related to code indicate that the bar for protecting this type of communication is low—so far restricted only to internal communications between programmers. Apple’s refusal to open encrypted phones without a legal order because of its free-speech rights could establish important new precedents. As author and attorney Jonathan Zittrain notes, asking the judiciary to weigh in on complex issues like whether or not to decrypt phones for FBI cases is precisely the point of the rule of law. The fact that the case will now play out publicly further magnifies its importance.
More civilian oversight of US cybersecurity policy is essential. But this is not only because establishing coherent legal standards is important in this still inchoate area of law. It is because, as the FBI’s pleas to Apple have demonstrated, our most advanced knowledge of key cybersecurity issues like encryption is located in the civilian world. Therefore, paradoxically, private sector involvement in cybersecurity is likely to produce better policy than the government could produce without public or corporate scrutiny. (The question of public and private domains in relation to Apple's fight with the FBI was also recently examined by Ned O'Gorman at The Infernal Machine blog.)
As the Snowden PRISM leak demonstrated, individual liberty is often secretly sacrificed on the altar of national cybersecurity. Fortunately, through Apple’s—admittedly self-serving—media extravaganza, FBI access to personal iPhones will never be an obscure technical question again. Just as the Sony hack brought attention to US cybersecurity policy via the marketing team for The Interview, Apple has brought government cybersecurity practices into public debate by revealing a threat to our beloved devices.
Public attempts to define the relationship between individual and corporate freedoms in relation to government protection do not provide the final answer for US cybersecurity policy. However, they are a substantial improvement over private negotiations between corporate and government stakeholders to the exclusion of other citizens. The news cycle surrounding the Apple-FBI events may be a circus, but it shines light on an important problem. Ultimately, our collective obsession with entertainment media and the devices that deliver it will create more open debate about the intersection of the media and technology industries and cybersecurity.
Aynne Kokas is Assistant Professor of Media Studies at the University of Virginia, and a non-resident scholar in Chinese Media at the James A. Baker III Institute of Public Policy at Rice University.