February 26, 2016
In the ongoing debate between federal authorities and Apple regarding access to data contained on an iPhone used by one of the alleged San Bernardino shooters, the focus has been on the potential impact of that case on the millions of iPhone users around the world. We should recognize that the impact of this case extends far beyond the universe of iPhone or even smartphone users. The actions of federal authorities in this case could set a precedent that would threaten the privacy of everyone around the world who uses any type of data-collecting device.
The “Internet of Things” is the description commonly used for today’s environment in which a wide range of devices collect, process, and share data through the Internet. The devices integrated into the Internet of Things include consumer electronics products such as game consoles, watches, and televisions, as well as automobiles and other vehicles. The Internet of Things also includes medical devices (heart pacemakers for example) and even household appliances (refrigerators, for instance).
Currently, there is active discussion as to the extent to which the various data collecting devices that are now part of the Internet of Things should secure the data they collect. Privacy for information gathered through the Internet of Things is an important policy issue. The actions in the iPhone case threaten to undermine privacy initiatives for the Internet of Things.
Apple is now resisting demands by the FBI and a federal court that the company use its resources to create computer code which will circumvent privacy protection measures the company builds into its products. If federal authorities prevail, the same process now being applied to Apple in the context of its iPhones could be applied to any manufacturer of any product which is part of the Internet of Things.
Imagine, for example, a television manufacturer that has embedded a voice command capability into its products. In order to function properly, that system records sounds where the television is located. Because that capability can invade the privacy of users, assume the company includes some form of limitation on the recording capability for privacy purposes. Under the principles applied by the FBI in the iPhone case, it seems federal authorities would take the position that they could obtain a court order compelling the television maker to develop and use software that overrides the privacy protections and thus extends the scope of the sound recordings collected by the device.
Consider another scenario. Geo-location tracking and data recording capabilities are now routinely included in cars and other vehicles. Assume an automaker chooses to incorporate some limitations on the scope of such location tracking capabilities in its vehicles for the sake of user privacy. Based on the Apple case, it seems that federal authorities would contend that they should be able to compel that automaker to apply its resources to develop software that circumvents the tracking limitations, thus enabling broader location tracking of the vehicle.
These government-mandated privacy intrusions could be extremely invasive. For example, imagine a situation where an individual suspect in an investigation is in hiding and uses a heart pacemaker that is Internet-enabled. The iPhone case seems to suggest that federal authorities might take the position that they should be able to compel the pacemaker manufacturer to develop new code which could fool the device into believing that it was malfunctioning. Based on that false failure indication, the suspect would presumably seek medical attention from his physician, and would thus be easier to find.
If courts support the requests of the law enforcement authorities in the Apple iPhone case, privacy for the Internet of Things will be severely threatened. That case would establish precedent enabling authorities to compel manufacturers of devices that collect data to circumvent privacy protection measures. In such an environment, even the most aggressive embedded privacy protection systems become virtually worthless, as they do not provide protection against government access.
No matter what privacy safeguards device manufacturers embed in their products, federal authorities would have the ability to force those manufacturers to create software that overrides the safeguards. In that environment, privacy commitments made by the product manufacturers to their customers would be undermined. Privacy protections mandated by consumer protection agencies, including the Federal Trade Commission and state consumer protection authorities, would be negated. The current case would, in effect, transform the Internet of Things into a built-in infrastructure for government surveillance. It would create a tracking and monitoring platform, paid for entirely by consumers and product manufacturers, which could be accessed on a case-by-case basis by government authorities.
The current debate over iPhone privacy is, in reality, one of the first major battles in the fight to preserve meaningful privacy in the context of the Internet of Things. Viewed from this perspective, it seems clear that the stakes associated with the current Apple case are extraordinarily high. The impact of the current case extends far beyond a single investigation, and it has the potential to undermine personal privacy and civil liberties on a massive scale.