From a distance, it looks like the shoe is on the other foot, but it’s really not. Now that the FBI, with the assistance of an undisclosed third party, has successfully cracked the security of the work iPhone of San Bernardino, California, terrorist Syed Farook, can Apple demand that the FBI show them how?
The story we all know by now is that the FBI and the Department of Justice had gone to federal court to try to force Apple to write code that would help weaken the phone’s security and let them try to brute force their way through Farook’s passcode. Apple resisted the demand, claiming that providing such information, even if it remained in Apple’s hands, could potentially weaken the cybersecurity of all its customers’ data, opening them up to potential hackers or cybersurveillance.
We don’t know whether Apple would have won that fight in California because the FBI withdrew its demand after figuring out on its own how to break into Farook’s phone. But now the big question is whether the information will flow back in the other direction. Typically when the U.S. government uncovers a security vulnerability in the private sector, it has a process of letting these businesses know so that the flaw can be fixed. But we have a surveillance security state where transparency and your privacy and cybersecurity rank second behind the feds trying to keep their processes secret because of the war on terror. So we don’t know whether the FBI will have to provide this info to Apple. Reuters explains:
The referee is likely to be a White House group formed during the Obama administration to review computer security flaws discovered by federal agencies and decide whether they should be disclosed.
Experts said government policy on such reviews was not clear-cut, so it was hard to predict whether a review would be required. “There are no hard and fast rules,” said White House cybersecurity coordinator Michael Daniel, in a 2014 blog post about the process.
If a review is conducted, many security researchers expect that the White House group will not require the FBI to disclose the vulnerability it exploited.