You're not the boss of me: Cybersecurity pros fear government overreach in iPhone fight

Just like Apple, the companies trying to stop hackers would say "no" to the federal government's demands for new software code.

US Attorney General Loretta Lynch told RSA conference participants that making encrypted data completely inaccessible is a risk.


The US government isn't winning any fans in the cybersecurity community in its fight with Apple over a phone used by one of the San Bernardino shooters.

The support for Apple is no surprise, considering that cybersecurity companies are in the business of keeping your data safe. Experts worry that weakening one iPhone could eventually make other phones vulnerable too.

What really gets their goat, though, is the government's demand that Apple cook up special-order software that it wouldn't otherwise create. This crosses an invisible line for an industry that doesn't like to be told what to do by any government.

Many cybersecurity companies attending this week's RSA cybersecurity conference in San Francisco say they would give the US government the same answer as Apple: You can't make me.

"How can a government tell a company, 'Go create something that doesn't exist'?" Mikko Hypponen, CEO of Finnish privacy company F-Secure, said Tuesday at a luncheon a block from the RSA conference.

Apple declined to comment for this story, but its lawyer, Ted Olson, made a similar point on Bloomberg News on Wednesday morning. "You cannot conscript a private company such as Apple to do something to change its products," he told Bloomberg.

The stakes in the Apple-FBI battle are high, touching on hot-button matters of both national security and personal privacy. The standoff, which started in mid-February, has turned up the heat on already-simmering tensions between Washington and Silicon Valley over encryption, the technology that scrambles information to prevent unauthorized readers from seeing it.

The US Department of Justice did not respond to a request for comment for this story. At RSA on Tuesday, US Attorney General Loretta Lynch argued that the federal government can and should be able to access the data.

"The law has a wonderful elastic quality to cover the issues that develop," she said during a question-and-answer session. "Having the inability to actually obtain evidence that would save lives is a real risk."

Certainly, cybersecurity is a major concern when it comes to the Apple-FBI standoff, which came to light last month after a federal judge granted a Justice Department request seeking Apple's help in cracking open an iPhone 5C tied to December's deadly terrorist attack in San Bernardino, California. Apple publicly denounced the court's order, which would require Apple to write new code to help the FBI gain entry to the phone, disabling the lock screen's auto-erase function en route to accessing the encrypted data. The iPhone maker has said that the government's request violates its First Amendment right to free speech.

Cybersecurity experts and civil libertarians worry that creating this new software could potentially make vast numbers of iPhones vulnerable. The very existence of such software would be dangerous, they argue, because it could be abused by governments, as well as criminals, if it got leaked. Apple and its supporters say that's true even if the government has a warrant for an important criminal investigation.

"The worst way to make the country more secure is loosening security," said Miller Newton, chief executive of encryption company PKWARE.

But as they hurry to protect your encrypted phone, cybersecurity experts also balk at the idea of being pulled by the ear to write code for the government.

"You can't compel us to do something we weren't already doing," said Harvey Anderson, chief legal officer of AVG, an antivirus company.

It's a matter of control. When it comes to how strong to make their products against hackers and government investigators alike, cybersecurity experts want companies to make that call themselves, without any changes after the fact mandated by the government.

Not every cybersecurity or privacy expert at RSA voiced this opinion. Craig Spiezle, executive director of privacy-oriented nonprofit Online Trust Alliance, said there needs to be a discussion about when companies should give up control of user data.

If there's a threshold that should be considered, "it's the seriousness of the crimes," Fowler said.

At a conference dedicated to making data as unhackable and untraceable as possible, this doesn't seem to be the majority opinion.

Correction, April 8, 2016 9:50 p.m. PT: This story has been updated with the correct name of the Online Trust Alliance.
