Apple CEO Tim Cook: Health info at risk in FBI request to unlock iOS

Apple chief defies government demands to unlock the iPhone of one of the San Bernardino terrorists, creating a backdoor into the system's software.
By Bill Siwicki
04:19 PM
Share
Undermining the strong encryption found on Apple’s iPhones would be disastrous for healthcare users.

Apple CEO Tim Cook on Wednesday cited backdoor access to health records as just one of many violations of privacy the FBI would be guilty of if the iPhone maker agreed to create a means to unlock a user’s smartphone.

Cook made the argument in an open letter strongly rebuffing the U.S. government’s efforts to get Apple to unlock an iPhone owned by one of the terrorists involved in the December attack in San Bernardino, California.

[Privacy, security hot topic at HIMSS16]

Cook said the protection of consumer privacy is paramount, and that Apple creating a program to unlock an iPhone and turning that program over to the FBI would endanger the security of the data, including personal health information, on every iPhone user’s device.

“We oppose this order, which has implications far beyond the legal case at hand,” Cook wrote. “Smartphones have become an essential part of our lives. People use them to store an incredible amount of personal information, from our private conversations to our photos, our music, our notes, our calendars and contacts, our financial information and health data, even where we have been and where we are going.”

All of this information must be protected from hackers and criminals who seek to access, steal and use it without the knowledge or permission of consumers, Cook said, adding that when the security of personal information is compromised, it can ultimately put personal safety at risk, which is why encryption has become so important.

Apple has provided the FBI with data in the company’s possession, and has made Apple engineers available to advise the FBI, offering ideas on a number of investigative options, Cook wrote.

“But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create,” he added. “They have asked us to build a backdoor to the iPhone. Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software – which does not exist today – would have the potential to unlock any iPhone in someone’s physical possession.”

Building a version of Apple’s iOS mobile operating system that bypasses security in this way would, without question, create a backdoor to the iPhone, Cook wrote.

[Also: Hollywood Presbyterian declares emergency after hackers demand $3.4 million ransom]

“And while the government may argue that its use would be limited to this case, there is no way to guarantee such control,” he said. “Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks.”

The clash centers on how the iPhone locks. Users of the iPhone select a numeric passcode to lock their devices, a passcode typically known only to them. The iPhone then ties device encryption to an individual user’s passcode, which becomes the encryption key, so that even Apple cannot access the device.

Should the FBI win and gain a precedent for forced circumvention of security capabilities, then all data that resides on any device could be at risk, said Jeff Pollard, a principal analyst at Forrester Research Inc. who specializes in data security and hacking.

“This should force consumers and creators of apps to think in broader terms about healthcare and other data used, stored and transmitted,” Pollard said. “However, when building an application that relies on sensitive data, developers of said application shouldn’t rely on any individualized aspect of a device’s security, but instead approach their application and the data it uses from a security standpoint including use of certificates and encryption where available.”

Undermining the strong encryption found on Apple’s iPhones would be disastrous for healthcare users, whether the users are consumers with mobile health apps or clinicians with clinical apps on their respective iPhones, said Lynne A. Dunbrack, research vice president at research and consulting firm IDC Health Insights.

“HIPAA mandates that protected health information created by covered entities be encrypted,” Dunbrack said. “If the FBI succeeds and forces Apple to create a backdoor to unlock the iPhone, then what happens if that backdoor technology falls into the wrong hands? Information stored on the device would be vulnerable to hacking, and if the device was owned by a clinician or healthcare organization, the covered entity responsible for that data could face stiff HIPAA penalties if protected health information is compromised.”

[Like Healthcare IT News on Facebook]

Digital rights group Fight for the Future is calling for nationwide protests outside Apple stores to demand that the U.S. government drop its request, which the group said would undermine the safety and security of millions of iPhone users worldwide.

Fight for the Future said iPhone users and civil liberties supporters will rally outside Apple stores at 5:30 p.m. local time on Feb. 23.

“Governments have been hoping for an opportunity to pressure companies like Apple into building backdoors into their products to enable more sweeping surveillance – it’s shameful that they’re exploiting the tragedy in San Bernardino to push that agenda,” said Evan Greer, Fight for the Future’s campaign director. “Security experts agree that any weakening or circumvention of security features on a phone puts everyone in danger. Encryption is what protects our airports, power plants and hospitals. If the FBI succeeds in forcing Apple to help them hack into an iPhone, it will open the floodgates and set a dangerous precedent.”

Twitter: @SiwickiHealthIT