Apple vs FBI: when the code is more effective than the law

by bold-lichterman

It has been six months since Apple and the FBI fought a fierce media battle which, in the eyes of the general public, can be boiled down to the FBI's desire to obtain a solution allowing it to hack a terrorist's iPhone, and to Apple's refusal to provide the FBI with such a solution, which the Cupertino company calls a "backdoor". But the media noise hides key political issues as well as a little-known side of the technology business: the market for security vulnerabilities, those "solutions" that Apple refuses to deliver to the FBI and which would allow the latter to break into Apple's devices.

Yet it is the adage "Code is Law" that prevailed once again, and harsh technological reality imposed itself on Apple, granting it only a nominal legal victory, won by default. Cellebrite, an Israeli computer security company, reportedly sold the FBI a security flaw that allows it to access the encrypted contents of the iPhone, leading the FBI to end its standoff with Apple, while Apple preserves its newly minted marketing position as the White Knight of Privacy.

A black market

The reality of this vulnerability market is increasingly forcing itself on the world of computer security and, through the outcome of Apple vs. FBI, on technology in general. To understand what happened behind the scenes of this confrontation, we must dive into the world where security flaws are bought and sold, flaws that allow an attacker to penetrate the defenses of a multitude of technologies, whether the innards of an iPhone or the infrastructure of a state or a company.

The "black market" for security vulnerabilities is arguably the most worrying. Here, anyone can acquire a security flaw and do whatever they want with it: espionage, sabotage, racketeering, economic intelligence or surveillance. The clientele is made up of intelligence agencies, state or private, from all countries, as well as cyber-focused criminal organizations. This market tried for a time to professionalize itself, as when the Swiss startup WabiSabiLabi launched in 2007, offering an eBay-like platform and posing as an intermediary in this more than doubtful trade. The attempt would fail: its founder, Roberto Preatoni, was arrested a few months later in a murky espionage case involving Telecom Italia, which made the front page of the Italian press for months. Nowadays, this black market operates out of sight, on obscure forums or on the famous darknet.

Gray market negotiations

But it is obviously not on the black market that the FBI found the flaw that should allow it to decrypt the iPhone, but on the gray market: a completely legal market, more and more regulated, but particularly discreet. On the gray market, vulnerabilities are traded for tens, or even hundreds, of thousands of euros. Criminal organizations are in principle excluded: only legitimate companies and state or para-state organizations can buy and sell vulnerabilities there.

The fact remains that, legal or not, these black and gray markets pose a real danger to us and compromise the computer security of states, companies and individuals.

To counterbalance this, a white, transparent and strictly regulated market offers to buy from IT security experts any flaws they discover, with the sole aim of fixing them and improving everyone's security. For example, there are richly endowed competitions such as Pwnium, organized by Google, or the Zero Day Initiative, supported for more than ten years by Hewlett Packard, which sometimes pays very high prices for security vulnerabilities in order to patch them.

But the white market for security vulnerabilities is increasingly turning to the Bug Bounty, a concept from across the Atlantic; Google, moreover, recently ended its Pwnium competition in order to fold it into its own Bug Bounty program, with rewards of up to $100,000 [full disclosure: the author is a partner in Yogosha, a Bug Bounty platform].

On these marketplaces, companies set the price and buy the flaws in their technologies from the "whitehat" hackers who discover them, in order to correct them. The principle has been a hit in the USA for a few years, where it is practiced by almost all the big names in the technology sector... with the exception of Apple, which is paying dearly today for having neglected to counterbalance the gray market with a richly endowed Bug Bounty, as Google did. In Europe, the Bug Bounty trend is starting to take hold: two players are in the running in France, Bounty Factory and Yogosha, the latter of which has just joined the Hewlett-Packard Startup Promotion 2016.

On the surface, in the end, less than three years after the Snowden affair and after six months of a media-legal standoff, the Apple vs. FBI case will have established privacy as a real marketing position, for Apple as for more and more companies in the technology sector. There is much to be said about such companies' legitimacy in claiming this position and these values, but we should not be blinded: this "pro-privacy" trend will accelerate. The future European directive on cybersecurity will strengthen it considerably: within two years, when this directive comes into force, all companies on the European continent will be forced to position themselves in this way. It is a safe bet that many will use it for marketing purposes. Apple, as always, is just a precursor.

Fabrice Epelboin is a digital serial entrepreneur; he teaches the impact of information technologies on institutional and corporate governance at Sciences Po Paris and advises large groups on their digital transformation.

LinkedIn: epelboin

Twitter: @epelboin