Third-party encryption: Why a backdoor to the iPhone won’t stop future terrorist attacks

Let’s assume for a minute that the FBI got its way. It coerces Apple into disabling the self-destruct function on the San Bernardino terrorist’s iPhone, allowing it to brute force the password. Effectively, the FBI and Apple create a backdoor that theoretically works the same across all iPhones. Police even use the same tactic on the dozens of other iPhones that are currently involved in active investigations. People across the world sacrifice their privacy, while the police have a new tool to fight terrorists.

Except they don’t, really. Sure, iMessage and other iCloud services could be decrypted without a password, but what Apple critics often fail to realise is the abundance of third-party encryption tools widely available. Free, open-source alternatives exist to encrypt chats, phone calls, files, and even entire hard drives. That pesky self-destruct function the FBI is so eager to remove? Alternatives for that exist as well, and they are all easily accessible with nothing more than a Google search.

By removing the default encryption built into iPhones, the FBI isn’t stopping terrorists. It’s merely inconveniencing them.

Alternative encryption methods

Want to encrypt live phone calls? The Signal app does that for free. Encrypted, burn-after-reading messaging? Try Signal, Cryptocat, TorChat, and Burn Note. Anyone can use file encryption apps like Boxcryptor and CloudFogger to encrypt files before sending them to someone else or uploading them to the cloud. Email encryption is made possible through PGP and S/MIME protocols, which have been around for years and have great track records for never being cracked.

VPNs encrypt Internet traffic and mask the original IP and location of the user, preventing surveillance. The good ones don’t even log user activity, so they have nothing to give to authorities.

An entire hard disk can be encrypted using FileVault and BitLocker, which come pre-installed on Mac and Windows machines, respectively. If you don’t trust Apple or Microsoft, then use a third-party option like DiskCryptor or VeraCrypt. Many Android phones come with flash memory encryption built in, and those that don’t can still use a third-party app like WhisperCore.

Let’s not forget about Tor, which is compatible with a whole suite of apps for anonymous web browsing, chat, and even an entire operating system that can be run from a USB drive.

Toshiba now makes self-destructing hard drives, or you can use any of the many disk wiping tools like Darik’s Boot and Nuke and Eraser. Secure Drives, a British company, makes solid state hard drives that self-destruct when you text them a specific pass code.

“Good job, Paul. You went and made a how-to guide for terrorists,” you might say. But again, all of these tools are not much more than a Google search away, complete with documentation, support, GitHub repositories, and user forums. It’s easy.

These are not tools solely used by terrorists and drug dealers, either. Lawyers, journalists, business people, scientists, and of course government officials are but a few of the professions where encryption is vital.

A Sisyphean endeavour

“Let’s ban all encryption!” say the politicians and activists with little to no technical expertise. “Put backdoors on everything!”

They fail to realise that encryption worldwide relies on but a handful of the same free, open-source protocols. Banning encryption would be like trying to create a master key for every lock that has ever existed and ever will exist. It’s impossible, and even trying would put their countries at a major competitive disadvantage to other economies. It also leaves a huge security gap to be exploited by hackers. Not only is it a big gap, but the hackers will also know where and what to look for.

The point is, if you think terrorists will no longer be able to secretly communicate and keep authorities out of their devices because Apple leaves a backdoor open for the FBI, you are mistaken. Most of these encryption tools are free for anyone to download, be they a terrorist or a school teacher, and they aren’t difficult to learn.

If you want an example of what happens when encryption is compromised, just look at the recent DROWN attack. DROWN left about one-third of all servers worldwide that use the HTTPS protocol vulnerable to attack and breach. HTTPS, for the uninitiated, is what keeps your credit card details, email, and passwords safe when doing pretty much anything that requires security on a web browser. It’s often represented by a padlock icon in a browser’s URL bar.

We tend to think of the FBI-Apple case as a choice between security and privacy. But even if law enforcement gains access to valuable data on a few iPhones in the short term, backdoors threaten privacy for all of us in the long term and do relatively little to improve security. This is a Sisyphean endeavour for law enforcement. The free market will fill in the security hole left by the FBI and Apple. The third-party encryption tools we have now will continue to improve and become even easier to use.

Terrorists can and will learn to adapt. If the FBI wins its case against Apple, perhaps we all should.

Paul Bischoff is a researcher for Comparitech.com