Why Didn’t San Bernardino County Officials Have Access to the Terrorist iPhone?
You’ve heard the story: The FBI wants to break into the iPhone belonging to the San Bernardino terrorists, but it’s locked, so they’re stuck.
A federal judge has ordered Apple to write a new operating system to bypass the security on the device, but Apple says it won’t comply. Doing so, argues CEO Tim Cook, would put everyone’s data at risk.
Our own tech reporter Rich DeMuro wonders why San Bernardino County does not have access to the content and passcodes for that iPhone.
After all, it was a device issued by the County to the terrorist Syed Farook, who worked as a health inspector.
We asked the spokesman for San Bernardino County, David Wert. He writes:
The county has longstanding email and Internet use policies that state, “NO USER SHOULD HAVE AN EXPECTATION OF PRIVACY”, meaning everything on county-owned devices, everything communicated using county Internet access, and everything on the county’s email system is subject to storage and review by the county, and in most cases can be requested for review by the public. The policies pre-date smartphones, but most certainly apply to them.
The issue at hand is that iPhones allow the user (in the county’s case, individual employees) to create their own passcode and disengage from the cloud, and iPhone does not allow the owner (the county) to override or disable those functions. The county could issue an iPhone to an employee with a “county” passcode and have it synced to the cloud, but it is not possible with iPhone to prevent that employee from immediately changing the passcode and disengaging from the cloud. Doing so takes about 10 seconds.
Many of us work for companies with the same policy. We know that everything we communicate on our corporate-issued device is subject to review by our bosses. But the technology seems to have advanced so far that individual employees can override that scrutiny.
The county could adopt a policy requiring employees to provide their supervisors with their passcodes, or use a county-issued passcode, and to not disengage from the cloud. But in practice, the only way the county could enforce that policy would be to physically inspect each device on a regular basis, and even at that, it would be easy for an employee to quickly switch back to the county passcode and re-engage the cloud prior to inspection, and quickly switch back following the inspection without the county being able to tell that anything had been changed. There would be no way to centrally or remotely determine if employees are setting up unauthorized passcodes or disengaging from the cloud.
So now we know: the iPhone can be a secret hiding place, even if it belongs to your employer.