While the company's legal team fought the order, Apple CEO Tim Cook published a letter arguing against being forced to build a so-called backdoor that would subvert the encryption that not only kept the shooter's phone secure, but also the smartphones of millions of other Apple users.
Most in the technology community rallied around Apple at the time, arguing that weakened encryption might help government investigators, but it would also make customers vulnerable to hackers. Now, with a massive top-secret archive of some of the NSA's own exploits having been leaked online, it appears they were right.
But Cardozo believes the FBI's exploit of the San Bernardino shooter's iPhone 5C, its still unknown exploit of the Tor web browser in another case, and NSA's apparent hoarding of exploits that have now been made public, raises a larger issue around the legalities of government hacking. "When the government finds, creates, or discovers a vulnerability in a system, there are essentially two things they can do: They can disclose it, or they can use it," he said. "But the rules around that are completely broken." There are some guidelines around how the government is supposed to deal with vulnerabilities in what is called the Vulnerabilities Equities Process, a framework that is supposed to outline how and when it would make sense to disclose a vulnerability to an affected company if the larger security risk is greater than the reward it could yield. But the VEP is just nonbinding guidance created by the Obama administration — not an executive order or law — that has no legal standing.
"We need rules, and right now there aren't any," Cardozo said. "Or at least none that work."
Writer - Liam McClelland | @Liamicy