Privacy in a Connected World: Apple, the FBI and the Internet of Things (IoT)

Date:
Mar 1, 2016
 
A family office is more often than not founded around concerns about the family’s privacy and data security. So the current news around the FBI request for Apple to unlock the password of the iPhone belonging to one of the San Bernardino terrorists is of passing interest. If you go beyond this specific case and look at the potential precedents it might set, then forward thinking is needed around its impact on our connected world, not to mention the future with the Internet of Things (IoT).
 
The crux of the Apple/FBI wrangle is around a process that happens frequently on all the connected, software-driven devices we have. In order to keep that software up to date, the device manufacturer relies on a “trust” process between itself and the device. The new software update is delivered via the internet and the device “knows” it can trust this update because of a security feature in the operating system called “code signing”. The court in the Apple/FBI case has ordered that a new version of the operating system be created that bypasses several security features. The court also ordered Apple to sign the custom version of the software, since without this digital signature certifying the software’s authenticity, the phone would refuse to run it.
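
The signing check described above, as an added illustration that is not part of the original article and is not Apple's code: a device installs an update only if its signature verifies against the vendor's public key, so anything the vendor key signs is accepted, including an image with protections removed. The key pairs are toy RSA keys built from known primes, and the image contents and function names are constructed for this example.

```python
import hashlib

# Toy RSA key material built from known Mersenne primes. Constructed for
# illustration only: real code signing uses randomly generated keys, a padded
# signature scheme from a vetted library, and a private key kept in an HSM.
E = 65537


def make_keypair(p, q, e=E):
    """Return (public, private) with public=(n, e) and private=(n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest(image: bytes) -> int:
    """SHA-256 of the update image as an integer (always smaller than n here)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign(image: bytes, private) -> int:
    """Vendor side: sign the digest of the update image with the private key."""
    n, d = private
    return pow(digest(image), d, n)


def device_accepts(image: bytes, signature: int, pinned_public) -> bool:
    """Device side: install only if the signature matches the pinned public key."""
    n, e = pinned_public
    return 0 <= signature < n and pow(signature, e, n) == digest(image)


# The vendor's key pair; only VENDOR_PUB is stored on the device.
VENDOR_PUB, VENDOR_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
# An unrelated key pair standing in for anyone who is not the vendor.
OTHER_PUB, OTHER_PRIV = make_keypair(2**89 - 1, 2**607 - 1)

# Constructed sample images.
UPDATE = b"os-update build 1001 (constructed sample image)"
TAMPERED = UPDATE + b" + modified in transit"
WEAKENED = b"os-update with security features bypassed (constructed sample)"

if __name__ == "__main__":
    good_sig = sign(UPDATE, VENDOR_PRIV)
    print("genuine update:        ", device_accepts(UPDATE, good_sig, VENDOR_PUB))
    print("tampered image:        ", device_accepts(TAMPERED, good_sig, VENDOR_PUB))
    print("signed by another key: ",
          device_accepts(UPDATE, sign(UPDATE, OTHER_PRIV), VENDOR_PUB))
    print("weakened, vendor-signed:",
          device_accepts(WEAKENED, sign(WEAKENED, VENDOR_PRIV), VENDOR_PUB))
```

The device cannot tell a genuine update from a weakened one when both carry a valid vendor signature, which is why custody of the signing key is the security boundary.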
 
For many observers, these actions could open a Pandora’s Box around privacy and trust in a connected world. Some believe the precedent that the FBI is seeking could enable the government to force other technology companies to do exactly the same. They also point out that, given the many ‘hacks’ into government technology systems, this “backdoor” into connected devices could be stolen and exploited by criminals and terrorists.
 
The enormity of this question then comes into real focus when you consider the future potential of the Internet of Things. When we live in a totally connected world, who will make the decisions on what data and communications can be private and secure, and how will they make them? The process of updating software automatically, via trusted authentication that we all take for granted, could be viewed as a compromised process, and we might no longer be able to trust the software of our security camera, car, house, etc.
 
Although these events might be seen as peripheral to the work of a family office, they should be of strategic concern. This Apple/FBI case is about software authentication and, in a connected world, this is inextricably tied to data security and encryption.
 
When advising family offices on technology, I always try to have the office focus on what I call the “Technology Ecosystem”: essentially, the creation of an infrastructure and applications platform that provides secure encrypted access, business continuity and full disaster recovery. In our current era, the “cloud” provides the most cost-efficient and effective way to create such an ecosystem for the vast majority of family offices.
 
Secure and private communications between family members and the family office is the next area of technology focus I advise on, and it is here that the impact of the Apple/FBI case may be felt. Just as Apple has given the responsibility for security of a personal phone to the individual, there are ways a family office can apply similar “rights management” to both documents and text communications. With documents, this management can be done via an online “vault” approach, or a simple application “plug-in”, and this enables policy-driven “rights management” for all communicated documents. This provides functionality like encryption, authentication and access controls around read/write/print/use/geo-fence/revoke/etc., and it can be used to meet particular compliance needs and provide full audit trails. This can include email and covers all types of devices.
 
In the world of the text message, there is a messaging platform that works with a phone to provide a similar level of encryption, authentication and access controls, together with the functionality to meet the needs of compliance in a financial services world.
 
An essential part of what I have described above is that a secure system requires encryption “keys” that are only known by the intended user. These technologies use “two-factor” authentication (at the least). A good example from everyday life is withdrawing money from a cash machine: only the correct combination of a bank card and a PIN allows the transaction to be carried out. The encryption keys can be a lot more sophisticated than this in order to ensure they can provide the level of privacy and security their users want. In most of these technologies, there is the option for encryption keys to be stored within the provider’s application (but encrypted so only the designated user can use them), or the user can opt to store at least one “side” of that key themselves. As in the Apple/FBI case, who can access these keys, and how, is the defining question in such a system.
 
A secure, encrypted technology platform and communications protocol is readily achievable by a family office. It requires planning and a strategic approach, but it provides the best opportunity for the family office to meet its obligation for best efforts around data security and privacy.