Now that the FBI has magically cracked an iPhone used by San Bernardino gunman Syed Farook, the vitriol has calmed down in Apple’s very public battle in defense of privacy. Apple’s hardened stance in its 6-week defense against the FBI raises a broader question about the tension between commercial interests and public safety in modern free economies. While this heated skirmish appears to be over, the broader war between security and privacy is just beginning.
On one extreme, privacy advocates treat the sanctity of digital identifiers and customer privacy as absolutes. On the other, security advocates treat public safety as an absolute. The truth lies somewhere in the middle, and both public and private organizations are scrambling to find their footing amid increasingly blurred boundaries.
Privacy and security are not opposite ends of a spectrum in an interconnected and insecure world. Rather, they are two equally important goals that must move in tandem in order to maintain a safe, global and digitally dependent economy. In short, the tug-of-war analogy between privacy and security belongs in a bygone era. A more apt description is two equally important objectives tethered by an elastic band. Under normal circumstances, privacy and security lie at rest at opposite ends. Certain forces or conditions, however, may cause them to spring back together and even overlap.
The terror attack in San Bernardino was such a case. Tragically, however, the loss of 14 lives and serious injuries sustained by 22 others proved to be an insufficient calculus in favor of security. Framing the legal battle between Apple and the FBI as one of privacy versus security misses the symbiotic nature of their relationship. In our times, defined by a worldwide tragedy of the commons calling for frequent public bailouts, cyber risk, terrorism and climate change, you simply cannot have one without the other. Greater transparency, accountability and, above all, cooperation are needed between public and commercial interests.
Few may remember the name José Padilla, who was found guilty of plotting to detonate a so-called dirty bomb, scattering radioactive material that could have claimed thousands of lives and turned a major city into a ghost town. This case took place in the heady days after 9/11, in May of 2002, when the biggest cyber threats were rudimentary phishing and ID-theft scams. While the dirty bomber case is not free of legal controversy, it also occurred 5 years before the launch of the now ubiquitous iPhone, at a time when a little more than 10% of the world’s population was using the internet, according to the World Bank. It is reasonable to assume the risk of such a mass casualty event, if it were to occur today, would engender starkly different positions from privacy and security proponents if a locked iPhone held clues for public safety. Clearly, no one wants an omniscient state any more than one wants mass casualty events or cyber ne’er-do-wells. Sadly, these forces are colliding in the real world with real consequences, and we all need to come to terms with areas where commercial, public and security interests will overlap.
The Germanwings airline tragedy provides another example where these very issues are playing out in Europe, pitting aviation safety against medical privacy. In this case, investigators have learned that Andreas Lubitz, the co-pilot of the doomed flight, was suicidal and that numerous (private) red flags were missed just days before he crashed the plane into the French Alps, claiming 150 lives. French accident investigators and lawyers for the victims’ families are calling for laxer medical privacy standards when possible risks to public safety emerge. Clearly, loosening privacy rules by singling out certain professional classifications like airline pilots will create a raft of new challenges; however, some conciliatory ground must be found to avoid these preventable losses. Insidiously, the reinforced cockpit doors meant to protect the public from another 9/11-style hijacking amplified the once unthinkable exposure to a suicidal pilot.
The San Bernardino terror attack and the Germanwings tragedy underscore the tension that can arise between public and commercial interests under the threat of man-made risks. There are also cases where public safety, commercial interests and natural risks collide. One example was the 2010 Icelandic volcano eruption, which halted commercial air traffic over much of Europe for fear that volcanic ash would cause engines to seize up, jeopardizing safety. As grounded airlines, flight maintenance crews and engine manufacturers jostled for position against air traffic regulators, mounting economic costs and millions of stranded travelers soon trumped safety, and flights took off. It was not without a principled confrontation pitting an industry leader against the regulator, much like Apple’s principled stance against the FBI.
Willie Walsh, British Airways’ former CEO, took on safety regulators in a very public fight during the height of the travel ban. Shortly thereafter, restrictions were lifted, signaling the crossover point where business interests superseded public safety. The next time public interests in the form of safety or security are pitted against commercial interests or privacy, companies would be wise to remember the public largesse that kept many of them afloat during the financial crisis. In short, safety, security and privacy are not tradeoffs in a modern free economy; rather, they remain locked in a complex relationship for which a series of new ground rules is desperately needed.