Case study 9

6/21/22, 1:08 PM Case Studies

Page 1 of 8 https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_10_closer_10.html

Case Studies

Case One FBI Orders Apple to Unlock iPhone

On December 2, 2015, Syed Rizwan Farook and Tashfeen Malik burst into a holiday gathering of county employees at the Inland Regional Center in San Bernardino, California, and began shooting—ultimately killing 14 people and wounding another 21. In the hours after the attack, the couple became involved in a shootout with police, and both were killed.

With their deaths, the investigation into the deadliest terrorist attack in the United States since September 11, 2001, entered a new phase, as hundreds of FBI agents in California and around the world began investigating the attackers’ online and offline activities in the hours, weeks, and months leading up to the shootings. In addition to the stockpile of weapons and homemade pipe bombs found in the home of Farook and Malik, investigators found multiple electronic devices. While attempts had been made by the couple to delete data and damage some of the devices, FBI Director James Comey reported two weeks after the attack that investigators had found private messages between the two that showed their “joint commitment to jihad and to martyrdom.” In addition, Malik posted a note on Facebook shortly after the shootings, pledging the couple’s allegiance to the leader of ISIS, a terrorist network also known as the Islamic State.

Book Title: eTextbook: Fundamentals of Information Systems Chapter 10. Ethical, Legal, and Social Issues of Information Systems Case Studies

In order to further investigate possible connections to extremist groups, the FBI attempted to access the data on an iPhone used by Farook. The phone, which belonged to Farook’s employer, the San Bernardino County Health Department, was locked by a passcode, and neither the county nor the FBI was able to unlock the phone. The iOS software installed on Apple’s phones allows only 10 unsuccessful passcode attempts before it wipes the phone’s memory clean. This security feature prevented the FBI from attempting a “brute-force” attack, which is essentially a trial-and-error method in which all possible passcodes are tried systematically until the correct one is uncovered.

In the weeks following the shootings, Apple representatives cooperated with the FBI’s investigation, providing some older data backups from the phone as well as suggesting possible methods the agency could use to access the data on the phone itself. The company balked, however, when the FBI demanded that the company develop new software that would disable the functionality that wipes the phone’s memory when too many wrong passcodes are entered in a row. The FBI also wanted Apple to eliminate the built-in delay between passcode attempts, which, by Apple’s estimates, meant that a brute-force attack on a phone with a six-digit passcode could take more than five years to complete.

The FBI’s demand that Apple develop new software that would allow it to unlock the phone in this case is an extension of an ongoing debate about whether tech companies should be compelled to build a “backdoor” into their software that would allow the government to access data even when secure encryption has been used to protect it. Without it, some law enforcement experts warn, the United States could be faced with the prospect of what has been dubbed the “Going Dark” problem, which some experts fear would lead to the inability of law enforcement to access electronic data even with a warrant. That concern was heightened for some when Apple announced in 2014 that it had altered its software so that it was no longer “technically feasible for us to respond to government warrants for the extraction of data from devices” running iOS 8 or later versions of that software.

On February 16, 2016, a U.S. magistrate in California ordered Apple to assist the government by creating a custom version of iOS that would run only on the iPhone in question and that would provide the functionality demanded by the FBI. In its motion requesting the order, the Department of Justice cited the All Writs Act, a law signed by President George Washington, which, among other things, gives federal judges the power to issue court orders compelling people to do things within the limits of the law and which has frequently been used as the basis for court orders compelling telecommunications companies to install and operate call-tracking devices. In its filing, the DOJ alleged that Apple “deliberately raised technological barriers that now stand between a lawful warrant and an iPhone containing evidence related to the terrorist mass murder of 14 Americans.”

Apple challenged the judge’s order, arguing that it would set dangerous legal precedent. The company also issued a statement on its Web site that said, in part, “The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.” According to Apple, “Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.”

The case took another turn before the scheduled court hearing on the issue in March 2016, when the Justice Department announced that it had successfully accessed the contents of the phone using a tool provided to the government by an unnamed third party. After its announcement, the Justice Department withdrew its motion to compel Apple to develop the requested software; however, according to a Justice Department spokeswoman, “It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety, either with cooperation from relevant parties, or through the court system when cooperation fails.”

Critical Thinking Questions

1. Why did Apple object to the court order in this case? What was the government’s rationale for compelling Apple to comply with the order?

2. Do you think Americans should be willing to surrender some of their privacy for increased security by allowing backdoors that enable law enforcement access to smartphones and other devices after a search warrant has been issued? Why or why not?

3. The FBI and Apple are involved in similar disputes in other cases, including one in New York involving an alleged drug conspiracy. Shortly before the government dropped its legal action against Apple in the San Bernardino case, the judge in the New York case ruled against the government, rejecting the argument that the All Writs Act gave prosecutors the authority to compel Apple to bypass the lock on the seized phone. Do your opinions about the issues involved in the San Bernardino case change when they arise in connection with a case that does not have national security implications? Why or why not?

SOURCES: Almasy, Steve, “FBI Asks for Help Filling in San Bernardino Terrorist Attack Timeline,” CNN, January 5, 2016, www.cnn.com/2016/01/05/us/san-bernardino-terrorist-attack; Nelson, Joe, “Investigation into San Bernardino Mass Shooting Will Be ‘Expansive and Expensive’,” San Bernardino County Sun, www.sbsun.com/general-news/20151220/investigation-into-san-bernardino-mass-shooting-will-be-expansive-and-expensive; Medina, Jennifer, Richard Perez-Pena, Michael S. Schmidt, and Laurie Goldstein, “San Bernardino Suspects Left Trail of Clues, but No Clear Motive,” New York Times, December 3, 2015, www.nytimes.com/2015/12/04/us/san-bernardino-shooting.html?_r=0; Goldman, Adam and Mark Berman, “FBI: San Bernardino Attackers Didn’t Show Public Support for Jihad On Social Media,” Washington Post, December 16, 2015, www.washingtonpost.com/news/post-nation/wp/2015/12/16/fbi-san-bernardino-attackers-didnt-show-public-support-for-jihad-on-social-media; Green, Chloe, “Brute Force Attacks: How You Can Stop Hackers Breaking Your Door In,” Information Age, May 11, 2016, www.information-age.com/technology/security/123461414/brute-force-attacks-how-you-can-stop-hackers-breaking-your-door; “Operational Technology: Going Dark Issue,” Federal Bureau of Investigation, www.fbi.gov/about-us/otd/going-dark-issue, accessed May 9, 2016; Panzarino, Matthew, “No, Apple Has Not Unlocked 70 iPhones for Law Enforcement,” TechCrunch, February 18, 2016, http://techcrunch.com/2016/02/18/no-apple-has-not-unlocked-70-iphones-for-law-enforcement; Palazzolo, Joe and Devlin Barrett, “Roots of Apple-FBI Standoff Reach Back to 2008 Case,” Wall Street Journal, www.wsj.com/articles/roots-of-apple-fbi-standoff-reach-back-to-2008-case-1460052008?mg=id-wsj; Timberg, Craig, “Apple Will No Longer Unlock Most iPhones, iPads for Police, Even with Search Warrants,” Washington Post, September 18, 2014, www.washingtonpost.com/business/technology/2014/09/17/2612af58-3ed2-11e4-b03f-de718edeb92f_story.html; Lewis, Danny, “What the All Writs Act of 1789 Has to Do with the iPhone,” Smithsonian, February 24, 2016, www.smithsonianmag.com/smart-news/what-all-writs-act-1789-has-do-iphone-180958188/?no-ist; Hollister, Sean and Connie Guglielmo, “How an iPhone Became the FBI’s Public Enemy No. 1 (FAQ),” CNET, February 25, 2016, www.cnet.com/news/apple-versus-the-fbi-why-the-lowest-priced-iphone-has-the-us-in-a-tizzy-faq; “A Message to Our Customers,” Apple, February 16, 2016, www.apple.com/customer-letter; Barrett, Devlin, “FBI Paid More than $1 Million to Hack San Bernardino iPhone,” Wall Street Journal, April 21, 2016, www.wsj.com/articles/comey-fbi-paid-more-than-1-million-to-hack-san-bernardino-iphone-1461266641; Zetter, Kim, “Apple’s FBI Battle Is Complicated. Here’s What’s Really Going On,” Wired, February 18, 2016, www.wired.com/2016/02/apples-fbi-battle-is-complicated-heres-whats-really-going-on; Barrett, Devlin, “Judge Sides with Apple in N.Y. Drug Case Involving Locked Phone,” Wall Street Journal, March 1, 2016, www.wsj.com/articles/judge-sides-with-apple-in-drug-case-involving-locked-phone-1456785910.

Case Two Protecting Health Care Privacy

The U.S. Health Insurance Portability and Accountability Act (HIPAA) addresses (among other things) the privacy of health information. Title 2 of the act regulates the use and disclosure of protected health information (PHI), such as billing for patient services by healthcare providers, insurance carriers, employers, and business associates.

Email is often the best way for a hospital to communicate with off-site specialists and insurance carriers about a patient. Unfortunately, standard email is insecure. It allows eavesdropping, later retrieval of messages from unprotected backups, message modification before it is received, potential invasion of the sender’s privacy by providing access to information about the identity and location of the sending computer, and more. Since healthcare provider email often includes PHI, healthcare facilities must be sure their email systems meet HIPAA privacy and security requirements.

Children’s National Medical Center (CNMC) of Washington, D.C., “The Nation’s Children’s Hospital,” is especially aware of privacy concerns because its patients are children. CNMC did what many organizations do when faced with a specialized problem: rather than try to become specialists or hire specialists for whom the hospital has no long-term full-time need, it turned to a specialist firm.

CNMC chose Proofpoint of Sunnyvale, California, for its security as a service (SaaS) email privacy protection service. Matt Johnston, senior security analyst at CNMC, says that children are “the highest target for identity theft. A small kid’s record is worth its weight in gold on the black market. It’s not the doctor’s job to protect that information. It’s my job.”

Johnston explains that he likes several things about the Proofpoint service:

“I don’t have to worry about backups.” Proofpoint handles those.

“I don’t have to worry about if a server goes down. [If it was a CNMC server, I would have to] get my staff ramped up and bring up another server. Proofpoint does that for us. It’s one less headache.”

“We had a product in-house before. It required several servers which took a full FTE [full-time employee] just to manage this product. It took out too much time.”

“Spam has been on the rise. Since Proofpoint came in, we’ve seen a dramatic decrease in spam. It takes care of itself. The end user is given a digest daily.”

Email can be encrypted or not, according to rules that the end user need not be personally concerned with.

“Their tech support has been great.”

Proofpoint is not the only company that provides healthcare providers with email security services. LuxSci of Cambridge, Massachusetts, also offers HIPAA-compliant email hosting services, as do several other firms. They all provide the same basic features: user authentication, transmission security (encryption), logging, and audit. Software that runs on the provider’s computers can also deliver media control and backup. Software that runs on a user organization’s server necessarily relies on that organization to manage storage; for example, deleting messages from the server after four weeks as HIPAA requires.

As people become more aware of the privacy risks associated with standard email, the use of more secure solutions such as these will undoubtedly become more common in the future.

Critical Thinking Questions

1. What requirement does HIPAA institute to safeguard patient privacy?

2. Universities use email to communicate private information. For example, an instructor might send you an email explaining what you must do to raise your grade. The regulations about protecting that information under the Family Educational Rights and Privacy Act (FERPA) are not as strict as those under HIPAA. Do you think they should be as strict as HIPAA’s requirements? Why or why not?

3. How does Proofpoint safeguard patient privacy? Could Proofpoint do the same for university and corporate emails? Why or why not?

SOURCES: Children’s National Medical Center Web site, www.childrensnational.org, accessed August 28, 2014; LuxSci Web site, www.luxsci.com, accessed August 28, 2014; Proofpoint Web site, www.proofpoint.com, accessed August 28, 2014; Staff, “HIPAA Email Security Case Study: Children’s National Medical Center,” Proofpoint, www.youtube.com/watch?v=RVaBaNvwkQE, accessed August 7, 2014.