Case study 9
6/21/22, 1:08 PMCase Studies
Page 1 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_10_closer_10.html
Case Studies
Case One FBI Orders Apple to Unlock iPhone
On December 2, 2015, Syed Rizwan Farook and Tashfeen Malik burst into a holiday
gathering of county employees at the Inland Regional Center in San Bernardino,
California, and began shooting—ultimately killing 14 people and wounding another 21.
In the hours after the attack, the couple became involved in a shootout with police, and
both were killed.
With their deaths, the investigation into the deadliest terrorist attack in the United States
since September 11, 2001, entered a new phase, as hundreds of FBI agents in
California and around the world began investigating the attackers’ online and offline
activities in the hours, weeks, and months leading up to the shootings. In addition to the
stockpile of weapons and homemade pipe bombs found in the home of Farook and
Malik, investigators found multiple electronic devices. While attempts had been made by
the couple to delete data and damage some of the devices, FBI Director James Comey
reported two weeks after the attack that investigators had found private messages
between the two that showed their “joint commitment to jihad and to martyrdom.” In
addition, Malik posted a note on Facebook shortly after the shootings, pledging the
couple’s allegiance to the leader of ISIS, a terrorist network also known as the Islamic
State.
Book Title: eTextbook: Fundamentals of Information Systems Chapter 10. Ethical, Legal, and Social Issues of Information Systems Case Studies
6/21/22, 1:08 PMCase Studies
Page 2 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_10_closer_10.html
In order to further investigate possible connections to extremist groups, the FBI
attempted to access the data on an iPhone used by Farook. The phone, which belonged
to Farook’s employer, the San Bernardino County Health Department, was locked by a
passcode, and neither the county nor the FBI were able to unlock the phone. The iOS
software installed on Apple’s phones allows only 10 unsuccessful passcode attempts
before it wipes the phone’s memory clean. This security feature prevented the FBI from
attempting a “brute-force” attack, which is essentially a trial-and-error method in which
all possible passcodes are tried systematically until the correct one is uncovered.
In the weeks following the shootings, Apple representatives cooperated with the FBI’s
investigation, providing some older data backups from the phone as well as suggesting
possible methods the agency could use to access the data on the phone itself. The
company balked, however, when the FBI demanded that the company develop new
software that would disable the functionality that wipes the phone’s memory when too
many wrong passcodes are entered in a row. The FBI also wanted Apple to eliminate
the built-in delay between passcode attempts, which, by Apple’s estimates, meant that a
brute-force attack on a phone with a six-digit passcode could take more than five years
to complete.
The FBI’s demand that Apple develop new software that would allow it to unlock the
phone in this case is an extension of an ongoing debate about whether tech companies
should be compelled to build a “backdoor” into their software that would allow the
government to access data even when secure encryption has been used to protect it.
Without it, some law enforcement experts warn, the United States could be faced with
the prospect of what has been dubbed the “Going Dark” problem, which some experts
fear would lead to the inability of law enforcement to access electronic data even with a
6/21/22, 1:08 PMCase Studies
Page 3 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_10_closer_10.html
warrant. That concern was heightened for some when Apple announced in 2014 that it
had altered its software so that it was no longer “technically feasible for us to respond to
government warrants for the extraction of data from devices” running iOS 8 or later
versions of that software.
On February 16, 2016, a U.S. magistrate in California ordered Apple to assist the
government by creating a custom version of iOS that would run only on the iPhone in
question and that would provide the functionality demanded by the FBI. In its motion
requesting the order, the Department of Justice cited the All Writs Act, a law signed by
President George Washington, which, among other things, gives federal judges the
power to issue court orders compelling people to do things within the limits of the law
and which has frequently been used as the basis for court orders compelling
telecommunications companies to install and operate call-tracking devices. In its filing,
the DOJ alleged that Apple “deliberately raised technological barriers that now stand
between a lawful warrant and an iPhone containing evidence related to the terrorist
mass murder of 14 Americans.”
Apple challenged the judge’s order, arguing that it would set dangerous legal precedent.
The company also issued a statement on its Web site that said, in part, “The
implications of the government’s demands are chilling. If the government can use the All
Writs Act to make it easier to unlock your iPhone, it would have the power to reach into
anyone’s device to capture their data. The government could extend this breach of
privacy and demand that Apple build surveillance software to intercept your messages,
access your health records or financial data, track your location, or even access your
phone’s microphone or camera without your knowledge.” According to Apple, “Opposing
this order is not something we take lightly. We feel we must speak up in the face of what
6/21/22, 1:08 PMCase Studies
Page 4 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_10_closer_10.html
we see as an overreach by the U.S. government.”
The case took another turn before the scheduled court hearing on the issue in March
2016, when the Justice Department announced that it had successfully accessed the
contents of the phone using a tool provided the government by an unnamed third party.
After its announcement, the Justice Department withdrew its motion to compel Apple to
develop the requested software; however, according to a Justice Department
spokeswoman, “It remains a priority for the government to ensure that law enforcement
can obtain crucial digital information to protect national security and public safety, either
with cooperation from relevant parties, or through the court system when cooperation
fails.”
Critical Thinking Questions
1. Why did Apple object to the court order in this case? What was the government’s rationale for
compelling Apply to comply with the order?
2. Do you think Americans should be willing to surrender some of their privacy for increased
security by allowing backdoors that enable law enforcement access to smartphones and other
devices after a search warrant has been issued? Why or why not?
3. The FBI and Apple are involved in similar disputes in other cases, including one in New York
involving an alleged drug conspiracy. Shortly before the government dropped its legal action
against Apple in the San Bernardino case, the judge in the New York case ruled against the
government, rejecting the argument that the All Writs Act gave prosecutors the authority to
compel Apple to bypass the lock on the seized phone. Do your opinions about the issues
involved in the San Bernardino case change when they arise in connection with a case that
does not have national security implications? Why or why not?
6/21/22, 1:08 PMCase Studies
Page 5 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_10_closer_10.html
SOURCES: Almasy, Steve, “FBI Asks for Help Filling in San Bernardino Terrorist Attack Timeline,” CNN, January 5, 2016, www.cnn.com/2016/01/05/us/san-bernardino-terrorist-attack; Nelson, Joe, “Investigation into San Bernardino Mass Shooting Will Be ‘Expansive and Expensive’,” San Bernardino County Sun, www.sbsun.com/general-news/20151220/investigation-into- san-bernardino-mass-shooting-will-be-expansive-and-expensive; Medina, Jennifer, Richard Perez-Pena, Michael S. Schmidt, and Laurie Goldstein, “San Bernardino Suspects Left Trail of Clues, but No Clear Motive,” New York Times, December 3, 2015, www.nytimes.com/2015/12/04/us/san-bernardino-shooting.html?_r=0; Goldman, Adam and Mark Berman, “FBI: San Bernardino Attackers Didn’t Show Public Support for Jihad On Social Media,” Washington Post, December 16, 2015, www.washingtonpost.com/news/post-nation/wp/2015/12/16/fbi-san-bernardino-attackers-didnt-show-public-support-for- jihad-on-social-media; Green, Chloe, “Brute Force Attacks: How You Can Stop Hackers Breaking Your Door In,” Information Age, May 11, 2016, www.information-age.com/technology/security/123461414/brute-force-attacks-how-you-can-stop- hackers-breaking-your-door; “Operational Technology: Going Dark Issue,” Federal Bureau of Investigation, www.fbi.gov/about-us/otd/going-dark-issue, accessed May 9, 2016; Panzarino, Matthew, “No, Apple Has Not Unlocked 70 iPhones for Law Enforcement,” TechCrunch, February 18, 2016, http://techcrunch.com/2016/02/18/no-apple-has-not-unlocked- 70-iphones-for-law-enforcement; Palazzolo, Joe and Devlin Barrett, “Roots of Apple-FBI Standoff Reach Back to 2008 Case,” Wall Street Journal, www.wsj.com/articles/roots-of-apple-fbi-standoff-reach-back-to-2008-case-1460052008?mg=id-wsj; Timberg, Craig, “Apple Will No Longer Unlock Most iPhones, iPads for Police, Even with Search Warrants,” Washington Post, September 18, 2014, www.washingtonpost.com/business/technology/2014/09/17/2612af58-3ed2-11e4-b03f- de718edeb92f_story.html; Lewis, Danny, “What the All Writs Act of 1789 Has to Do with the iPhone,” Smithsonian, February 24, 2016, www.smithsonianmag.com/smart-news/what-all-writs-act-1789-has-do-iphone-180958188/?no-ist; Hollister, Sean and Connie Guglielmo, “How an iPhone Became the FBI’s Public Enemy No. 1 (FAQ),” CNET, February 25, 2016, www.cnet.com/news/apple-versus-the-fbi-why-the-lowest-priced-iphone-has-the-us-in-a-tizzy-faq; “A Message to Our Customers,” Apple, February 16, 2016, www.apple.com/customer-letter; Barrett, Devlin, “FBI Paid More than $1 Million to Hack San Bernardino iPhone,” Wall Street Journal, April 21, 2016, www.wsj.com/articles/comey-fbi-paid-more-than-1-million- to-hack-san-bernardino-iphone-1461266641; Zetter, Kim, “Apple’s FBI Battle Is Complicated. Here’s What’s Really Going On,” Wired, February 18, 2016, www.wired.com/2016/02/apples-fbi-battle-is-complicated-heres-whats-really-going-on; Barrett, Devlin, “Judge Sides with Apple in N.Y. Drug Case Involving Locked Phone,” Wall Street Journal, March 1, 2016, www.wsj.com/articles/judge-sides-with-apple-in-drug-case-involving-locked-phone-1456785910.
Case Two Protecting Health Care Privacy
The U.S. Health Insurance Portability and Accountability Act (HIPAA) addresses (among
other things) the privacy of health information. Title 2 of the act regulates the use and
disclosure of protected health information (PHI), such as billing for patient services by
healthcare providers, insurance carriers, employers, and business associates.
Email is often the best way for a hospital to communicate with off-site specialists and
insurance carriers about a patient. Unfortunately, standard email is insecure. It allows
eavesdropping, later retrieval of messages from unprotected backups, message
modification before it is received, potential invasion of the sender’s privacy by providing
6/21/22, 1:08 PMCase Studies
Page 6 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_10_closer_10.html
access to information about the identity and location of the sending computer, and more.
Since healthcare provider email often includes PHI, healthcare facilities must be sure
their email systems meet HIPAA privacy and security requirements.
Children’s National Medical Center (CNMC) of Washington, D.C., “The Nation’s
Children’s Hospital,” is especially aware of privacy concerns because its patients are
children. CNMC did what many organizations do when faced with a specialized problem:
rather than try to become specialists or hire specialists for whom the hospital has no
long-term full-time need, it turned to a specialist firm.
CNMC chose Proofpoint of Sunnyvale, California, for its security as a service (SaaS)
email privacy protection service. Matt Johnston, senior security analyst at CNMC, says
that children are “the highest target for identity theft. A small kid’s record is worth its
weight in gold on the black market. It’s not the doctor’s job to protect that information.
It’s my job.”
Johnston explains that he likes several things about the Proofpoint service:
“I don’t have to worry about backups.” Proofpoint handles those.
“I don’t have to worry about if a server goes down. [If it was a CNMC server, I
would have to] get my staff ramped up and bring up another server. Proofpoint
does that for us. It’s one less headache.”
“We had a product in-house before. It required several servers which took a full
FTE [full-time employee] just to manage this product. It took out too much time.”
“Spam has been on the rise. Since Proofpoint came in, we’ve seen a dramatic
6/21/22, 1:08 PMCase Studies
Page 7 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_10_closer_10.html
decrease in spam. It takes care of itself. The end user is given a digest daily.”
Email can be encrypted or not, according to rules that the end user need not be
personally concerned with.
“Their tech support has been great.”
Proofpoint is not the only company that provides healthcare providers with email
security services. LuxSci of Cambridge, Massachusetts, also offers HIPAA-compliant
email hosting services, as do several other firms. They all provide the same basic
features: user authentication, transmission security (encryption), logging, and audit.
Software that runs on the provider’s computers can also deliver media control and
backup. Software that runs on a user organization’s server necessarily relies on that
organization to manage storage; for example, deleting messages from the server after
four weeks as HIPAA requires.
As people become more aware of the privacy risks associated with standard email, the
use of more secure solutions such as these will undoubtedly become more common in
the future.
Critical Thinking Questions
1. What requirement does HIPAA institute to safeguard patient privacy?
2. Universities use email to communicate private information. For example, an instructor might
send you an email explaining what you must do to raise your grade. The regulations about
protecting that information under the Family Educational Rights and Privacy Act (FERPA) are
not as strict as those under HIPAA. Do you think they should be as strict as HIPAA’s
requirements? Why or why not?
6/21/22, 1:08 PMCase Studies
Page 8 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_10_closer_10.html
3. How does Proofpoint safeguard patient privacy? Could Proofpoint do the same for university
and corporate emails? Why or why not?
SOURCES: Children’s National Medical Center Web site, www.childrensnational.org, accessed August 28, 2014; LuxSci Web site, www.luxsci.com, accessed August 28, 2014; Proofpoint Web site, www.proofpoint.com, accessed August 28, 2014; Staff, “HIPAA Email Security Case Study: Children’s National Medical Center,” Proofpoint, www.youtube.com/watch? v=RVaBaNvwkQE, accessed August 7, 2014.