Manhattan D.A. Says Apple-Level Security Hurts Consumers

If asked to name America’s greatest “outlaw” brand, it’s easy to imagine some familiar (and oddly similarly structured) names; there are probably lots that might slug it out for that title.

But Apple isn’t one that would make anyone’s short list. Their products are beautifully designed and mostly associated with affluent, law-abiding users who choose their tech products on the basis of how nice they look and how easy they are to use. In fact, Apple might have more justly been thought of as the “anti-outlaw” brand, since its mobile payment platform, Apple Pay, is nearly universally praised for its combo platter of tokenization and biometric TouchID, which make it a highly secure way to transact in a store or in an app.

But, ironically enough, Apple’s strenuous efforts to protect their users’ data through encryption on the iPhone have apparently landed them on the outlaw brands list, at least as far as Manhattan District Attorney Cyrus Vance is concerned.

Federal and state governments should consider passing laws that forbid smartphones, tablets and other such devices from being “sealed off from law enforcement,” Vance told the press during an interview at an FBI-hosted cybersecurity conference in New York earlier this week.

Admittedly going “rogue” in the conference’s keynote speech, he offered a public challenge to Apple and Google over the smartphone data encryption protocols that came as part of their new operating system releases last year. That protocol essentially seals off documents, contact histories, and photographs from any unauthorized access, including law enforcement’s.

“It’s developed into a sort of high-stakes game,” Vance said. “They’ve eliminated accessibility in order to market the product. Now that means we have to figure out how to solve a problem that we didn’t create.”

Both Apple and Google did specifically note in late 2014 that their new phones would automatically scramble data so that a digital key kept by the owner is needed to unlock it. Without that key, law enforcement officials would find it very difficult to access any information on a mobile device, and certainly not in a time frame that might end up being helpful in tracking a perpetrator.

These measures sprang up in response to pressure from two sides that technology firms have been feeling for the last year. On the one side, cybercriminals are getting increasingly aggressive and sophisticated about hacking into devices of all kinds – as several high-profile data breaches at the merchant POS in 2014 demonstrated. On the other side, tech firms are also dealing with a suspicious consumer base following 2013 revelations by former NSA contractor Edward Snowden about the degree to which industry players had cooperated with government surveillance programs.

Whatever their basis, Vance says the law enforcement-proof encryption systems are a threat that needs to be eliminated.

“This is an issue of public safety,” Vance said. “The companies made a conscious decision — which they marketed — to make these devices inaccessible. Now it’s our job to figure out how we can do our job in that environment.”

Vance further noted that he has reached out to several lawmakers to craft new legislation that would legally require firms like Apple and Google to give police access to customer data necessary to investigate crimes. Vance declined to name which specific lawmakers he has spoken to.

Representatives from both Apple and Google have declined to comment on District Attorney Vance’s proposal.

Apple has repeatedly said that it is not up to them to “turn over” data to law enforcement since the data isn’t theirs – it belongs to the user – and that even if they wanted to and were asked, they wouldn’t be able to comply since they don’t have the keys necessary to decrypt the data.

That aspect of security – data ownership and access – was also a major selling point of Apple Pay. A tokenized account credential, the Device Account Number, is stored in the Secure Element of the iPhone 6 and 6 Plus phones. That credential is activated by TouchID at the point of sale. A token is only decrypted and turned into an account number when it reaches the payment network. Only the user’s bank and its respective payments network have information about the person and the transaction. Apple and its payments partners have reiterated continually that Apple’s inability to access either the data associated with the user’s account or the transactions taking place at a particular merchant makes it safer for consumers who transact using Apple Pay, and makes Apple a non-threat to the existing payments ecosystem, since it lacks access to any kind of valuable payments transaction data.

The card networks have also asserted that tokenized card credentials will make transacting via any mobile device safer and more secure, and will enable the acceleration of the “internet of things” by eliminating the risk of having sensitive consumer data circulating in cyberspace. This was a concern noted earlier in the week at CES when the FTC Commissioner, Edith Ramirez, delivered a keynote address flagging her concerns over the volume of data that internet of things initiatives will produce.