February 18, 2016
Apple's refusal to follow a court order to support the FBI's San Bernardino shooter investigation was the right move for the company and for its customers, as my colleagues and I cover in Fatemeh Khatibloo's blog post here, and in our full, detailed report, here. As we discuss, there are many constituents with a large stake in the outcome of this case, but I will focus on security and risk management decision makers in this post.
There are four key implications to consider:
- Addressing the regulatory landscape is going to get more difficult. Things were already tough for those of you working through the fall of Safe Harbour and rise of Privacy Shield, and we know that global perceptions of increased US government surveillance can bring negative economic pressure. If the FBI prevails here, expect the legal precedent to turn circumventing privacy controls into common practice, but if Apple prevails, expect the debate to continue among the legislative and judicial government branches as well as among candidates for the executive branch, which we predicted here.
- Your policy decisions have to be more nuanced than before. Enterprise mobile programs often prefer Apple products for their inherent security; however, this case shows that Apple favors consumer privacy over enterprise control. Notably, the shooter's employer provisioned the device and gave the FBI permission to access it, but Apple still refused to cooperate in the investigation. This standpoint could ultimately weaken your corporate policies that govern employer ownership of devices and data, records management, and eDiscovery. For example, can you now reasonably expect to enforce eDiscovery policies if your employees use Apple devices?
- The power and risk of brand promises deserve more attention. Two years ago, Apple threw down the gauntlet on customer privacy with a series of new product features and even swipes at the competition. Associating with issues like this doesn't work if corporate behavior diverges from the promise. Risk managers should help the executives understand the risks of taking a stand against government authorities, customers, or other interested parties, and more importantly explain the risk of making aspirational statements without backing them up. Apple had created an expectation that it would fall on the side of privacy long before this case came up, and the risk seems to have paid off.
- Choosing customers first is good business and good risk management. There are potential benefits and risks inherent in every business decision, but here Apple demonstrated that it would rather take on a powerful government agency than violate its customers' expectations. This could very likely cost the company customers who fall on the side of law enforcement and antiterror surveillance programs, but it appears to be a calculated business decision, and a prudent one at that, as we predicted that 2016 will see loss of customer trust having a more negative impact than legal and regulatory damage from at least one major risk event.
This is just the most recent battle in a drawn-out war between privacy and surveillance. The implications of this case are substantial, but the issue will be far from settled for the foreseeable future.