There are many fascinating dimensions to the unfolding #ApplevsFBI conflict, but one particular dimension we haven't seen much written about is the degree to which the parties involved are responsible, ethically, for the decisions they make that impact individual liberty and privacy.
This is an enormous question—one we have been discussing with industry folks and inquisitive reporters such as Katie Benner at The New York Times, who published a thoughtful piece on this subject yesterday.
What is the potential for silent rebellion by software engineers and cyber security team members at Apple? How many would walk away, quit, or refuse to do the work if asked to backdoor or undermine the privacy of product security features they worked hard to create? Could a certain amount of cash or stock be more persuasive than ideology? If they walked away, would it matter? Would other engineers at Apple be willing to take their place?
There are plenty of talented, highly skilled software engineers in parts of the world in which personal privacy and digital security have long been extinct—parts of Eastern Europe come to mind. I believe there are engineers there capable of mastering the bits of iOS knowledge and Objective-C needed to implement a back door or weaken the auto-lockout feature enough to comply with the FBI's request. Initially, such work wouldn't even require the rest of iOS to be fully functioning, assuming such weaknesses were not implemented in a production distribution of iOS. So even If every Apple engineer involved resigned, what stops Apple from simply hiring more talent from parts of the world without expectations of privacy?
Many of the people I know in the Information Security industry are drawn to questions like these by nature. We value individual liberty and recognize that privacy is its foundation. All too often, we see how historical breaches of privacy are a prelude to more heinous deeds that negatively impact individual liberty. Working with these subjects daily gives us a healthy paranoia and a firm understanding of how easily—and how often—abuses can happen. For example, my identity has been cloned four times over the past 15 years, at least three of which during trips through sketchy parts of Eastern Europe (it can be painful to clean up). It’s easy to see why I take personal privacy, and individual liberty, very seriously.
That said, I know some folks in the industry that have chosen to go to the dark side. I am also fairly certain once folks have families to feed, their priorities are subject to change.
What are your thoughts on this subject? We are curious about what the broader Infosec community thinks! Let us know.