Paranoid Technology All things cybersecurity

2Mar/16Off

Lessons on Trust and Apple’s Stance Against the FBI – Learned from the Syrian Refugee Crisis



Our team has been researching trust networks for a while, and this example from the Syrian Refugee Crisis was worth sharing as there are several hidden lessons in the story. You've probably been following the news about the Syrian refugee crisis.  This article is not about the significant humanitarian and political challenges and complexities of that situation, but rather what we can learn from their ordeal about trust-networks and apply it to Information Security, specifically to the current stand-off between Apple and the FBI…

Large numbers of men, women and children are trying to journey from Turkey to Greece every day, hoping for a better life and to escape from the horrors of war...The success to death ratio is quite high, but people keep trying; one can't help but ask oneself, why?  Why do the refugees trust these people traffickers, why do they get on leaky boats and make the trip, knowing there is a good chance that they will never make it? The answer to this question is Trust...

The traffickers are probably not the most honorable people, as they are preying on people in need, giving them malfunctioning equipment and knowingly sending them toward a likely death.  But they have figured out that they should not betray their customers' trust; if the trust is broken, the operation will fail and that is why even though the success rate is low, Refugees keep trying and they never give up their traffickers.

The primary source for this blog is an article we found on the Turkish News Media - Police in the town of Izmir, Turkey did a yearlong investigation of how these human smuggling networks operate and their findings are a testament to power of money and human psychology.

So, how does this work?

Why it Happens:
Concern for self-preservation and a hope for a better future in European Countries. Induced by war, uncertainty, and lack of opportunity.

Cast of Characters:

  • Refugee: Person looking to make the journey to the EU; people from countries like - Syria, Afghanistan, Pakistan, Nepal and others...
  • Broker: Person who makes the initial contact with the Refugees Safe Deposit Box: A trusted business that keeps the records and maintains the financial transactions for the human smugglers
  • Safe Deposit Box: Where the cash is deposited – gives out a password to be used in the “Circle of Trust”. One other interesting function of these "Safety Deposit Boxes"(s) is that Refugees who do not want to take the risk of carrying excessive cash  can also utilize available money transfer and insurance services.
  • Journey Coordinator: Mid-level operator that coordinates the logistics and connects the refugees with the Exit Operators
  • Exit Operator: Is the person that takes the Refugees on their journey...

What Happens:

  1. Initial Contact - Refugees coming into Turkey inquire about how to make the journey to Greece. People called Brokers who hang out in the refugee dense areas make the initial contact.
  2. Information Exchange - Broker gives the refugees the information on the journey; payment conditions, routes to take, what to expect during the journey and etc... Refugees are given some time to think about the process and come up with the finances.
  3. Accept/Deny Offer - After a given time period, refugees either accept or deny the offer
  4. Offer Accepted - If the offer is accepted the Broker takes the Refugees to a location called a "Safety Deposit Box", these are trusted businesses (by the traffickers) that operate exactly like a Safety Deposit Box.  The Refugees make a deposit (in Euros) to the "Safety Deposit Box"; in return they receive a password. This password makes the refugees a part of a "Circle of Trust". The Circle of Trust guarantees them access to Journey Coordinators, and assures that money will not be touched until the journey is successful, and in the case of failure the Refugees have multiple chances to retry and in the case of death, next of kin (with the password) will get the refund! And of course they exchange contact information.
  5. Contact the Journey Coordinator - With the given password the Refugee contacts the Journey Coordinator, who in turn tells the Refugee  the logistical details of the journey (date, time, location and the name/contact of the Exit Operator) - If you do not like your Journey Coordinator you can always change...
  6. Prepare for the Journey - This is the stage where they buy leaky boats and other items like malfunctioning life vests. They make the journey to the beach, where they will board the vessel for their journey on the designated date and time.
    • Journey starts:
      1. If successful - they send an SMS message to the "Safety Deposit Box" - The SMS contains the name of the Broker and the password received (a unique identifier) - this verifies that the journey was successful and the transaction is complete; the "Safe" in essence, the trafficking network, is entitled to the funds
      2. If failed and alive - the Refugee has another opportunity to go through the ordeal. No funds are touched.
      3. If failed and dead - given that the refugees shared their password with a next of kin, this entitles the next of kin to contact the "Safe" with the password. He may choose to get the money or try to make the crossing himself, but the idea here is that the Trust is maintained. Transaction Complete!

We tried to articulate the above process in the below diagram (click to enlarge):

lessons-on-trustNot unique, but an interesting example of a Circle of Trust Relationship. In information Technology Ed Gerck defines Trust as something that has nothing to do with friendship, acquaintances, employee-employer relationships, loyalty, betrayal and other overly-variable concepts. Trust is not taken in the purely subjective sense either, nor as a feeling or something purely personal or psychological - Trust is understood as something potentially communicable. The above example certainly contains most points from Gerck's definition, but the power of human psychology is undeniable for this system to continue its operations. Gerck also says that Trust can be mathematically proven and calculated, this definitely has its uses in machine to machine transactions. Until we fully lose our humanity and completely use computed trust in everything we do, we still need to account for human psychology in designing effective software solutions, then again intelligence sector and advertising vendors are already aware of that!

Having said this, if we took Apple’s case and apply it to the above model it might look like this:

Why it Happens:

People want convenience and a mobile way to access the Internet. The phone is a part of their daily lives acting as a de facto archive for their activities and the common consumer is not aware of the amount of information stored on the phones.  The context is not as dire as in the case outlined above – hence the tendency to forego the Trust is stronger (at least on the Refugee side).

  • Refugee – Customer (and Our privacy)
  • Broker – Apple Store
  • Safe Deposit Box - iPhone
  • Journey Coordinator - Apple HQ
  • Exit Operator – Network Operators (the weak link) – Silently watches all the communications originating from/to iPhone and records meta data on behalf of the government.

Also in this model there is one more additional actor:

  • Government – Giver of justice and protector of national security – maintains a reasonable amount of fear to attain goals.

What Happens:

Global brands collect ungodly amount of personally identifiable information on their users and the government wants a piece of it. Security related incidents justifies and manufactures the necessary consent to gain access to such information in mass scale in order to maintain the illusion of security.

Traditionally a hardware (product) company Apple morphed into a product/services company with iPod and iTunes, eventually iPhone, AppleTV and etc… This transition to stronger services portfolio brought some challenges with it, wanting to know what your customers do so that they can provide better services… Resulting in privacy infringement on its customers; this may not be a problem in iPods, MacBooks, but it is a different story when it comes to iPhones (SmartPhones in general). SmartPhones are an interesting beast  – they have motion sensors, cameras, microphones on them, they provide your geo-location information real time so you can get targeted ads… They contain your contacts, pictures, e-mails, other communication history (SMS, Chat etc…) and even your health information obtained via wearable devices. In short they are as personal as they get… Now let’s put this into the context of current cyber security threat landscape and the on-going encryption debate… In cyber security there is no such thing as an impenetrable device that is connected to the Internet, when you connect you assume a certain level of risk, but of course you put reasonable defenses in place. In the era of crypto-malware and relentless cyber-attacks by criminals and nation states – having back doors is not the way to solve the problem.  Trends in governments mass information surveillance and Snowden revelations are definitely eye opening and the threat of terrorism ever present; the government uses the national security card for getting what they want time and time again…

Imagine Journey Coordinator (Apple) betraying the trust of the Refugee, would you want to trust your life to them going forward? They do not necessarily want to betray your trust, but they are mandated to… One can also ask the question of is Apple’s Brand Image (Trust in this case) as important as national security? Certainly not, but is knowing everything about everyone and leaving backdoors that are exploitable by cyber criminals and nation states, is that going to solve a new lone wolf attack? The answer to that is another certainly not! If it is information they want, the FBI  has other ways of solving this problem – such as going to the Network Operators and checking to see what type of software traffic this phone generated (part of so called meta-data collection), once identified sending over a subpoena to the software service providers for their logs and records. This is done all the time. You might say what about the iMessage activity and pictures taken? There is always the local computer backups and then again some things you will have to live without 😉 This approach would certainly be smarter than tarnishing the trust relationship of a global company (not to mention the largest tax payer to the Federal Government) has with its customers and to leverage a failed pre-incident intelligence collection case to potentially gain unconstitutional access to all U.S. citizens’ phones and create global distrust – this will not stop lone wolves, it will just create opportunities for other global technology players to step up…  Thinking that we can enjoy the global leadership position in the technology field with betraying people’s trust will not be countered by other nations is a naïve assumption, it is only a matter of time… (and this is true for any nation that betrays the trust of others) Maybe ironically we will see a shift from globalism to technology nationalism going forward… Hints of thing to come are visible in EU’s actions against U.S. technology giants in the EU privacy act, the recent revocation of Safe Harbor Agreement, Russia and China’s demands on technology companies in order to do business in their respective countries others will follow...

In closing, threats out there are undeniable, but Federal Government should also consider providing a sense of trust to its citizens as well as security and that can be done without far-reaching measures with more effective outcomes.

Comments (0) Trackbacks (0)

Sorry, the comment form is closed at this time.

Trackbacks are disabled.

Stop SOPA