Apple vs. FBI Case Study
Ann Skeet and Markkula Center Staff
In the wake of the December 2015 terrorist attack in San Bernardino, attention turned to the perpetrator’s iPhone. A federal judge asked Apple, maker of the iPhone, to provide “reasonable technical assistance” to the FBI in accessing the information on the phone with that hope of discovering additional threats to national security.
Apple provided the FBI with data it had in their possession and sent Apple engineers to advise the FBI, but refused to comply with the court order to bypass the phone’s security measures: specifically the 4-digit login code and a feature that erases all data after ten incorrect attempts. The FBI argued that the bypass could only be used for this phone, this one time. The agency also cited national security concerns, given the phone may lead to better understanding the attack and preventing further incidents.
Apple CEO Tim Cook issued a public letter reiterating Apple’s refusal to cooperate. Cook advocated for the benefits of encryption in society to keep personal information safe. He stated that creating the backdoor entry into the iPhone would be akin to creating a master key capable of accessing the tens of millions of iPhones in the U.S. alone. Cook also had concerns that the FBI was outstepping its bounds - by using the court system to expand its authority - and believed the case should be settled after public debate and legislative action through Congress instead.
Public opinion polls on the issue were split. A number of major tech firms filed amicus briefs in support of Apple. The White House and Bill Gates stood behind the FBI. In anticlimactic fashion, the FBI withdrew its request a day before the hearing, claiming it no longer needed Apple’s help to assess the phone. It is speculated that an Israeli tech firm, Cellebrite, helped the FBI gain access.
Questions
a. Was Apple wrong for not complying with the FBI’s request? (5 marks)
b. If so, why? If not, why not? (5marks)
c. What ethical issues are involved in this case? (10marks)
d. Who are the stakeholders in this situation? (5marks)
e. Is the company’s decision consistent with its values? Is that important? (10marks)
Answers
Answer:
• Overseeing the aggregate funding of IT at a bank-level, and ascertaining if the
management has resources to ensure the proper management of IT risks
• Reviewing IT performance measurement and contribution of IT to businesses
(i.e., delivering the promised value)
Risk Management Committee:
• Promoting an enterprise risk management competence throughout the bank,
including facilitating development of IT-related enterprise risk management expertise
• Establishing a common risk management language that includes measures around
likelihood and impact and risk categories
Executive Management Level:
Among executives, the responsibility of Senior executive in charge of IT operations/Chief
Information officer (CIO) is to ensure implementation from policy to operational level
involving IT strategy, value delivery, risk management, IT resource and performance
management.
Business Unit Level:
IT Steering Committee:
An IT Steering Committee needs to be created with representatives from the IT, HR, legal
and business sectors. Its role is to assist the Executive Management in implementing IT
strategy that has been approved by the Board. It includes prioritization of IT-enabled
investment, reviewing the status of projects (including, resource conflict), monitoring service
levels and improvements, IT service delivery and projects. The committee should focus on
implementation. Its functions inter-alia include:
• Defining project priorities and assessing strategic fit for IT proposals
• Performing portfolio reviews for continuing strategic relevance
• Reviewing, approving and funding initiatives, after assessing value-addition to
business process
• Balancing between investment for support and growth
• Ensuring that all critical projects have a component for “project risk management”
• Sponsoring or assisting in governance, risk and control framework, and also directing
and monitoring key IT Governance processes
• Defining project success measures and following up progress on IT projects
• Consult and advice on the selection of technology within standards
• Advice on infrastructure products
• Provide direction relating to technology standards and practices
• Ensure that vulnerability assessments of new technology is performed
• Verify compliance with technology standards and guidelines
• Consult and advice on the application of architecture guidelines
• Ensure compliance to regulatory and statutory requirements
• Provide direction to IT architecture design and ensure that the IT architecture reflects
the need for legislative and regulatory compliance, the ethical use of information and
business continuity
The IT Steering committee should appraise/report to the IT strategy Committee periodically.