Apple CEO Tim Cook’s open letter defying a court order to hack into an iPhone — and asking for an open discussion about data privacy — has dramatized and widened the debate over encryption as never before.
In a pointed “message to our customers,” Cook said the government’s request to circumvent a security protection mechanism on an iPhone could “undermine decades of security advancements that protect our customers.” The CEO’s letter set off a firestorm of commentary and reporting as soon as it went online early this morning.
Cook was responding to an order handed down by a federal magistrate judge in California Tuesday that compelled Apple to help the government break into an iPhone belonging to Syed Rizwan Farook, who along with his wife, Tashfeen Malik, killed 14 people in San Bernardino, California, in December.
Judge Sheri Pym did not order Apple to break the encryption on the iPhone. Instead, she asked the company to develop a new version of the iPhone’s iOS operating system that would allow the FBI to use its computers to guess the passcode quickly, without getting locked out for making too many guesses. This approach, sometimes referred to as a “brute force attack,” circumvents the iPhone’s encryption without actually breaking it.
The judge gave Apple five days to respond. But Cook issued his letter to customers within hours, clearly establishing Apple’s position in the case.
“The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand,” he wrote.
“Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution,” he added. “But it ignores both the basics of digital security and the significance of what the government is demanding in this case.”
“In today’s digital world, the ‘key’ to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.”
Beyond Apple’s big-picture objections, it’s not entirely clear whether the company can actually do what the judge has asked: design a software update that would first stop the phone from erasing its data after 10 failed password attempts, then allow the FBI to input passwords electronically and rapidly rather than by hand.
The government likely benefits from the fact that it is trying to break into an older iPhone model, the 5C, according to several computer security experts. The 5C, introduced in September 2013, limits password guesses primarily via the operating system. Later iPhone models limited guesses via a miniature onboard computer known as the “Security Enclave,” which apparently introduces delays of up to an hour after repeated guessing.
“The 5C model iPhone lacks … the single most important security feature produced by Apple: the Secure Enclave,” wrote Dan Guido, CEO of computer security outfit Trail of Bits, in a blog post. “Since the iPhone 5C lacks a Secure Enclave, nearly all of the passcode protections are implemented in software by the iOS operating system and, therefore, replaceable by a firmware update.”
Although the government’s request asks Apple to help bypass security on just one device, the company is alarmed by the precedent its compliance would set, fearing it could be asked for further such assistance down the line.
In the future, “if [law enforcement] is going to arrest somebody, what they could do is force the user to update their phone” to the security-weakened version of iOS Apple has been asked to create for the San Bernardino case, said Amie Stepanovich, U.S. policy manager for Access Now, a group that advocates for digital rights. The government could be setting up a precedent to force Apple or other companies “to continually hack [their] users,” she said.
“They’re basically compelling speech,” she continued, referring to the demand to produce code that enables malicious attacks. “It’s a slippery slope. They could compel other companies to build code in order to facilitate other intrusions.”
Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, has said that a government victory over Apple in the San Bernardino case could have implications for other companies, including Open Whisper Systems, which under co-founder Moxie Marlinspike released a popular encrypted calling app known as Signal. “If the FBI’s argument against Apple succeeds,” Cardozo recently tweeted, “nothing prevents them from ordering Moxie to backdoor Signal.”
Critics have also taken aim at the legal avenue through which the government is trying to compel Apple’s cooperation. To get its way, the government is leveraging the All Writs Act, a federal statute that allows it to require Apple to take extra steps to help fulfill an earlier lawful request, in this case the warrant to search the iPhone. The government turned to the act after the FBI spent two months trying to figure out a way into the phone and was unable to find one. The act’s lineage traces back to the Judiciary Act of 1789, though it has been updated numerous times since it was introduced.
“The court is ordering Apple to create a backdoor into an iPhone’s operating system, citing a law adopted in 1789,” said Greg Nojeim, director of the Freedom, Security and Technology Project at the Center for Democracy & Technology in a statement. “If the order stands, the defective operating system (iOS) could be installed over any existing version of iOS, enabling law enforcement officials to guess the password on a cellphone. If the order stands, Apple and other technology companies could be ordered to build backdoors — essentially defects — into other devices, rendering them insecure and vulnerable to attack by law enforcement and by others as well. We will fight against this result.”
Other, authoritarian governments — as well as clever criminal hackers — could also take advantage of any malware developed by Apple to exploit its own products. “If the U.S. government dictating iPhone encryption design sounds ok to you, ask yourself how you’ll feel when China demands the same,” wrote Matthew Green, a cryptography professor at Johns Hopkins University, in a recent tweet.
Sen. Ron Wyden, D-Ore., who is pro-encryption, also expressed concerns Wednesday about the consequences of compelling Apple to cripple its own products’ security. “This unprecedented reading of a nearly 230-year-old law would create a dangerous precedent that would put at risk the foundations of strong security for our people and privacy in the digital age,” he said in a statement emailed to The Intercept. “If upheld, this decision could force U.S. technology companies to actually build hacking tools for government against their will, while weakening cybersecurity for millions of Americans in the process.”
To me it is the equivalent of saying that possible future evidence must always be accessible to us, even if there is no crime. It would be like declaring that any papers in your house must be written in plain english, without slang and without codes, in case we later determine that we need it in evidence for a potential future crime. It is preposterous really. Leonardo Davinci wrote in code as have done others. Would they make that illegal? Just because the info is on a device is irrelevant; or should be. Suppose the encoding happens before the data is put on the iPhone by the owner? Apple would have no way of decrypting it. Is that to be considered illegal too? Would the next step be to demand that they inspect everyones personal papers at home and decode and explain them too? Absurd.
Amen.
Russian company Oxygen Forensic Suite helps “specialists” access and analyze data from a variety of mobile devices such as cell phones, smartphones, communicators, PDA and tablet PCs. Currently supporting more than 5,200 different models
Spyware allows analyzing logs and activities performed by common spyware applications, and allows accessing chunks of data that would be otherwise inaccessible to an investigator. Apple iOS analysis can retrieve user passwords stored in keychain backups created
Parsing and analyzing keychain allows investigators getting access to most passwords stored in Apple iOS devices such as iPhone and iPad.
Investigators can track user location at every moment.
The global search quickly reveals any connections (e.g. common contacts, exchanged calls, texts or emails) between the phone owners.
Oxygen’s statistical analysis tools allow investigators discover social connections between the users of multiple mobile devices. Calls, text messages and Skype conversations.
Oxygen Forensic Suite leaving no traces and making no modifications to the content of the devices, making it the tool of choice among government and law enforcement agencies, security services and forensic organizations in more than fifty countries.
http://gabtatiana.livejournal.com/54372.html
Only Apple, Google and Microsoft are allowed to see our data! From what Tim’s letter says they did help try and break into that phone, which is all they should do. FBI is looking for a silver bullet so they don’t have to work. Their data isn’t in icloud, google drive, onedrive, evernote, dropbox or any of those services? Most of their data is probably in emails between the two of them. FBI is fishing for more and for future laziness.
Very true. Apple probably has most of the activity from that phone stored somewhere on their servers, as well as a list of all the software installed on that phone, and hence a list of what other vendors’ servers have the app data. All the FBI needs is a handful of warrants to get the data directly from Apple and the app vendors. The FBI is obviously leveraging this high-profile case as a tactic to end encryption, which is one of the FBI’s goals, rather than just doing the standard investigative work. The judge failed to realize the game being played here and thus erred in granting the court order.
Part of me thinks that Apple should reach a compromise, where there is a valid requirement to search a device, Apple could do it under controlled conditions, on a case per case basis, keeping control of the software, so that the FBI couldn’t go off and do it independently on other phones.
(Imagine a safe manufacturer helping the police open one of their safes)…but not showing the police how it is done.
But Apple, part of what they are selling is an impregnable phone. If they then go and make it …(pregnable?), they are reducing the value of their own phone, and then there is the reality of government bad faith. Since the NSA has demonstrated the ability to hack into companies, even high tech companies such as Apple, could Apple hope to succeed at creating and then keeping a back-doored version of IOS away from government hands, even if they tried?
Then you get into conspiracy territory of course, are Apple only pretending to refuse the government? But cooperating behind the scenes? Would they want to risk the world market discovering such a subterfuge? I doubt it.
Until the real crimes presented by covert surveillance are exposed and the rogue criminals hiding in secret using various technologies, including stingray/dirtboxes, then we will never have an informed public or debate in this country.
https://www.youtube.com/watch?v=O0U-Y9wKmHs
https://www.youtube.com/watch?v=Kg1-vao5Ta8
This has the feeling of raping a whore, more shoplifting than felony. If Apple can update their phone to break into records, then surely their fiduciary duty to their shareholders demands that they do it – provided they do it in secret, for a large amount of money. The FBI doesn’t want to be the NSA’s little brother – it may be older, but is it stronger?
>> raping a whore, more shoplifting than felony
Thanks. I’d had the feeling you were some slimy shit, and you’ve cleared that right up. Ambiguity gone.
I long ago began began to scroll past, and have continued to scroll past, any and all Wnt comments .
I remember way back that the US required PGP (us version) to have a backdoor…
Wouldnt the same laws then apply now? or is this 3rd party encryption app by which they are stonewalled?
Following what larry said, this case must be considered in the context of what we know are the data collection and interception capabilities of the US government’s security apparatus. Although I believe there is an element of good faith in Apple’s efforts to protect its customers’ data, neither Apple nor the government will admit the extent to which there are already backdoors to people’s iPhones (even though so much has been revealed about this already).
The fact of the matter is that this investigation is playing out publicly, where both the government and Apple’s positions will be a matter of public record. This is not the case when matters of intelligence gathering are being negotiated between the players that have power over people’s privacy and data. Insofar as the FBI made this public request for Apple to grant it a backdoor into its operating system, it is seeking to use a high profile case where public opinion is in its favor to legitimize a breach of privacy already happening in other corners of the government.
As far as Apple is concerned, in terms of its public pronouncements, it has no choice but to play its part and defend the security they offer their customers. They are defending their own interests in doing so. Of course, the inevitable extent of Apple’s cooperation with intelligence gathering agencies makes Tim Cooke’s public pronouncement hypocritical.
But I do agree with Cooke when he says we need to have this conversation (one which both the tech companies and the government have avoided for so long).
The USG is using this case to ram through a dangerous precedent – a master key. Cook’s response was indicative of how seriously Apple views this.
That’s not how evidentiary discovery is supposed to work — break open the iPhone in question after the fact, sure. Open a possible fishing-expedition tool for future, unpredictable inquiries, no.
I’d be curious just how a backdoor fits the Federal Rules of Evidence on admissibility, relevance and other parties’ evidence, just for starters.
https://www.law.cornell.edu/rules/fre
Not to mention 4th Am. case law.
THANK YOU, Jenna.
Glad to see TI is on this. Glad to see Tim Cook reacting and others expressing outrage. This ruling shows NO respect at all for citizens nor privacy, nor civil liberties.
I’ve been seriously considering getting a cell phone again – but I’m going to hold off for just a bit — see how this shakes out. These are indeed perilous times… sigh.
I don’t understand. If the NSA is “collecting it all” why is it that they don’t already have the contents
of that phone? Furthermore it’s hard to believe that a simple password is preventing them from opening
it. Is the NSA completely inept?
A cynical person might conclude that Apple and the NSA are staging this fight, to obscure the extent of their cooperation.
The feds may plan to arrest some people based on their examination of the contents of this particular iPhone. They need to demonstrate they obtained the information legally via a court order.
The fight also assists Apple’s marketing efforts in overseas markets.
So it’s a win-win.
Of course, cynical people can be wrong.
Thats simple. It’s illegal for the NSA to spy on people within the United States (not that they care, but getting caught again wouldn’t be good PR). Thats the FBIs job and they’re only allowed to with a warrent (not that they care either, but they’de rather not have the evidence tossed out of court for being in violation of the fourth amendment). So either apple opens the phone so the FBI gets the Data they already have, but now can accually use it, or the FBI can’t use the Data that they captured illegally anyway.
Simple enough?
USG is going to kill the goose that lays the golden eggs.
The Feds are lurching into authoritatianism.
What will the consequences be,for Apple, if they refuse to comply with the court order?
What will the consequences be,for Apple, if they refuse to comply with the court order?
I’m willing to speculate that Apple’s CEO will end up facing consequences the likes of which Wall St’s CEOs never will.
Something along the lines of what happened to Qwest’s CEO after he refused cooperation with the feds:
Joseph P. Nacchio (born June 22, 1949 in Brooklyn, New York) is an American executive who was chairman of the board and chief executive officer of Qwest Communications International from 1997 to 2002.
He was convicted of 19 counts of insider trading in Qwest stock on April 19, 2007[1] – charges he and many others claim are U.S. government retaliation for his refusal to give customer data to the National Security Agency in February, 2001.[2]
https://en.wikipedia.org/wiki/Joseph_Nacchio
Come on, we all know that the FBI and the surveillance community want to destroy encryption and all they need to do is link encryption to a terrorist attack and they will have public opinion in their pocket again.
They will keep trying until they get it done.
Encryption which may be worthless when quantum computing comes on line anyway is going to be defeated if it hasn’t been already. It will only be useful to the truly dedicated enthusiast or jurno or whomever and more and more difficult to find and use.
I loathe shoddy reporting which repeats unproven assumptions
as if they are facts.
Within this otherwise interesting article is the statement,
*** “Syed Rizwan Farook, who along with his wife
killed 14 people in San Bernardino, California…” ***
This statement is based upon the word of the militarized
organizations which made sure these two people would not
have a trial in a court of law.
There were a number of contradictory stories associated with
those horrifying murders and now we are to accept the word
of reckless officials who sabotaged one of the locations
crucial to this case as if they are trustworthy.
There is more corpus than habeas in this case.
I am not saying that Farook and his wife are innocent, but it is
a gross assumption to state that they are guilty.
Ted Cruz and TI on the same side… Does that apply to social policy as well?
Hilarious that Cruz infers that citing a 200 year old law is wrong, at the same time as banging on about the Constitution.
Where do you see Ted Cruz in this article? If not here, where did you see him siding with TI someplace else on this issue?
Wow. Tim Cook makes me want to buy an Apple something device for his badassery and standupedness. Unlike decades of overrated Steve Jobs, who for some bizarre reason movies were made about as if he were fucking Da Vinci, much less ever invented anything on his own. Hell Carnegie etc. weren’t inventors either but cared about people and phianthropized. WTF did Jobs do for anyone other than himself?
Just this hard-hitting, no-nonsense, bold bit by Cook already makes him >>> than Jobs. Who is dead. As some movies and retrospectives will point out. Great job at business, dead asshole who did nothing else, ever.
Yeah – and what’s great about Cook is that he’s acting out of moral principle, rather than in Apple’s commercial interests.
Nothing says they can’t both be the same thing, from time to time.
Funny how those great moral principles always seem selective to align with securing profits. Protecting encryption (a good thing) ensures their product’s legitimacy and future profits. Avoiding taxes? Thin on principles, thick on profit.
http://www.taxjusticeblog.org/archive/2015/12/what_apples_tim_cook_gets_wron.php#.VsTRxWNkyBo
I think he is acting out of moral principle, but it is also certainly in Apple’s commercial interests to provide its customers with products that meet their needs. Because it is under attack, privacy and its protection have value. A company positioning itself as a champion of its customers certainly stands to gain from that.
A dictionary attack is probably what the FBI wants to attempt. If Apple products are vulnerable to dictionary attacks, I think they need to fix their passcode requirements. They should have the brute force prevention on top of it, either way. If the FBI is able to engage in brute force attacks, it’s only a matter of time until ordinary criminals can as well.
You misunderstand. What the FBI seeks is for Apple to develop a software patch that disables the 10 password tries and memory gets erased feature so that it will be vulnerable to a dictionary attack. Apple’s objection is that by providing such a patch, every iPhone5 on the planet will then be compromised.
(Because as we all know, once the FBI has the capability of eavesdropping on every iPhone5, they will do it, and soon so will every intelligence agency on the planet, not to mention criminals, friendly and unfriendly police departments, and so on.)
Why should Apple destroy it’s business over this?
If they allow this then they are toast. No one would buy their products if they were leaky.
Thanks for the lucid reporting — excellent.
I wonder if Tim Cook will seek asylum in Ecuador or in Russia.
He can afford to seek it in dollars.
Hopefully he has Covington & Burling on retainer.