Apple vs. The FBI
I’ve been reading a lot about the controversy surrounding the court order compelling Apple to help the FBI break into the phone used by one of the San Bernardino killers, Syed Farook. I think at this point, I mostly understand the technical issues although the legal issues still confound me. And there’s a significant question that I’m not seeing many people discuss but that would help me to understand the situation better.
Here’s what the case is about. The iPhone used by one of the killers is owned by his employer, San Bernardino County. The FBI sought and received a court order to confiscate the phone with the intention of gathering the data stored on it. The County willingly turned the phone over. As an aside, there is currently a controversy with the FBI saying that a County employee, working on his own, reset the password for the phone after giving it to the FBI which means one possible method for retrieving the data from the phone is no longer available. The County claims that its employee reset the password under the direction of the FBI. Somebody is lying. If the FBI really did direct the employee to reset the password, they need to hire more adept technologists. The news stories about this controversy neglect to mention that the method in question would only have worked if Farook had not changed his password after he turned off the automatic iCloud backup. I think that’s pretty unlikely.
So, the FBI has physical access to the iPhone but the problem is that the phone has two layers of security. The first is that it will automatically delete all of its data if someone enters an incorrect password 10 times. The second is that the data on the phone is encrypted which means that it can’t be read unless the password is entered. The FBI sought and received a court order to require Apple to “bypass or disable” the feature that wipes the phone clean. Doing so would then allow the FBI an unlimited number of password attempts to decrypt the data stored on the phone. Apple’s response to the court order is that to comply would be to put the data of every iPhone user in jeopardy.
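To make the interaction between those two layers concrete, here is an added example (not part of the original post, and not Apple's implementation) that models a passcode-derived key guarded by a ten-failure wipe, and compares it with the same model when the wipe is disabled. The class and function names, the 4-digit numeric passcode, and the use of PBKDF2 are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


class PasscodeVault:
    """Toy model (not Apple's design): a passcode-derived key plus a failure counter."""

    def __init__(self, passcode, wipe_enabled=True, max_failures=10):
        self.salt = os.urandom(16)               # stand-in for a per-device secret
        self.key_check = self._derive(passcode)  # stand-in for the data-encryption key
        self.wipe_enabled = wipe_enabled
        self.max_failures = max_failures
        self.failures = 0
        self.wiped = False

    def _derive(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 1000)

    def unlock(self, guess):
        if self.wiped:
            return False                         # key material is gone for good
        if hmac.compare_digest(self._derive(guess), self.key_check):
            self.failures = 0
            return True
        self.failures += 1
        if self.wipe_enabled and self.failures >= self.max_failures:
            self.salt = self.key_check = None    # the "wipe": destroy the key material
            self.wiped = True
        return False


def guesses_until_unlock(vault, digits=4):
    """Try every numeric passcode in order; return (passcode or None, attempts made)."""
    for n in range(10 ** digits):
        if vault.wiped:
            return None, n
        guess = f"{n:0{digits}d}"
        if vault.unlock(guess):
            return guess, n + 1
    return None, 10 ** digits


def compare(passcode="0427"):                    # constructed sample passcode
    protected = PasscodeVault(passcode, wipe_enabled=True)
    bypassed = PasscodeVault(passcode, wipe_enabled=False)
    return guesses_until_unlock(protected), guesses_until_unlock(bypassed), protected
```

With the wipe active, the model destroys its key material after ten wrong guesses and even the correct passcode no longer works; with it disabled, the encryption is only as strong as the passcode space.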
One of the things that confused me about this story was that I kept hearing and reading reports about Apple helping law enforcement to unlock iPhones many times in the past. The folks over at TechCrunch helpfully explained that Apple’s current response is not hypocritical. For iPhones running the operating system iOS 7 (and previous versions of iOS), Apple had the ability to extract data from the phones. And so it complied with court orders requiring it to extract data from iPhones. For iPhones running iOS 8 and later, Apple removed that capability. Apple has stated that the company wants to protect its users’ data even from Apple. The iPhone in question is running iOS 9. So Apple does not currently have the capability to extract data from the phone in the ways that it has in past cases. In order to comply with the court order, Apple would need to write some new software, a version of iOS with the phone wiping feature disabled, and then install it on the iPhone in question. The court order requires Apple to provide “reasonable technical assistance.” Is writing new software “reasonable technical assistance”?
But here’s the question that I haven’t found an answer for. Is there a precedent for the government compelling a person (remember: corporations are people so Apple is a person, right?) to build something that doesn’t already exist? The case that’s being cited as a precedent seems to me (admittedly, not a lawyer) to be pretty different. In that case, the Supreme Court said that the government could compel The New York Telephone Company to put a pen register (a monitoring device) on a phone line. But the telephone company already had the technology to monitor phone lines so it wasn’t as though they were being compelled to create a new technology. Apple is being asked to write a new piece of software, to build something that doesn’t already exist. This diversion of resources is one of their grounds for objecting to the court order. So, John McAfee has offered to write the software for free. It isn’t clear, however, that writing the software is enough since iPhones will only work with software that has been signed by Apple. Even if McAfee was successful, the government would still need Apple’s cooperation. And that’s unlikely since Apple’s philosophy is that their products should provide their customers as much data security as possible.
Ultimately, I agree with Bruce Schneier that the American public is best served if Apple does not comply with the government’s order. The government says that this request would be a one time thing, that they would not ask for such assistance again. I don’t believe that. Even if I did believe that the government would not ask again, I don’t think we can keep such software, once it exists, out of the hands of the many, many hackers who want to steal your data. That is a threat to our everyday lives that far outweighs the threat of terrorism.
Addendum (2/21/16): I’ve read some articles that take issue with Apple CEO Tim Cook’s “slippery slope” argument. His argument has been that if Apple complies with this order to circumvent the iPhone feature that wipes the phone clean after 10 incorrect password attempts, they will have no basis to refuse to do so in the future. Every time the US government asks them to circumvent the feature, they will have to do so. Government lawyers have said that this request is about this phone only and that they won’t ask in other cases. Tell that to Cyrus Vance, Jr., the district attorney in Manhattan. On Weekend Edition this morning, Vance argued that Apple should comply with the order because they are circumventing law enforcement’s ability to view the data on more than 175 phones related to criminal investigations. If this software is available for use by law enforcement officials, it will be available for use by the “bad guys.” That puts everyone’s data in jeopardy. Apple is protecting your ability to keep your data out of the hands of hackers (whether they work for the government or not).
Thanks for writing this. It’s been difficult for me to follow the entire story. I agree with your conclusion that we would all be better off if Apple does not comply. But I wonder about your argument that Apple is being asked to create NEW technology. As you said, Apple had the ability to extract the data prior to iOS 8. Was that code simply removed/commented? In other words, are we talking about more or less reinstating existing code, OR, as you suggested, is the government trying to compel Apple to invent a new technology?
I hope courts agree that it’s the latter!
Good question, Scott. There seem to be two major changes in iOS from version 7 to 8. The first change is that iOS 8 (and later) allows the user to set the phone to destroy its contents if someone enters 10 incorrect password attempts. That’s what the government is asking Apple to help them bypass. So they don’t have code that would bypass this feature since it didn’t exist in previous versions of iOS. The second change is the reason new software would need to be written in order to extract data. In iOS 7 and previous, the encryption mechanism used the unique device identifier as an encryption key. Given the device identifier, which Apple would know, Apple appears to have been able to extract data from a phone. But Apple wants their customers’ data to be protected from everyone, even from Apple. So beginning with iOS 8, the encryption key was directly tied to the phone’s password. Since Apple doesn’t know the password, Apple can no longer extract the data from the phone. It is notable that the government is not asking Apple for help in extracting data from this phone, just for bypassing or disabling the phone wiping feature. So Apple’s previous techniques for extracting data from phones will no longer work and they will have to write new code to bypass or disable the phone wiping feature on this phone. Since iOS is proprietary software, only folks at Apple know how much work that would involve but a big part of their objection to the court order is about the amount of work required to accomplish this task. We might ask why they can’t just install iOS 7 (which doesn’t have the phone wiping feature) on the phone. I don’t know what hardware differences prevent iOS 7 from working on the iPhone 5c but I would guess that if it were possible, the FBI would have already done it. Or the court order would have demanded that Apple do it.
I think it is also worth noting that Apple has already provided all the data that it has access to–that is, the data stored in iCloud.
Ah, I just realized why installing iOS 7 won’t work. The encryption mechanism for that operating system (tied to the phone’s device identifier) is different than the encryption mechanism that was used to encrypt the data on the phone (tied to the phone’s password). Again, fixing that issue would require Apple to write a new piece of software. Of course, there may be other reasons that iOS 7 won’t work.