Apple vs. FBI: Where We Are Now, and Where We’re Going

Much has happened since a California magistrate court originally granted an order for Apple to assist the FBI under the All Writs Act. For one, most of us now know what the All Writs Act is: An ancient law that was passed before the Fourth Amendment even existed, now somehow relevant to modern technology a few hundred years later. Use of this act has exploded into a legal argument about whether or not it grants carte blanche rights of the government to demand anything and everything from private companies (and incidentally, individuals) if it helps them prosecute crimes. Of course, that’s just the tip of the iceberg. We’ve seen strong debates about whether any person should be allowed to have private conversations, thoughts, or ideas that can’t later be searched, whether forcing others to work for the government violates the constitution, whether other countries will line up to exploit technology if America does, and ultimately – at the heart of all of these – whether fear of the word “terrorism” is enough to cause us all to burn our constitution.

Over the past few weeks, the entire tech community has gotten behind Apple, filing a barrage of friend-of-the-court briefs on Apple’s behalf. Security experts such as myself, Crypto “Rock Stars”, constitutionalists, technologists, lawyers, and 30 Helens all agree that Apple is in the right, and that backdooring iOS would cause irreparable damage to the security, privacy, and safety of hundreds of millions of diplomats, judges, doctors, CEOs, teenage girls, victims of crimes, parents, celebrities, politicians, and all men and women around the world. Throughout the past month, legal exchanges have escalated from ice cold to white hot, and from professional to a traveling flea circus as ridiculous terms such as “lying dormant cyber pathogen” have been introduced. Congress, the courts, and the public have seen strong technical and legal arguments, impassioned pleas from victims, attempts at reason by the law enforcement community, name calling, proverbial mugs-thrown-across-the-room, uncontrollable profanity on media briefings, and just about any other form of pressure manifesting itself that one can imagine.

Apple and FBI have traded jabs in court filings this week starting with a hostile attack on Apple from the Department of Justice, where a number of veiled threats were made, including going after Apple’s source code and signing keys, if Apple did not comply. Of course, this would also imply a complete seizure of Apple’s servers and network address space, as Apple’s entire infrastructure would need to be commandeered in order for the government to forcibly sign and push any custom software to Apple devices. Yet this is what Apple believes the government is threatening to do.

In the midst of the legal circus, the technical details about this case continue to paint a more complete picture of mistakes that were made. Both Apple and the FBI admitted that the field agent’s decision to change the iCloud password on Farook’s device ultimately led to the demise of a viable method for retrieving the evidence. Under the surface, this raises significant suspicion that changing the iCloud password might have only been the first of a second, larger mistake: allowing the device to be powered off. In spite of DOJ’s latest brief, which insists it was off when found, Apple’s lawyers have made no bones about their confidence that an iCloud backup would have worked, to which they and the FBI would know wouldn’t have – if the device had been found off.

Other technical details that have stuck out in legal briefs include those by one of Apple’s own engineers, Erik Neuenschwander, the only person whom I can honestly say I feel more empathy towards for his last name than myself, debunked a number of statements made by the FBI’s examiners, and effectively schooled the FBI in iOS with the humility of a Genius Bar employee. Neuenschwander pointed out something that I, and others, had missed about the iCloud backups: there was no finding of mail, notes, or photos, lending to the notion that there’s nothing on that phone. The original FBI examiner had cited that those options were likely shut off in Apple’s iCloud settings, however Neuenschwander (yes, I’m copying and pasting his last name) pointed out that those switches don’t control the data in an iCloud backup: they only control iCloud sync. In other words, the finding of no mail, notes, or photos in Farook’s iCloud backup really means that the device had none of these artifacts on the device. Other great technical points that were made include the fact that the security Apple is using was endorsed by the scientific body of our own government – NIST – the same scientific body of government that criticized mobile device manufacturers in 2012 for having poor security. In the rush to demonize Apple for making “warrant-proof” devices, the Department of Justice failed to realize that Apple’s security is based on industry standards that were introduced by our own government. In contrast, the backdoor that Apple is being ordered to create could be classified under our own laws as a weapon.

Another important technical aspect of these briefs were Apple’s own belief that they could not control such a dangerous backdoor if it got out… and it will get out. Apple stated very clearly that they believe they’re the most hacked company in the world, and demonstrated this by noting that even recent versions of iOS 9 have been hacked by the Chinese for the use of black market app stores, like the one delivered with the Pangu jailbreak. Apple even acknowledged their own failure to be able to prevent the lockscreen from being hacked by teenage kids on a frequent basis. As I wrote about in a prior blog post, the security mechanisms cited by the FBI for controlling the backdoor are merely a leash; the backdoor itself is the digital equivalent of a nuclear bomb, and can be stolen, hacked, or reverse engineered to create a new bomb without the leash. Indeed, Neuenschwander admitted that, should someone compromise Apple (either from the outside, or from the inside) that it would literally only take minutes to make that backdoor bomb explode on any Apple device. Apple needs to (and likely is working on) some important security improvements to prevent the hacks that the FBI is talking about are no longer possible, as they open up just as much of a liability to criminal hackers.

Apple also gave us a great example of what warrant friendly encryption looks like by admitting that iCloud data is not encrypted with the user passcode, as it is on the phone.

One of the most poignant points made by Apple in their latest brief are the claims of being a carrier of electronic communications. This is very critical, as it puts them under the protections of our CALEA laws, which protect communications carriers from having to decrypt any encryption that is controlled by the user. What Apple is essentially saying here is that because iMessage and FaceTime are considered electronic communications, that part of their service qualifies them as a carrier… and because helping to break the encryption on the device would also decrypt this content automatically, that they should be protected under CALEA from being forced to assist.

At the end of the day, I sit here and look at the core questions that are on the table. Should the government have carte blanche rights to force anyone to work for them? Should the privacy of people’s entire past be subject to a warrant? Should people be allowed to have private conversations, private thoughts, private ideas – all things stored on people’s iPhones – subject to search by the government? I am honestly in shock, and saddened by the fact that any of these questions could be raised at all in this country. The fundamental construct of our constitution, and the basic human rights they were based on, have answered these questions for hundreds of years – a free society cannot live without privacy. A free society cannot live without freedom from tyranny. A free society cannot live without free speech, or under the fear that your speech and thoughts will be used to imprison you. The questions that the Department of Justice is posing, at the very core of the matter, are questions of whether or not we should be a free people. The very government that we founded to protect our liberties is now, in a very raw way, questioning them.

This should shock you. It should shock every American, and it is no doubt shocking the rest of the watching world. How can the freest country in the world, a beacon for those in oppressive countries, lay down their speech, their privacy, their identities over a dead terrorist’s iPhone? The shootings that took place in San Bernardino were horrible and flat out evil, and I mourned for the victims… but the greatest damage that Syed Farook stands to cause is to our country and our constitutional rights as a whole; giving up our rights will ultimately affect the liberty and safety of generations to come. Make no mistake about it – Syed Farook would be pleased to see this agenda being played out in the court system today. We should not be pleased. We should be indignant. We should be deeply offended. Offended that anyone would attempt to curtail rights that our families have died, and continue dying, to protect.