Apple, the FBI, and Data Security

Forum adverts like this one are shown to any user who is not logged in. Join us by filling out a tiny 3 field form and you will get your own, free, dakka user account which gives a good range of benefits to you:

No adverts like this in the forums anymore.
Times and dates in your local timezone.
Full tracking of what you have read so you can skip to your first unread post, easily see what has changed since you last logged in, and easily see what is new at a glance.
Email notifications for threads you want to watch closely.
Being a part of the oldest wargaming community on the net.

If you are already a member then feel free to login now.

**Manchu**

In a nutshell, the FBI obtained a court order compelling Apple to unlock an iPhone owned by one of the San Bernadino terrorists.

Apple published this letter to customers yesterday:

February 16, 2016

A Message to Our Customers

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.

The Need for Encryption

Smartphones, led by iPhone, have become an essential part of our lives. People use them to store an incredible amount of personal information, from our private conversations to our photos, our music, our notes, our calendars and contacts, our financial information and health data, even where we have been and where we are going.

All that information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission. Customers expect Apple and other technology companies to do everything in our power to protect their personal information, and at Apple we are deeply committed to safeguarding their data.

Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us.

For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe. We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.

The San Bernardino Case

We were shocked and outraged by the deadly act of terrorism in San Bernardino last December. We mourn the loss of life and want justice for all those whose lives were affected. The FBI asked us for help in the days following the attack, and we have worked hard to support the government’s efforts to solve this horrible crime. We have no sympathy for terrorists.

When the FBI has requested data that’s in our possession, we have provided it. Apple complies with valid subpoenas and search warrants, as we have in the San Bernardino case. We have also made Apple engineers available to advise the FBI, and we’ve offered our best ideas on a number of investigative options at their disposal.

We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

The Threat to Data Security

Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.

In today’s digital world, the “key” to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.

The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.

We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.

A Dangerous Precedent

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.

The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

We are challenging the FBI’s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.

While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.

Tim Cook

http://www.apple.com/customer-letter/

**Ouze**

I think what the FBI has asked for has gone beyond reasonable.

**Manchu**

Tim Cook's letter makes it seem like the FBI is too dumb and/or zealous to understand what they are demanding.

**whembly**

Ouze wrote:
I think what the FBI has asked for has gone beyond reasonable.

Agreed.

This is a very interesting debate as how far do we want this level of privacy?

**HiveFleetPlastic**

They almost certainly know what they're asking, which is really unfortunate. People generally don't seem to care about the sort of thing they're doing, though. All government surveillance is warranted because it's to stop the terrorists and they don't expect it to ever be used against them.

There are two big issues with any kind of electronic surveillance:

1. even if you trust "the government" in general, the government is made up of individual people who may abuse whatever power they're given if they don't have sufficient oversight, and
2. whatever "the government" can do, others (such as criminals) can also do. Surveillance can also create data that can be stolen by criminals.

In this particular case, it sounds like there's also concern about the particular legal mechanism they're trying to use to compel Apple to do this and what else they might be able to compel companies to do in the name of catching criminals.

But it's all very abstract and that seems to make it hard for citizens' rights and the security of information and commerce to compete with the attention-grabbing threat of "The Terrorists."

**whembly**

The more I read this, the more I think Apple should just tell the government to go feth off (in legal parlance of course).

I think this is one of the cases that'll have to work its way up to the Supreme Court.

What's the level of privacy do we want on our mobile devices?

Also, should the government "force" a software company to design a program to "help" the government's investigation?

**Kilkrazy**

The government is already entitled to get a court order to search a device, and if you fail to give them your password to unlock the encryption it is a criminal offence.

The purpose of this change is to deal with cases where the phone owner refuses to give the password and prefers to go to prison, or else he is dead so there is no way to unlock the encryption.

The danger is that once there is a backdoor, or a third party access to your private password, any fether might be able to get into your encryption whether legally or not.

Apple are quite right that people use their phones for all kinds of secure purposes these days, such as Apple Pay and Google Pay giving access to bank accounts. Therefore there is considerable risk in making phone much more easily unlockable.

**Manchu**

HiveFleetPlastic wrote:
But it's all very abstract and that seems to make it hard for citizens' rights and the security of information and commerce to compete with the attention-grabbing threat of "The Terrorists."

The optics factor is what makes Apple's letter so fascinating. Apple is literally marketing its legal argument. It seems to me that anti-liberal interests in the West, which often include commercial interests (including media companies), have enjoyed a lucrative partnership with Jihadi terrorism over the last 15+ years. The resulting security state, however, is finally making this alliance a matter of diminishing returns.

**skyth**

You are not required to unlock your devices...you have the right to not incriminate yourself.

**Manchu**

skyth wrote:
You are not required to unlock your devices...you have the right to not incriminate yourself.

I think this is more of a searches and seizures question.

**Ouze**

Kilkrazy wrote:
The government is already entitled to get a court order to search a device, and if you fail to give them your password to unlock the encryption it is a criminal offence.

At least in the US, this isn't generally true - it's only true if the government already knows what the content of the files are. I don't think there has been a SCOTUS running on compelling disclosure of encryption keys.

**reds8n**

whembly wrote:

I think this is one of the cases that'll have to work its way up to the Supreme Court.

Good job they're at full strength and not being messed around with due to crass party politics.

**Kilkrazy**

Manchu wrote:
HiveFleetPlastic wrote:
But it's all very abstract and that seems to make it hard for citizens' rights and the security of information and commerce to compete with the attention-grabbing threat of "The Terrorists."
The optics factor is what makes Apple's letter so fascinating. Apple is literally marketing its legal argument. It seems to me that anti-liberal interests in the West, which often include commercial interests (including media companies), have enjoyed a lucrative partnership with Jihadi terrorism over the last 15+ years. The resulting security state, however, is finally making this alliance a matter of diminishing returns.

Do you mean a partnership in the sense that the security response to terrorism has for example created a billion round a year requirement for ammunition to equip Department of Homeland Security personnel? This obviously is a massive commercial opportunity which didn't exist 15 years ago.

**whembly**

reds8n wrote:
whembly wrote:

I think this is one of the cases that'll have to work its way up to the Supreme Court.

Good job they're at full strength and not being messed around with due to crass party politics.

It'll be filled by then... it takes awhile for cases like this to reach the Supreme Court.

Many of the Scalia-haters would miss Scalia's staunch privacy rights on the bench.

**Ouze**

whembly wrote:
Many of the Scalia-haters would miss Scalia's staunch privacy rights on the bench.

Yeah, I know exactly what you mean.

jfc

**Ratius**

Forgive my ignorance but surely the FBI or whatever agency has tech experts that can crack or hack phones for info without needing apples experts to do it?

**Grey Templar**

Ratius wrote:
Forgive my ignorance but surely the FBI or whatever agency has tech experts that can crack or hack phones for info without needing apples experts to do it?

Remember this is the Government. Everything goes to the lowest bidder. Apple can pay more than the government.

**whembly**

Ouze wrote:
whembly wrote:
Many of the Scalia-haters would miss Scalia's staunch privacy rights on the bench.

Yeah, I know exactly what you mean.

jfc

Well..., he's right from a textualist view of the Constitution imo.

But, i was thinking of that one case where the po-po but a bug on someone's car that far exceeded the original warrant. He wrote a blistering dissent to that in support of the 14th Due Process. (but, anyways we're getting sidetracked here).

**Steve steveson**

Ratius wrote:
Forgive my ignorance but surely the FBI or whatever agency has tech experts that can crack or hack phones for info without needing apples experts to do it?

Possibly not. It may well be that the encryption is strong enough that they can't hack it, and they can't brute force it.

Apple are quite right. The FBI are not asking them to unlock the device, but to re-write iOS to be less secure, but it seems to me that the FBI don't understand what they are asking for.

**Ratius**

Possibly now. It may well be that the encryption is strong enough that they can't hack it, and they can't brute force it.

Interesting. I would have though the govt would have all sorts of tech boffins and wizardy to hack, well pretty much anything these days.
Is apples security absolutely top of the line or just very hard to crack i.e easier to cojole them into cooperation them employ a team to crack stuff open?

**Manchu**

reds8n wrote:
Good job they're at full strength and not being messed around with due to crass party politics.

The Court is always mired in politics, and here in the US all national-level politics are partisan. I suppose it's all crass, as well, although that is obviously a matter of taste. Second, even assuming all possible efficiency, there is no way this case would get to the Supreme Court in 2016.

Kilkrazy wrote:
Do you mean a partnership in the sense that the security response to terrorism has for example created a billion round a year requirement for ammunition to equip Department of Homeland Security personnel?

Yes, although I'd wager that manufacturing ammunition for government agents, even at that scale, is one of the least significant transactions in the Terror/Security Industry.

Automatically Appended Next Post:

Ratius wrote:
Is apples security absolutely top of the line or just very hard to crack i.e easier to cojole them into cooperation them employ a team to crack stuff open?

When you consider that the FBI believes it has the authority to demand that Apple hack its customers, and at least one federal court already agrees with them, it's just a cost/benefit analysis. A real-life Q Branch is probably far more expensive than leveraging existing legal resources. Mind, not to say the US Government does not have a Q Branch. I halfway suspect there is some Homeland Security protocol in place to afford the FBI access to the NSA or some other agency's data collection program but maybe there is some kind of evidentiary problem with that route (not least the legal and political risk such programs entail). In short, no one would be surprised if Apple could hack its customers. Only some people would be surprised if the FBI could legally order Apple to do it. But a lot of people might be surprised and angry to learn federal agencies can already do it/are looking to get into the business.

**HiveFleetPlastic**

Manchu wrote:
HiveFleetPlastic wrote:
But it's all very abstract and that seems to make it hard for citizens' rights and the security of information and commerce to compete with the attention-grabbing threat of "The Terrorists."
The optics factor is what makes Apple's letter so fascinating. Apple is literally marketing its legal argument. It seems to me that anti-liberal interests in the West, which often include commercial interests (including media companies), have enjoyed a lucrative partnership with Jihadi terrorism over the last 15+ years. The resulting security state, however, is finally making this alliance a matter of diminishing returns.

People at Apple probably do care about encryption and government surveillance, and it probably helps that appearing to care might align with their commercial interests. An interesting thing about this particular situation is Apple does not actually have the information the government wants. Often, intelligence agencies can just piggyback on corporations' existing customer surveillance. I think if you are a company and want to be ethical, you have a responsibility to collect as little information as possible and, if possible, deny yourself access to information that you do have to collect. But this is often in opposition to actual or potential corporate interest - what if the data is useful for something later? What if we could have a robot mine your messages and use it to target advertising, or use it for some other demographic purpose?

For that reason, I don't think it will go away without government intervention. Right now, it's mostly an externality. But since governments are allied to big business on the one hand and have intelligence agencies whispering into their ears on the other, they don't have much incentive to change it. In Australia we have recently made a law that ISPs must surveil their customers and record the data for two years in case it is wanted later, and there does not seem to be a lot of control over what government agencies can access this data. This was supported by both major parties. On a similar note, our attorney-general has just come out saying that Apple should comply with the order. Here's a nice creepy quote:

ABC News wrote:Although Senator Brandis said he is not proposing similar compliance in Australia, adding a problem like this has not yet arisen in Australia.

"My department has established very cooperative and collaborative relationships with companies in the tech sector and we're happy with the level of cooperation we are receiving," Senator Brandis said.

Link to story

It is possible that Apple's statement will have more effect on public opinion and that will finally apply meaningful pressure to politicians to protect citizens appropriately, but I'm not about to place any bets on it. It really seems like conservative parties have latched onto the political possibilities that terrorism provides to them and many modern, more-liberal parties are so averse to anything that looks like a wedge issue that they cede any moral authority to them.

**Manchu**

I don't know the detail but apparently Tim Cook has been involved with activism along these lines before.

**Kilkrazy**

Ratius wrote:
Possibly now. It may well be that the encryption is strong enough that they can't hack it, and they can't brute force it.

Interesting. I would have though the govt would have all sorts of tech boffins and wizardy to hack, well pretty much anything these days.
Is apples security absolutely top of the line or just very hard to crack i.e easier to cojole them into cooperation them employ a team to crack stuff open?

The Code Book by Simon Singh has a very good section on computerised encryption.

http://www.amazon.co.uk/dp/B003VWDOK2/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1

Basically, encryption done with two large prime numbers (private key, public key) is uncrackable within a feasible amount of computing time, and unguessable. The only way in is to have a backdoor into the key storage.

What I don't understand is how the phone itself, where the key must reside, cannot be broken into. The user locks the phone with a numerical code or in some modern phones a fingerprint. I would have though you could brute force crack the numerical code, and the fingerprint could be got from the user's finger.

**AlexHolker**

Kilkrazy wrote:
What I don't understand is how the phone itself, where the key must reside, cannot be broken into. The user locks the phone with a numerical code or in some modern phones a fingerprint. I would have though you could brute force crack the numerical code, and the fingerprint could be got from the user's finger.

From what I've read, you can't use brute force because doing so will cause the software to destroy the data you are trying to steal. The FBI wants Apple to rewrite their operating system so that you can install a sabotaged OS on somebody's phone without logging in, and then give them a copy of the sabotaged OS installer.

To anyone who is not a fething moron, this is obviously a terrible idea. Just ask yourself what your reaction would be if it was the Chinese government and not the American government demanding that Apple sabotage the security on all iPhones everywhere, including those owned by people in the United States government. Even if Apple didn't give them the malware to exploit this manufactured weakness themselves, this would still be unacceptable, right?

**Breotan**

Kilkrazy wrote:
What I don't understand is how the phone itself, where the key must reside, cannot be broken into. The user locks the phone with a numerical code or in some modern phones a fingerprint. I would have though you could brute force crack the numerical code, and the fingerprint could be got from the user's finger.

The iPhone erases all data on the hard drive after ten failed attempts.

**Steve steveson**

AlexHolker wrote:
The FBI wants Apple to rewrite their operating system so that you can install a sabotaged OS on somebody's phone without logging in, and then give them a copy of the sabotaged OS installer.

To anyone who is not a fething moron, this is obviously a terrible idea. Just ask yourself what your reaction would be if it was the Chinese government and not the American government demanding that Apple sabotage the security on all iPhones everywhere, including those owned by people in the United States government. Even if Apple didn't give them the malware to exploit this manufactured weakness themselves, this would still be unacceptable, right?

Ask for it or not, once it has been made it will get out.

This is annoying me:
http://www.bbc.co.uk/news/technology-35595840

Lee Rigby's family criticises Apple policy

The family of Fusilier Lee Rigby, who was murdered by extremists in 2013, has criticised Apple for opposing a court order.

On Wednesday, Apple said modifying its software to help the FBI access data on San Bernardino gunman Syed Rizwan Farook's device would be "dangerous".

Mr Rigby's uncle Ray McClure said the company was "protecting a murderer's privacy at the cost of public safety".

No, protecting everyone's privacy. Including everything from sensitive emails to bank information up to information on the phones of dissidents living under oppressive regimes who rely on good encryption avoid being executed by their government.

**Manchu**

Besides privacy/security, a couple other issues have been bugging me: (1) writing software is work and not incidental work; it's troubling that a corporation can be forced to create something (in this case, something quite expensive) without compensation; and (2) if Apple wrote the software in question, I imagine that could negatively affect its brand and therefore the value of the business generally; should the government be able to leverage courts to force businesses to undermine themselves in this way? I think not.

**Kilkrazy**

If Apple were successfully compelled to write a crippled encryption system for iOS, logic would demand that the same compulsion be applied to the Android and Windows phone OSs, and to all computer OSs, since terrorists and criminals would otherwise simply switch to a more secure system.

**Manchu**

As I understand it, those platforms do not have the kind of security Apple has created. That is to say, what's at stake for Apple is the result of expensive R&D and marketing. The iPhone's security features are not some kind of coincidence or industry standard; they are a competitive edge into which the company has invested God knows how much money. My firm, for example, uses iPhones because of this feature. So the court order is really shocking in terms of negatively impacting Apple as a business.