You own the software, Feds tell Apple: you can unlock it Apple's battle to avoid handing over user data to the US government has taken an unwelcome turn, with the Feds claiming in court that Cupertino's license agreement gives it the right to do what the government tells it. In a case being heard by US Federal Court magistrate James Orenstein, the government has argued that the …
Then the government will counter that in order to do business in America, there MUST be a US office subject to government-mandated scrutiny, basically fording them to either come back or abandon 350 million potential customers.
Remember that the first iPhones were deliberately GSM based so as to work well world wide rather than being CDMA2000 based, which would have been far better in the USA. World market first, USA second has been their phone philosophy...
Remember that there's only 350 million Americans, but there's about six billion people everywhere else. If Uncle Sam ruins that world wide market then Apple will have to pack up their bags and move. Same for Microsoft, Amazon, Google, Facebook, Twitter... At least some of those companies don't need a physical presence in the US.
Moving their HQ out of the US would change nothing in this case. They would still be selling in the US and they would still have a presence in the US, as such they would all be in the same boat. It would however damage th eir reputation much more than staying. Abandoning the US would definitely put off a lot of US consumers. At the moment they can still pretend they are buying an American product, while conveniently ignoring the fact that it is manufactured in a Chinese sweatshop. If Apple were not headquartered in the US then their products would be no different to Samsung or HTC.
Moving their HQ out of the US would change nothing in this case. They would still be selling in the US and they would still have a presence in the US, as such they would all be in the same boat.
Not quite. If Apple were no longer a company with a US HQ with only a small sub in the US it would be in a far better position, but Apple can't change that. Not only is it building a massive HQ there, it is also engaged in a current court case so it can't just up sticks, and all of its capital is US based.
So it's screwed, basically.
"I foresee US companies not having another option than moving their headquarters to outside the USA..."
They can just move their R&D - particularly anything involving encryption - outside of the USA. I know of one that moved this type of development to Russia specifically to escape US legal reach.
One part of me wants to mock iUsers for willingly sacrificing their freedom to live within a walled garden.
But a greater part of me is concerned that Uncle Sam is using the wording in the EULA that basically says "Don't steal our shit", in order to force Apple to allow the feds to steal someone elses shit.
Don't mock 'iUsers' when, as the article pointed out, it is the EULA that every company uses that is the point of attack. It is not 'Apple', it is every company. It is not 'iUsers', it is everyone using proprietary software.
Damn, the only three-letter agency that is going to win at the end of all this is RMS.
You are aware that nearly all non-open-source software has more or less the same conditions in the EULA (we own the software and you get to use it at our discretion), right? Doesn't matter which brand phone you've got in your pocket, if the feds make that stick you're screwed. This is not an issue to be gloating over just because it happens to be a tech firm that you don't like for whatever reason that's the current target. "First they came for the jews..."
presumably you own your encryption key?
If not license wording can be changed to something like 'Apple gifts you your encryption key which becomes your personal property and you have the right to do wtf you like with it. Apple relinquishes any ownership or rights over your key, blah blah blah' and so forth.
Not that this helps older software but then Apple could happily spin it as a reason to upgrade (again)
This isn't one of the instances where certain three letter groups are simply telling Apple to hand over user information, The court has an actual search warrant. This means there is good reason for the courts to look at what is on the device, otherwise the judge wouldn't have signed off on it.. It follows due process. Good chance that all Apple is doing is protecting a criminal. And for failing to comply with the search warrant should be held in contempt.
'I think that Apple is saying, "This is not *our* information to hand over, it's his or hers," and pointing the feds at that individual.'
However, the point is that there is a search warrant. Due process of law is being followed. We complain when the authorities don't follow due procedure. When they do we should acknowledge the fact.
"However, the point is that there is a search warrant."
Yes, but to my mind, at least, that warrant is being improperly served, which is my biggest gripe with most cyber law as it stands. I don't care who runs/owns the Operating System/Application/Datacenter etc. It's still my data! You want a look at it, come talk to me. In that way, I, who am familiar with the requested data, can decide what rights I wish to pursue with an attorney.
The existence of a search warrant does not mean that there's a good reason for the courts to look at what's on the device, it only means that someone convinced a judge that there is something incriminating on said device.
Based on a search warrant which was later proven to be invalid, my home was once searched, late at night, with me held at gunpoint. Nothing was found, apparently the police found something incriminating in a rubbish bin in front of my home - one of several identical bins lined up in a row, and this was the basis for said warrant.
Btw, no one ever said oops, sorry, wrong house. Hey but I have nothing to hide, right. Damn I've gone OT again.
But who decides who is the criminal. A presupposition is being made that because courts and feds want information the person is guilty. How can it be said that Apple is protecting the criminal before the evidence becomes avaiable. Once again the so-called war on terror becomes a tool to snoop upon anyony whose views may differ.
That's a bit naive, if you don't mind me saying so. We know that the FISA court that oversees these orders rubber stamps them (since the justices that are hand picked for it are guaranteed to do the right thing and not ask embarrassing questions) and the warrants are themselves overly broad. There is a clear conflict of interest between 'We, the People' and what these agencies believe is good, orderly, government.
In America we are allowed to be skeptical of government. In most countries people are brought up to obey government, its a hangover from the power of a monarchy as God's representative on Earth, so the notion that a government itself has to play by the rules and can be challenged if you think they are not behaving themselves might seem a bit weird. In this case Apple, like a lot of us, think the government has clearly overstepped its authority. Trying to tie user data to program code confidentially is one example of how government lawyers are trying to stretch logic beyond breaking point to suit their purposes (one that should fail -- as we all know, program logic and program data are two different things so I think the government is about to get a crash course in software design).
What a mess... I guess the Feds have possession of the phone in question? Then what they're asking Apple to do is unlock the door. If this goes through, then all software companies will be forced to unlock any device* the Feds wish. Bad precedent... very bad. Which would/could lead to forcing encryption with a back door. Which may effectively kill tech in the US. If there's a backdoor, others will find it and use it.
If the Feds don't have possession of the phone, they are asking Apple to unlock the door and bring everything out of the room and hand it to them. Not a good precedent either.
It would seem that if they have possession, then they also have the owner/user of the phone. He/she should be in contempt if they refuse to unlock the phone. In which case, refusing and being held in contempt is an excuse for the court and government to hold him/her forever or until they do unlock it.
What a flustertruck of epic proportions. It would serve the government right if the tech companies moved their headquarters overseas somewhere and re-incorporated as their tax money would go with them and to the place they moved. Uncle Sam wouldn't be able to grab any of it.
*Not just phones... PC's, hard drives, basically everything.
@Mark 85
Not quite so because there is one crucial point you're missing here: Apple are technically able to unlock this phone.
As the article said, Apple could not say that they unable to do what was required and that is why they have taken the tack that they are not allowed to do so. If they couldn't do it anyway then it would be a moot point.
Of course, there is still an interesting and troubling precedent waiting to be set but it is - at least conceptually - easy to avoid without having to change a line of the EULA: design the software and hardware such that it is impossible for Apple to unlock their phones.
As I understand it, that is already the case in some instances so it just needs to be a policy that this is always done. Perhaps, and I am no engineer, but one can imagine a system that would allow an Apple store to unlock the device but still actually require the customer's input, for example with a secondary code that the user can choose.
This case actually ties in with other issues around cloud services being asked to hand over data* because the the whole issue comes about because the companies can hand over the data. If they were technically unable to do so then all the warrants and national security letters in the world wouldn't help.
Yes, it would be great it this wasn't an issue because law enforcement agencies actually respected privacy and proper process (which does appear to have happened here) but it is obvious that that is not the case so the only way to secure data is with real 'no knowledge' systems, meaning that the vendors cannot access the data at all.
This is something that needs to happen and needs to happen as quickly as possible and in as concerted an manner as possible so that it gets done before these agencies can cry to law-makers demanding back doors.
* - Like the MS Ireland case.
They've already done that, the problem here is that the phone is running older software - probably because this case has been winding its way through court since iOS 7 was the current version.
http://www.reuters.com/article/2015/10/21/us-apple-court-encryption-idUSKCN0SE2NF20151021
So they don't really need to do anything to help current Apple customers, assuming they are running iOS 8 or newer on their devices which the vast majority are. However, having a precedent set where the court can compel Apple's help would get the Feds after them to try to help hack into iOS 8 and newer devices. Since Apple designed the thing, it may be possible for them to disassemble my phone, desolder the chip containing the secure enclave, hook it up to some specialized equipment that knows how to talk directly to it (which only they would know since they designed it) and get it to provide the key required to decrypt my phone's contents. Even if that's not possible, with the precedent in hand the Feds would try to make them do it anyway.
@DougS
That was my understanding - that it was something that has been done but I wasn't sure if it was actually a deliberate policy of Apple to do this or whether the situation depends not on a conscious decision on the part of Apple Management but instead is down to the idiosyncrasies of the iOS software such that in one instance it is unlockable and the next it isn't and then the one after that it is again, simple because they're using different code which has a side effect of enabling this.
So what I am saying is that it needs to actually be a requirement such that if the software is tested on this front and patched/corrected if it fails.
When you talk about opening up the phone, however, that - to me - falls into Apple tampering with something the customer does actually 'own': the phone itself. Thus Apple would presumably have a defense against being compelled to do this as the EULA no more allows them to dick-around with peoples' phone hardware than it allows them to break into their home.
How it would actually go down is another question but it is a markedly different situation when judged by the argument being made in this case, which is that the EULA means Apple owns and controls the software.
Dan it was a very conscious and deliberate decision on Apple's part to do this. There isn't anything to 'fail', because your password generates a certificate which is stored in the secure enclave and never backed up whether via a tethered iTunes backup or an iCloud backup. The side effect of that is that if you forget your password you're screwed and will have to restore from a backup (though I'm not sure exactly how you'd even reset that phone back to factory defaults, but maybe Apple can help there)
But yes, since it was a design decision that was deliberate, if a way around it is ever found I'm sure they'll correct it.
"What a flustertruck of epic proportions. It would serve the government right if the tech companies moved their headquarters overseas somewhere and re-incorporated as their tax money would go with them and to the place they moved. Uncle Sam wouldn't be able to grab any of it."
Wouldn't Uncle Sam count this as an export and therefore subject it to an exit tax?
Yep interesting situation. The Accused can taken the 5th. the Cops have a valid search warrant wanting to get at the information that no doubt confirms their suspicions And for the first time Ever I am agreeing with Apple with them pleading in court. Hey please don't use our own EULA against us. It is used to screw the user over , not us.
"I suspect what the Feds are saying is, you control what software runs on the device, so push software to the device that allows us to get unfettered access; i.e. you have the capability to backdoor the device so we are ordering you to do it."
It's not what the Feds are saying. From the article: "the device in question is an iPhone 5s running iOS 7 – one of the devices that Apple can unlock" (my emphasis).
However, it's worth looking at the point you make. If the device isn't unlockable by Apple the likelihood is that it requires key input by the user. In the absence of such input it would make no difference what S/W Apple were to push on to it it would stay locked so no amount of huffing & puffing by the Feds would help them in the least.
I would say not because the key differentiator here is that the people you sell the locks to own those locks. In the case of software, such as iOS, the software is not owned by the end user; it is owned by the vendor. (In this case Apple.)
This is relevant because it is not the phone per se that is locked but the software and while the user may own the phone hardware, they are merely using the software under a strict and limited license, with Apple retaining actual ownership.
Not that I support what is being asked for but it does seem to hold up.
"users have no rights under the EULA "
Well thank you for making that official, Mr. FBI Agent.
Now we know that, after having to change our habits to incorporate encryption everwhere, we're also going to have to totally review the bog-standard EULA and change the way we do commerce all over the world.
All that because of the paranoid behavior of a scant few thousands of people in one country.
A precedent set in the US wouldn't be binding elsewhere. In any event I'd guess that Apple will push this to the Supremes.
If the judgement stays I'd also guess that it will provoke some changes to EULAs to make them more customer friendly which might not be a bad outcome in the long run.
iOS like any software is a tool to process data and it is the data that is the subject of the debate. Allowing the FBI to access the data is surely not related to the nature of the tool used to process that data.
The argument can be brought into the physical world by example. It I borrow a hammer from a tool store I do not own the hammer, I have a licence to use it. If I use the borrowed hammer to hammer in the nails I have bought to build my house the house I'm building is still mine. The person who owns the tool store does not have claim on the house I have built using the borrowed hammer just because that person owns the hammer.
In the same way, Apple does not own the data on the phone because it licensed iOS (the hammer) to a user. There may be many legal reasons why Apple will be compelled to cooperate but existence of a EULA is not one of them. That a Federal prosecutor feels it is necessary to introduce this argument surely must be a measure of desperation.
If it were different, the US government and US corporation would be in a hopeless situation. Imagine all the software used to process government corporate data which has been used under the terms of a EULA. If the argument before the court is accepted then Microsoft, Google, Amazon, Oracle and other corporation will be deemed to own the data their software has processed.
... that EULAs which say "you don't anything, we just give you permission to use it" are being used against the companies who wrote them, if it wasn't for the fact that this is being used to circumvent the rights of users.
I sincerely hope that 1) The Feds get told by the Courts to take a running jump and 2) The EULA writers sort their bloody game out ASAP!
"Not only that but if at the end of that 2 years they still will not unlock it they go back round for another lap."
This is one of those myths that is frequently mentioned in these very forums, but has never happened in real life, and is highly unlikely to. After 2 years a defence of "I've forgotten it" could be considered valid. The length of time passed since a password was suspected to be last used, is something the CPS and the judiciary consider before cases like this are brought to court. The CPS wouldn't attempt to bring it back to court a second time, when the defence can prove that the accused has spent the last 2 years in jail, without the use of a computer, and is therefore likely to have forgotten it.
This is one of those myths that is frequently mentioned in these very forums, but has never happened in real life, and is highly unlikely to. After 2 years a defence of "I've forgotten it" could be considered valid.
That is *NOT* how the law is written & a strict interpretation of the law regarding the compelled disclosure of passwords/pins/keys etc clearly indicates that any attempted defence of 'i forgot guv' is to be ignored & considered an attempt at circumventing the law.
Also the law clearly lays out provisions for a revolving door prison sentence without the use of the courts, using instead the secretary of state (in this case the home or justice secretary) or their approved representative in your area (ie any judge or magistrate with a peice of paper from the secretary of state & therefore someone who can be relied upon to do their bidding) to authorise your detention without recourse to the courts usually as a 'national security matter' or as a limited liability matter (limited liability crimes in the UK have no legal defence, you did it ergo you are guilty)
Care to quote specifics?
Take a look at page 53, section 10.5 for the phrase "The prosecutor has to prove the contrary beyond reasonable doubt" using the Home Office's code of practice https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/97959/code-practice-electronic-info.pdf .
Then take a look at this http://www.newstatesman.com/blogs/the-staggers/2010/10/police-drage-password-sex , a write up to the Oliver Drage case. Scroll down to the section where when interviewed, the CPS explained how they had to prove beyond a reasonable doubt that the claim to have forgotten a password was false.
So I'll repeat. Stop perpetuating a myth. The claim of forgotten passwords is a viable defence, and the burden of proof rests solely with the prosecutor to demonstrate beyond a reasonable doubt that this isn't the case.
This post has been deleted by its author
Please read the following links;
http://www.legislation.gov.uk/ukpga/2000/23/part/III/crossheading/power-to-require-disclosure
&
http://www.legislation.gov.uk/ukpga/2000/23/part/III/crossheading/offences
Then weep at the loss of the rule of law in this country as you realise it is not a myth & next time check the actual law as written & approved by parliment
Clearly you have not read the links you, erm, linked. And I'm assuming Kit Fox by your return to reply to this 3 old day topic, that you are the initial Anonymous Coward. Well done on fessing up.
Anyway back to my point. I refer you to the contents of your second link:-
Section 53 Failure to comply with a notice.
3 For the purposes of this section a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if—
(b)the contrary is not proved beyond a reasonable doubt.
So, I'll reiterate again. Stop perpetuating a myth. Resonable doubt has to be demonstrated to a jury, and accepted by them. It was this way before (as demonstrated by your own link), it is this way now (as demonstrated by my referring to an ACTUAL case).
This post has been deleted by its author
I don't have any Apple kit but probably the EULA can only say "you don't own this software"? I mean you do own the phone hardware. I'm guessing that Apple cannot do a remote unlock and would need actually do hardware things to the phone, connect something to it at least. Why can't they say "OK it's our software but not our phone".
I see one option or Apple. Invalidate the EULA.
Apple needs to appeal this decision if they lose. Then, they need to put forward a very weak argument supporting the EULA. When the court finds that the EULA is invalid, Apple can say that "We don't lease the software, the EULA (as a concept) is invalid. The end-user owns the software."
This might not get them out of hot water, but it would (hopefully) invalidate many other EULAs out there, and change the whole way software is delivered. Software should be a purchase, but if you want support or new versions, you have to pay for that. If you want to take our software, reverse engineer it, whatever, have at it. However, if the company finds that you used copyrighted code in a similar product you sold, then they would have a potential copyright issue against you.
The first sale doctrine should apply to hardware, software, and firmware. If I buy it, I should own it outright. If I want to flash it, potentially brick it, whatever, that's my business. If I ruin it, then I'll have to buy another.
Or they can just turn the argument on its ear and pit the leasing and rental industry against the government. Any kind of rent or lease stipulates that what you do with it is YOUR responsibility. Otherwise, by the government's argument, a rental car company would become liable if their rental car was used in a robbery or as a car bomb.
If a rental car was used in a robbery, the authorities would confiscate it until the appropriate part of the investigation was complete. They would also expect the hire company to provide the keys to unlock it.
If it was used as a car bomb, it probably wouldn't need keys to gain entry to what's left of it.
... is it only because its apple? If I remember clearly when the Mega cases went down they collected servers and stuff owned by among others ISPs and took data for a lot of people with legit and non legit stuff. So this is just another case of the same plan. Now if people want to change this then a lot changes too. Taking some of the analogies, then the ISP hosting a file sharing site can not have his equipment confiscated and the likes of stuff. Also an ISP can not and should not be forced to give up data encrypted or otherwise either. Its not their data.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
