The FBI lost this round against Apple – but it aims to win the war

While fans of strong crypto and privacy are celebrating the US Department of Justice decision to back down in the San Bernardino case against Apple, it's important not to get too giddy – this is going to be a long battle and the FBI has nothing but time. The FBI still hasn't explained quite how it managed to unlock the …

  1. a_yank_lurker

    End of the War

    The only end will be total victory for either privacy and security or the totalitarian state.

    1. Ole Juul

      Re: End of the War

      There will be no end. I think it is more a matter of just how polarized the situation will become. The problem is that software can never be completely controlled by law.

      1. Vimes

        Re: End of the War

        The problem is that software can never be completely controlled by law.

        Neither can the governments that come up with them. That's part of the problem really...

    2. Mark 85

      Re: End of the War

      Will it actually be a victory? Or just the realization that laws from the state will still be broken? Or the other way... privacy and security will be ensured by law but the agencies will just work around it?

      It'll be a paper victory for either side at best.

    3. tom dial Silver badge

      Re: End of the War

      The apparent claim here of equivalence between lawful search and totalitarianism is rubbish. For more than two centuries there has been a balance in the US between the government and citizens as to how far the government may intrude into citizens' personal and private matters, and on what basis. Statutory and case law based on the fourth amendment has increasingly narrowed the scope of government action, and that generally is to the good. The basic arrangement, in which a government official must petition a judge for a search warrant, citing facts to support a claim of probable cause to believe a crime has been committed or is about to be, and describing the search target with reasonable precision, has not changed and is not likely to. The fact that the government can obtain a warrant, seize a personal communication device, and with or without the manufacturer's help access the stored contents will not be a disaster any more than the fact that the government can obtain and execute a search warrant on a home, automobile, or office.

      1. Anonymous Coward

        Re: End of the War

        The fact that the government can obtain a warrant, seize a personal communication device, and with or without the manufacturer's help access the stored contents will not be a disaster any more than the fact that the government can obtain and execute a search warrant on a home, automobile, or office.

        At some point I'll introduce you to a novel invention called paragraphs :).

        Although I would agree with that principle, that is not what the FBI wanted - it wanted a precedent that would allow it to compel a manufacturer to break its own security.

        In my opinion there was more to this than just device crypto - most people have missed the strategic component to this case. The FBI was testing a "you make it, you break it" argument that it could later mutate into compelling companies that offer client side crypto to break their own service so they could get in.

        The defence "the client encrypted it with our software so we cannot get in" has as yet not actually been tested in court as a valid reason why client data cannot be provided in cleartext (IANAL, please correct me if I missed something) and for people who don't know Kerckhoffs' principle in cryptography (not linking to Wikipedia to avoid exposing you to people that don't know English grammar), this may appear a perfectly acceptable argument.

        This was effectively the first case ever that had the potential to harm US providers who do the right thing when protecting client data, such as AWS. Imagine ProtonMail being hosted on US soil with such a precedent looming over them (they're not entirely off the hook because they still have a US passport holder involved who is at risk of being leveraged).

        I would keep a very sharp eye on the FBI because they have just shown their hand, and it is clear to me that their leadership has zero problems with playing dirty. The irony is that if they did not engage in such activity there would be a basis for a debate on how to find an acceptable modus operandi - if they really think that due process is not for them, an open, frank and honest debate on what can be done would be the democratic thing to do. By attempting to bully their way past democratic principles they have achieved the opposite. Unfortunately, it is unlikely that that has resulted in a learning experience, they're going to try again unless reined in.

        1. tom dial Silver badge

          Re: End of the War

          @First AC: All legal decisions become part of the body of case law and as such have some value as precedents, and so also would this one have, whether it went for Apple or for the government. The "strategic" component mentioned almost certainly could not have flowed from it, however. There is a basic legal principle with various Latin formulations that translate roughly as "the law does not the impossible." A defence that "the client encrypted it with our software so we cannot get in" would be likely to succeed if the facts in evidence showed the impossibility of the task (as they did not in the case of the Farook iPhone). I think it very likely that ProtonMail could offer that defence successfully, and as I understand it Ladar Levison had a problem when the FBI came calling because he could not, in a practical sense, make such a claim stick with respect to Lavabit.

          I quite agree that we always need to keep an eye on the police, and even more so the prosecutors, for behaviour beyond what is reasonable and appropriate, and all too often, the law. That does not mean, however, that everything they do is dodgy. In the Farook iPhone case, they appear to have made demands that were tailored quite carefully to the specifics of the device and included a requirement that the solution (whether the one they suggested or another) work only on that device and not alter the installed OS software. Contrary to the assertion, they followed normal legal processes that they had used successfully dozens of times in the past. Bullying, if it occurred, involved no more than an increase in the work required of Apple and invoking the terrorism section of the moral panic handbook.

          As for having "a debate on how to find an acceptable modus operandi," it certainly appears that FBI Director Comey has made some obvious efforts at that in the last couple of years and fairly consistently been shouted down by some of those now demanding it.

          1. Anonymous Coward

            Re: End of the War

            In the Farook iPhone case, they appear to have made demands that were tailored quite carefully to the specifics of the device and included a requirement that the solution (whether the one they suggested or another) work only on that device and not alter the installed OS software.

            Hi Tom, the issue I've had with that case was that they made assertions they MUST have known not to be achievable with the way US law works. Because of the precedent mechanism, the "one off, limited scope" claims they were making were simply impossible to achieve, and because all parties involved can be assumed to be rather well versed in US law I can only conclude that this was a wilful attempt at misdirection, if not the Court, then the public and public opinion.

            Contrary to the assertion, they followed normal legal processes that they had used successfully dozens of times in the past.

            Unfortunately, here too I must disagree, this was new. Demanding service access, fair enough, that's what the process is for, and that has worked with service providers because they have the ability to reset a service password - that is simply asking for an established process.

            But what the FBI asked here was access to HARDWARE that was engineered to be secure, which is equivalent to demanding a super safe manufacturer to break their own product after it has been installed and the client has chosen their own combination using tools they would have to create themselves. Not only is that asking a company to prove that their product does not work as described (equivalent to asking them to commit commercial suicide), but again (as before), it sets a precedent that such can now be done to ANY organisation that creates secure products.

            "Nice company you have there, it would be a shame if we dragged you into Court and made you break your own product, eh? How about giving us a backdoor?"

            In summary, I disagree with your assessment that this demand was in any way normal, benign and in keeping with natural justice and democratic principles of law creation and enforcement. It screamed politics from the moment I laid eyes on it, mainly because I have seen such tactics before. This was a government agency attempting to set policy by force and from a democratic perspective I would have asked questions who was behind it and get that person or team in front of an enquiry.

            This should have had political consequences for the FBI. Not that it will, but it should.

      2. Doctor Syntax Silver badge

        Re: End of the War

        "For more than two centuries there has been a balance in the US between the government and citizens as to how far the government may intrude into citizens' personal and private matters, and on what basis....The basic arrangement, in which a government official must petition a judge for a search warrant, citing facts to support a claim of probable cause to believe a crime has been committed or is about to be, and describing the search target with reasonable precision, has not changed and is not likely to."

        The first statement applies pretty widely to any legal system that inherits from the English. It was the second that was in danger here as success for the FBI would undoubtedly have been the first step in attempting to gain a chain of precedents that would end by compelling vendors to supply skeleton keys on demand.

        If such a change were made it would require a wide consideration of public policy which includes considerations such as does the US (or any other specific country debating this) want a tech industry.

        1. Sir Runcible Spoon

          Re: End of the War

          When Stingray is used, the law hoovers up everyone on that cell, not just their target.

          Did their warrant cover this? Did they explain that to the judge? No, which is why they tried to hide what they were doing for so long.

          The trouble with your post, Tom, is that it is based on a degree of trust in those who have these powers over us, and that trust has been badly shaken in recent times.

          That this would be a logical conclusion of their activities which was communicated to them many years ago seems to be ignored, because they now claim that the loss of trust is *because the public now know what they are doing due to whistleblowers like Snowden*.

          It's a crock.

          1. Anonymous Coward

            Re: End of the War

            When Stingray is used, the law hoovers up everyone on that cell, not just their target.

            Did their warrant cover this? Did they explain that to the judge? No, which is why they tried to hide what they were doing for so long.

            Hmm, that has potential. Monitor court sessions where its use has been reported, then find people who were in the area at the time of collection and do that a few times - class action suit material. That could actually prove to be an entertaining pastime for the EFF..

          2. tom dial Silver badge

            Re: End of the War

            Search warrants often, possibly in most cases, expose things not relevant to an investigation or the purpose of the warrant. The law has been dealing with that issue, on a much smaller scale to be sure, for centuries. A frequent case would be search of a house occupied by a number of people, of which only some are targets of investigation, where the police may not search beyond the warrant limits (although they may be able to act based on something "in plain sight" that indicates a law violation). Much the same would be true of the information scanned by a Stingray (if it does not automatically filter out untargeted communications).

        2. tom dial Silver badge

          Re: End of the War

          "... success for the FBI would undoubtedly have been the first step in attempting to gain a chain of precedents that would end by compelling vendors to supply skeleton keys on demand."

          There is not really any evidence for that, and while I think courts ordinarily grant most search warrant requests, they do not grant all, and sometimes narrow those they do grant. Courts also do not ordinarily go too far in the direction of extending government powers, although the increasing politicization of the US Supreme Court and demands that it take care of problems that because of basic disagreements cannot be handled legislatively put that at risk.

          The fundamental issue is well worth public debate and possibly legislation, but those now demanding that need to be a bit careful what they ask for. I know of no Constitutional limitation that would invalidate a law requiring devices and cryptographic software sold in the US to be open, either with manufacturer/vendor support or without it, to search based on a search warrant. Although that would not prevent individuals from using cryptographic systems that effectively prevented search, it could pretty much shut down Apple's security marketing model, although in the Five Eyes and many other countries without great practical effect (for nearly all people, nearly all the time).

          1. Duncan Macdonald

            Re: End of the War

            PGP software already does hard encryption - and there are multiple public domain versions of this software available. (If feeling paranoid then follow the PGP encryption up by padding (at both ends) the PGP encrypted data with random bytes and then doing an AES-256 encryption of the result.) If the data is encrypted by this software and the user has properly protected his passphrase then decryption will require forcing the person to divulge the passphrase (maybe by torture of the person or his/her loved ones or by imprisonment). If (as was the case here) the person is dead then the data cannot be recovered.

            Usenet has many millions of encrypted files posted on it. For anyone who wants to keep data secure and out of the hands of the FBI/CIA/NSA etc, posting the data as an encrypted file hidden inside one of the many encrypted RAR files on Usenet provides a good method. (if done carefully there will be very little to associate any given file on Usenet with any given person.) The big Usenet providers keep a copy of all files for several years.

      3. Intractable Potsherd

        Re: End of the War @ tom dial

        " ... Statutory and case law based on the fourth amendment has increasingly narrowed the scope of government action ..."

        You are correct in terms of history, but it seems that the narrowing has reached the low-water mark, and is now being reversed. The State is finding lots of new ways to involve itself in ordinary people's lives - interception of internet records, for a start - and the assumption of innocent unless proven guilty seems to be under threat in at least some areas. Your comments seem to relate to a time that will need lots of work to return to.

  2. Vimes

    Just curious, but why is everybody blindly accepting what the FBI are telling us when they say that they unlocked the phone? Surely they're capable of lying?

    They could have equally failed to unlock it but used the 'we did it anyway' excuse as a way of avoiding having to admit complete defeat. In other words they were more interested in saving face at that late stage since it seemed increasingly unlikely they would win their case against Apple.

    And as a nice final touch, although perhaps not intended, that excuse could have also been used as a way of denigrating the security surrounding Apple's products (they would only have been able to unlock the phone if other exploitable weaknesses were found after all).

    1. Ole Juul

      couldn't afford to take the chance

      "Just curious, but why is everybody blindly accepting what the FBI are telling us when they say that they unlocked the phone? Surely they're capable of lying?"

      Of course they're lying. They saw a possibility of losing the case and thus weakening their next try. So they came up with this plan. They know they can't be forced to give proof, but I say pix or it didn't happen.

      1. This post has been deleted by its author

  3. JB77

    THINK THE FBI IS DONE WITH APPLE?

    Do I trust the FBI to tell the truth? No, I do not.

    Do I have a "need to know?" No, I do not.

    Do I think the FBI really cracked the phone? No, I do not.

    Will I ever know the truth about who killed JFK? No, I do not.

    Think the FBI will ever come clean on this matter? No, I do not.

    OBSERVATION

    What an incredible and miraculous convenience for the FBI's "fat" to be pulled from the fire at the last instant. Even more miraculous is the fact that they were able to extricate their collective embarrassed butts from the public's scorn.

    Does the FBI plan on a second bite at Apple? Sorry - unable to resist :)

    I think so.

    The FBI made a horrific miscalculation. They thought the combination of a terrorist attack in the USA combined with multiple murders would sway the public opinion and Apple would knuckle under and install a backdoor in all their products. And in the process, justify a legal precedent to place backdoors in every electronic data device. They even had a backup plan - demand the manufacturer's source code. They got neither and rightly so.

    However, this was only the first round. A warm-up round if you will.

    Expect more shenanigans :(

    JB

  4. PJF

    Spy VS Spy...

    Black Spy = Government (in general)

    - VS -

    White Spy = TECH industry (also, in general)

    I pray WHITE...

    Think, also, Irresistible object vs immovable force, chicken -n- the egg, etc. ..

    1. Anonymous Coward

      Re: Spy VS Spy...

      Thinking in shades of grey is more realistic. Also more exciting, but that's off topic :).

  5. Anonymous Coward

    Congress

    ...Congress is clueless about technology and could easily make the kinds of laws that put us all at risk

    We're talking PATRIOT ACT-level unpopularity, without a 9/11-level pretext. It'd be good for them to try though -- gives people a reason to vote them out of office, just for starters.

    I, for one, am willing to push back pretty damn hard on this issue.

  6. Schultz
    Stop

    With the "war on drugs" winding down...

    and the "war on terror" losing steam (there are far fewer boots on the ground in the Middle East now, even though ISIS seems more involved in terror acts than the Taliban ever were), maybe the war on crypto could be next. It does check some boxes:

    - Requires continuous government spending (check)

    - Can be extended ad-infinitum (check)

    - Vague goals that allow to declare success (or need for increased efforts) as politics demand (check)

    - Creates sufficient emotions in the public to support the "war"???

    Well, their test case against Apple failed that last point. Maybe the war on crypto should then just stay part of the bigger war on terror. Carry on.

  7. Winkypop Silver badge

    "crack only worked with that particular phone" - to paraphrase

    Fine.

    Good job.

    So it's safe to disclose the method then.

    1. DropBear

      Re: "crack only worked with that particular phone" - to paraphrase

      It has been corrected to have meant "all phones of that particular model"... too bad I see no update here.

  8. RedneckMother

    Hey, hey, my, my...

    Rust Never Sleeps.

    Thank you, Neil Young... I don't know if you realized how prophetic your lyrics were (or would continue to be). We STILL deal with a lot of crappage.

    1. chivo243 Silver badge
      Thumb Up

      Re: Hey, hey, my, my...

      My, my, hey, hey... Upvote sir!

      I think Neil really was seeing the big picture, even then. But then again he's Neil...

  9. Anonymous Coward

    It will be too late when the FBI tries again

    Apple is treating this as a warning shot and has redoubled their efforts to make their devices and user data secure. Now they know they must keep user data secure against even themselves, lest the FBI order them to hack their OS! The next time the FBI tries this on Apple, perhaps with a newer model of iPhone running a later version of iOS that includes these changes, Apple may be unable to help them - even their code and signing keys won't help if it's impossible to install a new OS onto a locked phone - which it will be no later than iOS 10.

    And others will follow. Some companies may have limited options to do so: Facebook and Twitter can't encrypt regular posts since they have to be readable by the world, or at least hundreds of people. But they might secure Facebook Chat, WhatsApp, and Twitter DMs.

    Google and Microsoft will be interesting wild cards. Google should want to secure everything, but securing everything so even they can't read it will ruin their data collection ability, so they probably won't. Microsoft could add a lot of security to the world if they allowed (or especially defaulted to) encrypted volumes for Home versions of Windows. They've previously considered that an enterprise capability, maybe they will rethink that position.

    So what then, does the FBI lobby congress for a law that makes selling a phone with that level of security illegal? That would be like their failed strategy of treating encryption as "munitions" back in the 80s and 90s, thinking they could keep the genie in the bottle. If they deny Apple the legal right to sell secure phones, some company elsewhere in the world will (probably with an Android fork that locks Google out of all that juicy data, hurting them too)

    1. chris 17 Silver badge

      Re: It will be too late when the FBI tries again

      @DougS

      This whole case centered on the fact that the 5c was vulnerable to a change in the behavior of the failed attempts and wipe feature, making brute force of the pin a valid option. The later versions of iPhone are not susceptible to the same vulnerability, making brute force time consuming and worthless after 10 unsuccessful attempts regardless of what version of iOS the device is running. In summary, 5c and below are vulnerable to brute force, all later models are already protected by 10 fails and wipe unless explicitly disabled by someone with the pin.

  10. allthecoolshortnamesweretaken

    Coming soon: FBI vs The Tech Industry, round two! Stay tuned, and pass the popcorn.

    Right now the FBI has made a tactical retreat, combined with a couple of smoke grenades. But it ain't over 'till the fat lady sings. I wonder what they will try next, and how they are going to do it.

    What really could spice up the proceedings would be a whistleblower from the FBI. I'm pretty sure there are feds who still have the fidelity, integrity and bravery to consider this.

  11. Nigel 11

    Interesting question for USAians

    If the choice comes down to a suspected backdoor owned by your own government or a suspected backdoor owned by the Chinese government, which do you choose and why?

    1. ciaran

      Re: Interesting question for USAians

      If there is a legal backdoor for one country, then surely there must be a legal backdoor for all countries. That was the problem with the "Clipper chip" - it only worked for the US. I don't see Germany or France accepting devices sold in their home countries where they can't use the backdoor controlled by the US government.

    2. Anonymous Coward

      Re: Interesting question for USAians

      If the choice comes down to a suspected backdoor owned by your own government or a suspected backdoor owned by the Chinese government, which do you choose and why?

      I'm afraid that will be the point where I will go rogue and off grid. I have worked too much in government to extend ANY trust so it's not going to happen.

  12. Pascal Monett Silver badge
    Trollface

    "Sooner or later, probably sooner, the Feds will bring up another case to court"

    Cue the inevitable conspiracy theorists running the "and the Feds will have organized everything to win, including the kidnapping/mass shooting" theory.

    1. Anonymous Coward

      Re: "Sooner or later, probably sooner, the Feds will bring up another case to court"

      They didn't?!?

      :)

  13. Alan Brown Silver badge

    Apple don't have to let the FBI withdraw

    Withdrawal takes assent of both sides - and if Apple thinks they can prevail they may well force the case through to a declaratory judgement.

  14. Anonymous Coward

    It's not over

    The FBI were not certain of winning the case and in fact had had a pretty good chance of losing it.

    If they won the case they would have had a precedent that would have allowed them to compel any tech company to effectively circumvent security on any devices they made.

    If they lost the case it would have set the opposite precedent and the FBI would never be able to compel a tech company to break into its own products that were secure from, or even just difficult to access for, the FBI.

    So they found another solution* and dropped the case to avoid any precedent but left the door open for a more winnable case.

    This hasn't ended by a long shot, the FBI are probably looking for a less high profile company, with less expensive lawyers, who also provide 'uncrackable' end to end encryption on one of their products that the FBI finds it needs access to. This company won't be allowed to go public as they'll be hit with a gag order first, the battle will be fought in secret & the FBI will win, then once the precedent has been set, the likes of Apple won't be able to say no any more.

    So in short the FBI are playing the odds & waiting for a more favourable case, shouldn't take them long.

    * Told everyone they cracked the phone whether they did or not, probably in order to cast FUD or to save face, cracking the phone was never the issue or the aim

  15. Marc 25
    Joke

    FBI hacked the phone?

    clearly the passcode was 1234

  16. Anonymous Coward

    its got to be a biggy!.....er.....place your bets!

    ....The assassination of a Presidential Candidate or member of their family by a suicide bomber! (EVENS)

    1. Duncan Macdonald
      Mushroom

      Re: its got to be a biggy!.....er.....place your bets!

      Seeing who the Presidential Candidates are at the moment - getting rid of any (or even better all) of them would be a public service.
