A pedestrian walks by the Apple Store on Fifth Avenue in New York City as a small demonstration is held outside on Feb. 23. (Photo: Julie Jacobson/AP)
It’s been less than a week since Apple submitted an appeal to a California court, challenging the FBI’s order to help it break into a San Bernardino shooter’s iPhone. Now the hard work begins. Leading up to a March 22 hearing, both sides will wage public relations campaigns to win political support for their arguments.
Apple’s essential claim is that helping law enforcement break into one of its devices would set “a dangerous precedent” in both the technical and legal realms. The company wants customers to believe their right to encryption is at risk and that we can’t trust the legal system to protect it. But in so passionately objecting to the FBI’s order, both the company and privacy activists have obscured exactly what’s at stake in this particular case.
The technological aspects in this debate are, naturally, very complicated. To break into the iPhone in question, the FBI wants Apple to develop a new mobile operating system for the iPhone 5C used by San Bernardino shooter Syed Farook. This new OS — something an Apple executive described on a call with journalists last week as “GovtOS” — wouldn’t erase a phone’s data after 10 failed passcode attempts, as other iPhones are programmed to do. It would allow the FBI to run hundreds of thousands of computer-generated passwords through the access code screen in something called a brute-force attack.
The FBI says that Apple could create this tool, use it once on the iPhone in question, and then store it in one of its secret vaults on the Cupertino campus — away from cybercriminals or foreign governments that might want to abuse it. New York City Police Commissioner William J. Bratton and the department’s commissioner for counterterrorism and intelligence, John J. Miller, supported this claim in a New York Times op-ed, arguing that until Apple released its new iOS 8 operating system in September 2014, it was able to use its “master key” to override protections and break into phones to comply with legal requests.
Apple CEO Tim Cook, on the other hand, says the FBI’s request amounts to creating a “backdoor to the iPhone,” and said that the “technique could be used over and over again, on any number of devices.” This, he reasoned in a letter to customers this month, would irreversibly weaken encryption protections.
Neither the FBI nor Cook is entirely right. For any privacy activist, the warning that companies may be required to build backdoors in their encrypted projects is the equivalent of a tornado siren. And that’s because if compromising code is written into a securely encrypted system, it can’t be reversed, and would make everyone’s data more vulnerable to attack. But many experts who oppose the FBI’s request and care deeply about the preservation of encryption still disagree with Apple’s characterization in this case.
“I’m on Apple’s side, but not for Apple’s stated reasons,” Ben Adida, a vice president of engineering at the startup Clever, wrote in a blog post the day after Apple published its public letter. “We’re not dealing with a universal backdoor request, and we’re misleading the public if we say that.”
Phillip Rogaway, a professor and cryptographer at UC Davis, agrees, arguing that the threat to encryption is much more subtle than Apple has stated.
“It’s not really the encryption that’s being broken,” he told Yahoo News. “It’s a piece of the security architecture. What’s sidestepped are the surrounding operating system protections that limit the rate at which pin codes can be entered into the phone. These aren’t really cryptographic matters; these are operating system protections.”
Demonstrators Peter Brockmann, of Northborough, Mass., center, and Chris Gladney, of Boston, right, display iPads with messages outside an Apple Store in Boston on Feb. 23. (Photo: Steven Senne/AP)
Anna Lysyanskaya, a computer science professor at Brown University, says that Apple has deliberately framed the case as part of the larger encryption-rights conversation as a public relations strategy. Typically, a locked iPhone always requires a passcode for access. But Apple designed iOS so that the company can install new software on an iPhone directly, without requiring someone’s passcode, for the purpose of easy repairs and updates. Even if Apple hasn’t yet created the OS that the FBI wants, Lysyanskaya argues that the company’s existing ability to bypass passcodes means that the damage the company has warned about is theoretically already done.
“What Apple is doing is conflating the two things because people’s attention spans are limited,” Lysyanskaya told Yahoo News. “Apple is saying: ‘We could break into our system, but doing so is wrong because that would create a backdoor.’ But that’s a completely different type of issue. Apple already has a backdoor. Apple has the sign-in key that allows it to boot a malicious operating system on an Apple phone if they chose to do that.”
On the legal side, Cook has argued that if the FBI can compel it to create new software to break into an iPhone under a new interpretation of the 1789 All Writs Act, then it could also force the company to build other potentially invasive software for law enforcement’s benefit. That argument was echoed in the company’s motion to vacate last Thursday.
“Given the government’s boundless interpretation of the All Writs Act, it is hard to conceive of any limits on the orders the government could obtain in the future,” the filing reads. “If Apple can be forced to write code in this case to bypass security features and create new accessibility, what is to stop the government from demanding that Apple write code to turn on the microphone in aid of government surveillance, activate the video camera, surreptitiously record conversations, or turn on location services to track the phone’s user? Nothing.”
Law enforcement has done little to challenge that point. During a congressional hearing on Thursday, FBI Director James Comey said the outcome of this case would “guide how other courts handle similar requests.” Meanwhile, the Department of Justice is seeking Apple’s assistance in unlocking iPhones in nine other cases, seven of which Apple plans to challenge.
Former U.S. counterterrorism chief Matt Olsen argues that aside from ordering Apple to create this software, there’s nothing unusual about using the courts to gain access in relevant cases, and that other companies are able to comply without compromising their customers’ data.
“Companies like Apple or banks across the board comply routinely to provide records in response to lawful court orders, without making the ability to hold those records any less secure.”
FBI agents search outside a home in Redlands, Calif., on Dec. 3, 2015, in connection with the shootings in San Bernardino. (Photo: Ringo H.W. Chiu/AP)
Legally, however, this case is not about whether law enforcement has a right to search Farook’s phone, but how much help it can ask Apple for in the process. The FBI is basing its argument for help on a Supreme Court decision it won in 1977 involving a gambling ring. Officials had reason to believe that the ring was using phones to run its operation and wanted a telephone company’s help in setting up a monitoring system. Ultimately, they won the case based on a new interpretation of the All Writs Act because of two main facts: The phone company owned the equipment, and the effort to aid the FBI didn’t cause an “undue burden.”
Apple’s situation is very different. It doesn’t own the phone, and, according to its affidavit, the procedure would require about six to ten engineers working on this system for as long as four weeks. Michael Froomkin, a law professor at the University of Miami, says that kind of manpower is wholly unprecedented.
“That’s pretty burdensome,” he told Yahoo News. “If their facts hold up, they may deserve to win just on that point.”
This is a key part of Apple’s argument — that if the company can be forced to dedicate significant time and resources to comply with an FBI request under the All Writs Act, there are few limits on the government’s ability to conscript private resources.
“There’s a much larger point this case raises: If a third party to a transaction can be drafted to help the government, why just phone companies? We could be drafted whenever they really need us,” Froomkin speculated. “Maybe they need a search party. Maybe they need electricians. They’ll need other things the government doesn’t have. And legally you could do this with other companies, too. Apple’s got a very good case there, that this is a slope and it feels a little slippery.”