Wednesday, February 17, 2016

Magistrate Orders Apple to "Unlock" iPhone of Deceased Shooter

A California Magistrate has issued an "Order Compelling Apple, Inc. to Assist Agents in Search" exactly as requested by the government, with the exception of the word "Proposed" crossed off in the Order's title. The Order requires Apple to provide "reasonable technical assistance in obtaining access to data on the subject device."  The subject device is an Apple iPhone seized from a black Lexus; this is the black Lexus that was driven by the so-called "San Bernardino shooters."  The government's motion explains some of the technology involved and argues that the All Writs Act, 28 USC §1651, authorizes the Order.

The Order specifies that the "reasonable technical assistance" shall accomplish these functions:

  • (1) it will bypass or disable the auto-erase function whether or not it has been enabled;
  • (2) it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT DEVICE; and
  • (3) it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.

Apple is resisting the Order.  In an "open letter" to customers, the CEO of Apple has stated:

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.

The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

We are challenging the FBI’s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.

While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.

Over at ars technica, Dan Goodin argues:

It would be one thing for the court to order Apple to brute force this one device and turn over the data stored on it. It's altogether something else to require that Apple turn over powerful exploit software and claim that whatever digital locks are included can't be undone by a determined adversary. That's why it's no exaggeration for Cook to call Tuesday's order chilling and to warn that its prospects for abuse of such a backdoor are high.

Although the Order is directed at one "subject device," Apple's compliance with the Order would make all our devices subject to government search.


I don't know the specifics of the security features of this particular phone, but I know how they could be done that would make it impossible to comply with the court order, discussed next.

There is an old maxim of law: Lex non intendit aliquid impossibile. The law intends not anything impossible. 12 Co. 89. What the FBI is demanding is essentially impossible, not perhaps theoretically, but practically, at a reasonable cost. It is clear that that is not understood by the FBI or by the judge.
Once a strong keypair is generated, which is done by hardcoded algorithms, the cyphertext produced is essentially unhackable. The user passcode is not part of that strong keypair generation. The codes in a keypair are deleted after each conversation. The passcode provides access to use the local member of a current keypair, but not to past, deleted ones. About the only way to install a back door would be to install circuitry that would save every keypair used, and that would need to be done on both phones, if both used the same algorithm. Having only one phone wouldn't help. Knowing one key of a keypair doesn't enable finding the other. It is essentially impossible to recover past-used keypairs. That would require the reengineering of every phone sold, and a cottage industry of making phones secure by removing the key-capture circuitry. It is too late to try to put a back door in a single existing phone.
Other than refusing to try to help the feds, Tim Cook needs to explain the theoretical constraints, and why it is too late to recover conversations from a particular phone. They are not stored there. He should agree to cooperate and then report it impossible.

Posted by: Jon Roland | Feb 18, 2016 9:49:33 PM

The Government’s motion and affidavit (linked in the blog post) has an accessible discussion of the technology involved. It's obviously from the government’s point of view, but I haven’t seen anything in the tech writing on this topic that essentially contradicts it.

The government argues that the operative test is derived from New York Telephone (1977); one of the prongs is that the burden on the entity to comply must not be “unreasonable.” The government is essentially arguing “Apple does this sort of work all the time.” Apple’s argument in its public statement, also linked above, seems to be that just because we can, doesn’t mean we should, given the slippery slope consequences.
Here's my interview on NPR/Wisconsin Public Radio about the Apple/DOJ controversy;

Posted by: Ruthann Robson | Feb 19, 2016 4:57:49 AM

I won’t get too much into the technology issue, since I’m certainly not an expert on iPhone encryption. My impression, though, is that Apple acknowledges the ability to make the phone accessible, but the dispute revolves around whether the operating system required would be capable of limitation to the specific phone at issue, or whether all other phones would become vulnerable once the technology was developed. Basically, they are not being asked to extract the password, they are just being asked to download software that would shut down the feature that automatically deletes data when an incorrect password attempt is made ten times within one hour; deactivating that defense would allow for “brute force” entry using a stream of computer generated passwords. The government believes that the software could be coded to a unique identifier for the phone at issue, while Apple worries that the program would actually represent a grave danger to the privacy and security of all iPhone users. They may also be concerned about setting precedent for providing this kind of assistance to governments, when China, etc. may very well decide to follow suit.

As to the legal aspects, I think that the “undue burden” analysis should take into account not only the technological difficulty of adapting the operating system, but also the burden that may result from an actual or perceived lessening of general iPhone security, which may affect Apple’s market standing. Unlike previous All Writs Act cases (United States v. New York Telephone Co., as one example, involved the installation of a pen register to record numbers for outgoing calls on a phone line) this case involves significant implications for a debatable issue of national security, and may greatly affect the primary behavior of numerous private, third party actors outside the court system. As such, I think the order could be considered a violation of prevailing constitutional principles of the separation of powers; without a far more specific statutory imperative than the All Writs Act, this kind of policy decision should be made by a legislature, not a court.

In addition, an argument could even conceivably be made that the order represents a judicial Taking. If Apple’s iPhone design is constitutionally protected property (and Ruckelshaus v. Monsanto made it clear that a great deal of intellectual property is protected by the 5th Amendment) and if the adaptation of the operating system lessens the value of that property in ways not foreseeable within the current regulatory framework and defeats Apple’s distinct “investment backed expectations” per Penn Central Transportation Co. v. New York City, perhaps the company is entitled to just compensation.

Bottom line is, while I understand the urge to take any step necessary to fight terrorism, I think this order is a judicial overreach. U.S. courts are normally very hesitant to impose intensive affirmative obligations on private parties to assist with law enforcement, and our societal hesitancy to mandate “involuntary servitude” to goals people do not share and projects they do not believe in is even enshrined in the 13th Amendment. There is no real historical precedent for this kind of mandatory technological R&D assistance (it’s far beyond the common law concept of posse comitatus) and unlike other impositions of individual servitude to the alleged common good, such as the draft, there is no clear legislative policy underlying it either. Let’s leave the important decision of whether a government “backdoor” to encrypted iPhones makes our country and its citizens more or less secure to Congress, which is elected to make exactly that kind of determination.

Posted by: Josh | Feb 19, 2016 7:44:53 AM
