I want to share my (fairly unoriginal) thoughts regarding the Apple/FBI issue that has been in the news for the past month or so. Let’s start off with a quote:
“I can tell you, the first time we do have trouble getting into a cell phone, we’re going to seek a court order from Apple. And when they deny us, I’m going to go lock the CEO of Apple up…I’ll lock the rascal up.”
Who do you think would have the cojones to make such a statement? None other than Polk County Sheriff Grady Judd, a sheriff in Central Florida who delivered the statement at a press conference regarding the murder of a drug dealer in his county. “The CEO of Apple needs to know he’s not above the law,” he exclaimed, “and neither is anybody else in the United States.”
Ever heard of him? Neither have I. And whether or not he has the authority to make such an arrest is irrelevant, since I’m fairly certain that his comments were the law enforcement equivalent of political grandstanding (not to mention the fact that his county’s biggest criminal issue is most likely the frequent theft of pink flamingo lawn ornaments).
But regardless of your opinions on Sheriff Judd’s stance, I’m just happy to see spirited discussion and enthusiasm in the first place. I’ve been writing about digital privacy and security since I was an undergrad, and it can be a pain to get the average person to care. Snowden made waves (and he still comes up in the news every once in a while, on slow days), and Aaron Swartz is mentioned from time to time, but I truly believe that the past few years of NSA-related security news has helped Americans think about their privacy much more than in the past.
For those who are out-of-the-loop (or simply haven’t taken the time to understand the complex debates surrounding the FBI’s legal slapfight with Apple), here’s a brief (and humorous) John Oliver segment that can bring you up to speed. If you want an abbreviated text version, though, I’ll indulge you.
–A California judge ordered Apple to unlock the iPhone that belonged to Syed Farook, one of the shooters in the San Bernardino shootings last December. The phone is currently locked by a user-generated passcode, the same passcode that you and I are able to use on our own iPhones. Ten failed attempts at entering the password can both lock the phone and erase the data, eliminating any chance of recovering possible evidence stored on the phone.
–On February 16th, Apple responded with a public letter, signed by Apple CEO Tim Cook, that argued that complying with the judge’s order could set “a dangerous precedent” when it comes to encryption and data security. “The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by ‘brute force,’ trying thousands or millions of combinations with the speed of a modern computer.” The letter is short, and worth a read.
— On February 19th, the Justice Department filed a motion that claimed that Apple’s refusal to cooperate was based on the concern that the issue would negatively affect their business and public relations. A senior Apple executive responded that their refusal to help the FBI was about “principles rather than marketing.”
–On February 22nd, FBI Director James B. Comey made a personal, passionate plea on lawfareblog.com in a letter titled, “We Could Not Look the Survivors in the Eye if We Did Not Follow this Lead.” He explains how narrow this particular legal issue is and tries to explain that it will not have widespread implications when it comes to encryptions and backdoors, which Apple has been suggesting. “We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That’s it. We don’t want to break anyone’s encryption or set a master key loose on the land. I hope thoughtful people will take the time to understand that.” The letter does not specifically mention Apple by name.
Fast forwarding a bit…
–On March 11th, President Barack Obama attended SXSW (South by Southwest Interactive) to deliver a wide-ranging keynote address to attendees. He made several comments regarding the San Bernardino case (though he didn’t reference the case directly), specifically referring to those who believe that the government should never be able to access an individual’s smartphone. “That I think does not strike the kind of balance that we have lived with for 200, 300 years…It’s fetishizing our phones above every other value.” His comments have recently drawn criticism.
–Also on March 11th, the formal legal rebuttal to Apple was released by the Justice Department. They address the fact that it would be “burdensome” for Apple to be forced to write the code that would remove/unlock security features on Farood’s iPhone, and they suggest an alternative: that Apple turn over the source code to the entire operating system. “The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labour by Apple programmers.”
Plan A (forcing Apple to write the code necessary to disable the security functions on the terrorist’s iPhone) may not work due to legal precedent. I did some digging around and read up on “unconstitutionally compelled speech” and whether or not that applies to code. I found an interesting article on the Electronic Frontier Foundation’s website that discusses this particular issue. According to the author, “courts that have examined First Amendment protections for computer code have been clear that software has both functional and communicative elements. Just like musical scores, code communicates ideas, and it is interpretable by (some) people. To use the language of First Amendment law, code is “expressive.”
In the brief that the EFF filed in support of Apple, they argued that the FBI’s request is “akin to the government dictating a letter endorsing its preferred position and forcing Apple to transcribe it and sign its unique and forgery-proof name at the bottom.” I’m pretty sure they know what they’re talking about, especially since the EFF represented Daniel J. Bernstein in a landmark case (Bernstein . United States) that classified software code as speech protected under the First Amendment. If code is speech, and the US Government is trying to force Apple to code, it seems that they are actively infringing on Apple’s First Amendment rights. For Apple, it can be argued that their code has been one of the company’s most important assets since the company was founded, and the protection of that code (and the security measures that accompany it) are of the upmost importance.
Regarding the Justice Department’s “Plan B” option (handing over entire source code for the iPhone to the FBI), the main issue is that the government simply cannot be trusted to hold onto that code without accidentally leaking it and giving malicious individuals the opportunity to take advantage of it. That would be catastrophic, and FBI Director James Comey is on record discussing the fact that the chance of Apple’s signing key getting out into the wild is “a concern” (at 2:43:12). It would undoubtedly be a high profile target for hackers to try and nab, especially since approximately 1.35 billion iOS devices have been sold to date. At the risk of sounding cliché, whoever holds that code holds IMMENSE power.
If the US government is as incompetent as I think they are, hackers can and will be able to obtain Apple’s tools. If they want to cause damage, studying every nook and cranny of the source code would undoubtedly reveal a countless amount of exploits that they could take advantage of, forcing Apple to virtually rewrite the entire OS. This type of large-scale data breach has happened before; last September, it was revealed that approximately 5.6 million fingerprints belonging to people applying for or receiving security clearances were stolen from the Office of Personnel Management by Chinese hackers from. In total, approximately 21.5 million former and current federal employees and job applicants were affected by the attacks in what is now known to be a Chinese espionage operation that can have huge consequences to our national security.
With that being said, my main concern regarding the entire issue is this: if the FBI were to obtain access to Apple’s signing key and source code, they could do virtually anything that Apple could do with regards to iOS. Hypothetically, they would have the two tools needed to create their own version of the software, send it out to any device they wanted, and make it look like one of the standard-issue Apple software updates that pop up in your settings.
They could even take over your cell service provider’s DNS service and send a signed iOS update over the air, an update that was customized by the feds themselves in order to spy on you for whatever reason they can come up with. It might sound Orwellian, but literally all they need is the signing key and the source code.
I can’t wait to see how this entire situation shakes out. It’s not often that we can see a powerful company like Apple publicly defy orders and vow to fight for the rights of the users who rely on their encryption software to protect their data. It shouldn’t be a “refreshing” feeling to see a company stand up for the people, but hey, I’m not complaining. Between this legal battle and the 2016 election season (and the Golden State Warriors’ historic NBA season, and Kanye’s twitter rants), I’m quickly running out of popcorn.