The government caused all of this. First they collect the communications of essentially the entire planet (including citizens) and now they act like a victim when consumers want data privacy.
I feel like they are using this case as the poster child even though they don't expect to actually get anything meaningful from the phone. Especially since this was a work phone and the guy's personal phone had been destroyed beyond repair. To me that says anything meaningful would have been on that destroyed device.
The Verge podcast walt-ctrl-delete was talking about this. Nilay Patel, editor at the verge, raised a pretty interesting point which was Supreme Court cases are often picked.
Actors can pick what case they want to appeal or prosecute. They pick the case with the best facts and the right time and try to maximize their chance a decision will be written into law. Roe v. Wade was brought up, although I don't know enough about the case to argue, but it was an example they referenced.
This is a good case for the Gov't. You have 2 people ruthlessly kill a bunch of civilians and they are already both dead. They can't testify and it is fairly likely the data on the phone is meaningless. So the government can make a strong case, their are really no known parties who are alive and have intimate knowledge of the attackers, and Apple can be represented as being "pro terror".
So you raise a good point. Caveat, I would change "The government" to Governments as the U.S. is certainly violating the U.S. constitution but also certainly not the only government involved.
This is the case with most court cases in which social reform is desired...you don't want to risk your case losing because of obvious flaws, because the case will be used as precedent for future cases...nevermind that the court tends to not revisit the same issues, over and over, in a short time span. One of the more recent famous ones I can think of was DC vs Heller (2008), which ruled that the 2nd Amendment applies to D.C. and other federal enclaves, which challenged D.C.'s strict gun control laws.
> In 2002, Robert A. Levy, a Senior Fellow at the Cato Institute, began vetting plaintiffs with Clark M. Neily III for a planned Second Amendment lawsuit that he would personally finance. Although he himself had never owned a gun, as a Constitutional scholar he had an academic interest in the subject and wanted to model his campaign after the legal strategies of Thurgood Marshall, who had successfully led the challenges that overturned school segregation
It's not just court battles, but grassroots movements, too. Rosa Parks was not the first person to fight back against Montgomery's bus seating, but she was the one whom civil rights leaders thought would be the best person to rally around when organizing the boycott and pursuing a court case:
> NAACP organizers believed that Parks was the best candidate for seeing through a court challenge after her arrest for civil disobedience in violating Alabama segregation laws, although eventually her case became bogged down in the state courts while the Browder v. Gayle case succeeded
> Actors can pick what case they want to appeal or prosecute. They pick the case with the best facts and the right time and try to maximize their chance a decision will be written into law.
Looking at it from that perspective, would it have been better if Apple had picked another case to make its stand?
Devil's advocate: Consumer preferences or the fact that it was a work phone don't matter, as long as a warrant has been attained.
This case is a constitutional matter from the beginning-- the Federal government does possess the ability to search a citizen's belongings and communications, given that it has a proper warrant. The Fourth Amendment checks this power.
So, if a Federal judge has issued a warrant, and it is possible, even if difficult, to serve that warrant, the government does have the authority to make that material available to the court.
What I'm getting at is that encryption can make subpoenas and serving warrants impossible for the courts, and that's something that I understand the government being concerned about.
Could this be a power play to establish a precedent, and say the party withholding is aiding terrorism? Probably. Despite that, I understand the government's case.
They are coercing companies into using their resources to produce software and introduce backdoors that can hurt honest customers. And this will hurt companies like Apple, since security is something they sell.
In regards to subpoenas, can the government read your mind? Should they be able to? Well, our devices are an extension of our mind and if you make the case that the government should have access, that's a slippery slope imho.
Furthermore, this will only work against small time criminals. Crime syndicates on the other hand have the resources to acquire knowledge and protect themselves. There's always the analogue loophole and some would argue that such tactics do nothing but to misuse resources, instead of good old detective work, ultimately hurting the honest taxpayers.
I know that this particular case makes access to subpoenaed resources a relatively more nuanced and impactful situation.
The ideal situation for the government is:
'We need that communication. It is locked to us. We unlock it, given that we have a warrant.' The matter ends. (Ignoring bulk collection, for the moment).
The ideal situation for the private consumer is:
No one has access to my communications, because I believe in my own privacy strongly.
So, in the ideal world, the government requires a method that, if they need to, can decipher communications that occur with a US citizen involved, provided there is a warrant.
This is difficult because of the nature of cryptography. What solution shall we find that marries the needs of the government and the private citizen? I don't know. We'll find out.
Mind reading is not applicable. That's a problem for a future world. What the government cares about now in terms of subpoenas, and has always cared about, is communication between criminal individuals that they have probable cause and a warrant to search.
Again, arguing who it will or will not work for isn't really the concern of the government. They care about the achievability of their enumerated powers, whether they be against terrorists or petty criminals. They are working for a solution, and they will approach some simulacrum of that solution.
My analogy does not, but neither does the hypothetical scenario it was a response to.
> "should they be allowed to use EEG to get your phone's PIN code regardless of your consent?"
On the point of compelling labour, I question where Apple's sense of civic responsibility is. They should be eager to help their community and provide any assistance the FBI needs, provided the FBI is acting legally. They should not need to be compelled to help.
You can't compel Apple to have a sense of civic duty of course, but it sure is disappointing that they lack one.
> So, if a Federal judge has issued a warrant, and it is possible, even if difficult, to serve that warrant, the government does have the authority to make that material available to the court.
This goes FAR beyond that. This is coercing a company to do something beyond simply turning over information.
There is a big difference in turning over something which already exists and compelling a company to perform work to create something which does not yet exist.
Picture this if served to a small company. Even if the company was compensated for the work, what happens if it takes all of the company resources over 3 months? Will the government compensate for lost clients? Will the government compensate for lost opportunities?
This kind of government demand is much more like quartering troops (government compulsion to perform an action), and we know full well what the Founding Fathers thought of that.
I think, though, that the government will take this as a sign that they need to never have the need to ask this question again. The demand that encrypted communications devices have some back door wasn't some capricious whim this year: it's been brewing for years, and only accelerated with the widespread adoption of distributing encrypted operating systems.
While I agree that this particular request is similar to demanding that citizens (or corporations), quarter troops, I think it's an error to look too far outside of the realm of communications with regard to the Constitution.
There is an incredibly strong national interest to build and maintain the most secure systems possible. Whether it is banking communications or nuclear reactor controls, the integrity of these systems needs to be treated as a critical asset of both economic and physical security. This is damn hard enough to maintain as is and is completely taken for granted by most of the population who do not need to think about hackers on a daily basis.
Hijacking top comment here but the latest news is that the passcode changed while in government custody.
Also mentioned in the same TechCrunch article is that Apple had provided the iCloud backups. Which begs the question, are local backups of the iPhone crackable too?
If so, the mere presence of having iCloud or local backups means that the government have a way in. So not the latest info but some.
For local backups, Apple says [1] that "There is no way to recover your information or turn off Encrypt Backup if you lose or forget the password." so I'm inclined to thinking it's done with a secure symmetric encryption scheme with the key held by the user. If that's the case, since iTunes prompts you for a separate backup password (only used when restoring a backup), a security-conscious user would probably make that password sufficiently long as to be impossible to brute-force, regardless of any help from Apple.
I think the article's premise is right... whenever I see the U.S. Government encroach like this, or try to undermine domestic security, I always want to ask those Senators, and other government representatives if they'd be okay with China, Russia, Iran and the like also having these tools... because they rarely stay secret when they're created.
Those same government representatives don't see any problem with asymmetry between governments, because of course a good American company should respect the American government (or more to the point, is subject to US jurisdiction).
It's not about the U.S. having tools other countries don't have.... when it comes to something like this, if created, it's a matter of when they have them.
Strong security is strong security... creating artificial back doors, regardless of intent, weakens security... We already have a three letter agency whose job it is to crack these things, why isn't the FBI making these demands to the NSA to build?
Or, China could acquire Apple's signing keys and/or source code through espionage, and then unlock any device -- now, or at any point in the future. We already know this occurs:
The backdoor already exists; Apple is just being forced to admit that they designed their security (in this case, the security of the KDF-performing hardware) around the idea that Apple can neither be coerced, corrupted, nor compromised.
Pin numbers are weak passwords, and Apple built tamper-resistant hardware to provide a physical solution to this inherent weakness in the keying process. They also left a door open for themselves to subvert this physical solution in the 5c, and also in later devices with Secure Enclave.
If they hadn't left that back door in place, then the FBI would have nothing to ask for, and Apple wouldn't be an extremely high value target for authorities in states like China. They did leave that door open, however, and whether or not the FBI compels Apple to use it now limited bearing whatsoever on the risk going forward.
Code signing isn't a backdoor. It's the only door. Coercing or bribing someone into giving up their private key also does not make it a backdoor. But it does violate the explicit promise of code provenance, and thus very broadly and indiscriminately will reduce trust in the entire computing ecosystem, not limited to just Apple.
I believe the parent comment was referring to "allowing updates of the OS without requiring either unlock of the device or a wipe of stored data" as the backdoor.
Correct; more specifically, leaving the KDF retry enforcement behavior writable on locked devices, and in the case of secure enclave, possibly exposing fingerprint-protected keys themselves to Apple-signed updated firmware.
Do you have a source that confirms this? So far everything that I've seen, including the story on Hacker News [1], indicates that we don't know whether the Secure Enclave code can be updated without already knowing the key.
Is there a secure enclave in the 5C? My understanding is that there is not, and that if there was, then what the FBI is requesting simply wouldn't be possible.
However, I believe the issue is that phones that do have a secure enclave are still vulnerable because the secure enclave firmware can be updated and basically neutered to the point where the same attack on the 5C works on those phones as well. I think the attack is just a brute force attack.
The attack is a brute force attack. My understanding is that if a secure enclave is present, then the PIN timeout feature which prevents brute force is implemented in the secure enclave. If the secure enclave did not permit updates, then this logic would be relatively unassailable.
But since the 5C has no secure enclave, the PIN lockout logic can simply be overwritten by updating the OS.
I believe if you have apple's key you can use this to deploy "updates" to locked phones. If a locked phone is powered on and capable of reaching a network, it will automatically grab the signed updates and run whatever code contained therein.
Now I'm not an iphone user and wondering if the auto-update feature can be disabled?
tl;dr - USGOV master access to Apple's encryption gives repressive regimes the moral and political cover to publicly conduct the same surveillance they are already doing, but also to make similar demands of US Manufacturers. It will provide some competitive advantage to a hardware manufacturer from a country who refuses to backdoor their equipment, but not in markets where decryption keys will be required (eg. US)
Great to see that China requested Apple to prove that the US government could not snoop data on their iPhones, while at the same time the US government is scared that China gets encryption keys.
I thought Apple was an Irish company (like Google,Pfizer Tyco, etc all those companies that have done tax inversions). How can they be compelled to follow US law? Just because they have an office here?? What if they moved ALL THEIR JOBS to Canada and Mexico? Would the CIA then have the right to engage them because they were foreign? Would drones accidentally crash into their headquarters? Or is the CIA going to start a campaign against Apple? This looks a lot like cancer when the body attacks itself.
Though I agree with the sentiment that terrorist behavior is abhorrent, we cannot allow the terrorists to win by succumbing to the pressures they create. I understand the need for improved intelligence to predict and prevent future incidents, and I think there is no better example for the value of human intelligence (humint). Rather than engaging in the dirty business of scouring everyone's dirty laundry, I think the gov should crowdsource this effort. The gov's role should be in developing infrafrastructure, methods and plans on how to assess, verify and value the information they receive-rather than pursue the acquisition of data themselves. Ultimately it's still the same problem they have with their own agents-how do you know the information you are getting is true? Wasn't the search for WMDs in Iraq an example of unverified intel acquired by our own agencies?
As Snowden pointed out, no one lives in a vacuum. The gov has the metadata of every tel no and IP address that phone connected to. Those are probably much lower hanging fruit. The individuals that own those devices may be couriers, innocent bystanders or unrelated websites. But that is the job of the agency-to rank these leads, pursue them and prosecute the highest risk ones.
No country needs another's precedent to proceed with their own laws based on their own basic laws.
They are not "waiting to see how country X handles this". If they want to they will. They have large enough markets to force or persuade companies to comply. China is not waiting to see if the US will censor news outlets to see if they can censor journalists. They'll just go do it. They'll do it like India did to BBM a few years ago, if they so wish.
They don't need the imprimatur or precedent from anyone else.
Sure, technically, they can pass whatever laws they want as a sovereign nation. This would make it less costly from a "political capital" standpoint, though, and thus presumably more likely for them to do it. FTA:
The White House has told Beijing that it has major concerns about its new counterterrorism law, a somewhat vague piece of legislation that may require American companies to hand over encryption keys and provide backdoor access to their computer systems.
“This is something that I’ve raised directly with President Xi,” President Obama told Reuters last year. “We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States.”
Those demands will be harder to make if the federal government succeeds in getting Apple to give up its fight, according to one of the Senate’s leading voices on technology policy.
That probably explains their acquiescing to American concerns about human rights, torture, press and reproductive freedoms as well as their speedy roughshod trials of dissidents and others.
I really don't see them persuaded by that logic. They'll do what they want to do regardless so long as its impact on their economy is minimal.
And yet within the US, legislation originating in California is often used as a model by other states when writing their own statues. No one is forcing Rhode Island (way over on the other side of the continent) to do this, but they do because it's easier to copy/modify/paste.
That does not follow. RI has to pass the same constitutional muster as CA. We share the same basic ( constitutional ) law, so it would make sense that one provides a basis for another's law because they are under the same purview of the federal courts system.
I gotta say, for someone who is very much pro-TPP, Ron Wyden seems suddenly concerned about entities overseas using legal power to push around US businesses.
I feel like they are using this case as the poster child even though they don't expect to actually get anything meaningful from the phone. Especially since this was a work phone and the guy's personal phone had been destroyed beyond repair. To me that says anything meaningful would have been on that destroyed device.