Apple CEO Tim Cook has launched a high-profile battle against the U.S. Government, opposing an order to effectively bypass iOS security so that the FBI can get to the contents of an iPhone used by one of the shooters in the killing of 14 county workers Dec. 2, 2015, in San Bernardino, Calif.
Unfortunately, the claims and counter-claims surrounding the order are shaping up as an all-or-nothing battle in which the government seems to be asking for the keys to Apple’s kingdom, while Apple is refusing to give an inch, a position that seems certain to result in a protracted legal battle.
In reality, this is an extraordinary situation in which there should be some middle ground that provides a way to allow the FBI to do its job and fight terrorism, while not giving out a key that would subject every smartphone to random plundering by curious bureaucrats. The FBI has a legitimate need for the data and Apple should work with the government to find a way to make this work.
The iPhone in question was used by Syed Farook, but was actually owned by San Bernardino County, Calif., for whom Farook worked. Farook and his wife Tashfeen Malik were killed in a shootout with police Dec. 2, 2015, after they conducted a terrorist attack on a county government office that killed 14 people and wounded 22 others.
U.S. Magistrate Judge Sheri Pym actually ordered Apple to provide reasonable technical assistance to the FBI in its efforts to get past the 10-try limit that Apple’s iOS places on attempts to access devices running iOS 8 and above. Apple first put the limit in place following a series of high-profile breaches of celebrity accounts that resulted in private information being exposed.
While the order doesn’t specify how Apple is to help the FBI, a letter from Cook says that a new version of iOS would need to be created that didn’t contain a number of security features. “Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation,” Cook wrote in his letter to customers. “In the wrong hands, this software—which does not exist today—would have the potential to unlock any iPhone in someone’s physical possession.”
The judge’s order was accompanied by a memo from the FBI that suggested that the new software could be limited to one use on a single phone, but Cook isn’t buying that. “The government suggests this tool could only be used once, on one phone,” Cook wrote. “But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices.”
Cook said that Apple can find no precedent for forcing an American company to expose its customers to a greater risk of attack. He said that all such a back door would accomplish would be to hurt law-abiding customers, since the bad guys would still use strong encryption.
It’s notable that the government in this case is relying on the All Writs Act of 1789 as the authority to impose the order on Apple. In the past, this act has been used to force the release of information under court order.
Apple Faces Legal Dilemma With Refusal to Provide iPhone Backdoor
The act has never been used (as far as anyone can tell) to force Apple or anyone else to write new software. Considering the provenance of the Writs Act, it’s unlikely that the Framers of the Constitution ever considered that possibility.
It’s no surprise that Apple is gathering some powerful allies in its upcoming battle with the government. The Software and Information Industry Association has announced that it’s in Apple’s corner in this issue.
“Our industry is committed to working with law enforcement to keep Americans safe, but we strongly believe that the government’s position in the Apple case will do more harm than good,” SIIA’s senior vice president of public policy Mark MacCarthy said in a statement issued by the association.
“This case is not about one company or one device. It will ultimately affect the trustworthiness of every device where data is secured. The government wants to force companies’ engineering staff to create malware that weakens security on a mobile phone’s operating system,” MacCarthy’s statement said.
The Electronic Frontier Foundation sided with Apple, saying that it expects the government to use such a capability frequently. “The U.S. government wants us to trust that it won’t misuse this power. But we can all imagine the myriad ways this new authority could be abused,” the EFF said in its statement.
Support for Apple seems to be growing. The advocacy group Fight for the Future says it’s planning rallies at Apple stores protesting the court order.
But protesting the court order can do only so much. Ultimately, Apple is still under a court order to produce a means for the FBI to gain access to Farook’s iPhone. Presumably, the company will appeal the order, going all the way to the Supreme Court if necessary. Unfortunately, this is a risky strategy because the high court can decide that the government is right and that Apple must comply.
The risk goes beyond Apple being forced to do the FBI’s bidding. It will also create a precedent that allows such demands in the future, at which point such refusals would fall on deaf ears. Because this case is unprecedented, there’s little reason to assume that the Supreme Court would see things Apple’s way.
But maybe there’s another approach that would solve the government’s problem, while still keeping a “master key” out of the hands of the government. Suppose Apple were to create software that would remove the 10-tries limit, but not share the software with the government. Apple could simply modify the iPhone software and give the phone back to the government.
Then the FBI investigators could run a brute force procedure for as long as they needed to find the right access code to break into Farook’s phone. While it might not satisfy the government’s desire for instant gratification, it would eventually provide the access they are demanding.
Because the iOS 8 lock codes are only four digits long, giving a total of 10,000 possible combinations, it may take a while, but it won’t take forever. While this would deny the government the master key it wants, all it’s really asking for is access, and it would get that.