How the FBI’s Fight With Apple Could Change the Future of Smartphone Security
Congress heard testimony yesterday in an important security case. The FBI demands help in jailbreaking the iPhone. Apple, with support from other tech companies, is refusing. It looks like iPhone users will worry about an isolated issue, but the ramifications of this struggle will affect all of us.
What the FBI is asking for and why Apple won’t do it
At the center of this debate is a telephone belonging to Syed Rizwan Farouk, a criminal involved in the San Bernandino massacre . The FBI has a search warrant for Farouk’s work phone (as well as permission from his employer who owns the device). However, the phone is encrypted and password protected. In addition, Farouk included a feature in iOS 7 that erases data from the phone if someone tries to enter a password 10 times and cannot enter it.
This puts the FBI in a difficult situation. They have the right to search the phone, but – at least according to the FBI – they don’t have that ability. That’s where Apple comes in. The FBI has received a court order requiring Apple to create a version of iOS that would make it easier to hack an FBI phone. To be clear, the FBI is not asking Apple to hack into the phone itself . Rather, the court order requires Apple’s iOS update to do three things:
- Disable the feature that erases data from the device after entering 10 incorrect passwords.
- Let the computer enter passcodes fast enough to allow brute force attempts (instead of physically entering them using the onscreen keyboard).
- Remove time delays between attempts to enter the wrong password so that guesses can be entered without waiting.
At this point, the FBI will have to hack the phone using conventional brute force methods . However, in an open letter to its customers, Apple claims the FBI has no authority to ask for it. In addition, the company claims it will set a dangerous precedent. This will effectively jeopardize the security of every iPhone in the world and every smartphone by association, as Google and other companies will comply with the same requirement if the FBI (or any other law enforcement agency) demands it.
On the other hand, the FBI bases its claims onthe All Judgments Act of 1789 . To simplify a complex law, the law states that a court can order an individual or legal entity to assist law enforcement agencies in an investigation if the following criteria are met:
- The ordered side cannot be too far from the body.
- The government cannot place an undue burden on the ordered party.
- Party assistance should be needed, and there are no other judicial methods.
- The action must already fall under the jurisdiction of law enforcement and must not accidentally create or expand jurisdiction.
Apple claims that not only allow it to gain access to the iPhone Farouk (over which it has jurisdiction), but also that it will allow access to any iPhone (in the jurisdiction of the FBI missing) a request by the FBI. They say this is tantamount to creating a backdoor, and as long as it exists, there will be no way to prevent it from being used on every iPhone in the world by anyone who gets it. In other words, Apple cannot unlock just this iPhone, as the FBI requires.
While this particular case is getting a lot of attention, there are several similar cases over which the FBI and Apple have disagreements. In one case, when the US government forced Apple to make a “workaround” for a drug dealer’s iPhone, a judge ruled that “the constitutionality of such an interpretation [of the All Litigation Act] is so questionable that it makes it unacceptable as a matter of statutory interpretation.” In other words, in this judge’s opinion, it is highly unlikely that the FBI has the right to make a request.
It’s not just about encryption, it’s about constitutional rights
Privacy laws in the United States are generally a mess . No matter how contradictory or confusing laws may be, tech companies still have a duty to comply with any legal request from the government. However , Apple ‘s default encryption means that it cannot transfer the data stored on your iPhone even if it wanted to. There are currently no laws requiring Apple to have access to encrypted data in order to pass it on to the government. This is why the FBI can’t get Apple to hack Farouk’s iPhone.
This distinction makes this case so important. The FBI does not instruct Apple to transfer data to which it has access (they can already do it), and does not order Apple to hack into the phone itself (which is illegal). Instead, the FBI is ordering Apple to create entirely new tools to bypass iPhone security without Apple’s help.
Apple claims it violates several constitutional rights. First, in many cases federal courts have ruled that the code is considered a protected word under the First Amendment . Apple claims the court order is effectively a forced speech, meaning the government is forcing Apple to “say” something that is generally illegal except in very specific circumstances . Apple also claims that due to the fact that an iOS update had to be signed to fix the phone in question, the company would have to sign the software as genuine and approved by Apple. Even if the courts can force Apple to create a tool to circumvent its own security measures, they cannot force Apple to declare (via software signature) that the allegedly compromised code meets company standards. According to Apple, this government is ordering the company to make false statements.
In addition, Apple says the order also violates its Fifth Amendment rights . Here, the company argues that the FBI is essentially forcing Apple to become an agent of the government, requiring it to create tools that it is not required to create by law. Apple claims the order is an undue burden on the company. According to Apple’s release statement, this “violates Apple’s essential right to due process to be free from” arbitrary deprivation of [its] liberty by the government. “
Apple argues that if the FBI is allowed to force Apple to create this modified version of iOS, it would set a dangerous precedent. Then the US government could force other tech companies to create additional tools to bypass any form of security. In essence, this could lead technology companies to create forensic laboratories in order to undermine their own security functions.
Even setting aside the First and Fifth Amendments, the immediate consequence of the FBI’s ruling is that there is a tool that undermines the security of every iPhone on Earth. This would violate the rights of every person under the Fourth Amendment, which protect against unreasonable search and seizure. While the FBI has a warrant for Farouk’s iPhone, it doesn’t have a warrant for every iPhone that he could potentially unlock with a code it asks Apple to develop. As Apple explains, once a backdoor is in the wild, you can’t get it back. While the company will not release the said backdoor – or even publish details about it – publicly, there is no guarantee that neither how it was made nor how it was created will be leaked or duplicated. Apple also fears that if the US government can get Apple to hand over such a tool, foreign governments – countries with far worse privacy and human rights records – will do the same.
FBI Says Encryption Will Make Smartphones Guaranteed
The FBI’s counter-argument is that if Apple succeeds, a warrant and court order to search phones will be meaningless. At a congressional hearing on the topic yesterday (which you canview in full here ), FBI Director James Comey said widespread consumer-level encryption would create “warrantless spaces” where law enforcement is allowed to search but is unable to do so.
The main response to this argument is that device encryption does not make it impossible to access device data. It’s just harder . In fact, the FBI was able to retrieve one old iCloud data backup from Farouk’s iPhone (and could possibly have accessed more if they hadn’t reset his password ). Apple’s argument is partly based on the fact that the FBI doesn’t need outside help.
However, New York District Attorney Cyrus Vance acknowledged that this precedent is not limited to the FBI. Vance cited over two hundred telephones over which his office has jurisdiction and which may be affected by the decision. While the FBI may have the resources to invest in Farouk’s iPhone, New York County law enforcement probably won’t be able to devote that much time and effort to more than two hundred phones. Instead, Vance advocated for a structure that would allow the court to authorize access to the device. However, it is unclear how exactly such a plan will be implemented.
The FBI is painting a desperate picture for law enforcement. Indeed, even if the FBI could have jailbroken Farouk’s iPhone without Apple’s help, there will likely be plenty of other cases where local law enforcement has the legal right to search the phone, but not that. However, the FBI has not resolved the problems associated with the company’s order to allow them to pass to the encrypted device. In fact, Director Komi even admitted during yesterday’s hearing that he did not take into account that China could similarly order Apple to hand over the same code requested by the FBI.
Nearly all participants agree that the FBI has jailbroken Farouk’s iPhone. However, the more serious implications here will have a huge impact on security in the future. There is not much you can do about it at this point. You can always write to your government to let you know how you feel and keep an eye on how your preferred presidential and congressional candidates respond to privacy-related issues. This is a year of big elections, and this controversy could lead to new laws being passed in the future. Depending on who gets elected, their interpretation of confidentiality law will go a long way, and how your elected officials deal with security issues will have a big impact on how such cases develop in the future.