DoJ v. Apple: It’s all about the precedent

By now, you’ve probably heard something about the ongoing legal battle between Apple and the Department of Justice. “DoJ v. Apple” coverage has been abundant, on blogs and TV news shows alike, but in case you haven’t here’s a quick recap. The FBI obtained the work iPhone of Syed Rizwan Farook, who, along with his wife Tashfeen Malik, murdered 14 people in a shooting rampage at a holiday party in San Bernardino, California. The government suspects that iPhone may hold critical information about the couple’s contacts in the weeks leading up to the attacks – contacts that may uncover future plots. They have a warrant, but they can’t access the data on the phone because it is using the strong encryption that comes with iOS 9 and up. Not even Apple can bypass the encryption, at least directly.

TL;DR? Watch John Oliver (NSFW)

DoJ v. Apple: The order

A federal judge granted the DoJ’s motion for an order under the All Writs Act, compelling Apple to create a modified version of iOS for the shooter’s iPhone with the following changes:

  • Disable the automatic wiping function that can be triggered if too many bad attempts and made when entering the PIN
  • Disable the delay that occurs between bad PIN entries
  • Have an automated method of brute-force guessing all possible PINs

Such modified software would provide access to the iPhone within minutes.

One and done?

The DoJ contends that the software could be allowed to remain on Apple’s campus, and would only be used for this one phone in this case. However, there are many, many more cases where an encrypted iPhone is suspected to contain information relevant to a violent crime, including 175 devices in NYC alone.  If the order were allowed to stand, Apple would surely receive similar orders from law enforcement agencies around the country and beyond, including countries with dismal human rights records. It would set a precedent that would allow courts to compel companies to do anything. As a result, Apple and others would need to keep a weakened copy of their software on hand at all times to be able to comply with such orders, greatly increasing the risk of the software being stolen by an insider, or outside attacker.

Apple appealed the order on grounds that the order:

  • Would violate its First and Fith Amendment rights by compelling speech
  • Would cause an unreasonable burden
  • Would set a dangerous precedent

Judge Orenstein granted the appeal on the grounds that:

  • The government’s request fails to satisfy the requirements of the All Writs Act
  • The government’s request fails to satisfy the needs of judicial discretion
  • Congress has already clearly defined what can be required of telecommunications companies
  • Congress considered legislation that would have authorized such a request, but did not pass it, thus neither explicitly allowing or prohibiting such a request
  • Accepting the government’s interpretation of the All Writs Act would likely render it unconstitutional, based on the separation of powers in the branches of government

Politicians and Encryption

High profile cases, such as the San Bernardino massacre have prompted uninformed calls from politicians for the tech community to come up with a solution that would allow law enforcement to access to encrypted devices and communications.

“I would hope that, given the extraordinary capacities that the tech community has and the legitimate needs and questions from law enforcement, that there could be a Manhattan-like project, something that would bring the government and the tech communities together…”
– Hillary Clinton, ABC News Democratic Debate – December 19th, 2015

Does a former Secretary of State really not know how quickly Manhattan Project secrets were leaked?

Encryption is global and here to stay

“In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to mobile communications. The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not.”
David Cameron

Strong encryption cannot be outlawed, because math cannot be outlawed. The algorithms have been known around the world for decades.

According to A Worldwide Survey of Encryption Products, Feb 2016, v 1.0 by Schneider et al., encryption projects can be found all over the world:

CountryOpen SourceProprietaryUnknownGrand Total
United States1012021304
Germany4666112
United Kingdom183654
Canada153247
France251641
Sweden102333
Switzerland61925
Australia51621
Netherlands91019
Italy711119
Russia8917
Unknown8715
Finland459
Israel189
India189
Japan3519
Czech Republic268
Austria178
Seychelles077
Spain077
Grand Total2705003

773+

The following are high-quality, open source end-to-end encryption tools. Many of these have global teams.

UseProjects
Mobile messaging/voiceSignal
Files at restGnuPG/Gpg4win/GPGTools
Email frontend for GPGThunderbird/Enigmail
Instant message (IM)OTR on Jitsi
A/V conferencing ZRTP on Jitsi

There’s no magic solution

President Obama has a more detailed proposal that may seem reasonable at first, but it has the same flaws.

“I suspect the answer is going to come down to how do we create a system where the encryption is as strong as possible, the key is as secure as possible, it is accessible by the smallest number of people possible for a subset of issues that we agree are important.”
– President Obama at SXSW 2016

That’s not going to work. Why?

  • How valuable would such a key be? Priceless
  • Who would want to steal such a key? Every hacker ever. Especially the same kinds of people who stole the HR and security records of every federal employee and job applicant, a breach that many consider to be more damaging than the Snoden leaks, especially when combined with other stolen data.
  • Would there be temptation for abuse? Definitely.

Outlawing strong encryption only hurts the good guys

“[Apple CEO] Tim Cook is living in a world of the make believe. I would come down so hard on him—you have no idea—his head would be spinning all of the way back to Silicon Valley.”
Donald Trump

It can be tempting to try and simplify a complex issue to “You’re either with us or against us”. Encryption is not that simple. It’s true that recent advancements in consumer technology have made it easy for anyone, including criminals, to use unbreakable encryption. However, the underlying technology has been around the world for decades. Trying to force everyone to use weak encryption will make everyone who uses it extremely vulnerable, disrupting trust in the internet and global commerce. It will criminalize anyone who values their privacy and security, and make little difference in the ability to read the communications of real criminals. If a criminal knows (like everyone would, given the press) that the lawful encryption is weak, but that unbreakable encryption can be had with a bit more effort and knowledge, the choice is obvious.

Some are living in a world of make believe, but not Tim Cook. It would be nice if more politicians actually learned about a topic before making broad statements about it.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.