The FBI's Warrant to Apple and Apple's Security Concerns
So nearly everyone is talking about Apple and security, but almost no one is providing the facts in the conversation. On the one side you have SECURITY, PRIVACY, GOVERNMENT OVERREACH, on the other side you have NATIONAL SECURITY and SAFETY OF ALL AMERICANS. But around the hype what are the actual facts?
For anyone unfamiliar with the case, this surrounds an iPhone recovered by the FBI that belonged to one of the San Bernadino terrorist's who attacked a holiday party, December 2, 2015, killing 14 and wounding 22. The phone in question is reported to have belonged to Syed Farook.
Tim Cook wrote in a letter issued to their customers, "We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone." That reads so pro Apple customers and the protection of their devices that how can you possible disagree with Apple?
Tim Cook continued in the letter, "Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority. The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer." So right now are you thinking, yes we will forever remain loyal Apple customers, Tim Cook really understands the security that is important to us?
But wait a second, we have the feel good, we're protecting our customer's side, but now let's see what the warrant actually said. A little known fact, because TV makes us all less knowledgeable, warrants are not broad spectrum things that give the police / FBI / government limitless power to violate our 4th Amendment rights. More often than not, especially in technology, they are incredibly limiting to the scope of what is being searched for. Take a case where a server is seized because there is evidence that it is being used to commit identity theft, the owner of the server is also suspected of selling arms illegally, but there is no evidence. The professionals examining the server will have a warrant that allows them to search for very specific items related to the identity theft, but not look in any other programs or documents. Oops I found a document outlining arms deals while looking into the identity theft ring has not been upheld in court in the same way that someone who is pulled over for speeding and the officer sees drugs in the back seat of the car is upheld. "Plain site" has been historically held to a different standard in technology. Now if you hand your device over to the police, of your own accord, without a warrant for something specific, then the consequences of what they find are yours and yours alone.
Back to the warrant, issued February 16, 2016 by Sheri Pym United States Magistrate Judge. "IT IS HEREBY ORDERED that: 1. Apple shall assist in enabling the search of a cellular telephone, Apple make: iPhone 5C, Model: A1532, P/N: MGFG2LL/A, S/N: FFMNQ3MTG2DJ, IMEI: 358820052301412, on the Verizon Network, (the "SUBJECT DEVICE") pursuant to a warrant of this Court by providing reasonable technical assistance to assist law enforcement agents in obtaining access to the data on the SUBJECT DEVICE." As would be expected of a legitimate warrant, great specificity it used in describing the device access is ordered to.
"2. Apple's reasonable technical assistance shall accomplish the following three important functions: (1) it will bypass or disable the auto-erase function whether or not it has been enabled; (2) it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT DEVICE; and (3) it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any delay between passcode attempts beyond what is incurred by Apple hardware." Item 1 is to stop the device from destroying the data. Item 3 is to stop the device from giving a timeout message. Item 3 seems irrelevant as the issue is with the device destroying data after a certain number of tries not the annoying you're locked out for 20 minutes type message.
"3. Apple's reasonable technical assistance may include, but is not limited to: providing the FBI with a signed iPhone Software file, recovery bundle, or other Software Image File ("SIF") that can be loaded onto the SUBJECT DEVICE. The SIF will load and run from Random Access Memory ("RAM") and will not modify the iOS on the actual phone, the user data partition or system partition on the device's flash memory. The SIF will be coded by Apple with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE. The SIF will be loaded via Device Firmware Upgrade ("DFU") mode, recovery mode, or other applicable mode available to the FBI. Once active on the SUBJECT DEVICE, the SIF will accomplish the three functions specified in paragraph 2. The SIF will be loaded on the SUBJECT DEVICE at either a government facility, or alternatively, at an Apple facility; if the latter, Apple shall provide the government with remote access to the SUBJECT DEVICE through a computer allowing the government to conduct passcode recovery analysis."
"4. If Apple determines that it can achieve the three functions stated above in paragraph 2, as well as the functionality set for in paragraph 3, using an alternate technological means from that recommended by the government, and the government concurs, Apple may comply with this Order in that way."
In paragraphs 3 & 4 we find the meat of the both the Order and Tim Cook's statement that Apple does not want to comply. It also probably looks like gibberish to most people so we'll pull it apart for clarity and understanding.
Let's start with iPhone Software file, recovery bundle, or other Software Image File (SIF), what the FBI is looking for here would amount to custom software for them to use on this device. They are looking for it to be loaded and run from the RAM, which allows for no alteration to the data on the phone, this is important when you think of that data like any other piece of evidence, an altered or damaged piece of evidence has less value than how it was originally recovered. The FBI wants this custom written software to be written with a unique identifier of the device so that it will only load and run on this particular phone. Here the argument is rightly made that this new software could be reverse engineered, by anyone with the technical know how, to be used against any number of Apple devices. Towards the end of paragraph 3 the FBI includes safeguards to this custom written software when they say, "the SIF will be loaded on the SUBJECT DEVICE at either a government facility, or alternatively at an Apple facility...with remote access to the SUBJECT DEVICE through a computer allowing the government to conduct passcode recovery analysis."
As clear as it is that in the wrong hands this software could be reverse engineered against many Apple devices, that the next sentence allows Apple complete control over this software to the extent that they are allowing the device to remain at an Apple facility during testing. This tends to negate Apple's concerns, unless they are concerned that someone on their own team creating this software might leak it.
Lastly in paragraph 4 the FBI provides yet another option for Apple, "If Apple determines that it can achieve the three functions stated above...as well as the functionality...using an alternate technological means...Apple may comply with this Order in that way." So Apple doesn't want to create custom software, but has another way to facilitate access to the device then great, no security risk is posed to Apple by creating a new software.
Apple, in a case in New York, has said, "forcing Apple to extract data...absent clear legal authority to do so, could threaten the trust between Apple and its customers and substantially tarnish the Apple brand." Going on to say, "This reputational harm could have a longer term economic impact beyond the mere cost of performing the single extraction at issue." These statements have led observers to conclude that Apple has the know how in place to facilitate the FBI, but is refusing to do so for the singular reason to protect their brand. It also raises the question of that if an order from Sheri Pym, United States Magistrate Judge does not represent clear legal authority to Apple, then what does meet that standard?