Encryption

Apple to Judge: Forcing Them to Write Code for FBI Violates Their Free Speech

Company reveals formal opposition plan to demand they help weaken phone security.

|

Oh hey, corporations have free speech rights. Almost like they're people.
Credit: matsuyuki / photo on flickr

Believe it or not, despite all the press and debate surrounding a judge's order that Apple should create tools to help the FBI break into the iPhone owned by dead San Bernardino Terrorist Syed Farook, the company hasn't yet actually formally replied to the order.

We know the company is resisting, arguing to the public that it's not possible for Apple to create a device that would help bypass the security of just one phone. Their public position is that any tool Apple creates to help break the security of a phone could be subsequently replicated, either by government demand or if it somehow got out of Apple's control and were reverse-engineered.

But the judge in the case gave Apple time to give its actual formal response to the court, and the Los Angeles Times just heard from one of Apple's lawyers. The attorney told the Times that they are going to argue that the judge overreached in the application of the All Writs Law in her order and violated Apple's rights to free speech:

"The government here is trying to use this statute from 1789 in a way that it has never been used before. They are seeking a court order to compel Apple to write new software, to compel speech," [Theodore] Boutrous said in a brief interview with The Times.

Boutrous said courts have recognized that the writing of computer code is a form of expressive activity—speech that is protected by the 1st Amendment.

He indicated that Apple would argue that Congress, not the courts, is the proper venue for a debate about "the security and privacy of citizens and law enforcement needs."

"It is not appropriate for the government to obtain through the courts what they couldn't get through the legislative process," he said.

People have been comparing the case to a 1977 Supreme Court decision that allowed the courts to compel phone companies to provide technology to help authorities track phone calls in an investigation. But Boutrous noted that the phone company was a heavily regulated government utility at the time and that the technology the company was being ordered to provide already existed. The phone company didn't have to create it at the government's demand.

Read more here. And our coverage of this encryption fight is here

Advertisement

NEXT: Rand Paul, Ted Cruz, Nevada, and the Silent Armies of the Non-Voting

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. pretend code = gay wedding cake and they’d be fine with it.

    1. Or if it were China asking

      (Not saying they should comply, just that their principles are very selective)

      1. “their principles are very selective”

        Not regarding this particular issue of consumer encryption. They’ve complied when it didn’t involve implications for all other similarly encrypted devices the way this case does.

      2. Jer,

        Apple is promoting their resistance to opening security as a PR help to them in current company slump. The actual judicial order was described by a regular fox guest on “Red Eye” and “Gutfeld” named Mike something, who used to be CIA and has a security company called “Diligence.” He was a guest on some Fox show the other day, and noted that the actual order was only asking for Apple to take possession of the phone, open it however they do, dump the data, deliver the data to the Feds.

        Apple keeps for storage or destruction all ways, means and tech they used to break into the phone, as well as the phone itself. That obviates all of the scare stories. Thats why I think Apple is just blowing smoke for PR purposes.

        1. Devil,

          Even assuming that your source can be trusted, which I doubt, that doesn’t change anything.

          Government hands Apple the phone and says “crack this and get the data off it”.

          Apple says “we have no existing tech that does that and don’t feel like developing any” and hands back the phone.

        2. Or maybe that’s just entirely wrong.

          “There’s been a lot of confusion about what exactly the FBI is asking Apple for…. The FBI is requesting that Apple create and digitally sign a special version of iOS which is modified in three ways, as specified on page 8 of the court order:

          – iOS can be set to erase its keys after 10 incorrect passcode guesses. The FBI wants software with this feature disabled.
          – iOS imposes increasingly long delays after consecutive incorrect passcode guesses to slow down guessing. The FBI wants software that accepts unlimited guesses with no delays.
          – iOS requires individual passcodes to be typed in by hand. The FBI wants a means to electronically enter passcodes, allowing it to automatically try every possible code quickly”

          The problem with the FBI’s request is twofold. First, the risk of this piece of software getting into unauthorized hands is very high, and the damage that it could do is obvious.

          Second, writing this code would probably encourage more government requests?potentially from other governments around the world. Even if you trust the U.S. government, once this master key is created, governments you don’t trust will surely demand that Apple undermine the security of their citizens as well.”

          1. The problem is that the iPhone 5c hardware and softwrae does not implement PIN code verification securely. PIN codes should be verified in secure hardware, but the iPhone 5c does it in software.

            Apple’s refusal to create a tool to take advantage of that inherent vulnerability does little to improve security. Foreign governments, the NSA, and criminal organizations probably already have tools for bypassing this. It’s a bit of work to do it without Apple’s assistance, but it isn’t that hard either.

            An iPhone 5c with PIN authentication is intrinsically not secure; use a pass phrase or throw it away and get a more recent model.

            As for broader implications of Apple complying with this order: if they win this, it will be a win for security-by-obscurity. It will encourage the misconception that the way to secure our data is to rely on courts and governments respecting legal boundaries. That’s not real security or privacy, it’s a lame excuse for companies that make insecure products.

        3. And while the FBI request was ostensibly limiting itself to its interest in this specific device… any software “Solution” that Apple provided could fairly easily be re-purposed for other devices

          (from same link above)

          ” it would be possible to craft the cracking software to only run on Farook’s phone by checking its hardware ID. The court order was actually quite specific that this is all that is being requested. Many commentators have claimed that binding to a specific phone is “easy”, but again, writing secure software is never easy. For example, it might not be simple for the cracking software to determine for certain which phone it is running on. In this case, one risk would be that the software attempts to only run on Farook’s phone, but there’s a way to modify other phones to fool the cracking software into running on them as well, turning a device-specific key into a master key.”

          As Apple wrote to its customers “while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”

        4. this claim here ?

          “”[my cousins friend’s uncle jimmy who watched fox] noted that the actual order was only asking for Apple to take possession of the phone, open it however they do, dump the data, deliver the data to the Feds.

          Apple keeps for storage or destruction all ways, means and tech they used to break into the phone, as well as the phone itself.”

          Is complete bullshit. See pages 7 and 8 of the court order. They want Apple to provide software specially tooled for them to do their own cracking of the device’s security features. And despite their request it be tailored for the specific device… what they’re asking for could easily be re-purposed.

          1. “Is complete bullshit.”

            A sincere ‘thank you’ G. It is nothing other than bullshit.

            1. As someone else noted in a different context = what he (devil) describes would be useless from a point of law in any case. The state wouldn’t be able to certify that evidence apple provided wasn’t adulterated, wouldn’t be able to certify it was actually from that device, etc. IOW, it would be a violation of basic evidentiary procedure

              that hadn’t occurred to me before, but makes sense from POV of any actual investigative process

          2. How exactly do you think it can be “easily repurposed”? If the phone boots only signed code, then they can make it specific to that phone. If the FBI can circumvent signed booting or modify RAM directly, then they don’t need Apple at all for creating such a tool.

            Furthermore, even if the tool could be repurposed, so what? The problem with the iPhone 5c is that the way it implements PIN numbers is fundamentally broken so PINs are never secure on that phone, with or without Apple’s help. Asking for Apple’s help makes sense for the FBI because it saves them a bit of work. It’s pretty much a given that both spy agencies and crooks already have tools for breaking into that phone.

            If you care about security, throw away your iPhone 5c and get a new iPhone.

        5. Well, if “Mike something” said it on some show you think you remember, it must be true!

        6. DevilDocNowCiv|2.23.16 @ 10:32PM|#
          “…Apple keeps for storage or destruction all ways, means and tech they used to break into the phone, as well as the phone itself.”

          And you are the source for us to know this because?
          You work for the gummit? You’re a statist who lies?

  2. Magic words doctrine. Can’t make them say “open sesame”. Dubious.

  3. If we hadn’t allowed people the freedom to have cell phones we wouldn’t be in this mess.

    1. As Tony would point out, this isn’t a problem in North Korea.

      1. The Norks do have this problem. People are finding ways to get their hands on all manner of tech.

      2. “All your fones are belong to us.”

  4. “The attorney told the Times that they are going to argue that the judge overreached in the application of the All Writs Law in her order…”

    Which is basically the same argument the EFF summarized last October

    ” the All Writs Act is not a backdoor to bypass other laws. … Reengineering iOS and breaking any number of Apple’s promises to its customers is the definition of an unreasonable burden. As the Ninth Circuit put it in a case interpreting technical assistance… private companies’ obligations to assist the government have “not extended to circumstances in which there is a complete disruption of a service they offer to a customer as part of their business.” What’s more, such an order would be unconstitutional. Code is speech, and forcing Apple to push backdoored updates would constitute “compelled speech” in violation of the First Amendment… Apple’s choice to offer device encryption controlled entirely by the user is both entirely legal and in line with the expert consensus on security best practices. It would be wrong-headed for Congress to require third-party access to encrypted devices, but unless it does, Apple can’t be forced to do so under the All Writs Act.””

    Again – i think people need to be reminded that this legal fight isn’t “new” in any way. The Govt is using ‘terrorism’ as a lever here to get what they’ve been demanding for years.

    1. Like the Patriot Act and CISPA, etc. They were just waiting around for an excuse to be introduced.

    2. FBI response:

      “If the Secretary of State doesn’t need secure email, civilians don’t need secure phones.”

    3. But the user is the San Bernardino county government.

    4. The EFF quote is highly misleading. When it talks about “reengineering iOS”, what that means is a one line change. And when it talks about “pushing backdoor updates”, it sounds like they are being forced to install backdoors on all iPhones, but what it means is download the firmware to exactly one phone, the one being analyzed forensically.

      And at issue isn’t “Apple’s choice to offer device encryption controlled entirely by the user”, something that I strongly defend, it is their failure to implement device encryption correctly.

      If you want a phone where you control device encryption, don’t get an iPhone 5c; it is broken. Apple’s refusal to cooperate with the FBI doesn’t change that and is a feeble attempt at covering their ass and achieving security through obscurity. The iPhone 7 apparently fixes these problems (the iPhone 6 may as well), so just upgrade.

      1. “don’t get an iPhone 5c; it is broken”

        i see you getting hung up on this in several of your posts….. first, how is an imperfect security system an argument for breaking what functionality it has? (if the government want to steal my truck, is the fact that it leaks oil compelling evidence that i must give it to them?) second, if it is so flawed, then why do they need apple?

        “but what it means is download the firmware to exactly one phone, the one being analyzed forensically.”

        a process that would be very easy to replicate,once designed. take your “single purpose” firmware code, and change the bit that correlates to phone id. either through the precedent being set, and apple being forced to do it for other cases (just saw an article that there are 9 others already), or through the code being leaked (almost an eventuality), this would result in compromised security on other phones. (that would have been protected, even if not “perfectly”, before)

        1. first, how is an imperfect security system an argument for breaking what functionality it has?

          I’m not making an argument for or against “breaking what functionality it has”; I really couldn’t care less what happens to this particular iPhone or iPhone users in general.

          I’m saying that Apple’s reasoning is bullshit: they are covering their asses, obfuscating the issues, and advocating security through obscurity. If Apple’s arguments are accepted as valid by the public and the legal system, it hurts everybody’s security and privacy in the long run.

          second, if it is so flawed, then why do they need apple?

          They probably don’t “need” Apple; going through Apple is a convenience. They could take out an in-circuit debugger and get a forensic expert to work on this for a few weeks, and develop a procedure to do this themselves. It would be costly, and it would make unlocking each iPhone more costly, but it is feasible. And while the FBI may not have done that, you can be sure that other US and foreign government agencies have.

          a process that would be very easy to replicate,once designed. take your “single purpose” firmware code, and change the bit that correlates to phone id

          Then the code wouldn’t be signed anymore and couldn’t be booted anymore.

  5. Apple can also use the 13th Amendment as support — “Neither slavery nor involuntary servitude, except as a punishment for crime whereof the party shall have been duly convicted, shall exist within the United States, or any place subject to their jurisdiction.”

    Apple has not committed a crime and therefore cannot be pressed (involuntary servitude) to perform such work.

    1. It’s a tax!

      1. Or is it a penalty? Who can tell?

    2. Refusing to serve voluntarily is a crime, punishable by involuntary servitude.

    3. Well, traditionally citizens can be pressed into helping to beat or kill criminals without it being taken as involuntary servitude. One could analogise to this. I think it would be wrong, as there’s something fundamentally different between subduing a rampaging violator and performing valuable labour.

    4. What the court is ordering Apple to do is probably less work than going into a file room and searching for a paper file, something they can certainly do and do frequently.

  6. Why fuck around with some long ass letter? Just say no. Or say nothing and do nothing. Fuck you.

  7. The Golden State Warriors are having one of the best seasons in NBA history and yet they can’t shake the elderly Tim Duncan led Spurs who are only 3.5 games back.

    They’re the teams that should play for the championship. Not one of them versus whatever crud limps out of the East.

      1. Jealous or envious? And what of?

    1. Agreed. Take the 16 best records in the Nba, regardless of division, and re-seed them for the tournament. Some years, one conference nay be underrepresented, but oh well. The East sucked donkey dicks last year, and didnt deserve playoff slots.

      1. All the leagues should do this. In the NFL winning your division shouldn’t be an automatic trip to the post season.

        1. I know. Texans and Redskins, right? It’s annoying to have to watch an 11-5 side lose out to a 9-7 team because of the weight given to divisions.

          1. Reward such a team with a higher draft pick though. Gives them something at least.

        2. All of the major sports leagues have unbalanced schedules, so simply comparing records between. teams in different conferences is not apples to apples. This is especially true in the NFL where any given team only plays 11 out of the other 31 clubs in a given season.

    2. In a league with 30 teams only three teams (GS, Spurs, Cavs) have a legit shot at the title.

      1. I don’t think the Cavs even have a shot. I’m not sure the Cavs can qin the East.

        1. Are you saying Toronto can take the east because I don’t see a whole lot there.

          1. I don’t see much either. But Cleveland isn’t really impressing me either. Could Cleveland lose to Toronto? Yes. Hell, I could see the Cavs lose in round 1 or 2. They’re not good.

      2. Conversely, no one has any idea who will win the World Series this year because of how shockingly balanced and competitive the MLB has become in recent years. Going to be awesome.

        1. Adding playoff spots gave teams a reason to play hard through the season.

  8. Appears to be a shit-show going on in Nevada – Trump has apparently complained about Rubio poll watchers illegally using their phones to take pictures in the polling places. The pictures they’re taking are of the elections workers wearing Trump T-shirts and caps and pins.

    1. Just wait until Trump wins the caucuses with 104% of the votes to Rubio’s 3%!

      1. Rubio, nice guy but so low energy! Sad!

      2. You’ll eventually get tired of winning so much.

        1. I think I just realize now why all those African and Asian tyrants win elections with 92% of the vote. Gotta keep raising the bar!

    2. Those photo-takers are traitors no different than Edward Snowden.

    3. I haven’t tested the waters, but it strikes me from my times in Nevada of the past that Rubio wouldn’t stand much of a chance, unless people were voting him as a surrogate “No”.

  9. “Their public position is that any tool Apple creates to help break the security of a phone could be subsequently replicated, either by government demand or if it somehow got out of Apple’s control and were reverse-engineered.”

    “Could” is not the proper adverb. It’s “will” [be replicated by the government].

    1. The government can reverse engineer how to reset the PIN count from other iPhones; they don’t need the modified firmware from Apple. Asking Apple for their help is a convenience, not a necessity.

      It would be astounding if the NSA couldn’t already do this. In fact, it would be astounding if the NSA didn’t already have both Apple’s source code and their signing keys. But the NSA just doesn’t like to show its capabilities in court.

      The source of the security problem is the design problem in Apple’s iPhone 5c (and other older iPhones). Apple’s refusal to cooperate with the FBI is an attempt at security-through-obscurity, but such approaches don’t work. If you care about security, the only option you have is to throw away your old iPhone and get a new one; it sounds like Apple fixed this problem in the iPhone 7.

      1. “Asking Apple for their help is a convenience, not a necessity”

        they are not asking… they are ordering.

  10. Apple uses AES 256 bit encryption for which the algorithms are publicly available. The strength of the encryption is in the number of possible passwords that would have to be tried to crack it. A password length of 8 characters that may include upper case, lower case, numbers, and special characters would have 6.6 x 10^15 possible passwords. If you could manage to try 10 million passwords per second it would take 21 years to go through all the possible passwords. OTOH, if the password were only 4 characters they could crack it in about 8 seconds.
    .

    For lawyers this is all magic, and in their mind, a court order is sufficient to crack the code. I suspect the higher ups at the FBI operate under the myth that if you know how something works then you should be able to circumvent the security. This is equivalent to thinking that knowing how the lottery works helps you pick the winning number.

    1. “If you could manage to try 10 million passwords per second it would take 21 years to go through all the possible passwords. OTOH, if the password were only 4 characters they could crack it in about 8 seconds.”

      No techy here, but as I understand it, there is a self-destruct feature that locks all data if you try X times and fail.
      I, for one welcome our new Apple overlords as opposed to our current, slimy gov’t ditto.

      1. No techy here, but as I understand it, there is a self-destruct feature that locks all data if you try X times and fail.

        There is a feature to erase all the data after 10 failed attempts but it may or may not be set to on.

        1. Which is exactly the point:

          “A password length of 8 characters that may include upper case, lower case, numbers, and special characters would have 6.6 x 10^15 possible passwords. If you could manage to try 10 million passwords per second it would take 21 years to go through all the possible passwords. ”

          After 5 minutes, you can forget it, or if it’s not, the gummint can do it.

    2. Your description is half right, but you’re confusing PIN numbers and passwords. Passwords are intended to be secure against brute force attacks, since an attacker can keep trying different passwords. PIN numbers are not intended to be secure against brute force attacks because they are verified in hardware and you only get a small number of tries.

      The phone in question seems to be protected by a PIN number. The problem is that on the iPhone 5c, the number of tries can apparently be reset in software, which allows an attacker to brute force the PIN number. That is a design flaw; for a PIN number, the number of tries should not be resettable in software, not even for the manufacturer.

      The court order is for Apple to provide a version of their firmware that disables the limit on the number of PIN entry attempts. That’s an easy thing for Apple to provide and it is effective. The FBI could get around the limit in other ways, but it would be a lot more work and probably not worth it for this phone. And the NSA almost certainly can disable the limit already and probably has Apple’s source code and signing key, which is why Apple’s posturing doesn’t actually protect anybody.

      1. Your description is half right, but you’re confusing PIN numbers and passwords.

        Apple calls it “Passcode” as it can be alpha numeric if the user so chooses. It is a password by any reasonable definition of the word so the chances of success at brute forcing the “Passcode” is dependent on the strength of the “Passcode”. OTOH, a PIN is limited to numeric characters which is clearly not what the “Passcode” is.

        The court order is for Apple to provide a version of their firmware that disables the limit on the number of PIN entry attempts.

        The iPhone allows the Passcode to be alphanumeric which, after checking my iPhone also allows special characters which means there are 95 possible characters. If the phone in question has a passcode of 8 alphanumeric characters (including special characters) bypassing the limit on the number of tries will likely be futile as the number of possible passwords makes brute force cracking unlikely to succeed.

  11. For fucks sake the phone was NOT owned by Farook! This story has been going on for days and they can’t get that simple fact right.

    1. OK, but does it matter? If so, why?

      1. First it’s basic journalism to present the correct facts. Second the owner, who is not dead, has given permission to retrieve the data.

        1. How would the fact of the phone’s owner have any relevance to Apple’s position? Is it OK for the phone’s owner to compel Apple to break it’s encryption?

          1. Apple’s encryption is already broken, otherwise the FBI couldn’t make this request. The FBI is only asking for assistance, because something that costs Apple ten minutes of effort by an intern with the keys would take an FBI expert a few days and expensive testing hardware without the keys, and that’s not worth it since there is probably little of interest on the phone. You can be that the NSA could get into the phone already if it wanted to.

            1. I don’t think any of that is true. Again they want Apple to circumvent the wipe drive password protection not crack the encryption.

              1. I didn’t say they wanted to “crack” the encryption; I said that their “encryption is broken”. Specifically, the way they handle keys and pins is broken.

                Playing word games isn’t going to change the fact that data on the iPhone 5c isn’t secure when locked with a pin because of a design flaw that that phone has that other phones don’t have.

          2. Apple says it’s protecting the privacy of the owners but in this case the owner has waved any privacy concerns. Obviously a private party can not compel another private party to do anything. I’m not a lawyer but these issues may come in to play.

  12. If the government were trying to do what Apple is claiming, namely “create a device for breaking into iPhones”, the equivalent of machining burglary tools, I’d side with Apple.

    But what the government is actually asking Apple to do should take all of ten minutes and is something Apple does every day: modify a couple of lines of source code, recompile the OS, sign it, and load it onto a specific iPhone. That is a reasonable level of assistance to law enforcement, the equivalent of “go into your file room and retrieve this file” in terms of how burdensome it is. And the reason why the government can demand this is because Apple screwed up on their security.

    Maybe Apple can find a legal way of weaseling out of this, I don’t know. What I do know that this appalling degree of government intrusiveness is possible because Apple built a deficient product, yet they are trying to present this as if they are the good guys that are protecting privacy for the rest of us. Privacy is only safe when tech companies implement security measures correctly. What Apple is saying, namely that we should rely on legal protections instead of technological ones, is idiotic and has been proven over and over not to work: legal protections are worth nothing abroad, and even in the US, government agencies are ignoring them widely.

    Apple: admit your mistake, fix your phones, and move on. Don’t defend bad security with your posturing and legal shenanigans.

  13. Screw the Feds and tha kangaroo courts! They should do their own legwork! In the meantime, everyone should be using full disc or at the very least folder encryption for personal data.

    http://www.Anon-Net.tk

  14. In advance of Apple’s legal team arguments before the magistrate judge, the best technical explanation and arguments in favor of Apple’s stand have come from Jonathan Zdziarski’s blog–he is an independent forensic scientist accepted by courts. http://www.zdziarski.com/blog/ He argues that the FBI is demanding from Apple two things: an instrument that would be accepted by a judge as evidence, and a special data dump of the phone, not just the iCloud backup. In each case the instruments would have to be provided to defense attorneys and independently tested and would inevitably be leaked or reverse engineered. There would be countless demands on Apple from prosecutors of various crimes or fishing expeditions based on no probably cause or strict scrutiny. Then various repressive governments would demand the same. t appears that the FBI is only interested to obtain Apple’s software backdoor for use in further cases and not evidence for national security here. Apple should argue against code as speech under compulsion, but if that is not accepted then some adult in Congress should straighten out the FBI and tell them as Michael Hayden did that strong encryption is essential and FBI backdoors endanger national security and would allow future terrorists to go free when courts did not accept their flawed forensic activities.

Please to post comments

Comments are closed.