Apple and Justice Dept. Trade Barbs in iPhone Privacy Case
SAN FRANCISCO - Apple on Tuesday emphasized its opposition to a court order requiring it to help unlock an iPhone for law enforcement purposes, saying in a new legal brief that the government's "methods for achieving its objectives are contrary to the rule of law, the democratic process and the rights of the American people."
The company's argument quickly drew a response from the Justice Department, which upbraided Apple for trying to stand above the law. "The Constitution and the three branches of the federal government should be entrusted to strike the balance between each citizen's right to privacy," a Justice Department spokeswoman, Emily Pierce, said in a statement. "The Constitution and the laws of the United States do not vest that power in a single corporation."
The company said a ruling on unlocking the phone of a gunman in a mass shooting had to take into account the national debate over data privacy.
I suppose that reporters at The Old Gray Lady have to dumb-down their stories for the eighth-grade level that is now the de facto standard for television news, but this is the kind of event that brings out all the boogeymen of the journalist's profession -
It's complicated - and so much so that college graduates have trouble understanding it.
There aren't enough heroes.
There is no clear-cut villain.
As usual, Bruce Schneier has done a better job at explaining the technical dilemma in his monthly security blog:
My take on this is less kind than Mr. Schneier's: this isn't about "security". IMNSHO, it is bare-knuckle election-year politics at its worst, with the FBI (always the best and most aggressive self-promoter of all the federal agencies) seeking to press-gang Apple into giving it the software it can use to "brute force" (an appropriate metaphor in this case) any password on any Apple iOS 8 device that it may come across in the future.
There's no surprise in that, as distasteful as it seems to me: as a ham radio operator, I've seen first hand how the Red Cross takes every opportunity to put its brand in the public eye, while disappearing any competing organization's name, such as that of the Amateur Radio Emergency Service (ARES). Although the head of the Red Cross enjoys a princely salary and benefits to perform the job of providing emergency services, its primary focus during disasters seems to be to keep the serfs - I mean volunteers - from ever doing anything that distracts from the public image which the Red Cross seeks to project.
However, and as much as it may anger me that these civil servants are primarily interested in lining their own pockets instead of doing good for the citizenry, there remains the very real, and important, debate about what the Hooverites are up to, and neither the New York Times, nor any other publication I've read, seems to be contributing anything to that debate.
For the Telecom Digest readership - a group with (no joke) above-average intelligence - I'll set out the events as I understand them.
1. A county government in one of the United States issued an Apple iPhone to an employee.
2. The employee who had that phone was accused, post-mortem, of a crime.
3. An employee of that county government used remote-access software to reset the password of the iPhone in question. This is common practice for devices issued to employees by their employer: most companies have the capability, for use when employees forget their password, lose their phone, or report it stolen.
   A. I do not know if the FBI has access to the password the county government which owns the iPhone set by remote control.
   B. I do not know why the FBI has not used that password if it has access to it.
4. The Federal Bureau of Investigation subsequently sought Apple's help in order to access the information on the iPhone which was used by the alleged terrorist.
5. In order to comply with the FBI's writ, which I, as a non-lawyer, understand to be a decree of specific performance issued by a court, Apple would have to create and turn over to the FBI a custom version of its iOS 8 Operating System, one without the security protections that prevent brute-force attacks on the password.
   A. Although NSA experts could probably reverse-engineer the iOS 8 software to provide a special version of iOS 8 for use in retrieving the data, the iPhone will not run a version of the operating system which has not been digitally signed by Apple.
   B. It is possible that the NSA already has the code-signing key that would be needed, but (as Mr. Schneier pointed out) they may be unwilling to admit it, since that capability is invaluable to an agency charged with decrypting secret information in the hands of foreign governments or other actors.
   C. The FBI may be reluctant to admit that its highly publicized laboratories can't do the job in-house.
   D. The custom-made software, if created, signed, and surrendered to the FBI by Apple, could be used to attack, but not always decrypt, the information on any iPhone running iOS 8.
   E. "Dictionary" attacks have long been the first line of offense in the codebreaker's arsenal, and if the FBI were to gain access to the NSA's legendary library of dictionaries (which are reported to contain every word in every known language, plus common misspellings and "leetspeak" variants), the feds could gain access to somewhere between 70 and 99% of the iPhones they come across.
6. No matter what the outcome of this case, Apple is obviously concerned about the precedent which would result if it is forced to comply with the FBI's writ.
   A. It's a lot easier for investigators to say that a manufacturer decoded encrypted data than to admit that they or some other government agency was able to obtain it, especially if the public realized that they routinely do so.
   B. Having forced Apple to comply once, the FBI will probably expect Apple (and other providers of encryption software or hardware) to continue to do so, ad infinitum.
   C. Apple, not the government, would pay the cost of lost sales, competitive advantage, and reputation which would follow from users realizing that their "secure" information is subject to search without warrant or appeal.
Copyright (C) 2016 E.W. Horne. All Rights Reserved.
I think companies which distribute iPhones have the ability to reset passwords via remote access. They also have the capability to "brick" a phone, but I don't know the specifics, only that it has happened, to BYOD users who didn't realize that they were giving up that much control to their employers.
It's logical to expect that remote password-reset capability would be included in the remote-management software, since no employer would want their IT staff working on BYOD hardware directly, and because it would give them the capability to outsource their IT password-reset function, both for BYOD and corporate iPhones.
Of course, in the Apple v. FBI matter, the question is whether the IT staff (of the county government which owns the device) acted to reset the password, or to brick the device. If the former, the FBI could ask them for the new password and be done; the latter case, however, gets a lot more complicated, since the FBI won't want to risk turning the phone on outside a Faraday cage, and might even have demanded that the one-off iOS 8 version they want from Apple be written so as to disable any remote software management capability and/or the cellular radio.
There are wheels within the wheels here: I think the FBI is trying to brute-force both the password assigned to a single iPhone, and the complicity of U.S. corporations in installing a software version of the "Clipper chip" through a legal back door.
It's also possible that both Apple and the FBI are content to get free publicity that makes each appear to be interested in truth, justice, and the American Way - without changing anything.