Thursday, March 3, 2016

Poisoned Apples & Privacy: Apple vs. the FBI

By B. Lana Guggenheim, Staff Writer

Update: On Monday, March 28, 2016, the US Department of Justice asked the federal judge overseeing the suit to drop the case, as the FBI had found another way to access the iPhone's information without assistance from Apple.

On December 2, 2015, in San Bernardino, CA, Syed Rizwan Farook and his wife, Tashfeen Malik, committed mass murder inspired by Islamic extremist terrorist organizations, having evidently become self-radicalised via the Internet. Neither had a criminal record, nor were they on Terrorist Screening Database lists. But on that day, the two nonetheless killed 14 and injured 22 in a mass shooting and attempted bombing. Since then, there has been a massive investigation underway, which naturally includes the couple’s technology.

The couple had already destroyed their personal phones, but Syed’s employer-provided phone was recovered intact. Apple was handed a warrant for the information the couple stored in the cloud, and the company cooperated. A great deal of information is already in the hands of the FBI; however, not all the data was uploaded to the cloud, particularly the shooter’s online activity in the months immediately leading up to the attack, as well as where they traveled and who they might have contacted just minutes after the attack. The FBI has thus far been unable to unlock the phone, in part due to Apple’s encryption of user data. That encryption was itself developed to foil government surveillance of civilian personal data, an issue that garnered a lot of attention due to Edward Snowden’s whistle-blowing in 2013.

However, the FBI is partially in a mess of its own making; they lost the chance to capture much of that encrypted data when they ordered the password to Farook’s storage in the iCloud be reset shortly after his criminal rampage. They had believed that resetting the password would enable them to access the information stored on the iPhone. Instead, it locked them out and eliminated any other means of getting in. Apple had wanted them to try to connect the phone to a “known” Wi-Fi connection - in other words, one that Farook had used and stored in his phone, as doing so might have recovered some of the information saved to the phone since October, after which it had not been connected to the iCloud. Once connected, the phone would have automatically backed up the data to the Cloud, and Apple would have been able to access it and hand it to the FBI. However, the automatic update would likely not have backed up all relevant data, and thus the FBI asserts they would have been forced to seek Apple’s assistance anyway.

In order to access this information, the FBI has requested that Apple write a program - essentially a crippled version of their iOS software - that would act as a back-door to their own technology, disabling the feature that wipes all data on the phone after 10 incorrect password attempts. This would allow the FBI to use a computer to cycle through any number of PIN combinations, eventually hitting the correct one to unlock the phone, a process that would take less than half an hour were Apple to provide the back-door as requested. Though the FBI told Apple that the key they demand from them would be for this one application only, James B. Comey Jr., the director of the FBI, admitted that “of course” they would seek to unlock other encrypted phones were they to prevail in the San Bernardino case.

Apple has refused to cooperate, with its CEO Timothy D. Cook arguing that this would set a dangerous legal precedent for all user privacy, as such a program could be used against any and all Apple users, whether in the hands of the US government, foreign governments, or bad actors. Apple attorney Marc Zwillinger states that “This case is about the Department of Justice and the FBI seeking through the courts a dangerous power that Congress and the American people have withheld: the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe.”

Several other tech companies have also voiced their concerns about creating such encryption-breaking back-doors for the government. Speaking at a congressional hearing last week, Microsoft’s president and chief legal officer Brad Smith said “We at Microsoft support Apple and will be filing an amicus brief next week.” An amicus brief, or amicus curiae, literally “friend of the court,” allows someone not party to a case to offer information that bears on said case, even if it has not been solicited by any of the parties involved. “My experience in security technology tells me that the creation of the firmware….would give enough blueprint for the government (and the hackers who have demonstrated proficiency at hacking government) to exploit millions of other iPhones,” wrote Pravin Kothari, CEO of cloud security specialist CipherCloud in a statement emailed to Fox News. Some legal analysts say this is a “Pandora’s box” of unknowns. “If a court has the power to order a third party like Apple to devise software that it does not already possess [to aid in surveillance], what can’t a court order a company to do?” asks Stephen Vladeck, a law professor at American University. “There’s a real search for a limiting principle here that we haven’t identified.”

The FBI says they are requesting custom software that would apply to only that device, and offered to let Apple install the program itself to ensure it doesn’t leave Apple’s campus. But while that proposal seems to ensure the containment of the code, in practice, once the code is created, it is only a matter of time until it leaks - whether through incompetence by the ones holding it, or from being targeted by hackers. Andy Sellars, a lawyer specializing in technology issues at the Cyberlaw Clinic at Harvard Law School, says that “the privacy benefit right now comes from the fact that nobody knows how to do this. Not Apple, not the FBI, and we think not the NSA...As soon as Apple does this, there’s no way this wouldn’t get out, be stolen, be leaked. There is no way that would stay a secret.” Apple’s lawyers write that “given the millions of iPhones in use and the value of the data on them, criminals, terrorists, and hackers will no doubt view the code as a major prize and can be expected to go to considerable lengths to steal it, risking the security, safety, and privacy of customers whose lives are chronicled on their phones.” Nor would the security breaches be limited to Apple technology. “In the meantime...criminals will continue to use other encryption technologies, while the law-abiding public endures these threats to their security and personal liberties,” they write, adding that this is an “especially perverse form of unilateral disarmament in the war on terror and crime.” Apple contends that heeding the FBI’s request will result in less security, not more, and very quickly at that.

But the government counters that the public safety is at stake. This case of domestic terrorism resulted in more deaths than any other case since 9/11. New York City Police Commissioner William J. Bratton said the government’s requests are reasonable, especially in a case that has ties to the so-called Islamic State, or ISIL, as this case seems to. “No device, no car, and no apartment should be beyond the reach of a court-ordered search warrant. As the threats from ISIL become more divergent and complex, we cannot give those seeking to harm us additional tools to keep their activity secret,” he said. The NYPD’s Counterterrorism Bureau says that phones that can’t be cracked leave the city and country at large vulnerable to terrorists and criminals. “Do we want to create an army of devices where they are impenetrable to a search warrant signed by a court?” said NYPD Deputy Commissioner for Counterterrorism and Intelligence John Miller. “It should probably be decided by someone other than just Apple.”

In order to force compliance from Apple, the FBI invoked the All Writs Act of 1789. This Act allows the courts to compel people to perform actions within the limit of the law, so long as it is not unduly burdensome. It is a vaguely worded piece of legal literature, and as such is open to constant re-interpretation. The government has used this Act before to gather information from phone companies. In 1977, they forced New York Telephone Co. to give them technical assistance in accessing phone calling records. The phone company cited undue burden in order to deny the government this assistance, but the Supreme Court ultimately ruled that the phone company could be compelled to assist as it was already collecting this information itself for business purposes, such as billing customers, detecting fraud, and troubleshooting. The government used the Act again more recently, linking it to the Wireless Communications and Public Safety Act in 1999, when it required all cellphone providers to be able to geo-locate their customers’ phones. However, the Act has its limits. For example, a federal judge ruled in 2005 that the Act could not be used to force a phone company to allow real-time tracking of a phone without a warrant.

Nor is this the first time Apple has refused to comply with a request for information. In a currently active criminal investigation in Brooklyn, New York, Apple has refused to comply with the FBI and the All Writs Act in unlocking an iPhone 5s that the DEA (Drug Enforcement Agency) had seized in a drug investigation, belonging to one Jun Feng, who was suspected of drug trafficking. In fact, Apple has been involved in nine cases since October, including two in Manhattan and the aforementioned one in Brooklyn, the latter involving two phones. But on February 29th, New York federal magistrate Judge Orenstein ruled that Apple did not have to comply with the FBI’s request. Though this ruling isn’t legally binding in regards to the San Bernardino case, it may wield some influence. But Attorney General Loretta Lynch has agreed with California federal magistrate Sheri Pym in defending the government’s demands that Apple assist the FBI (though she did not mention the company by name), saying this legal battle shows how encryption is a real threat to law enforcement and that judges do indeed have the authority to direct third parties to assist the government in gathering evidence.

Apple argues in both cases that rendering this assistance and delivering such a back-door code would be unduly burdensome for them, as it would severely harm their reputation, and thus cause them significant economic harm, thereby putting the FBI’s request outside the jurisdiction covered by the All Writs Act. The FBI counters that writing code is part of Apple’s normal set of activities, and therefore is not burdensome. But Apple is also citing their First Amendment rights, as code is legally recognized as a form of speech, and therefore is protected as such. Apple asserts that being forced to write new software would be an act of “compelled speech and viewpoint discrimination,” which is indeed outlawed by the First Amendment. And, were they to do this, the government could demand Apple do it again, including writing code to turn on the microphone, activate the video camera, record conversations, and turn on location services to track a phone user - and that last one is already illegal without a warrant.

Apple is also citing their Fifth Amendment rights to due process. In Apple’s own words, the FBI, by “conscripting a private party with an extraordinarily attenuated connection to the crime to do the government’s bidding in a way that is statutorily unauthorized, highly burdensome, and contrary to the party’s core principles, violates Apple’s substantive due process right to be free from ‘arbitrary deprivation of its liberty by the government.’” While Constitutional arguments are not likely to be relied upon this early in the case, given the large likelihood this will move to an appeals court and further, “Apple needs to include all of its arguments in the lower court if it wants to raise them again in a higher court,” said Larry Downes, project director at the Georgetown Center for Business and Public Policy.

To complicate matters further, both Apple and the FBI have asked Congress to step in and settle the question of when and how law enforcement can get access to citizens’ private data. Professor Joel Reidenberg from Fordham University’s Center on Law and Information Policy agrees. “Congress really ought to be doing [this] rather than a magistrate judge in Brooklyn, a magistrate judge in California, [and] a couple judges here or there. It is really a national policy choice,” he said.

Policymakers say they want a compromise between the two, but that isn’t exactly possible. House Homeland Security Committee Chairman Michael McCaul (R-TX) and Senator Mark Warner (D-VA), a member of the Senate Intelligence Committee, have proposed a national commission on security and technology challenges, modeled on the panel Congress formed to investigate the security and intelligence failures before 9/11, which would bring together experts such as law enforcement officials, cryptographers, and technology company representatives, to develop viable recommendations on how to balance both security and privacy concerns, which are now so at odds.

But it is hard to envision a way to selectively undo encryption protections without doing away with the concept of having encryption entirely. “Either Apple weakens security or they do not,” says Bruce Schneier, a cryptography and security expert. That Apple even can work around their own encryption, even if it is with difficulty, intimates that their iOS software is more vulnerable than any of us might wish to admit. However, as technology continues to evolve, future versions might be more secure and prevent the work-around that the FBI is demanding Apple provide.

The court has set a deadline of March 10 for the government to respond to Apple, and a hearing is scheduled for March 22 in the US District Court of Central California. Whenever Magistrate Sheri Pym delivers her decision, the case will be appealed no matter the ruling. If the magistrate rules in the government’s favor, as she did in February, and Apple refuses to comply, the government can ask the court to fine Apple. This was a strong-arming tactic used in 2008 against Yahoo after they fought a court order to hand over data under NSA’s PRISM program, and the government threatened Yahoo with a $250,000 daily fine if they refused to comply. But Apple CEO Tim Cook said he is willing to take this fight right to the top - the Supreme Court. Apple has already hired the renowned Washington attorney Ted Olson, a man who earned his fame when he successfully represented former President George W. Bush in his Supreme Court battle of Bush vs. Gore, in which he won Bush the 2000 presidential election.

Ultimately, this case will not be settled soon, and we can look forward to a period of bitter litigation. Privacy and civil liberties have tangled with national security needs before, though the tension between the two has escalated since 9/11. But as society continues to become ever more dominated by rapidly evolving and invasive technology, both our security and privacy needs will change - likely faster than the law can keep up. The results of this case will set the tone for much future litigation on the issue, as well as for our control over our own data, which is private for now.

Images courtesy of Shutterstock.

