The Real Stakes of Apple’s Fight With the FBI

On Tuesday, the government obtained a court order compelling Apple to hack into an iPhone as part of the FBI’s investigation into the San Bernardino shooters. While the government’s investigation is an important one, the legal order it has obtained crosses a dangerous line: It conscripts Apple into government service and forces it to design and build what is, in effect, a master key that could be used as a mold to weaken the security of an untold number of iPhones.

The resulting order is not only unconstitutional, but risks setting a precedent that would fundamentally undermine the security of all devices, not just the one iPhone being debated in the news.

A bit of background is necessary to understand this debate.

As part of its investigation, the FBI has apparently obtained an iPhone 5C used by one of the shooters. The bureau has said that the phone is encrypted and protected by a passcode, and that it needs Apple’s assistance to unlock the phone. Specifically, it has asked Apple to design and write custom software that would disable several security features on the phone.

While Apple has generally cooperated in the investigation, it has refused the FBI’s latest demand to write malware that would help the FBI hack the device. To its credit, Apple has poured incredible resources into securing its mobile devices. One consequence of that effort is that Apple does not have a ready way of breaking into its customers’ devices. In the words of Apple’s CEO, Tim Cook: “We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.”

But the FBI is dismissive of that effort. According to its legal filing, the FBI believes that Apple could, if compelled, build a master key that would allow the FBI to try to break into iPhones like the one involved in the San Bernardino investigation. The FBI acknowledges that this would require Apple to write new software and then cryptographically “sign” that software (as the iPhone will accept only software updates signed by Apple).

A federal magistrate judge granted the FBI’s request the same day, but it gave Apple five days to object. Again to its credit, Apple has vowed to fight.

It is critically important that Apple win—for cybersecurity and for the fate of privacy in the digital age—for several reasons.

First, the government’s legal theory is unbounded and dangerous. The government believes it has the legal authority to force Apple into government service, even though the company does not actually possess the information the government is after. Of course, historically, the government has sought and obtained assistance from tech companies and others in criminal investigations—but only in obtaining information or evidence the companies already have access to.

The difference between those cases and Apple’s is a radical one. If Apple and other tech companies—whose devices we all rely upon to store incredibly private information—can be forced to hack into their customers’ devices, then it’s hard to imagine how any company could actually offer its consumers a secure product. And once a company has been forced to build a backdoor into its products, there’s no way to ensure that it’s only used by our government, as opposed to repressive regimes, cybercriminals or industrial spies.

Second, this debate is not about one phone—it’s about every phone. And it’s about every device manufactured by a U.S. company. If the government gets its way, then every device—your mobile phone, tablet or laptop—will carry with it an implicit warning from its manufacturer: “Sorry, but we might be forced to hack you.”

Some might accept that risk if it were possible to limit access to legitimate governmental purposes, overseen by a judge. But as Apple’s Cook points out, backdoors are uniquely dangerous: “Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.”

That risk is only growing every day as the “Internet of Things” expands. For the government, every device connected to the Internet will be more than just a novel convenience—it will be a new window into your home. The fridge that responds to your verbal commands might have a backdoor to allow for remote listening. The TV that allows you to video chat with your family might be commandeered into a ready-made spy camera.

These are the real stakes of the debate: Either American companies are allowed to offer secure products to their consumers, or the U.S. government is allowed to force those companies to break the security of their products, opening the door for malicious hackers and foreign intelligence agencies alike. For the sake of both our privacy and our security, the choice is clear.

This post was originally published by Time.

View comments (73)
Read the Terms of Use

Anonymous II

I hear your frustration about losing your job after so many years. I honestly get how much that sucks. But, please, hear me out as to why I think your anger is misdirected. Over the last few decades and especially when the Supreme Court passed Citizens United, the US turned a dangerous corner. Corporations are now granted the power of people. Now, huge corps, maybe like your ex-employer, can give millions to politicians for their campaigns, so can the billionaires of industry and Wall Street. Now, funds, amounting to legal bribery Corporations are making sure laws, regulations and everything that in the past would have kept your job secure has been eliminated by the bribes politicians have taken for favors, meaning enacting legislation that allows corporations to do whatever they want to. These bribes are rampant in the oil and gas industries (They are the ones paying Rep's to deny climate change.) Pharmaceutical, Agrifarming and many, many others. A good article you might enjoy on this topic is one about the infamous Koch brothers. It's the main article in the 6/24/2014 Rolling Stone.
Again, I am sorry for your hardship. But, only by educating ourselves can we truly defend ourselves from the greed and corruption.

Fanning

When that day comes, and ACLU staffers and lawyers are killed, It will almost certainly be by Government not by individuals.
The right to bear arms stems from our founding fathers understanding of the need to protect our citizens from a tyrannical government, more than from each other.

wrs

I think that the ACLU's analysis is entirely correct, and the article was kind to the FBI, since it didn't mention the FBI screw-up related to the iCloud password reset. The FBI has urged the Americans people to support a request that is unconscionable, while using the imminent threat of terrorism to provoke our support. A powerful man once said that the people "can always be brought to the bidding of the leaders. This is easy. All you have to do is tell them they are being attacked, and denounce the pacifists for lack of patriotism and for exposing the country to danger. It works the same in every country." That man had already proved himself correct when he made that observation to Gustave Gilbert, at the Nuremburg Trials. That man was Hermann Georing.

Chris W.

I strongly commend Apple for fighting back against the US governments overreach. Smartphones are valuable personal data storage tools used to make a consumer's private life easier and more productive as he or she accomplishes everyday tasks. The government should not be setting precedent to reduce the protection of such valuable tools, but should be advocating even stronger privacy protection of consumers. I acknowledge the need for supporting our hard working law enforcement in keeping all of us safer, but there must be an alternative way to balance their needs with the equally valid need for privacy. Forcing a US company to create a backdoor that could intentionally or negligently be leaked by the US government and used by any government, business, or criminal entity to spy on, market products to, or commit identity fraud on all of us is not in keeping with our fundamental right to privacy under the Constitution. As a husband, father, and veteran I want to be safe from terrorism just like everyone else, but not in return for an unlimited invasion of my privacy. I have stood on the front lines and protected democracy, I think it is time the government should do the same for my privacy. The government needs to find another way to get at the criminal evidence they need while upholding all law abiding consumers rights to privacy. ACLU I hope and pray as a donor that you will become amicus curiae in this matter and write a amicus brief as it is that important to all of our privacy rights.

Lois White Buffalo

in response to "once again an overreaction by ACLU," it should be stated that once again there is one and only one organization standing between us and the wanna be SAVAK US GOV, that is to say precisely the ACLU.

We need more ACLUs, in every neighborhood, and only in this manner will we become truly safe from "terrorism". As Geronimo put it; we savages have been working for homeland security and fighting terrorism since 1492.!!!!

White Buffalo anon

Anonymous

Many of the "CoinTelPro" felony crimes perpetrated by FBI agents from the 1950's until to it's end (supposedly in the 1970's) could still be criminally prosecuted today. What is missing today is a deterrent against these types of law breakers. The ACLU warned us about a climate worse than CoinTelPro in October 2001 (just one month after 9/11).

If FBI agents that participated in CoinTelPro felonies had been criminally prosecuted in the 1970's after the Church Committee Reports, there would have been a strong deterrent from 2001 until today.

There are no statute of limitations for these types of Vietnam era war crimes against American citizens and surviving FBI officials could be criminally prosecuted as they were in the Fred Hampton assassination case.

The ACLU should force the Attorney General to appoint a special prosecutor to create that deterrent affect against some (not all) FBI agents that perpetrate felonies and war crimes under color of law.

g.felder.

i can't determine whether I am yet under a watch list , but I do know that i was up to about 10 years ago-due to civil rights and anti-war activities. I never did anything unlawful . I worked for the Telco at an earlier time(55-68) and found the wire tap in the Central office that I was assigned. the point being that the faith that we place in many to the Corps we trust is mis-placed! Its all about the Money all the time. The legal protections for violating our privacy are rarely protected unless you have very deep pockets!

Bob English

While I agree with both the ACLU and Apple that this use of the All Writs Act is dangerous and deserves to be fought, I find the PR campaign raising the specter of a Master Key exposing all Apple devices to hackers reprehensible. The only Master Key in this case is Apple's software update process. Signing a version of iOS without the retry limit does no more to expose other iPhones to hacking than any other release of iOS. If signing an image were sufficient to create a Master Key, the FBI wouldn't be asking for Apple's help.

I've been an Apple customer and an ACLU member for decades, but that support doesn't extend to misrepresentations or incompetence.

Alex A.

Bob,

Thank you so much for your thoughtful response.

I understand your technical point, but here’s why I think it is fair to call what the government is asking for from Apple “in effect, a master key that could be used as a mold to weaken the security of an untold number of iPhones.” (This is quoted from the first paragraph of my piece.)

For Apple to comply with the government’s request, two things would need to happen, both of which I think are, effectively, master keys:

1 – Apple would need to create a modified version of its iOS that disables certain security features. Although we don’t know the full technical details yet from Apple, let’s assume that it can limit the use of that modified version to a single iPhone (in other words, let’s assume that the cryptographic signature covers the portion of the code that checks to make sure that the phone being updated is the one phone in question).

This modified version is, “in effect, a master key” that can be used as a “mold” to break into other iPhones, because it would require very little modification by Apple to make it deployable against the next phone of interest to law enforcement. And so, once Apple creates it, other law-enforcement agencies will undoubtedly come knocking.

Which gets me to my second point:

2 – The government would need to prevail on its legal theory that the All Writs Act permits an order compelling companies to hack into their users’ devices (and it would need to overcome our constitutional objections). The legal precedent that the government is after is, in a very important way, the “master key” it wants. Because once it has this precedent, it’s hard to imagine how any company could design a device secure enough to withstand even its own compelled efforts at hacking it. Perhaps that is theoretically possible (and on that point, I defer to actual security researchers), but it is unquestionably very hard.

Imagine, for example, a government order compelling a company to send your phone a software update that breaks key security features on your device.

That legal authority is the ultimate backdoor or master key or whatever you want to call it. And it’s what worries me most about the government’s request in this case.

***

Now, I imagine you probably do not disagree with me about either of these two points, but you don’t think that either of them amounts to a “master key” that a hacker can get at. I guess I’m not as confident that, once these tools are built, companies can forever shield them from attack. It is one thing to protect a signing key; it is quite another to protect a division of your company that has been set up to hack into customers’ devices in response to what will surely become hundreds of law-enforcement requests every year.

Thanks, again, for your thoughtful response and for advancing the conversation. I can’t promise I’ll have time to respond to your reply to this, if any, but I’ll do my best.

Alex Abdo
Staff Attorney
ACLU

FreedomRydr

I agree that Apple should NOT provide a 'backdoor' to access private information carte blanche, however, I think that if technically possible, they should provide any and all information on this particular phone, as it is imperative for potential future attacks. The phone owner, whether or not a terrorist, is dead, therefore has no 'rights' and so this should be no issue. Every 'rule of law' has exceptions. Where the 'rights' of the entirety of the population are at stake, like that of life, liberty and the pursuit of happiness, are threatened by terrorists, the 'privacy' act needs to be bent, whereas, giving carte blanche access to all phones, in perpetuity, is not justified, nor should be deemed so. The ACLU should continue to fight for the privacy of all smart phone owners, the issue of giving up information of a dead terrorist, that could be of major benefit to the populous, should be supported (IMHO).

Pages

Stay Informed