1. 78

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.


  2. 25

    I always think of Benjamin Franklin’s famous quote when readings like this come up:

    Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.

      1. 2

        I think the quote in itself is ambiguous, so it’s open for two (or possibly more) interpretations.

    1. 20

      Is there any doubt that when the FBI brings up a law from the 1700’s to justify breaking digital encryption in 2016 that they are completely making it up as they go along?

      1. 4

        They certainly aren’t making it up as they go along. They successfully used this law to force another company to unlock a locked smartphone. The big difference is that company already had the technique ready to use.

        The FBI was trying to quietly create a precedent that would allow them to force companies to create techniques even when a law applies (think forcing you to pick a lock vs forcing you to hand over a key) which is a massive expansion.

        Don’t get me wrong, the All Writs Act has a necessary place in law, filling in gaps of execution that haven’t been legislated, and nothing else can really replace it. But this application is so far out of precedent that it’s very worrying.

        1. 3

          More so than when the EFF quotes the first amendment to justify blogging?

          1. 6

            The First Amendment to the Constitution is hardly the legal equivalent of a 200-year-old obscure section of the US Code whose sole notable application is against smartphone manufacturers.

            1. 2

              Since when do notable applications determine the validity of a law?

              Every time Congress passes a bill that says “on the internet”, people scream “we don’t need this law. the laws we have are just fine.”

              Every time the police arrest somebody per a law that doesn’t say “on the internet”, people scream “these outdated laws don’t count.”

              1. 4

                Have you seriously read the bills that people get up in arms about? Its not just because it ‘says “on the internet,”’ its normally because it would require breaking of basic internet security. This outcry is perfectly consistent with that.

                The gov’t is using this law that is designed to allow a judge to say, compel a landlord to hand over a key so that they can execute a search warrant, to try to force Apple to build a key which is not what the precedent sets and in fact apple argues is against the law.

                The argument is that this case satisfies neither satisfies the requirement that no other law applies more specifically and that the writ is “agreeable to the usages and principles of law.” [1] This is because of the Communications Assistance for Law Enforcement Act of 1992 which lays out the interaction and responsibilities between govt and companies when it comes to digital messages.

                If the FBI is successful, then they can use the All Writs Act to do whatever they want when it comes to electronics as long as the law didn’t explicit cover that type of electronics. If that happens then it would be preferable to pass more explicit laws to restrict their usage of this act.

                [1] http://www.nyulawreview.org/sites/default/files/pdf/NYULawReview-83-1-Portnoi.pdf If you can habdle it, I suggest reading the above article even if just for context of how this law is being used in general.

                1. 1

                  The generalization on how the FBI is supposedly misusing US laws doesn’t sound very solid, but then again talking about how people are screaming against laws or their enforcement is hardly better. Sorry because I’m probably biased here as I value civil-rights associations higher than US appendices, especially those meddling with our rights to privacy. :p

                  1. 2

                    Pretty much the only way the FBI wins is through overturning precedent that would then say that forcing someone to hand over a key and forcing someone to pick a lock are legally equivalent. That would be a horrifying precedent to set because of the implications on the current state of 5th amendment precedents which say you can force someone to hand over knowledge that exists outside of themselves but not something that only exists within themselves (theoretical OS that has these features disabled).

              2. 1

                In that case they are relying on an interpretation of the first amendment that wasn’t law until the 60s. Before then the U.S. didn’t really have free speech.

            2. 11

              Apple is not the best company to be taking this on, likely to the SCOTUS, but they are certainly the one with the largest war chest. Good luck to them, and to us all.

              1. 14

                It would be great if some other companies in similar positions would stand with them.

                1. 3

                  This is not specifically about Apple. Or Facebook. Or Google. Or Volkswagen. Or Nestle. This is about all of them and all of us. If we uncritically accept that transnational corporations decide when and how to follow the rules we as societies established just because right now their (PR) interests and ours might superficially align how can we later criticize when the same companies don’t pay taxes or decide to not follow data protection laws?

                  I really like this commentary, absolutely necessary in the face of overwhelming support for this PR move conducted by Apple. While Apple’s stance today aligns with our interests, there is a thin veil of threat from transnational conglomerates towards governments (and the citizens they represent): We don’t need to follow your rules.

                  1. 4

                    I certainly don’t think we should uncritically accept what Apple is doing. But we can accept it, while understanding that they do wield some power, and that power needs to earn trust.

                    With regard to the feeling that they’re ignoring the rules, I have to say, Apple is advancing a legal argument. They are not openly breaking the law; a single ruling went against them, and they’re appealing. That is what playing by the rules looks like. Should they uncritically accept all requests made of them? They are disagreeing with an aggressive claim, using the process set forth to do so. There is no law that explicitly states anything about the balance between encryption and surveillance, and the FBI’s legal theory is a novel one which is not law until it has been through the entire legal process. Not immediately acceding to the anger of a non-elected official is a far cry from anarchy.

                    And - I don’t believe that governments always represent citizens. They’re supposed to. I’m not clear that they ever truly have, except in limited, short-term ways, but some do better at it than others. Fundamentally, governments can do wrong things, and laws can say wrong things, and when the rules are wrong we shouldn’t necessarily follow the rules. We really need to each find our own sense of right, rather than assuming that there’s any one party who has all the answers.

                    I hesitate to refer to this article in this context, because it would be possible to read too much into the comparison (I am not accusing the US government of behaving similarly to East Germany), but I really like the discussion of why people cooperate with surveillance.

                    “This was my cell,” said Vera Lengsfeld, who spent a month there awaiting trial as Stasi agents tried to force a confession to opposing the state. She did not know then that the man who betrayed her was her husband.


                    Wollenberger, who suffers from advanced Parkinson’s disease, does not give interviews. But a decade ago when a television interviewer asked why he agreed to spy on his wife he said, “I didn’t think you could say no.” Was he forced to do it? “No.” Well, asked the interviewer, was it voluntary? Wollenberger answered with a question. “What is voluntary?”

                    1. 3

                      I apologize if my previous post’s length introduced some implications which I didn’t intend. I actually agree immensely with what you have wrote, with a few differences where I should clarify my position on.

                      With regard to the feeling that they’re ignoring the rules, I have to say, Apple is advancing a legal argument.

                      Absolutely, they filed a motion of appeal within the 5 days of reprieve they were afforded by the original court order. I did not mean to imply they are illegally disobeying a court order without going through the proper legal channels, though I can see how my brevity may have led to that reading.

                      Should they uncritically accept all requests made of them? They are disagreeing with an aggressive claim, using the process set forth to do so.

                      On point 1, absolutely not—however, I find this argument you’ve advanced in the latter sentence worrying. I am not pointing fingers at any particular individual, but it is a “moving of the goal post” that I’ve noticed across the web. The general consensus and mentality among Netizens (for a lack of better word; I don’t mean to stereotype) is that the authorities are generally overstepping their judicial authority when they go through rubber stamp secret courts (FISA court), or if they perform surveillance (bulk or otherwise) without a court’s sanctioning (in the form of a warrant, or other forms of legal order). On these points, I completely agree. Full stop.

                      However, in this particular instance, not-the-rubber-stamp-secret-FISA-court (District Court of California) issued a very sensible directive and critics are still crying foul. Is the court order truly aggressive? An actual reading of the court order (it’s 2 pages of double spaced text; it really isn’t an onerous burden to any critic to actually read the first hand document) should show us that it is, in fact, very fair! I’ll take the words straight from the tante.cc article:

                      1. Apple is supposed to disable features of the IPhone automatically deleting all user data stored on the device.
                      2. Apple will also give the FBI some way to send passcodes to the device.
                      3. Apple will disable all software features that introduce delays for entering more passcodes.

                      Apple is compelled to write a little piece of software that runs only on the specified IPhone (the text is very clear on that) and that disables the 2 security features explained in 1 and 3. Because the court actually recognizes the dangers of having that kind of software in the wild it explicitly allows Apple to do all of this within its own facilities: The Phone would be send to an Apple facility, the software loaded to the RAM of the device. This is where 2 comes in: When the device has been modified by loading the Apple-signed software into its RAM the FBI needs a way to send PIN code guesses to the device. The court order even explicitly states that Apple’s new Software package is only supposed to go to RAM and not change the device in other ways. Potentially dangerous software would never leave Apple’s premises

                      To summarize, the court orders the decryption under the following measured conditions:

                      1. It is a targeted device (the shooter’s).

                      2. The software necessary to decrypt its data should ever only reside in RAM.

                      3. The entire process is to be performed within Apple’s own secured facility.

                      I made an assumption that you had not read the original court order–if you have, and you still believe those 3 steps are too aggressive, then I’m happy to discuss further.

                      1. 1

                        Sorry for the delay in answering; didn’t see this response at first.

                        Your caveat is pretty fair. I agree at the very least that there’s nothing secretive about this.

                        I did read the original court order, but I also read an explanation of what responding to this request might really entail, “Apple, FBI, and the Burden of Forensic Methodology”. I don’t want to jump to conclusions about whether this is an accurate description of the implications of what they’re being asked to do, but I think it’s at least a plausible and frightening prospect.

                        Even leaving aside the burden of producing a “forensic instrument”, it also isn’t clear whether there is any realistic way for Apple to design this thing to be certain that the hardware it’s running on is the targeted device, and while I’m sure they can protect their signing keys I’m dubious they can protect the firmware image itself. It doesn’t take a lot of imagination to think about hardware-based attacks that cause it to read a different device ID, or to realize that all software has bugs and that this custom firmware could easily have flaws that enable its wider use, if it’s successfully stolen.

                        The responsible approach to dangerous things with no legitimate purpose (there’s other information around the case that suggests there’s little reason to think the device has anything relevant) is not to build them.

                2. 4

                  In full tinfoil hat mode, this would be the kind of thing I’d release (with full support from national agencies to play along with the public back-and-forth), if I’d just put some top secret backdoors in my stuff. Or, if they asked me to release a message like this to increase the level at which people start to worry about any party eavesdropping their communications. I doubt it’s unfeasible that there’s a margin which if passed severely impacts eavesdropping ability, due to behaviour of those other than the target.

                  1. 4

                    Why does the FBI even need the phone? The shooters are dead. If they want to trace their connections, NSA has probably already pulled out all records of their phone use, internet access, and social media postings. There are dozens of ways to worm into people’s private data, especially if you’re the government. The phone is not necessary.

                    1. 4

                      They want to read the encrypted iMessages on the phone? Really, you can’t think of a single piece of evidence that could be contained on an encrypted phone?

                      1. 5

                        Really, you can’t think of a single piece of evidence that could be contained on an encrypted phone?

                        The point is not that there is no evidence on the phone, but that the evidence is not necessary since there is plenty to be found elsewhere.

                        1. 12

                          Right, this. My guess is that there’s nothing to be gained in this particular case, but that they’re really excited about the legal precedent that they’re forming.

                          1. 4

                            Heard the expression “you don’t know what you don’t know.”? Its pretty hard for the fbi to determine when they know “enough”. How would they, for instance, rule out using signal to communicate with a as yet unknown coco spittle?

                            Eh, coconspirator. Or coco spittle. Either or, really.

                      2. 3

                        So Apple had no issues complying with the NSA, or chose not to defy the gag orders but they suddenly have an issue with the FBI?

                        1. 2

                          It seems Apple has a backdoor that would allow them to force-upgrade the phone, as alluded to here:

                          Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

                          There’s talk (on twitter) of a Secure Enclave feature in later models (starting iPhone 6, it seems) that might help, but a former Apple employee questions the non-upgradability of that too.

                          Apple’s security document on iOS is here for those that want to dive into it: https://www.apple.com/business/docs/iOS_Security_Guide.pdf

                          So far the jury’s out as far as all iPhones go, but leaning in the direction that Apple has a backdoor it could use.

                          1. 3

                            My read of it is that this is a threat model which hadn’t previously been taken into account. It would be mitigated if the phone did not allow upgrades without either unlocking the phone, or reformatting it. You can find howtos all over of how to do exactly that, so I think that what the FBI is asking is possible without a backdoor. They plausibly need to ask because, like all firmware, this malicious firmware would need Apple’s signature.

                          2. 1

                            If the FBI had the ability to brute-force the device, what would the outcome be? I would hope (but doubt) Apple complying would make no real difference (i.e. brute-forcing would take decades) due to the security.

                            1. 19

                              The phone in question is an iPhone 5C. It doesn’t have the secure enclave that later A7 models have, so the delay for wrong guesses is only in software. See http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/ for a good summary.

                              1. 3

                                In order to limit the risk of abuse, Apple can lock the customized version of iOS to only work on the specific recovered iPhone and perform all recovery on their own, without sharing the firmware image with the FBI.

                                Even if there were a way to tie it only to that specific device, they still have to create and sign a neutered version of iOS. I think the signing part gets into tricky 1st Amendment stuff.

                                1. 3

                                  Hmmm.. and, if the FBI were to attempt any reverse engineering, could Apple file suit under the DMCA? That would be amazing.

                                  1. 10

                                    From 17 U.S. Code § 1201 (e):

                                    This section does not prohibit any lawfully authorized investigative, protective, information security, or intelligence activity of an officer, agent, or employee of the United States[…]

                                    1. 3

                                      Yes, I forgot about that. Shame.

                                  2. 2

                                    I’m not a lawyer and this is not legal advice. :)

                                    I can’t see how the 1st amendment would apply here. The only one which gives a right not to speak is the 5th, and Apple is not implicated criminally in this case.