Judge Calls Bluffs On Encryption Debate; Asks Apple To Explain Why Unlocking A Phone Is 'Unduly Burdensome'
from the no-more-FBI-shitposting? dept
Things on the Crypto War 2.0 battlefront just got a little more interesting. The administration won't seek backdoors and neither will Congress. The intelligence community has largely backed away from pressing for compliance from tech companies. This basically leaves FBI director James Comey (along with various law enforcement officials) twisting in his own "but people will die" wind.
Comey continues to insist encryption can be safely backdoored. He claims the real issue is companies like Apple and Google, who hire tons of "smart people" but won't put them to work solving his "going dark" problem for him. As pretty much the entirety of the tech community has pointed out, holes in encryption are holes in encryption and cannot ever be law enforcement-only.
We may get a chance to see who's telling the truth. As the Washington Post's Ellen Nakashima reports, a NY federal judge is calling everyone's bluff.
Magistrate Judge James Orenstein of the U.S. District Court for the Eastern District of New York released an order Friday that suggests he would not issue a government-sought order to compel the tech giant Apple to unlock a customer’s smartphone.The order details what the government is trying to accomplish, but has yet to succeed in doing.
But before he can rule, the judge said, he wants Apple to explain whether the government’s request would be “unduly burdensome.”
In a sealed application filed on October 8, 2015, the government asks the court to issue an order pursuant to the All Writs Act, 28 U.S.C. § 1651, directing Apple, Inc. ("Apple") to assist in the execution of a federal search warrant by disabling the security of an Apple device that the government has lawfully seized pursuant to a warrant issued by this court. Law enforcement agents have discovered the device to be locked, and have tried and failed to bypass that lock. As a result, they cannot gain access to any data stored on the device notwithstanding the authority to do so conferred by this court's warrant.The order demands Apple submit a response by October 15th. First, it seeks an answer as to whether the government's request is even "technically feasible." If it is, Apple will need to explain why complying with the order would be "unduly burdensome." If further discussion is needed, oral arguments from both parties will be heard a week from that date (at this point oral arguments are purely optional).
The order also closely examines the government's request in light of the All Writs Act. This would be the 1789 law the DOJ is trying to use to "cover" a gap between what Congress has specifically authorized and what the FBI is hoping to have granted. The presiding judge in this case -- Judge Gabriel Gorenstein -- has had previous experience with the FBI, phone manufacturers, and the All Writs Act, having dealt with a similar case back in 2005. In that case, he noted the government's request seemed to be a "Hail Mary play" designed to elude statutory restraints, the checks and balances built into the system, and put the magistrate judge in the position of granting something possibly beyond his power to grant.
The government thus asks me to read into the All Writs Act an empowerment of the judiciary to grant the executive branch authority to use investigative techniques either explicitly denied it by the legislative branch, or at a minimum omitted from a far-reaching and detailed statutory scheme that has received the legislature's intensive and repeated consideration. Such a broad reading of the statute invites an exercise of judicial activism that is breathtaking in its scope and fundamentally inconsistent with my understanding of the extent of my authority.The All Writs Act is challenged here by Gorenstein again, nearly a decade later. After quoting a lengthy bit of report on "going dark" written by everyone's favorite terrorist-sympathizer Peter King, Gorenstein goes on to challenge Comey's public statements in light of his agency's desire to deploy a 1789 law to punch holes in 2015's phone encryption.
More specifically -- in a lengthy footnote -- Gorenstein basically calls Comey a hypocrite.
In a similarly-titled article published shortly before his Senate testimony, Director Corney discussed the extent to which companies like Apple should be compelled to ensure law enforcement access to the user content stored on its devices. Pertinent to the instant analysis of the All Writs Act, he wrote:The order also points out that the previous use of the All Writs Act to secure phone records is a completely different legal animal than the current demand that Apple open up a customer's phone and expose all it contains to federal investigators.
Democracies resolve such tensions through robust debate… It may be that, as a people, we decide the benefits here outweigh the costs and that there is no sensible, technically feasible way to optimize privacy and safety in this particular context, or that public safety folks will be able to do their job well enough in a world of universal strong encryption. Those are decisions Americans should make, but I think part of my job is [to] make sure the debate is informed by a reasonable understanding of the costs...
Director Corney's view about how such policy matters should be resolved is in tension, if not entirely at odds, with the robust application of the All Writs Act the government now advocates. Even if CALEA and the Congressional determination not to mandate "back door" access for law enforcement to encrypted devices does not foreclose reliance on the All Writs Act to grant the instant motion, using an aggressive interpretation of that statute's scope to short-circuit public debate on this controversy seems fundamentally inconsistent with the proposition that such important policy issues should be determined in the first instance by the legislative branch after public debate - as opposed to having them decided by the judiciary in sealed, ex parte proceedings.
[U]nlike the Telephone Company, Apple is not "a highly regulated public utility with a duty to serve the public[.]" It is a private-sector company that is free to choose to promote its customers' interest in privacy over the competing interest of law enforcement. Indeed, whereas in New York Tel Co. "it [could] hardly be contended that the Company ... had a substantial interest in not providing [the requested] assistance," it is entirely possible, if not likely, that Apple has thus far made a deliberate decision to balance those competing interests in favor of its customers' privacy preferences, as discussed further below.Gorenstein also notes that the government has other ways of obtaining the contents of the phone, including the use of coercive measures to force the owner to unlock it. This has its own constitutional implications, but they are not under the purview of the magistrate judge. (There are also any number of third-party services utilized by the phone's owner that may be more amenable to turning over information in response to court orders.)
Similarly, unlike the Telephone Company, which as the Supreme Court noted, regularly used pen registers for its own business purposes, there is nothing in the record to suggest that Apple has or wants the ability to defeat customer-installed security codes to access the encrypted data that its customers store on Apple devices after purchasing them.
Gorenstein says the government's interpretation of the All Writs Act seems to exceed the intent of that law and completely bypasses the checks and balances built into the system -- namely, the legislative branch, which has notably not pushed for mandated backdoors no matter how much Comey and others have complained about the threat it poses to the safety of Americans.
In the end, though, Gorenstein says it comes down to Apple pointing out why decrypting this phone would be "unduly burdensome," if it is actually possible at all. Judging from the content of the order, it appears the Gorenstein is far more skeptical of the government's claims than Apple's, but we won't know for sure until he responds to Apple's response. If Apple responds with answers the government doesn't like, it may move to have any further discussion on the matter sealed, which means we may not find out where this stands until years from now.
Then again, it may mean nothing at all. As Nakashima points out, this particular battle may not provide the best chance to defeat Comey's backdoor fantasies.
Law enforcement officials said Saturday that the device at issue is a phone that runs on an older version of Apple’s operating system that Apple can unlock.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: all writs act, burden, encryption, fbi, going dark, james comey, james orenstein
Companies: apple
Reader Comments
Subscribe: RSS
View by: Time | Thread
Oh wait, that would stop their mission creep. Never mind.
[ link to this | view in thread ]
If the NSA can't do it
* clipper chip
* greek phone system backdoor
* opm unencrypted
list goes on and on
[ link to this | view in thread ]
Re: If the NSA can't do it
[ link to this | view in thread ]
Re: If the NSA can't do it
Results on the cheap and lazy. The "best and brightest" don't work for the NSA or the Government in any real sense. It is unlikely for the third string to be able to move the ball against the starters/stars...
[ link to this | view in thread ]
[ link to this | view in thread ]
"It's clear that they don't really want to keep you safe, or they would have done as we asked."
By instead insisting that public companies solve the 'problem', they can always claim that there is a solution, the companies just aren't trying hard enough to find it.
[ link to this | view in thread ]
When all you have is lies...
The tech companies however 'cheated' by going straight to the public, and suddenly they weren't dealing with some technologically clueless judges, but a whole lot of people who knew exactly what they were demanding, and how impossible and dangerous it was.
At that point the standard lies weren't going to cut it, but so used to getting their way said lies were all they had, and when that failed to work, they had no backup plan other than trying to cut the public out of the matter entirely and go straight to the companies to try and force compliance.
[ link to this | view in thread ]
Will be interesting to see what Apple has to say
[ link to this | view in thread ]
Apple supported/created unlock possible?
I am not for back doors or anything like that but just an observation that most of the security is for external attacks but as the manufacture/designer Apple could by-pass most if required with effort.
Any thought?
[ link to this | view in thread ]
Re: Apple supported/created unlock possible?
It would cost a fortune and be unduly burdensome.
It would damage there reputation and bottom line... Unduly burdensome...
They could provide the source code of ios and the specs and let the FBI do it themselves but it would cost to much and the FBI would have to change things each time ios is updated.
If the means of having devices became public knowledge it would be unduly burdensome as they would have to change everything....
Basically there is no way they can do it without attracting significant risk and cost.
[ link to this | view in thread ]
Re: Apple supported/created unlock possible?
There will be a signed unencrypted boot loader that will ask for a password, decrypt the main partition, and run the OS from there.
So, no, even with the phone in your possetion, and removing the memory chips, without the password, the encrypted partition would not be accessable without the use of a supercomputer and a lot of time.*
* Providing a decent encryption algorythm and long password have been chosen!
[ link to this | view in thread ]
i've not seen it better said. this govt is determined to upset everything the original framers had in mind.
so who are the traitors in this sad saga?
[ link to this | view in thread ]
Re: Re: Apple supported/created unlock possible?
Apple uses AES 256 and the passcode is generated with a unique device ID which I guess means it's long.
Also maybe to add... The memory chips are encrypted with a key that is unique to each device, "burned" on the processor at production and unknown to Apple (according to Apple). The boot Rom is part of the processor and can't just be taken out like a flash chip.
This means if you want to change the boot ROM to add a signed new boot ROM you have to change the processor which takes all the keys away and you are left with brute force.
Or you can use brute force on the person and ask them to unlock it.
https://xkcd.com/538/
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Um...
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re: Apple supported/created unlock possible?
This isn't to say that will stop them, but it does mean at some point that they have to consider that they're transgressing someone's rights before the wrench beatings proceed.
[ link to this | view in thread ]
Re: Re: If the NSA can't do it
[ link to this | view in thread ]
Response to: Anonymous on Oct 13th, 2015 @ 12:13pm
[ link to this | view in thread ]
Re: If the NSA can't do it
[ link to this | view in thread ]
I think people who want good security will WANT stock encryption.
There is a false security with security through obscurity, in that the obscurity always deteriorates through time (usually rapidly). After that your encryption scheme's merits will be tested, and given that secure schemes are still difficult to make, odds are that your new one won't be all that secure.
[ link to this | view in thread ]
The answer is no
[ link to this | view in thread ]
A Socratic question:
These guys, in our supposition, are the guys the FBI really wants to catch.
Supposed that, in the persuit of our real cell, the FBI and White House convince our legislature to pass bills to compromize crypto used in the US, so they have back doors to everyone's electronics and private data. Consequently, so does China.
Meanwhile, to counter this scrutiny, our crafty and still real terrormeisters, who were already using burners (disposable cell phones) and talking in code (a la The Pizza Connection), decide to exchange data by filling up flashdrives and drive images half-full of Moroccan jazz and goatse porn (because the FBI analysts will HAVE to sift through all of that) and half-full of encrypted data disguised as trash in empty sectors.
Plausible deniability for miles.
And since big companies foreign and domestic have big company secrets that they would really rather not be looked at too closely by police and hack-savvy competitors, they respond in kind, exchanging lots and lots of empty sectors that provide this perfect plausible deniability.
Supposing this lengthy but really rather plausible scenario, what then, FBI? What then, Director Comey? What then?
[ link to this | view in thread ]
[ link to this | view in thread ]
I think a lot of you missed the point
for one we need to recognize what is considered burdensome?
If It was my company and they tried to force me to break my own encryption. And the encryption is one of the MAJOR selling points of the item that is to be decrypt. The burden is: LOSS of all the followers who were buying the item specifically because it was secure. This is DAMAGE to reputation and the bottom line of company and possibly a death sentence for the company or product line if I was successful in cracking my own encryption.
You are also demonstrating to the world that your product is not as secure as advertised, leaving you open for litigation, for misrepresentation of goods and lying to your customers.. Even if the court gives a gag order to the success of the hack, it will still get out at some point.
Also because I am the one being forced to crack my own security, instead of the government. There is no chance of restitution for the damage caused for a self inflicted wound to your company vs a government inflicted wound if they crack it.
Then there is the issue of the most valuable commodity "time" that your best and brightest is spending on cracking a single phone, when they should be focused on writing the more robust secure encryption for the next phone, going to market, that just happens to be on a deadline. Thus because they are working on cracking and not securing. The next phone line of products has a inferior encryption than planned. Thus poor product. equals reduced revenue. Which in the end will not be reimbursed by the government for all lost revenue through collateral damage.
================================================
If Apple cracks their own encryption I WOULD NEVER buy any future phone from them.
This is the true burden apple faces.
[ link to this | view in thread ]
Re: I think people who want good security will WANT stock encryption.
[ link to this | view in thread ]
Re: I think people who want good security will WANT stock encryption.
We're using standard crypto, just not the stuff that's preloaded into the phone. The preloaded stuff is not as trustworthy. But for people who otherwise wouldn't use crypto at all, the preloaded stuff is a great thing.
[ link to this | view in thread ]