Judge Calls Bluffs On Encryption Debate; Asks Apple To Explain Why Unlocking A Phone Is 'Unduly Burdensome'

from the no-more-FBI-shitposting? dept

Tue, Oct 13th 2015 6:20am — Tim Cushing

Things on the Crypto War 2.0 battlefront just got a little more interesting. The administration won't seek backdoors and neither will Congress. The intelligence community has largely backed away from pressing for compliance from tech companies. This basically leaves FBI director James Comey (along with various law enforcement officials) twisting in his own "but people will die" wind.

Comey continues to insist encryption can be safely backdoored. He claims the real issue is companies like Apple and Google, who hire tons of "smart people" but won't put them to work solving his "going dark" problem for him. As pretty much the entirety of the tech community has pointed out, holes in encryption are holes in encryption and cannot ever be law enforcement-only.

We may get a chance to see who's telling the truth. As the Washington Post's Ellen Nakashima reports, a NY federal judge is calling everyone's bluff.

Magistrate Judge James Orenstein of the U.S. District Court for the Eastern District of New York released an order Friday that suggests he would not issue a government-sought order to compel the tech giant Apple to unlock a customer’s smartphone.

But before he can rule, the judge said, he wants Apple to explain whether the government’s request would be “unduly burdensome.”

The order details what the government is trying to accomplish, but has yet to succeed in doing.

In a sealed application filed on October 8, 2015, the government asks the court to issue an order pursuant to the All Writs Act, 28 U.S.C. § 1651, directing Apple, Inc. ("Apple") to assist in the execution of a federal search warrant by disabling the security of an Apple device that the government has lawfully seized pursuant to a warrant issued by this court. Law enforcement agents have discovered the device to be locked, and have tried and failed to bypass that lock. As a result, they cannot gain access to any data stored on the device notwithstanding the authority to do so conferred by this court's warrant.

The order demands Apple submit a response by October 15th. First, it seeks an answer as to whether the government's request is even "technically feasible." If it is, Apple will need to explain why complying with the order would be "unduly burdensome." If further discussion is needed, oral arguments from both parties will be heard a week from that date (at this point oral arguments are purely optional).

The order also closely examines the government's request in light of the All Writs Act. This would be the 1789 law the DOJ is trying to use to "cover" a gap between what Congress has specifically authorized and what the FBI is hoping to have granted. The presiding judge in this case -- Judge Gabriel Gorenstein -- has had previous experience with the FBI, phone manufacturers, and the All Writs Act, having dealt with a similar case back in 2005. In that case, he noted the government's request seemed to be a "Hail Mary play" designed to elude statutory restraints, the checks and balances built into the system, and put the magistrate judge in the position of granting something possibly beyond his power to grant.

The government thus asks me to read into the All Writs Act an empowerment of the judiciary to grant the executive branch authority to use investigative techniques either explicitly denied it by the legislative branch, or at a minimum omitted from a far-reaching and detailed statutory scheme that has received the legislature's intensive and repeated consideration. Such a broad reading of the statute invites an exercise of judicial activism that is breathtaking in its scope and fundamentally inconsistent with my understanding of the extent of my authority.

The All Writs Act is challenged here by Gorenstein again, nearly a decade later. After quoting a lengthy bit of report on "going dark" written by everyone's favorite terrorist-sympathizer Peter King, Gorenstein goes on to challenge Comey's public statements in light of his agency's desire to deploy a 1789 law to punch holes in 2015's phone encryption.

More specifically -- in a lengthy footnote -- Gorenstein basically calls Comey a hypocrite.

In a similarly-titled article published shortly before his Senate testimony, Director Corney discussed the extent to which companies like Apple should be compelled to ensure law enforcement access to the user content stored on its devices. Pertinent to the instant analysis of the All Writs Act, he wrote:

Democracies resolve such tensions through robust debate… It may be that, as a people, we decide the benefits here outweigh the costs and that there is no sensible, technically feasible way to optimize privacy and safety in this particular context, or that public safety folks will be able to do their job well enough in a world of universal strong encryption. Those are decisions Americans should make, but I think part of my job is [to] make sure the debate is informed by a reasonable understanding of the costs...

Director Corney's view about how such policy matters should be resolved is in tension, if not entirely at odds, with the robust application of the All Writs Act the government now advocates. Even if CALEA and the Congressional determination not to mandate "back door" access for law enforcement to encrypted devices does not foreclose reliance on the All Writs Act to grant the instant motion, using an aggressive interpretation of that statute's scope to short-circuit public debate on this controversy seems fundamentally inconsistent with the proposition that such important policy issues should be determined in the first instance by the legislative branch after public debate - as opposed to having them decided by the judiciary in sealed, ex parte proceedings.

The order also points out that the previous use of the All Writs Act to secure phone records is a completely different legal animal than the current demand that Apple open up a customer's phone and expose all it contains to federal investigators.

[U]nlike the Telephone Company, Apple is not "a highly regulated public utility with a duty to serve the public[.]" It is a private-sector company that is free to choose to promote its customers' interest in privacy over the competing interest of law enforcement. Indeed, whereas in New York Tel Co. "it [could] hardly be contended that the Company ... had a substantial interest in not providing [the requested] assistance," it is entirely possible, if not likely, that Apple has thus far made a deliberate decision to balance those competing interests in favor of its customers' privacy preferences, as discussed further below.

Similarly, unlike the Telephone Company, which as the Supreme Court noted, regularly used pen registers for its own business purposes, there is nothing in the record to suggest that Apple has or wants the ability to defeat customer-installed security codes to access the encrypted data that its customers store on Apple devices after purchasing them.

Gorenstein also notes that the government has other ways of obtaining the contents of the phone, including the use of coercive measures to force the owner to unlock it. This has its own constitutional implications, but they are not under the purview of the magistrate judge. (There are also any number of third-party services utilized by the phone's owner that may be more amenable to turning over information in response to court orders.)

Gorenstein says the government's interpretation of the All Writs Act seems to exceed the intent of that law and completely bypasses the checks and balances built into the system -- namely, the legislative branch, which has notably not pushed for mandated backdoors no matter how much Comey and others have complained about the threat it poses to the safety of Americans.

In the end, though, Gorenstein says it comes down to Apple pointing out why decrypting this phone would be "unduly burdensome," if it is actually possible at all. Judging from the content of the order, it appears the Gorenstein is far more skeptical of the government's claims than Apple's, but we won't know for sure until he responds to Apple's response. If Apple responds with answers the government doesn't like, it may move to have any further discussion on the matter sealed, which means we may not find out where this stands until years from now.

Then again, it may mean nothing at all. As Nakashima points out, this particular battle may not provide the best chance to defeat Comey's backdoor fantasies.

Law enforcement officials said Saturday that the device at issue is a phone that runs on an older version of Apple’s operating system that Apple can unlock.

Apple Encryption (PDF)Apple Encryption (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: all writs act, burden, encryption, fbi, going dark, james comey, james orenstein
Companies: apple

29 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 13 Oct 2015 @ 6:42am

Can the Feebs just not shut up about this crap?

Oh wait, that would stop their mission creep. Never mind.
[ link to this | view in chronology ]
Anonymous Coward, 13 Oct 2015 @ 6:48am

If the NSA can't do it
despite hiring what are arguably the best and brightest, why is there so much push for the commercial world to solve the problem?
* clipper chip
* greek phone system backdoor
* opm unencrypted

list goes on and on
[ link to this | view in chronology ]
- Anonymous Coward, 13 Oct 2015 @ 6:56am
  
  Re: If the NSA can't do it
  Great question. Because the private sector simply pays better and has better benefits for the best and brightest. It also allows them to have lives outside of work, and you know, friends you can talk to. They know this and realize they can't change that piece, so they move on to coercing private corporations to do their work.
  [ link to this | view in chronology ]
- Someantimalwareguy, 13 Oct 2015 @ 6:59am
  
  Re: If the NSA can't do it
  "despite hiring what are arguably the best and brightest, why is there so much push for the commercial world to solve the problem?"
  
  Results on the cheap and lazy. The "best and brightest" don't work for the NSA or the Government in any real sense. It is unlikely for the third string to be able to move the ball against the starters/stars...
  [ link to this | view in chronology ]
  - Anonymous Bastard, 13 Oct 2015 @ 1:22pm
    
    Re: Re: If the NSA can't do it
    The FBI and especially the NSA probably have their share of smart people but they don't manufacture devices which is the point at which the subversion of encryption makes the most technical sense. Not that I agree with breaking encryption for millions worldwide to catch a relative few terrorists, many of whom won't be using stock encryption anyway. I think the children/terrorist/going dark angle is BS anyway. They're used to having a smooth ride sneaking around without accountability. All of a sudden someone is saying no and nobody likes that. It's in stark contrast to a secret court that rubber stamps every request on the rare occasion they even bothered.
    [ link to this | view in chronology ]
- That One Guy (profile), 13 Oct 2015 @ 7:13am
  
  "It's clear that they don't really want to keep you safe, or they would have done as we asked."
  The government doesn't want to try their hand at it because they know that it's not possible, and if they failed they'd have no one to blame but themselves. Hard to insist that someone else can do something when you've failed to do it first after all.
  
  By instead insisting that public companies solve the 'problem', they can always claim that there is a solution, the companies just aren't trying hard enough to find it.
  [ link to this | view in chronology ]
- Personanongrata, 13 Oct 2015 @ 2:52pm
  
  Re: If the NSA can't do it
  Bureaucracies exist to perpetuate themselves and expand their power at all costs. They are not concerned with being innovative nor providing anything of value in return for their funding.
  [ link to this | view in chronology ]
Anonymous Coward, 13 Oct 2015 @ 7:06am

Our three letter agencies were not expecting everyone to dig their heals in when dealing with this , I find it absolutely hilarious to watch them scramble , lie, cheat, beg and steal to try and get their way.
[ link to this | view in chronology ]
- That One Guy (profile), 13 Oct 2015 @ 7:20am
  
  When all you have is lies...
  If all they had to deal with was a judge or two that they could lie to, then they probably would have been able to get their way, like they have on other matters.
  
  The tech companies however 'cheated' by going straight to the public, and suddenly they weren't dealing with some technologically clueless judges, but a whole lot of people who knew exactly what they were demanding, and how impossible and dangerous it was.
  
  At that point the standard lies weren't going to cut it, but so used to getting their way said lies were all they had, and when that failed to work, they had no backup plan other than trying to cut the public out of the matter entirely and go straight to the companies to try and force compliance.
  [ link to this | view in chronology ]
Anonymous Coward, 13 Oct 2015 @ 7:45am

Will be interesting to see what Apple has to say
Remember, Blackberry was supposed to be secure and was fighting the Indian government. Then next thing you know they came to some sort of agreement with the Indian government. So did that mean they actually did have a way to decrypt customer traffic?
[ link to this | view in chronology ]
Dennis (profile), 13 Oct 2015 @ 8:03am

Apple supported/created unlock possible?
Just a thought. I have only briefly reviewed the Apple iOS security paper but it seems once you control a device you could, with hardware emulation or replacement with customized components, along with the ability to sign any code as Apple, do about anything with the device. The primary protection for the iOS is the secure boot process and code verified as code signed by Apple. Could Apple create a "special" version of the boot code or any part of the iOS to by-pass selected security? This would not be quick or easy method but may possible on a case by case. This might even require a hardware ROM replacement, or moving the device to an emulator setup, but the iOS security system would see this as a signed authentic system. As long as you do not effect the internal key storage you would have full control of the device with all data intact.

I am not for back doors or anything like that but just an observation that most of the security is for external attacks but as the manufacture/designer Apple could by-pass most if required with effort.

Any thought?
[ link to this | view in chronology ]
- Fin, 13 Oct 2015 @ 8:12am
  
  Re: Apple supported/created unlock possible?
  Of course they could.
  
  It would cost a fortune and be unduly burdensome.
  
  It would damage there reputation and bottom line... Unduly burdensome...
  
  They could provide the source code of ios and the specs and let the FBI do it themselves but it would cost to much and the FBI would have to change things each time ios is updated.
  
  If the means of having devices became public knowledge it would be unduly burdensome as they would have to change everything....
  
  Basically there is no way they can do it without attracting significant risk and cost.
  [ link to this | view in chronology ]
- Wryhta (profile), 13 Oct 2015 @ 8:17am
  
  Re: Apple supported/created unlock possible?
  Assuming here that this phone is switched off.
  
  There will be a signed unencrypted boot loader that will ask for a password, decrypt the main partition, and run the OS from there.
  
  So, no, even with the phone in your possetion, and removing the memory chips, without the password, the encrypted partition would not be accessable without the use of a supercomputer and a lot of time.*
  
  * Providing a decent encryption algorythm and long password have been chosen!
  [ link to this | view in chronology ]
  - Anonymous Coward, 13 Oct 2015 @ 9:04am
    
    Re: Re: Apple supported/created unlock possible?
    "the encrypted partition would not be accessable without the use of a supercomputer and a lot of time."
    
    Apple uses AES 256 and the passcode is generated with a unique device ID which I guess means it's long.
    
    Also maybe to add... The memory chips are encrypted with a key that is unique to each device, "burned" on the processor at production and unknown to Apple (according to Apple). The boot Rom is part of the processor and can't just be taken out like a flash chip.
    
    This means if you want to change the boot ROM to add a signed new boot ROM you have to change the processor which takes all the keys away and you are left with brute force.
    
    Or you can use brute force on the person and ask them to unlock it.
    
    https://xkcd.com/538/
    [ link to this | view in chronology ]
    - Uriel-238 (profile), 13 Oct 2015 @ 12:51pm
      
      Re: Re: Re: Apple supported/created unlock possible?
      The dialog about other ways of obtaining the contents of the phone, including the use of coercive measures to force the owner to unlock it. is referring to the $5 Wrench though that would be in direct violation of the owner's right, especially if he were already a suspect.
      
      This isn't to say that will stop them, but it does mean at some point that they have to consider that they're transgressing someone's rights before the wrench beatings proceed.
      [ link to this | view in chronology ]
Anonymous Coward, 13 Oct 2015 @ 8:19am

completely bypasses the checks and balances built into the system

i've not seen it better said. this govt is determined to upset everything the original framers had in mind.

so who are the traitors in this sad saga?
[ link to this | view in chronology ]
Ninja (profile), 13 Oct 2015 @ 10:25am

If they can 'open' that encryption then it is not encryption at all. Which means older devices could be "locked" but not encrypted. This is a crucial point against backdoors: encryption can, at best, be brute-forced which would be analogous to kicking a weaker door or blowing up a stronger one (which may resist if it is thick enough, has a long, hard pass key). If said door has a special key, a master key, it can be opened by obtaining, studying said key. If other people have such master key then that door is NOT secure.
[ link to this | view in chronology ]
Anonymous Coward, 13 Oct 2015 @ 10:28am

I'd like the judge to explain, why this is lawfull
[ link to this | view in chronology ]
- Anonymous Coward, 13 Oct 2015 @ 12:04pm
  
  Re:
  Read the opinion and you will find out..
  [ link to this | view in chronology ]
David Nieporent, 13 Oct 2015 @ 11:28am

Um...
Gabriel Gorenstein and James Orenstein are different people! Gorenstein is a magistrate judge in the Southern District; Orenstein is a magistrate judge in the Eastern District.
[ link to this | view in chronology ]
Anonymous, 13 Oct 2015 @ 12:13pm

Or perhaps they already can decrypt the phone but are spreading a mis-info lie to calm people down by going to courts and publicly challenging Apple?
[ link to this | view in chronology ]
- Anonymous Bastard, 13 Oct 2015 @ 1:39pm
  
  Response to: Anonymous on Oct 13th, 2015 @ 12:13pm
  Possibly. I don't think anybody that wants good encryption will use the stock option anyway, especially on an American product. It's not in Apple's interest to acquiesce to this request. It will devastate Apple and many other tech companies, not if, but when the unintended consequences of backdoored encryption hit the fan.
  [ link to this | view in chronology ]
Uriel-238 (profile), 13 Oct 2015 @ 3:28pm

I think people who want good security will WANT stock encryption.
The problem with non-standard encryption is that it hasn't withstood the test of the public. We have a number of symmetrical encryption options which are difficult and expensive to crack through analysis. (Robust encryption algos won't make a difference against a $5 wrench or human error.)

There is a false security with security through obscurity, in that the obscurity always deteriorates through time (usually rapidly). After that your encryption scheme's merits will be tested, and given that secure schemes are still difficult to make, odds are that your new one won't be all that secure.
[ link to this | view in chronology ]
- Anonymous Bastard, 13 Oct 2015 @ 5:58pm
  
  Re: I think people who want good security will WANT stock encryption.
  There's nothing stopping somebody using both the stock encryption and some other product in addition. Even if they build in a backdoor it will probably be good for a short time until it isn't. I think Windows 10 backs up your Bitlocker key to the cloud. That's sort of a back door that will be exploited by criminals eventually but it works - for now.
  [ link to this | view in chronology ]
- John Fenderson (profile), 13 Oct 2015 @ 7:22pm
  
  Re: I think people who want good security will WANT stock encryption.
  When I think of "stock encryption", I think of crypto that's already baked in. People (like me) who don't use stock encryption aren't using some weird crypto that hasn't been well-tested.
  
  We're using standard crypto, just not the stuff that's preloaded into the phone. The preloaded stuff is not as trustworthy. But for people who otherwise wouldn't use crypto at all, the preloaded stuff is a great thing.
  [ link to this | view in chronology ]
Anonymous, 13 Oct 2015 @ 4:09pm

The answer is no
When has it become the responsibility of the public to do the job of the government? The answer is no, the government can already arrest that person and force them under legal means to gain access to the phone. This is the government crying foul that they have to do the leg work and instead wants an easy backdoor when the person wont comply.
[ link to this | view in chronology ]
Uriel-238 (profile), 13 Oct 2015 @ 4:15pm

A Socratic question:
Suppose, for a second, there are real terrorists in the United States. By real terrorists, I mean guys (and gals) who are radical (have a fringe extremist platform), ideological (believe society should fit a specific paradigm) and fanatical (are very strongly committed to their cause) and they really do plan to further their cause (or at least represent it) by massacring a lot of people and causing a lot of damage. Bombs are great for this, but they're willing to be creative.

These guys, in our supposition, are the guys the FBI really wants to catch.

Supposed that, in the persuit of our real cell, the FBI and White House convince our legislature to pass bills to compromize crypto used in the US, so they have back doors to everyone's electronics and private data. Consequently, so does China.

Meanwhile, to counter this scrutiny, our crafty and still real terrormeisters, who were already using burners (disposable cell phones) and talking in code (a la The Pizza Connection), decide to exchange data by filling up flashdrives and drive images half-full of Moroccan jazz and goatse porn (because the FBI analysts will HAVE to sift through all of that) and half-full of encrypted data disguised as trash in empty sectors.

Plausible deniability for miles.

And since big companies foreign and domestic have big company secrets that they would really rather not be looked at too closely by police and hack-savvy competitors, they respond in kind, exchanging lots and lots of empty sectors that provide this perfect plausible deniability.

Supposing this lengthy but really rather plausible scenario, what then, FBI? What then, Director Comey? What then?
[ link to this | view in chronology ]
Anonymous Coward, 13 Oct 2015 @ 5:42pm

I don't own a cell phone any longer. I never bank or buy anything on line. I use cash more often as of late and want to get away from using my card at all for fear of my financial information falling into the wrong hands. These idiots won't be happy until they bring our whole financial system to its knees. Once the money is worthless that will level the playing field though.
[ link to this | view in chronology ]
corey, 13 Oct 2015 @ 5:58pm

I think a lot of you missed the point
The point of all this is what kind of “unduly burdensome.” does it put on Apple to defeat their own encryption.

for one we need to recognize what is considered burdensome?

If It was my company and they tried to force me to break my own encryption. And the encryption is one of the MAJOR selling points of the item that is to be decrypt. The burden is: LOSS of all the followers who were buying the item specifically because it was secure. This is DAMAGE to reputation and the bottom line of company and possibly a death sentence for the company or product line if I was successful in cracking my own encryption.

You are also demonstrating to the world that your product is not as secure as advertised, leaving you open for litigation, for misrepresentation of goods and lying to your customers.. Even if the court gives a gag order to the success of the hack, it will still get out at some point.

Also because I am the one being forced to crack my own security, instead of the government. There is no chance of restitution for the damage caused for a self inflicted wound to your company vs a government inflicted wound if they crack it.

Then there is the issue of the most valuable commodity "time" that your best and brightest is spending on cracking a single phone, when they should be focused on writing the more robust secure encryption for the next phone, going to market, that just happens to be on a deadline. Thus because they are working on cracking and not securing. The next phone line of products has a inferior encryption than planned. Thus poor product. equals reduced revenue. Which in the end will not be reimbursed by the government for all lost revenue through collateral damage.
================================================

If Apple cracks their own encryption I WOULD NEVER buy any future phone from them.

This is the true burden apple faces.
[ link to this | view in chronology ]