Dissecting And Dismantling The Myths Of The DOJ's Motion To Compel Apple To Build A Backdoor
from the dishonest-doj dept
While everyone's waiting for Apple's response (due late next week) to the order to create a backdoor that would help the FBI brute force Syed Farook's work iPhone, the DOJ wasted no time in further pleading its own case, with a motion to compel. I've gone through it and it's one of the most dishonest and misleading filings I've seen from the DOJ -- and that's saying something. Let's dig in a bit:
Rather than assist the effort to fully investigate a deadly terrorist attack by obeying this Court's Order of February 16, 2016, Apple has responded by publicly repudiating that Order. Apple has attempted to design and market its products to allow technology, rather than the law, to control access to data which has been found by this Court to be warranted for an important investigation. Despite its efforts, Apple nonetheless retains the technical ability to comply with the Order, and so should be required to obey it.
This part is only marginally misleading. The key point: of course Apple has designed a product that allows technology to control access because that's how encryption works. It's as if the DOJ still doesn't understand that. Here's a simple, if unfortunate, fact for the DOJ: there are always going to be some forms of communications that it doesn't get to scoop up. Already we know that Farook and his wife destroyed their two personal iPhones. Why not just recognize that fully encrypted phones are the equivalent of that? No one seems to be whining about the destroyed iPhones and what may have been lost even though the very fact that they were destroyed, and this one was not, suggests that if there was anything important on any of his phones, it wasn't this one. There are also things like communications between, say, a husband and wife in their own home. The DOJ can never get access to those because the two people are dead. Think of that like their brains were encrypted and their death made the key get tossed.
There are lots of situations where the physical reality is that the DOJ cannot recover communications. It's not the end of the world. It's never been the end of the world.
Apple, now (finally) trying to design encryption systems that make it so no one else can get in, sees this as the best way to protect the American public, because it means that their own information is much safer. It means fewer phones get stolen. It means fewer people are likely to have their information hacked. It means much more safety for the vast majority of the public. And I won't even get into the fact that it was the US government's own hacking of private data that pushed many companies to move more quickly towards stronger encryption.
The government has reason to believe that Farook used that iPhone to communicate with some of the very people whom he and Malik murdered. The phone may contain critical communications and data prior to and around the time of the shooting that, thus far: (1) has not been accessed; (2) may reside solely on the phone; and (3) cannot be accessed by any other means known to either the government or Apple. The FBI obtained a warrant to search the iPhone, and the owner of the iPhone, Farook's employer, also gave the FBI its consent to the search. Because the iPhone was locked, the government subsequently sought Apple's help in its efforts to execute the lawfully issued search warrant. Apple refused.
"May contain" is a pretty weak standard, especially noting what I said above. Furthermore, if there were communications with Farook's victims, then shouldn't that information also be accessible via the phones of those individuals as well? And if they already know that there was communication between the two, much of that data should be available elsewhere, in terms of metadata of a phone call, for example.
Apple left the government with no option other than to apply to this Court for the Order issued on February 16, 2016.
Actually, there are plenty of other options, including traditional detective work, looking for information from other sources or just recognizing that sometimes you don't get every piece of data that exists. And that's okay.
The Order requires Apple to assist the FBI with respect to this single iPhone used by Farook by providing the FBI with the opportunity to determine the passcode. The Order does not, as Apple's public statement alleges, require Apple to create or provide a "back door" to every iPhone; it does not provide "hackers and criminals" access to iPhones; it does not require Apple to "hack [its] own users" or to "decrypt" its own phones; it does not give the government "the power to reach into anyone's device" without a warrant or court authorization; and it does not compromise the security of personal information. To the contrary, the Order allows Apple to retain custody of its software at all times, and it gives Apple flexibility in the manner in which it provides assistance. In fact, the software never has to come into the government's custody.
And here's where the misleading stuff really starts flowing. It absolutely is a backdoor. Anything that makes it easier for a third party to decrypt data without knowing the key is a backdoor. That's the definition of a backdoor. That it comes in the form of making it substantially easier to brute force the passcode doesn't change the fact that it's still a backdoor.
And, yes, this impacts "every" iPhone. As Senator Ron Wyden correctly notes, if the precedent is set that Apple can be forced to do this for this one iPhone, it means it can be forced to do it for all iPhones. No, this single piece of code may not be the issue -- though there are some concerns that even creating this code could lead to some problems if the phone connects to a server -- but forcing a company to hack its own customers puts everyone at risk.
And yes, there is no legitimate way to describe this without claiming that it's hacking Apple's own customers. The whole point of the system is to get around the fact that they don't have the key, and building a tool to disable security features and then allow a brute force attack on the passcode is very much exactly "hacking" Apple's own customers. Sure, this one still requires a warrant, but once Apple is pushed to create that kind of code -- and other companies are forced to build similar backdoors -- the technology itself is being designed with extra vulnerabilities that will put many more people at risk. It's not just about the DOJ seeing what's on this damn phone.
The fact that Apple can retain control over the software is a total red herring. No one cares about that. It's about the precedent of a court requiring a company to hack its own customers, as well as forcing them to create a backdoor that can be used in the future -- even to the point of possibly requiring such backdoors in future products.
In the past, Apple has consistently complied with a significant number of orders issued pursuant to the All Writs Act to facilitate the execution of search warrants on Apple devices running earlier versions of iOS. The use of the All Writs Act to facilitate a warrant is therefore not unprecedented; Apple itself has recognized it for years. Based on Apple's recent public statement and other statements by Apple, Apple's current refusal to comply with the Court's Order, despite the technical feasibility of doing so, instead appears to be based on its concern for its business model and public brand marketing strategy.
And the misleading bullshit gets ratcheted up a notch. First of all, we already went through why the "Apple helped us in the past" story is wrong. This is totally different. One is giving access to unencrypted information that Apple had full access to. The other is building a system to hack away security features in order to hack into an encrypted account. Very, very different. Second, the whole idea that better protecting its customers is nothing more than "a brand marketing strategy" is insulting. Should the US government want the American public to be protected from criminals and malicious hackers and attacks? The best way to do that is with encryption. The fact that consumers are demanding that they be safer is not an "Apple marketing strategy"; it's Apple looking out for the best interests of its customers.
And I won't even dig deep into the fact that one of the big reasons why the public is clamoring for more protection these days is because the US government ran roughshod over the Constitution over the past few years to suck up all kinds of information it shouldn't have.
Later in the motion, the DOJ again argues that there's no "unreasonable burden" on Apple to hack its own customers. It trots out a similar line that was in the original application for the order, saying "what's the big deal -- we're just asking for software, and Apple makes software, so no burden."
While the Order in this case requires Apple to provide or employ modified software, modifying an operating system which is essentially writing software code in discrete and limited manner is not an unreasonable burden for a company that writes software code as part of its regular business. The simple fact of having to create code that may not now exist in the exact form required does not an undue burden make. In fact, providers of electronic communications services and remote computing services are sometimes required to write some amount of code in order to gather information in response to subpoenas or other process. Additionally, assistance under the All Writs Act has been compelled to provide something that did not previously exist the of the contents of devices seized pursuant to a search warrant. In United States v. Fricosu..., a defendant's computer whose contents were was seized, and the defendant was ordered pursuant to the All Writs Act to assist the government in producing a copy of the contents of the computer. Here, the type assistance does not even require Apple to assist in producing the contents; the assistance is rather to facilitate the FBI's attempts to test passcodes.
Again, this is both ridiculous and extremely misleading. Creating brand new software -- a brand new firmware/operating system -- is fraught with challenging questions and potential security issues. It's not just something someone whips off. If done incorrectly, it could even brick the device entirely, and can you imagine how the FBI would react then? This is something that would require a lot of engineering and a lot of testing -- and still might create additional problems, because software is funny that way. Saying "you guys write software, so writing a whole new bit of software isn't a burden" is profoundly ignorant of the technological issues.
Update: If you want a long and detailed post from someone who absolutely knows how iPhone forensics works, and how incredibly involved creating this software would be, go read this blog post right now. In it, Jonathan Zdziarski notes that the DOJ is flat out lying in the way it describes what it's asking Apple to do, and it would be incredibly involved, and would create all sorts of risks of the code getting out.
Second, the Fricosu case is quite different. That was compelling someone to give up their own encryption key -- something that not all courts agree with by the way, as some view it as a 5th Amendment or 1st Amendment violation. That's quite different than "write a whole new software thing that works perfectly the way we want it to."
As noted above, Apple designs and implements all of the features discussed, writes and signs the routinely patches security or functionality issues in its operating system, and releases new versions of its operating system to address issues. By comparison, writing a program that turns off features that Apple was responsible for writing to begin with would not be unduly burdensome.
This shows a profound technological ignorance. Yes, Apple updates its operating system all the time, but yanking out security features is a very different issue, and could have much wider impact. It might not, but to simply assume that it's easy seems profoundly ignorant of how software and interdependencies work. Again, the DOJ just pretends it's easy, as if Apple can just check some boxes that say "turn off these features." That's not how it works.
Moreover, contrary to Apple's recent public statement that the assistance ordered by the Court "could be used over and over again, on any number of devices" and that "[t]he government is asking Apple to hack our own users," the Order is tailored for and limited to this particular phone. And the Order will facilitate only the FBI's efforts to search the phone; it does not require Apple to conduct the search or access any content on the phone. Nor is compliance with the Order a threat to other users of Apple products. Apple may maintain custody of the software, destroy it after its purpose under the Order has been served, refuse to disseminate it outside of Apple, and make clear to the world that it does not apply to other devices or users without lawful court orders. As such, compliance with the Order presents no danger for any other phone and is not "the equivalent of a master key, capable of opening hundreds of millions of locks."
We discussed some of this above, but the issue is not the specific code that Apple will be forced to write, but rather the very fact that it will be (contrary to the DOJ's claim) forced to hack their own phones to eliminate key security features, in order to allow the FBI to get around the security of the phone and access encrypted content. If the court can order it for this phone, then yes, it can order it for any iPhone, and that's the key concern. Furthermore, again, having Apple tinker with the software can introduce security vulnerabilities -- and already this discussion has revealed a lot about how hackers might now attack the iPhone. I'm all for full disclosure of how systems work, so that's okay. But the real issue is what happens next. If Apple looks to close this "loophole" in how its security works in the next iPhone update, will the court then use the All Writs Act to stop them from doing so? That's the bigger issue here, and one that the DOJ completely pretends doesn't exist.
To the extent that Apple claims that the Order is unreasonably burdensome because it undermines Apple's marketing strategies or because it fears criticism for providing lawful access to the government, these concerns do not establish an undue burden. The principle that "private citizens have a duty to provide assistance to law enforcement officials when it is required is by no means foreign to our traditions."
Again, this is a made-up talking point. Protecting user privacy, as they demand it, is not a "marketing strategy." It's a safety and security strategy. You'd think, of all agencies, the FBI would appreciate that.
Anyway, you can go through the entire 35-page filing yourself, but these were the key points, and almost all of them are misleading. It should be interesting to see Apple's response next week.