In an open letter to Apple customers published Tuesday evening, CEO Tim Cook said the company is challenging a court order directing it to assist the Federal Bureau of Investigation. The company was reportedly asked to help the FBI bypass security measures that protect data stored on a locked iPhone.
The FBI is trying to access the data on the iPhone of Syed Farook who, with wife Tashfeen Malik, killed 14 people in San Bernardino, Calif., in December 2015. The agency believes that data on the phone may provide useful information about other potential threats or co-conspirators. But investigators have been unable to examine the phone's data because the device is protected by a numeric passcode, according to a Department of Justice legal filing. And the FBI has not tried to guess the passcode because Apple's iPhone software includes a security feature that deletes data after 10 incorrect passcode entries.
The device, an iPhone 5c, belongs to the San Bernardino County Department of Public Health, which provided it to Farook as an employee and has consented to the government's search. The FBI has already obtained some data from Apple's iCloud service, with Apple's cooperation. But the government contends that Farook disabled the automatic iCloud backup of his iPhone data at some point, thereby preventing more recent data from being stored on Apple's servers.
"We have great respect for the professionals at the FBI, and we believe their intentions are good," Cook said in his letter. "Up to this point, we have done everything that is both within our power and within the law to help them. But now the US government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone."
For years, law enforcement officials have sought government-mandated backdoors to bypass encryption. FBI Director James Comey last year testified before the Senate Judiciary Committee about the way that encryption can hinder investigations. Security experts and academic researchers have countered that backdoors cannot be controlled and will inevitably be misused. Comey has warned that encryption allows criminals to "go dark." At the same time, Peter Swire, professor of law and ethics at Georgia Institute of Technology, has argued that surveillance and data gathering have never been easier. The debate remains ongoing.
However, the Obama administration has opted not to mandate backdoors to bypass digital security measures. And Sen. Ron Wyden (D-OR) has introduced a bill that seeks to prohibit the government from requiring weak security.
Apple, in its privacy statement about government information requests, acknowledges that it complies with lawful legal demands for information that it possesses. But the company maintains it "has never worked with any government agency from any country to create a 'backdoor' in any of our products or services."
This case has the potential to determine whether Apple can continue to make that claim. Citing precedent in a legal filing, the Department of Justice asserts that the All Writs Act of 1789 authorizes the court "to order a third party to provide nonburdensome technical assistance to law enforcement officers."
The Department of Justice also notes that there are multiple pending unpublished orders to compel Apple's technical assistance in similar cases. However, DoJ acknowledges that a magistrate judge in the Eastern District of New York, handling one such case, has questioned the court's authority to issue a compliance order under the All Writs Act.
On Tuesday, a magistrate judge in Riverside, Calif., ordered Apple to help the FBI. The order directs Apple to provide technical assistance:
- to bypass or disable the auto-erase function that deletes data after 10 successive attempts to enter an incorrect passcode;
- to provide a way to automate passcode entry (thereby enabling the possibility of brute force passcode attacks); and
- to remove any software-based mechanism that delays password entry as a method of limiting brute force attacks.
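
The three protections named in the order can be modelled to show what each one contributes. The sketch below is an added example, not Apple's code and not part of the original article; the 10-attempt erase limit comes from the article, while the lockout schedule, the passcode value and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

ERASE_AFTER = 10  # from the article: data is deleted after 10 incorrect entries
# Hypothetical lockout schedule (failed-attempt count -> seconds); not from the article.
LOCKOUT_SECONDS = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}

@dataclass
class PasscodeGuard:
    passcode: str
    auto_erase: bool = True   # protection 1 in the order
    delays: bool = True       # protection 3 in the order
    failures: int = 0
    wiped: bool = False
    locked_until: float = 0.0

    def attempt(self, guess: str, now: float) -> str:
        if self.wiped:
            return "wiped"
        if self.delays and now < self.locked_until:
            return "locked"   # refused without evaluating the guess
        if guess == self.passcode:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.auto_erase and self.failures >= ERASE_AFTER:
            self.wiped = True  # data is gone; further guesses are pointless
            return "wiped"
        if self.delays:
            # The longest delay keeps applying once the schedule runs out.
            self.locked_until = now + LOCKOUT_SECONDS.get(min(self.failures, 9), 0)
        return "denied"

def wrong_guesses_until_wipe(guard: PasscodeGuard, limit: int = 1000):
    """Feed wrong guesses, waiting out each lockout.

    Returns (guesses evaluated, simulated seconds elapsed, wiped?)."""
    now, evaluated = 0.0, 0
    while evaluated < limit and not guard.wiped:
        now = max(now, guard.locked_until)
        guard.attempt("wrong", now)   # constructed input that never matches
        evaluated += 1
    return evaluated, now, guard.wiped

def coverage(digits: int, evaluated: int) -> float:
    """Share of an all-numeric passcode space covered by the evaluated guesses."""
    return min(evaluated, 10 ** digits) / 10 ** digits
```

With both protections on, the model caps an unknown party at 10 evaluated guesses before the data is erased; with both off, nothing in software bounds the number of guesses at all.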
The government is asking Apple to create a custom firmware for the iPhone in question that disables security measures. Security experts Jonathan Zdziarski and Dan Guido claim that Apple has the ability to comply with this order.
But as Cook's letter indicates, Apple opposes being required to do so. "[W]e fear that this demand would undermine the very freedoms and liberty our government is meant to protect," Cook says.
If the iPhone were a newer model, an iPhone 6 or later, Apple might not be able to comply fully with the order. According to Zdziarski, Apple moved the passcode entry delay code from software into a hardware element called the Secure Enclave in recent model iPhones. The feature that deletes data after 10 incorrect passcode guesses, however, can still be disabled in newer iPhones, Zdziarski maintains.
Newer iPhones with TouchID are arguably less secure than older models, however. US courts allow authorities to compel a person to use his or her fingerprint to unlock a biometrically protected phone. Passwords, because they're considered to be testimonial, cannot be compelled.
Chris Eng, VP of research at security firm Veracode, said in an emailed statement that the FBI isn't asking for a generic backdoor or decryption, but a software update that applies to one specific phone. He argues that Apple has bypassed lock screens for investigators in the past and is making a stand primarily as a matter of competitive differentiation.
Yet Eng's assertion implies there's a difference between a backdoor and a software update. A backdoor is simply an abstract term for something that bypasses a security measure. And a backdoor becomes generic if it can be applied repeatedly via legal process.
The Department of Justice contends that what Apple has been directed to do is not overly burdensome. But Apple may not consider its assigned task a trivial use of engineering resources. And there's also the burden of brand damage: Any company promising data security will no longer be able to do so if authorities can require businesses to create skeleton keys on demand.