Apple’s situation with the FBI is not as you’ve heard it

When the terrorists who attacked America at San Bernardino were neutralized, the FBI began an investigation, as they are supposed to. There’s been much said about how that investigation has progressed but the latest bit deals with an Apple iPhone used by the terrorists and left behind in the wake of their own shooting by police. Apple’s iOS software running on the phone contains a number of security features, not the least of which is the ability for the user to encrypt all of the data on the phone. (We in the industry refer to encrypting the data on a device as “data at rest” encryption. “Data in motion” refers to encrypting a data connection, like you do when you have WPA2 running on your wifi router at home.) The FBI is seeking access to the data on that phone, but it’s encrypted. They have asked – and now the courts have ordered – Apple to assist them in getting that access. Apple is resisting. And here’s where the facts are likely not as you’ve been told.

Apple and others who support them are saying that the FBI is telling Apple that they need to develop for the FBI a method of breaking that encryption. Various accounts in the media have suggested that the government wants Apple to build for them a “skeleton key” that, while directed at this one phone today, could be used at will against any iPhone tomorrow. This is simply not true. As explained by people in the legal profession who have taken the time to actually read the order issued by the court (PDF), the FBI isn’t asking Apple to break any encryption whatsoever. They also aren’t asking Apple to develop something new. According to the order, they are telling Apple to do what’s needed to:

  1. Bypass the auto-erase function, whether enabled on the phone or not. The auto-erase function will wipe the phone if a number of failed password attempts is exceeded, and I think that number is 10. Once you’ve blown the password entry that many times, the phone clears its data out. The court wants Apple to keep the phone from doing that.
  2. Enable the FBI to enter passcodes via the device port or Bluetooth or WiFi as opposed to having to enter it by hand onto the screen.
  3. Remove the software-introduced delay between password attempts. When a password is attempted and fails, the software basically starts a clock for a few seconds and won’t allow another code to be entered until that timer runs down. The court wants Apple to remove that timer and allow new passcodes to be entered immediately.

And that, ladies & gentlemen, is it. The FBI has not asked for Apple to break the passcode or crack the encryption on that device. They are perfectly OK with doing that on their own and they clearly understand that the burden is on them to break into the phone.

Apple and their supporters are resisting, too, because they are certain that once the government has this capability they will use it again, presumably on their own, and that the technique won’t stay secret. They are sure the government won’t be able to keep the technique from leaking out. As to the latter of those concerns, I completely agree. I do work at federal agencies. I need no better example of the care and competence they exhibit in keeping their information secure than to point to the Office of Personnel Management (OPM). If they can’t keep the background investigation data they are using to grant Secret and Top Secret clearances to people secure, then I would have no confidence they would be able to keep the programming efforts needed to comply with this court order secure. Both of these concerns – that the government will use the technique over and over and that they wouldn’t be able to keep a lid on it – are addressed in the court order. Specifically:

  1. The court order references this one phone and this one phone only. It explicitly states that the work is to be tailored to apply to this phone and no other.
  2. The order permits Apple to perform the work at their facility and, thereby, keep the work done on the phone completely under their control.

So, what is the order asking them to do, exactly? It asks that Apple build a version of their iOS, signed and specified for this phone only, that turns off the features I listed above. In my past career work, I did a fair amount of application development of my own. What this order is asking for is for Apple to simply turn off features they implemented in the code. In other words, no one’s asking Apple to develop anything new at all. They want Apple to get into their own source code, make a special-purpose copy aimed at this one phone, and put statements into the code so that when the 3 features I referenced above are called upon by the operating system, they simply don’t do anything. In programming parlance, they’re asking that the subroutines in question simply return operating flow back to whatever called upon them without doing anything else. I can assure you that’s nowhere near being rocket science, nor is it new development. And while I’ve never seen the code for iOS, I am confident that making those changes is no big deal for the application team who wrote the code in the first place.
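To show what the three controls listed from the order contribute, and what "turning them off" changes, here is an added illustration: a toy passcode gate driven on a virtual clock. It is not Apple's code and not part of the original post; the 4-digit passcode, the 5-second delay and the per-guess entry times are assumptions, and the 10-attempt limit is the figure the post gives.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PasscodeGate:
    """Toy model (constructed for illustration) of a guarded passcode check."""
    secret: str
    erase_after: Optional[int] = 10  # figure the post gives; None = auto-erase off
    delay_s: float = 5.0             # assumed value for "a few seconds"
    failures: int = 0
    locked_until: float = 0.0
    wiped: bool = False

    def attempt(self, guess: str, now: float) -> str:
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "too_soon"        # timer still running; guess is not evaluated
        if guess == self.secret:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        self.locked_until = now + self.delay_s
        if self.erase_after is not None and self.failures >= self.erase_after:
            self.wiped = True        # retry budget spent: data is erased
            return "wiped"
        return "failed"


def exhaust(gate: PasscodeGate, digits: int = 4, entry_s: float = 2.0):
    """Try every passcode in order on a virtual clock.

    entry_s is the assumed time to submit one guess (by hand vs. electronically).
    Returns (outcome, guesses_used, elapsed_seconds).
    """
    now = 0.0
    for n in range(10 ** digits):
        now = max(now, gate.locked_until) + entry_s  # wait out the timer, then enter
        outcome = gate.attempt(f"{n:0{digits}d}", now)
        if outcome != "failed":
            return outcome, n + 1, now
    return "exhausted", 10 ** digits, now


if __name__ == "__main__":
    # Constructed passcode; controls on with hand entry, then all three off.
    print(exhaust(PasscodeGate("7391")))
    print(exhaust(PasscodeGate("7391", erase_after=None, delay_s=0.0), entry_s=0.125))
```

With the controls on, the tenth miss erases the data after 65 simulated seconds; with all three off, the same constructed passcode is reached on guess 7,392, which is why the retry limit and delay, not the passcode length alone, carry the protection in this model.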

The government won’t have the source code. Apple can perform the process at their offices and set up access to the phone – once they’ve performed the iOS update being ordered – and then sit back and watch the FBI do their thing. Hell, they could use it in their next advertising campaign: Hey, folks, look how easily someone could get into your phone if we weren’t as diligent about security as we have been! The court order could be construed to allow Apple to comply with the order, let the FBI crack the passcode, change it to something they like better, and then re-update the phone to put the original iOS back on it. The phone doesn’t leave Apple with the modified code. Apple can then make a big deal about destroying the separate coding environment they used to comply with the order and wipe the modifications out of existence.

Sure, the court could make such an order again. So what? The court demands that banks give access to safety deposit boxes, that offices give access to warehouses and file cabinets, and that telecom companies give access to phone metadata all the time. With a proper warrant that’s called due process. This entire situation has been made to sound like the government wants a back door into every device. That is not what the order is about and Apple is not being asked to do any such thing. While I was initially supportive of Apple, the facts of the matter have changed my mind.