Apple is on wrong side of fight with FBI, experts say

Tim Cook's letter outlining Apple's objections to the court order compelling it to help the FBI bypass security on an iPhone has met with criticism from some cyber-security professionals.

Tim Cook - opposes moves to access iphone data
Tim Cook - opposes moves to access iphone data

Tim Cook, the CEO of Apple, says a court order compelling the company to hack the iPhone of a dead terrorist would set a dangerous precedent, but his views have been met with scepticism from certain quarters of the cyber-security industry.

Cook warned that the FBI's use of the All Writs Act of 1789 – a 200-year-old law which authorises US federal courts to issue any writs they see fit – is the wrong way to act in cases like this. He implies that the FBI should instead seek new legislation through the US Congress if it wants to compel companies such as Apple to defeat security devices within their own products.

“The implications of the government's demands are chilling,” he wrote. “If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone's device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone's microphone or camera without your knowledge.”

The facts of the case

The phone in question belonged to one of the San Bernardino shooters, Syed Farook who late last year killed 14 people with his wife, Tashfeen Malik. The couple were later killed in a shootout with police.

The US Federal Bureau of Investigation (FBI) requested that Apple help it unlock the iPhone 5c and has obtained a court order to compel Apple's cooperation.

Farook's phone uses a version of  iOS which locks up after 10 wrong guesses of the passcode and erases the information on the phone.

US judge Sheri Pym ordered Apple's “reasonable technical assistance” in three areas. Firstly, the company will “bypass or disable the auto-erase function whether or not it has been enabled”. Second, Apple “will enable the FBI to submit passcodes to the subject device for testing electronically via the physical device port, bluetooth, wi-fi, or other protocol available on the subject device” and finally, “ensure that when the FBI submits passcodes to the subject devices, software running on the device will no purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware”.

Apple's response

Apple's opposition to this seems to place itself at the juncture of not only principle but technological integrity, too.

Tim Cook, the CEO of Apple published an open letter on 16 February, explaining Apple's stance: “Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation.”

Cook made the company's position plain, saying the FBI “may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”

Not only does the gripe stem from the need to write Apple software with a backdoor but to actually break encryption of the company's devices: The Apple CEO clearly placed this fight right in the centre of the current fight over encryption, currently being waged in the various parliaments, assemblies, columns, opinion pieces, forums and chatrooms of the western world.

The Apple CEO stated in his letter: “The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers.”

He said: “For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.”

This is something of a new development around the legal case for breaking encryption, or rather, forcing companies to break their own encryption. In October last year, Judge James Orenstein considered a US government request to force Apple to break encryption on one of its iPhones, and access the information inside. He compared such a demand, were it made, to forcing a drug company to assist in a lethal injection despite the company's conscientious objection.

Industry reaction

Philip Lieberman, CEO of Lieberman Software told SCMagazineUK.com that the grand moral battle that Apple described is not quite as simple as it may outwardly appear. “It is well known that both the phone carriers and manufacturer of locked cell phones maintain their own set of keys within their publicly declared walled gardens to the devices they sell”, said Lieberman.

He added “This barrier to competition and their ability to select winners and losers in their app store as well as patch/improve their operating system at any time, is also the backdoor they have to get into any phone they wish and do as they wish at any time irrespective of a client's wish to maintain privacy or security.”

Chris Eng, vice-president of research at Veracode, rejected Apple's argument that it was being forced to create a backdoor into all iPhones. “The issue here is not one of creating a backdoor; nor is the FBI asking for Apple to decrypt the data on the phone. They're asking for a software update (which could be designed to work only on that one particular phone) which would then allow the FBI to attempt to crack the passcode and decrypt the data. Such a solution would be useless if applied to any other phone,” he said.

“In the past Apple has complied with requests to, for example, bypass lock screens in aid of criminal investigations. It's only in recent years that they've taken an ideological stance on consumer privacy. I believe Apple is taking this position less as a moral high ground and more as a competitive differentiator, betting that Google won't do the same.”

This doesn't mean Eng believes in creating backdoors into encryption. “There is no way to do this safely without endangering users,” he said. “If a backdoor exists for law enforcement, it also exists for criminals. However, this isn't what's being proposed in the Apple case right now and it's important to make the distinction.”

However, others in the industry support Apple's position. Brian Spector, CEO of MIRACL said the order places tech companies in an ethical dilemma. "How can you tell your customers that your products are secure, but also knowingly compromise that security by building backdoors and weakening encryption? For customers to trust your products, their security must come first," he said. 

Apple are not the first company to go head-to-head with a major US law enforcement body over a customer's privacy, even if that customer is the culprit in an ongoing investigation. Microsoft are currently locked in a fight with the American government over the email account, held in Ireland, of a suspect in a narcotics investigation.