« Parcel of rogues | Main | Monster trucks »

Poisoning the fruit tree

"Why would Apple take this to court?" a TV researcher asked me on Wednesday. He was, of course, referring to Apple's pushback against a court order telling it to help the FBI access the data on the phone belonging to Sayed Rizwan Farook, the gunman who, with his wife, killed 14 people and injured 22 in San Bernardino, California, in December 2015. This is the kind of hard case that laws must be made to balance. In Britain, where the draft Investigatory Powers bill hovers menacingly, the Apple case is an important example of the debates in our immediate future. What Apple is being asked to do is that bill's equipment interference (PDF).

Apple has little choice but to fight it. Complying would tell customers that either the technology is flawed or that the company lied when it promised its customers that it could not access their data. What technology brand can survive that? That business reality is, I'm sure, only one of the reasons for Apple's stance: like the Vatican, to which Andrew Brown compares it in the Guardian, an organization can be both self-interested and principled. (Though Brown is wrong to say that "it's as easy" to build software that can be broken - that's much, much easier.)

There's been a lot of crossfire and confusion since Wednesday because speed tends to damage technical detail and also because simultaneously Apple is involved in a New York case that sounds similar but isn't.

The law the FBI is citing is the All Writs Act of 1789, a sort of get-out-of-court-free clause that lets judges issue orders that fall into legal gaps. The discretion so granted has been ramped up lately to expand surveillance and in terrorism-related cases such as the detainees in Guantánamo Bay (PDF).

What sounds like good news for privacy-conscious users of the current generation of iPhones is that after two months of trying the FBI hasn't managed to get into Farook's phone. Of course, we don't know how hard or consistently they have tried: it's certainly possible that this case is a carefully-chosen canary designed to make the political point that legislation requiring access to encrypted data is necessary. If that was the plan, it may have begun to succeed: the Wall Street Journal reports, based on unnamed sources, that Senate Intelligence Committee chair Richard Burr (R-NC) proposes to create legislation that would criminalize such refusals in future.

At Techcrunch, Matthew Panzarino explains the difference between the iPhone running iOS7 in the New York case and the iPhone5C that belonged to Farook. In iOS7 Apple can extract the phone's contents without knowing the user's password; it is resisting the New York order to do so. From iOS8 onwards, it can't. the iPhone5C runs iOS9. Hence the FBI's request.

As Techdirt explains, the judge is not ordering Apple to crack the encryption itself or to create a backdoor into it, but to create a patch for just this phone that changes the way the software reacts to repeated incorrectly entered passwords. Users get ten tries with increasing required delays to get it right before the phone locks away their data forever. What the FBI wants, therefore, is an infinite number of tries at high speed - "brute force", like I had apply to my friend's computer when he died leaving his financial files inaccessible.

TimCook-Apple.pngOff-air on Wednesday, a presenter asked me whether Apple wasn't glossing over its capabilities. If, he said, Apple could devise software that locks permanently after ten tries, why couldn't it essentially fool the software into losing count? Why couldn't you just tell the software that it was only on try number eight, or three? Just this once? That is, as I told him, the beauty of software: write once, use many. You can't crack one copy and leave the rest secure any more than you can (as we used to say about internet censorship) pee in the shallow end of the pool and expect the deep end to remain uncontaminated. Even if you turn off the circulating pumps.

It's not exactly precise for Apple CEO Tim Cook to call the software Apple is being asked to make a backdoor - by "backdoor" we usually mean a deliberate weakness in the cryptography itself. However, he is right that the effect is the same, and that it's both dangerous and unprecedented. 256px-Caspar_Bowden-IMG_smaller.jpgOnce the patch the FBI is asking for has been created, not only is the patch itself out there to be rewritten to hack into all the other iPhones running the same software, but every well-funded criminal research lab now has the extra motivation of knowing it's possible. Script kiddies will be downloading it within weeks. Why wouldn't Apple run away screaming?

Today, it's being fought by the same people, joined by giant technology companies, some of which didn't even exist then: EFF, Mozilla, Google, Facebook, and Twitter are all backing Apple's stance. It's an extraordinary moment, even if tomorrow in another part of the privacy forest we'll all be fighting again.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.


TrackBack URL for this entry:

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)