Apple CEO Tim Cook’s open letter defying a court order to hack into an iPhone — and asking for an open discussion about data privacy — has dramatized and widened the debate over encryption as never before.
In a pointed “message to our customers,” Cook said the government’s request to circumvent a security protection mechanism on an iPhone could “undermine decades of security advancements that protect our customers.” The CEO’s letter set off a firestorm of commentary and reporting as soon as it went online early this morning.
Cook was responding to an order handed down by a federal magistrate judge in California Tuesday that compelled Apple to help the government break into an iPhone belonging to Syed Rizwan Farook, who along with his wife, Tashfeen Malik, killed 14 people in San Bernardino, California, in December.
Judge Sheri Pym did not order Apple to break the encryption on the iPhone. Instead, she asked the company to develop a new version of the iPhone’s iOS operating system that would allow the FBI to use its computers to guess the passcode quickly, without getting locked out for making too many guesses. This approach, sometimes referred to as a “brute force attack,” circumvents the iPhone’s encryption without actually breaking it.
The judge gave Apple five days to respond. But Cook issued his letter to customers within hours, clearly establishing Apple’s position in the case.
“The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand,” he wrote.
“Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution,” he added. “But it ignores both the basics of digital security and the significance of what the government is demanding in this case.”
“In today’s digital world, the ‘key’ to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.”
Beyond Apple’s big-picture objections, it’s not entirely clear whether the company can actually do what the judge has asked: design a software update that would first stop the phone from erasing its data after 10 failed password attempts, then allow the FBI to input passwords electronically and rapidly rather than by hand.
The government likely benefits from the fact that it is trying to break into an older iPhone model, the 5C, according to several computer security experts. The 5C, introduced in September 2013, limits password guesses primarily via the operating system. Later iPhone models limited guesses via a miniature onboard computer known as the “Security Enclave,” which apparently introduces delays of up to an hour after repeated guessing.
“The 5C model iPhone lacks … the single most important security feature produced by Apple: the Secure Enclave,” wrote Dan Guido, CEO of computer security outfit Trail of Bits, in a blog post. “Since the iPhone 5C lacks a Secure Enclave, nearly all of the passcode protections are implemented in software by the iOS operating system and, therefore, replaceable by a firmware update.”
Although the government’s request asks Apple to help bypass security on just one device, the company is alarmed by the precedent its compliance would set, fearing it could be asked for further such assistance down the line.
In the future, “if [law enforcement] is going to arrest somebody, what they could do is force the user to update their phone” to the security-weakened version of iOS Apple has been asked to create for the San Bernardino case, said Amie Stepanovich, U.S. policy manager for Access Now, a group that advocates for digital rights. The government could be setting up a precedent to force Apple or other companies “to continually hack [their] users,” she said.
“They’re basically compelling speech,” she continued, referring to the demand to produce code that enables malicious attacks. “It’s a slippery slope. They could compel other companies to build code in order to facilitate other intrusions.”
Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, has said that a government victory over Apple in the San Bernardino case could have implications for other companies, including Open Whisper Systems, which under co-founder Moxie Marlinspike released a popular encrypted calling app known as Signal. “If the FBI’s argument against Apple succeeds,” Cardozo recently tweeted, “nothing prevents them from ordering Moxie to backdoor Signal.”
Critics have also taken aim at the legal avenue through which the government is trying to compel Apple’s cooperation. To get its way, the government is leveraging the All Writs Act, a federal statute that allows it to require Apple to take extra steps to help fulfill an earlier lawful request, in this case the warrant to search the iPhone. The government turned to the act after the FBI spent two months trying to figure out a way into the phone and was unable to find one. The act’s lineage traces back to the Judiciary Act of 1789, though it has been updated numerous times since it was introduced.
“The court is ordering Apple to create a backdoor into an iPhone’s operating system, citing a law adopted in 1789,” said Greg Nojeim, director of the Freedom, Security and Technology Project at the Center for Democracy & Technology in a statement. “If the order stands, the defective operating system (iOS) could be installed over any existing version of iOS, enabling law enforcement officials to guess the password on a cellphone. If the order stands, Apple and other technology companies could be ordered to build backdoors — essentially defects — into other devices, rendering them insecure and vulnerable to attack by law enforcement and by others as well. We will fight against this result.”
Other, authoritarian governments — as well as clever criminal hackers — could also take advantage of any malware developed by Apple to exploit its own products. “If the U.S. government dictating iPhone encryption design sounds ok to you, ask yourself how you’ll feel when China demands the same,” wrote Matthew Green, a cryptography professor at Johns Hopkins University, in a recent tweet.
Sen. Ron Wyden, D-Ore., who is pro-encryption, also expressed concerns Wednesday about the consequences of compelling Apple to cripple its own products’ security. “This unprecedented reading of a nearly 230-year-old law would create a dangerous precedent that would put at risk the foundations of strong security for our people and privacy in the digital age,” he said in a statement emailed to The Intercept. “If upheld, this decision could force U.S. technology companies to actually build hacking tools for government against their will, while weakening cybersecurity for millions of Americans in the process.”