18 Feb 2016

Apple Vows To Defend Its Customers As The FBI Launches A War On Privacy And Security

Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.
In today’s digital world, the “key” to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.
The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.
We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.
– From Apple CEO Tim Cook’s letter: A Message to Our Customers
I’ve spend most of the morning reading as much as possible about the explosive battle between the FBI and Apple over consumer rights to digital privacy and security. I came away with a refined sense of just how monumental this case is, as well as a tremendous amount of respect for Apple CEO Tim Cook for his public stance against the feds.
Before I get into the issue at hand, some background is necessary. The feds, and the FBI in particular, have been very vocal for a long time now about the desire to destroy strong encryption, i.e., the ability of citizens to communicate privately. A year ago, I wrote the following in the post, By Demanding Backdoors to Encryption, U.S. Government is Undermining Global Freedom and Security:


One of the biggest debates happening at the intersection of technology and privacy at the moment revolves around the U.S. government’s fear that the American peasantry may gain access to strong encryption in order to protect their private communications. Naturally, this isn’t something Big Brother wants to see, and the “solution” proposed by the status quo revolves around forcing technology companies to provide a way for the state to have access to all secure communications when they deem it necessary.
Many technology experts have come out strongly against this plan. Leaving aside the potential civil liberties implications of giving the lawless maniacs in political control such power, there’s the notion that if you create access for one group of entitled people, you weaken overall security. Not to mention the fact that if the U.S. claims the right to such privileged access, all other countries will demand the same in return, thus undermining global privacy rights and technology safeguards.
We are already seeing this play out in embarrassing fashion. Once again highlighting American hypocrisy and shortsightedness, as well as demonstrating that the U.S. government does’t actually stand for anything, other than the notion that “might means right.” Sad.
With that out of the way, let’s turn our attention to the issue at hand. Specifically, how Tim Cook, CEO of Apple, threw down the gauntlet yesterday in a message to his customers. Here are a few critical excerpts:

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.
This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.
We were shocked and outraged by the deadly act of terrorism in San Bernardino last December. We mourn the loss of life and want justice for all those whose lives were affected. The FBI asked us for help in the days following the attack, and we have worked hard to support the government’s efforts to solve this horrible crime. We have no sympathy for terrorists.
When the FBI has requested data that’s in our possession, we have provided it. Apple complies with valid subpoenas and search warrants, as we have in the San Bernardino case. We have also made Apple engineers available to advise the FBI, and we’ve offered our best ideas on a number of investigative options at their disposal.
We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.
Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.
The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.
Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.
In today’s digital world, the “key” to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.
The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.
The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.
We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.
Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority. The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.
The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.
Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.
We are challenging the FBI’s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.
While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.
Indeed, as Edward Snowden noted on Twitter:
Tim Cook deserves tremendous credit for the courage to come out and so aggressively and publicly denounce what the FBI is trying to do. If he hadn’t decided to publicly challenge the court order and write a detailed treatise on precisely why, the American citizenry would be left completely in the dark. This would be an unethical and unacceptable position.
Second, this case could very well be headed up to higher courts. The greatest risk in these sorts of cases revolves around judicial ignorance when it comes to technology issues. The government knows all too well that most judges are clueless when it comes to tech, and that all they have to do is scaremonger with the word “terrorism” and judges will almost always default to the government position. Cook’s very public stance will at least shine some light on the issue and hopefully fuel robust, intelligent public debate which could inform judges ahead of being presented with technology related cases they don’t really understand.
I’d now like to share additional tidbits I discovered from various articles around the web on the topic. First, from Ars Technica:

“[The Department of Justice] went with the nuclear option,” Chris Soghoian, a technologist with the American Civil Liberties Union, told Ars.
Similarly, Ahmed Ghappour, a law professor at the University of California, Hastings, concurred.
“Here you have the government using a catch-all statute from the 18th century to compel a technology company to ‘assist’ law enforcement by designing custom software to backdoor an encrypted device,” he told Ars. “The ramifications of such a precedent could be tremendous. If the government can compel Apple to provide custom software, why can’t they compel Facebook to customize analytics that predicts the criminality of their user base?”
Now here’s what a member of Congress who actually understands technology had to say on the matter. From the Daily Dot:

federal judge’s order directing Apple to help the FBI break into the San Bernardino shooter’s iPhone effectively “forces private-sector companies like Apple to be used as an arm of law enforcement,” one of the most prominent pro-encryption voices in Congress said Tuesday night.
Rep. Ted Lieu (D-Calif.), a Stanford University computer-science graduate, wondered where the use of the All Writs Act—on which the magistrate judge based her ruling—might lead.
Critics of the order argue that, based on its wording, all software companies could be forced to insert potentially harmful code into their products, because, as the government argued, “writing software code is not an unreasonable burden for a company that writes software code as part of its regular business.”
“Can courts compel Facebook to provide analytics of who might be a criminal?” Lieu said in an email to the Daily Dot. “Or Google to give a list of names of people who searched for the term ISIS? At what point does this stop?”
Moving along, the Obama administration is now coming out and claiming that it’s not looking for a backdoor. Reuters reports:

Feb 17 The court ruling ordering Apple Inc. to help unlock an iPhone belonging to one of the San Bernardino attackers represents just one case, the White House said on Wednesday, emphasizing that the U.S. Department of Justice is asking the tech giant for access to a single device.
In a briefing with reporters, White House spokesman Josh Earnest deferred to the Justice Department but said it’s important to recognize that the government is not asking Apple to redesign its product or “create a new backdoor to its products.”
But let’s revisit Tim Cook’s exact words. He wrote:

They have asked us to build a backdoor to the iPhone.
Given the fact the Obama administration is essentially calling Tim Cook a liar, I decided to initiate a Twitter poll (final results are not yet in, but it stands at 94% voting Tim Cook).
Please share this post. It is monumentally important that as much of the public as possible (including judges) knows exactly what’s at stake here. Do we really want to sacrifice overall privacy and security in order to get information from one person’s phone?
Or what about the following question posed by cryptography professor Matthew Green:
These are enormous questions with tremendous implications. I just hope we as a society choose wisely.

In Liberty,
Michael Krieger


Source




No comments:

Post a Comment