We Read All 20 Filings In Support Of Apple Against The FBI; Here Are The Most Interesting Points

from the it's-a-crypto-party dept

Support our crowdfunding campaign to help us keep covering stories like these!

In the last week or so, it became quite clear that a fair number of tech companies and organizations in the civil liberties community would file amicus (friend of the court) briefs urging magistrate judge Sheri Pym to side with Apple over the Justice Department and the FBI. However, now that the briefs are in, it’s fairly staggering just how many companies, organizations and individuals signed onto briefs supporting Apple. Yes, many of them teamed up and filed briefs together, but it’s still a ton. And that’s especially true for an issue at the district court level in front of a magistrate judge. Here’s the big list put together by Apple, including links to various blog posts and press releases about the filings:

Amicus Briefs

Letters to the Court

Not entirely sure why, but Apple (at least as I’m writing this) did not include one other amicus brief on its side, which is from Lavabit, the one company out there should should have tremendous perspective on Apple’s situation, given that it shut down its entire business to avoid having to hand over its encryption keys to the government. At this point, we just have Lavabit’s motion for leave to file its brief, rather than the full brief. If and when that brief is released, we may address it separately.

I’ve also put all of these together in a collection which are embedded below (which also lets you search through the text of them all).

Having read through many of them (and skimmed the rest), there are certainly some common themes. Frankly, an awful lot of them do really feel like they’re just a rehashing of Apple’s motion to vacate, repeating the claim that the All Writs Act should not apply (and that CALEA already covers this issue and doesn’t allow such a solution). Obviously, all the filings from the various tech companies are getting a lot of the press attention, and they’re worth reading to perhaps better understand a few of the key legal points that Apple is raising. Similarly, the filings from civil liberties/human rights groups aren’t all that surprising either — focusing more on some of the human rights questions. The EFF brief is a bit different in focusing on the First Amendment issue, which many expect won’t even be looked at by the courts. It’s really the only brief that digs deeply into that issue and is worth a read for that reason (I’ve seen legal experts in fairly strong disagreement about the applicability of the First Amendment argument here).

Separately, I thought that the filing from EPIC was worthwhile as well, in focusing in on the importance of encryption on phones these days because so much personal information is accessible from phones and because unencrypted phones are such a big target for criminals. That’s a slightly different perspective that isn’t covered nearly as much by other filings and actually could be a useful perspective for the court.

However, the most interesting filing of all may be the one filed by a group of iPhone Security and Applied Cryptography Experts, and put together by Jennifer Granick and Riana Pfefferkorn from Stanford’s Center for Internet and Society. That brief is super educational in getting down into the weeds of just how dangerous it would be for Apple to create this code. Since so many people — including the DOJ — seem to think that Apple can just create this code and then make it disappear, this filing is super useful in debunking that claim. It first notes that the Court did try to put in some “safeguards” against abuse of the code, but then explains why those won’t help:

These rules are not meaningful barriers to misuse and abuse of the forensic capabilities this Court is ordering Apple to create. First, the Order assumes that Apple will create the Custom Code without any vulnerabilities in its implementation. Vulnerabilities are common in software code, including Apple?s iOS, and despite Apple?s best efforts. The government dismissively downplays the effort required to develop and update the Custom Code, stating that Apple ?writes software code as part of its regular business,? including ?routinely patch[ing] security or functionality issues? in iOS and ?releas[ing] new versions of [iOS] to address issues.? Application at 15. But creating software (especially secure software) is complex, and software development requires rigorous testing.

Vulnerabilities are common in software code, despite vendors? best efforts. To address this problem, vendors employ extensive pre-release testing; after-thefact audits, including by independent security researchers; and regular updates. Yet none of these practices, alone or in concert, can ensure that software will not be vulnerable and subject to misuse. Yet, given the circumstances of this case, this code is unlikely to go through this lifecycle, increasing the risk that it will introduce vulnerabilities into the iPhone ecosystem.

For example, since first introducing the earliest iPhone, Apple has waged a cat-and-mouse battle with ?jailbreakers,? software developers who identified and exploited vulnerabilities in the devices in order to run software other than that signed by Apple and to defeat carrier locks that tied handsets to particular cellular providers. Apple warns its users against jailbreaking and the practice is contrary to Apple?s terms of service. Jailbreaking involves modifying the iPhone firmware so that it will run software code without checking to see if the code has been signed by Apple. When Apple releases a new iOS, scores of independent programmers study the code, successfully finding ways to circumvent Apple?s imposed restrictions. In response, Apple issues software updates to defeat these jailbreaks. Eventually, the jailbreaking community finds new ways to circumvent controls built into Apple?s increasingly secure iOSes. Today, all iOS versions through 9.2 are jailbroken, even though doing so is increasingly harder due to Apple?s efforts.

In other words, vulnerabilities in Apple?s software have persisted for years even though Apple very much does not want them to. This is a lesson for this case. Apple can try its very hardest to create this Custom Code as the Court directs. Nevertheless, it may well fail, as it has acknowledged to the Court…. Even with time and extensive testing, which the government?s sense of urgency seems designed to deny Apple, it is extremely difficult to write bug-free code. Software bugs can interact with existing code in complex ways, creating unanticipated new paths for bypassing iPhone security and exploiting the phone.

This is a point that so few people outside of the tech world seem to get. Security vulnerabilities exist and software (and hardware) are incredibly complex. Purposefully creating vulnerabilities likely creates even more vulnerabilities and those can be pretty dangerous. And that’s especially true in a situation — such as this one — where Apple will have to create the code entirely by itself, and without any outside security audit possible.

Furthermore, the brief notes the fact that, contrary to what many keep insisting, there’s a high likelihood that any such code will leak out:

This Court also allowed the Custom Code to stay with Apple, rather than go to the FBI. Simply put, if no one else has the Custom Code, no one else should be able to use it, at least not without Apple?s knowledge. However, once created, this software is going to be very valuable to law enforcement, intelligence agencies, corporate spies, identity thieves, hackers, and other attackers who will want to steal or buy the Custom Code. Keeping the Custom Code secret is essential to ensuring that this forensic software not pose a broader security threat to iOS users. But the high demand poses a serious risk that the Custom Code will leak outside of Apple?s facilities.

Other governments, or ours, may eventually compel Apple to turn the Custom Code over so that law enforcement officials can unlock phones without delay or Apple oversight. Authoritarian governments will likely be the most enthusiastic customers for the Custom Code this Court is contemplating ordering Apple to create and sign. The software will be used in China, Russia, Turkey, the United Arab Emirates, and other governments with poor human-rights records where iPhones are sold.

Inadequate security practices by those governments increase the risk that attackers will acquire and use the Custom Code. Given the Custom Code?s value, unscrupulous government officials in corruption-plagued jurisdictions could foreseeably sell the Custom Code to third parties. For example, if the Russian government compelled Apple to hand over the Custom Code, it could end up being sold by a corrupt agent to a Russian identity-theft ring. Even without selling it, corrupt officials could also use the code for their own agendas, such as to target political or personal enemies who had broken no law. Journalists, human-rights advocates, religious and sexual minorities, and others in those countries are at much greater risk if software that can bypass passcode limitations exists.

There is also a danger that the Custom Code will be lost or stolen. The more often Apple must use the forensic capability this Court is ordering it to create, the more people have to have access to it. The more people who have access to the Custom Code, the more likely it will leak. The software will be valuable to anyone eager to bypass security measures on one of the most secure smartphones on the market. The incentive to steal the Custom Code is huge. The Custom Code would be invaluable to identity thieves, blackmailers, and those engaged in corporate espionage and intellectual property theft, to name a few.

Those technicians responsible for using the Custom Code to comply with access demands will likely be targeted by phishing attacks?emails carefully designed to seem legitimate but which contain malware?that seek to steal the Custom Code. The same technicians will be approached with offers to buy the software. The price offered could be irresistibly high, as the Custom Code will be worth a lot to foreign national security officials and organized crime syndicates, and can be sold to multiple customers. Or Apple technicians may be blackmailed to the same end. In short, the Custom Code will be exceedingly valuable and in danger of leaking or being stolen.

Finally, that brief also notes a key point being raised increasingly by security experts: that if a company can be forced to remove security features in an automatic update, it creates incentives for people not to update their devices, which will open up many more serious security problems:

Automatic updates are an important way that software companies ensure their users are as protected as possible from attackers, without inconvenience, significant effort, or technical savvy on the part of the user (who is more likely to install security updates when there is little or nothing she needs to do). These autoupdates are one of the reasons why the millions of iPhones currently in use worldwide are very secure.

Consumers (and their devices) trust these auto-updates because they are signed by the vendor. A cryptographic signature from Microsoft or Apple assures the user that the software she is about to install legitimately comes from the company she trusts. It is akin to Apple saying, ?This is Apple, and we stand behind this software.? Here, however, the Court is contemplating ordering Apple to sign software it does not stand behind and in fact considers ?too dangerous to build.? …. And the next logical step if this Court enforces its Order is for the FBI to ask to compel other vendors, in addition to Apple, to sign other software that bypasses other customer security measures, creating new and different risks.

This is why compelling cryptographic signatures is extremely risky. Automatic software updates are a crucial vehicle for maintaining the security of iOS devices and other computers, but they can be effective only so long as users continue to trust them. If the Court compels Apple to create and sign the Custom Code in this high-profile case, then all computer users, especially those for whom smartphone privacy may already be a concern, could become suspicious of all software updates going forward. That is because a member of the public could reasonably fear that in the future, even a signed software update from a trusted vendor will bypass passcode limitations, convert her iPhone into an audio or video recording device, or otherwise interfere with her property, privacy, or security interests. Users will know that these updates could be software designed to extract private data from the user?s machine, but which a company was forced to sign at the behest of some court, law enforcement, or other government official. The code would be indistinguishable from a genuine update created, signed, and transmitted of the vendor?s own free will.

This distrust would have serious ramifications for computer security at large. In response, some users would likely stop accepting iOS updates (which users must choose to install), in which case their machines will remain unprotected against vulnerabilities that legitimate automatic updates would have patched. Importantly, the impact of unpatched devices is not limited to those devices. Vulnerable software that has not been updated can become a vector for spreading malware, potentially compromising other machines on the network. The more users who turn off automatic updates, the more devices, the more information, the more people put at risk. Just as herd immunity to a disease is lost if enough members of the group are not vaccinated against the disease, if enough users stop auto-updating their devices, it will weaken the entire device security ecosystem. Indeed, one computer security expert has likened automatic updates to ?a public health system for the Internet.? It is this whole system which the Court ultimately threatens to put at risk should it enforce its Order to Apple.

Good stuff. One hopes that the judge will read this brief, in particular, carefully.

The other two things that were most interesting were not amicus briefs, but merely two of the letters to the judge. First was the letter from the UN Special Rapporteur on “the protection and promotion of the freedom of opinion and expression,” David Kaye. He adds in some additional perspective about how the right to secure communications and encryption is a fundamental part of freedom of expression, including quoting from his own report on the benefits of encryption for the public, along with the challenges it presents for law enforcement. As he concludes:

My concern is that the subject order implicates the security, and thus the freedom of expression, of unknown but likely vast numbers of people, those who rely on secure communications for the reasons identified above and explicated in more detail in the report. This is fundamentally a problem of technology, one where compromising security for one and only one time and purpose seems exceedingly difficult if not impossible. Again from the report, ?States must show, publicly and transparently, that other less intrusive means are unavailable or have failed and that only broadly intrusive measures, such as backdoors, would achieve the legitimate aim.? … It is not clear that the Government has tried other means short of compelling Apple?s code-writing in this case, such as enlisting the technical expertise of other agencies to access this particular phone.

Finally, there’s the letter from Salihin Kondoker, whose wife, Anies, was one of the people shot, but not killed, in the attack. That letter is truly worth reading. He notes that while he has been “frustrated that there isn’t more information” as to why the attack occurred, and that he was initially frustrated that Apple might be a roadblock. But then, as he understood more of the details, he supports Apple’s decision.

When I first learned Apple was opposing the order I was frustrated that it would be yet another roadblock. But as I read more about their case, I have come to understand their fight is for something much bigger than one phone. They are worried that this software the government wants them to use will be used against millions of other innocent people. I share their fear.

I support Apple and the decision they have made. I don?t believe Tim Cook or any Apple employee believes in supporting terrorism any more than I do. I think the vicious attacks I?ve read in the media against one of America?s greatest companies are terrible.

In my opinion it is unlikely there is any valuable information on this phone. This was a work phone. My wife also had an iPhone issued by the County and she did not use it for any personal communication. San Bernardino is one of the largest Counties in the country. They can track the phone on GPS in case they needed to determine where people were. Second, both the iCloud account and carrier account were controlled by the county so they could track any communications. This was common knowledge among my wife and other employees. Why then would someone store vital contacts related to an attack on a phone they knew the county had access to? They destroyed their personal phones after the attack. And I believe they did that for a reason.


Finally, and the reason for my letter to the court, I believe privacy is important and Apple should stay firm in their decision. Neither I, nor my wife, want to raise our children in a world where privacy is the tradeoff for security. I believe this case will have a huge impact all over the world. You will have agencies coming from all over the world to get access to the software the FBI is asking Apple for. It will be abused all over to spy on innocent people.

You never know how much weight a court will put on these things. Amicus briefs often are little more than a chance for some publicity for those filing them. But many of these briefs (and letters) are detailed, thoughtful and actually do add compelling and important perspectives on the larger issues involved in this case. Hopefully the judge pays attention.

Support our crowdfunding campaign to help us keep covering stories like these!

Filed Under: , , , , , ,
Companies: apple

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “We Read All 20 Filings In Support Of Apple Against The FBI; Here Are The Most Interesting Points”

Subscribe: RSS Leave a comment
That One Guy (profile) says:

A tricky balance

So on the one hand you’ve got the government arguing that there might be something valuable on the device, with one particularly… enthusiastic individual claiming that the phone may have evidence of a ‘dormant cyber pathogen’…

And on the other hand you’ve got various companies, security experts, human rights and privacy groups all pointing out that forcing Apple to decrypt the phone would open a pandora’s box of problems, both directly and indirectly.

Between the two you’d think the decision would be an easy one, hopefully the judge in this case, and whichever judges are involved in the appeal(s) rule on the right side.

Bergman (profile) says:

Re: Re: Re: Both sides of the story

I agree with you, the people panicking over changing climate — without once ever proving that such a change is even a bad thing — who insist that the science is settled and not open for debate with no room for dissenting views do lack legitimate expertise.

Oh, did you think your side was inherently right? Sorry, science doesn’t work that way. That would be religion.

Anonymous Coward says:

Re: Re: Re:2 Both sides of the story

You could argue over the meaning of “bad thing” i dont know if you can argue about what temperature ice melts at. You can argue over the methodology used to calculate the volume of water stored in the ice caps you cant argue that more water in the ocean causes sea levels to rise. I dont think you can argue that a lot of populous areas and cities are closr to or below sea level. Who knows maybe jesus put all the sea shells in the desert you can definatly have in infinite argument about that.

tqk (profile) says:

Re: Re: Re:3 Both sides of the story

You could argue over the meaning of “bad thing” …

No need to go that far. I can stop at “it is, always has been and always will be, a dynamic system which is only poorly understood.” Look, but touch sparingly, because you’ve no idea really what anything will cause it to do.

Its behavior has been surprising us since we came to exist and that’s pretty much the nature of the beast.

Anonymous Coward says:

Re: Re: Both sides of the story

If you look at both sides of this issue and eliminate any perceived bias… you get only one side. The DOJ and FBI have yet to argue anything that actually makes technical and legal sense, regardless of whether it is desirable for society as a whole.

At least climate change deniers have “if we ignore it we can make more money in entrenched markets in the short term!” on their side, as well as the fact that there’s been some shoddy science (some, not most) on the climate change side of things. The FBI doesn’t even have THAT.

Wyrm (profile) says:

Re: A tricky balance

Yes, one can hope.
France had a “debate” after January last year. It was about pushing for new and quite extreme laws extending the government ability to spy on basically everyone.
A handful of politicians were all for it; all security, legal and even counterterrorism experts were against it.
Can you guess what the result was?

Anon says:

The Other Question

What if anything does this require human beings to do? If I work for Apple, can I decline to participate in this effort?

What if Apple hints, since they can’t outright say, that participation would be career-limiting? And no engineer wants to do this work? Can the court force a specific engineer to do something like that? Can they force Apple to turn over the proprietary guts of their core business so an outsider can take a crack?

This isn’t “turn over the key”, this is “here’s a lock you figure out how to pick it”. It requires creative new input.

Jack says:

Re: Re: The Other Question

Hell No – if I worked for Apple I’d be all over this! The Hacking Company can pay something like 6 figures for a compromised CA. I would imagine you could become a multi millionaire very, very easily with this. This would be worth a stupid amount of money. Count me in…

Hey Apple, do you have any positions open for this? You don’t even have to pay me!

Anonymous Coward says:

Amicus briefs in opposition to Apple

I’m still catching up on all my reading.

However, yesterday, Courthouse News Service published a story by Matt Reynolds, which contains links to two of the amicus briefs filed in opposition to Apple.

Battle Lines Drawn in Apple’s Fight With FBI

• “Amicus Curiae Brief of Greg Clayborn, James Godoy, Hal Houser, Tina, Meins, Mark Sandefur, and Robert Velasco”

• “Brief of Amici Curiae Federal Law Enforcement Officers Associaton, Association of Prosecuting Attorneys, Inc., and National Sheriffs’ Association In Support of The Government’s Motion To Compel Apple, Inc. To Comply With This Court’s February 16, 2016 Order Compelling Assistance In Search”

Anonymous Coward says:

Point of Order...

… Lavabit … shut down its entire business to avoid having to hand over its encryption keys to the government.

Not quite correct, as the request to submit describes:

After a lengthy legal battle, and a potential contempt charge, Lavabit surrendered the private encryption key. Lavabit then chose to cease operation of the e-mail service.

So they did comply with the court order, in the end. They just salted the fields as they retreated.

Anonymous Coward says:

What is said about refusing updates is very true. I for one have done this because I don’t agree with some of those updates. I own a Kindle Fire. It’s not going to connect to the internet to receive that update that will remove the encryption from the OS. Nor do I agree that I should just let Microsoft decide that nag screens to get you to change over to one of the most datamining intensive new OSes in the form of Win 10 is something I want. I don’t want 10 gigs of hard drive space consumed in preparation for this new OS I don’t intend to install. Nor do I agree with the new permissions that Microsoft has given itself in the TOS.

So updates have come to a halt.

Anonymous Coward says:

Actual Brief

Via David Kravets’ Mar 4, 2015 story at Ars Technica, “What is a ‘lying-dormant cyber pathogen?’ San Bernardino DA won’t say”, here’s a copy of the actual brief which was uploaded to DocumentCloud by Cyrus Farivar—

San Bernardino County District Attorney Amicus Curiae Brief In Support of the United States Government

afn29129 (profile) says:

13th Amendment.

13th Amendment.
Section 1. Neither slavery nor involuntary servitude, except as a punishment for crime whereof the party shall have been duly convicted, shall exist within the United States, or any place subject to their jurisdiction.

Section 2. Congress shall have power to enforce this article by appropriate legislation.

I wonder why this angle hasn’t been raised yet. specifically the ‘involuntary servitude’ bit.

Whatever (profile) says:

What I find interesting here is that it’s as if there are two groups arguing about different things, but related. It’s hard to compare them because they aren’t the same.

The courts order does not force Apple to update everyone’s phone. It doesn’t force them to make secret updates that will make your phone less secure. It doesn’t order Apple to change their current OS that is on your phone or make your phone less secure.

Many of briefs seem to be stuck on this very notion. Much of the scaremongering going on runs exactly down that road. I personally think that Amazon pulled the “removing encryption” thing to scare people (and oh yeah, they walked it back so fast they probably have corporate whiplash).

It’s really sad to see how quickly this has gone away from the subject at hand and been turned into something really scary and mean.

Whatever (profile) says:

Re: Re: Re:

The problem with playing that game is that you can argue almost ANY conclusion, and be right. I just think it’s insanely misleading to suggest that Apple is being asked by this court order to roll out an update to all users that would make their phone less secure.

If you want your phone to be more secure, move to an 8 or 10 digit pincode – or use an even longer pincode for your encrypted documents. Then even if Apple let this update out into the wild and supported it being applied to phones without bricking them, you would still be many times MORE secure than you are today.

John Fenderson (profile) says:

Re: Re: Re: Re:

“I just think it’s insanely misleading to suggest that Apple is being asked by this court order to roll out an update to all users that would make their phone less secure.”

I haven’t heard that many people making this argument, which is good since, as you say, it’s a misleading one.

The actual argument is this: the government is using this case to set a legal precedent that would allow them to force any tech company to go to extraordinary lengths to break your security.

If this is successful, it simply means that this is another aspect where you are prevented by law from being able to trust the tech that you use and the companies that provide it.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...