Real Security Begins At Home (On Your Smartphone)

from the not-with-the-fbi dept

When the FBI sued Apple a couple of years ago to compel Apple's help in cracking an iPhone 5c belonging to alleged terrorist Syed Rizwan Farook, the lines seemed clearly drawn. On the one hand, the U.S. government was asserting its right (under an 18th-century statutory provision called the All Writs Act) to force Apple to develop and implement technologies enabling the Bureau to gather all the evidence that might possibly be relevant in the San Bernardino terrorist-attack case. On the other, a leading tech company challenged the demand that it help crack the digital-security technologies it had painstakingly developed to protect users — a particularly pressing concern given that these days we often have more personal information on our handheld devices than we used to keep in our entire homes.

What a difference a couple of years has made. The Department of Justice's Office of Inspector General (OIG) released a report in March on the FBI's internal handling of the issue of whether the Bureau truly needed Apple's assistance. The report makes clear that, despite what the Bureau said in its court filings, the FBI hadn't explored every alternative, including consultation with outside technology vendors, in cracking the security of the iPhone in question. The report also seemed to suggest that some department heads in the government agency were less concerned with the information that might be on that particular device than they were with setting a general precedent in court. Their goal? To establish as a legal precedent that Apple and other vendors have a general obligation to develop and apply technologies to crack the very digital security measures they so painstakingly implemented to protect their users.

In the aftermath of that report, and in a heartening display of bipartisanship, Republican and Democratic members of Congress came together last week to introduce a new bill, the Secure Data Act of 2018, aimed at limiting the ability of federal agencies to seek court orders broadly requiring Apple and other technology vendors to help breach their own security technologies. (The bill would exclude court orders based on the comparatively narrow Communications Assistance to Law Enforcement Act, a.k.a. CALEA, passed in 1994, which requires telecommunications companies to assist federal agencies in implementing targeted wiretaps.)

This isn't the first time members of Congress in both parties have tried to limit the federal government's ability to demand that tech vendors build "backdoors" into their products. Bills similar to this year's Secure Data Act have been introduced a couple of times before in recent years. What makes this year's bill different, though, is the less-than-flattering light cast by the OIG report. (The bill's sponsors have expressly said as much.) At the very least the report makes clear that the FBI's own bureaucratic handling of the research into whether technical solutions were available to hack the locked iPhone led to both confusion as to what was possible and to delays in resolving that confusion.

But worse than that is the report's suggestion that some technologically challenged FBI department heads didn't even know how to frame (or parse) the questions about whether the agency possessed, or had access to, technical solutions to crack the iPhone's problem. And even worse is the report's account that at least some Bureau leaders may not even have wanted to discover such a technical solution was already available—because that discovery could undermine litigation they hoped would establish Apple's (and other vendors') general obligation to hack their own digital security if a court orders them to. As the report puts it:

After the outside vendor successfully demonstrated its technique to the FBI in late March, [Executive Assistant Director Amy] Hess learned of an alleged disagreement between the CEAU [Cryptographic and Electronic Analysis Unit] and ROU [Remote Operations Unit] Chiefs over the use of this technique to exploit the Farook iPhone – the ROU Chief wanted to use capabilities available to national security programs, and the CEAU Chief did not. She became concerned that the CEAU Chief did not seem to want to find a technical solution, and that perhaps he knew of a solution but remained silent in order to pursue his own agenda of obtaining a favorable court ruling against Apple. According to EAD Hess, the problem with the Farook iPhone encryption was the "poster child" case for the Going Dark challenge.

There's a lot to unpack here, and one key question is whether "capabilities available to national security programs" — that is, technologies used for the FBI's counterintelligence programs — can and should be used in pursuing criminal investigations and prosecutions. (If such technologies are used in criminal cases, the technologies may have to be revealed as part of court proceedings, which would bother the counterintelligence personnel in the FBI who don't want to publicize the tools they use.) But the case against Apple Inc. was based on a blanket assertion by the FBI that neither its technical divisions nor the vendors the agency works with had access to any technical measures to break into Farook's company-issued iPhone. (Farook had destroyed his personal iPhones, and the FBI's eventually successful unlocking of his employer-issued phone apparently produced no evidence relating to the terrorist plot.)

Was the problem just bureaucratic miscommunication? The OIG report concludes that this was the fundamental source of internal misunderstandings about whether the FBI did have access to technical solutions that didn't require drafting Apple into compelled cooperation to crack their own security. (The report recommends some structural reforms to address this.) And certainly there's evidence in the report that miscommunication plus the occasional lack of technical understanding did create problems within the Bureau.

But the OIG report also suggests that some individuals within the Bureau actually may have preferred to be able to argue that the FBI didn't have any alternative but to seek to compel Apple's technical assistance:

The CEAU Chief told the OIG that, after the outside vendor came forward [with a technical solution], he became frustrated that the case against Apple could no longer go forward, and he vented his frustration to the ROU Chief. He acknowledged that during this conversation between the two, he expressed disappointment that the ROU Chief had engaged an outside vendor to assist with the Farook iPhone, asking the ROU Chief, "Why did you do that for?" According to the CEAU Chief, his unit did not ask CEAU's partners to check with their outside vendors. CEAU was only interested in knowing what their partners had in hand – indicating that checking with "everybody" did not include OTD's trusted vendors, at least in the CEAU Chief's mind.

I have to note here, of course, that the FBI has consistently opposed strong encryption and other essential digital-security technologies since the "Crypto Wars" of the 1990s. This isn't due to any significant failures of the agency to acquire evidence it needs; instead, it's due to the FBI's fears that its ability to capture digital evidence of any sort may someday be significantly hindered by encryption and other security tech. That opposition to strong security tech has been baked into FBI culture for a while, and it's at the root of the agency's fears of "the Going Dark challenge."

Let's be real: it's not clear that encryption will ever be the problem the FBI thinks it is, given that we live in what law professor Peter Swire has called "The Golden Age of Surveillance." But if the day that digital-security technology significantly hinders criminal investigations ever does come, then it would be appropriate for Congress to consider whether CALEA should be updated, or whether a new CALEA-like framework for technology companies like Apple should be enacted.

But that day hasn't come yet. That's why I favor passage of the Secure Data Act of 2018 — it would limit federal agencies' ability to impose general-purpose technology mandates through the courts' interpretation of a two-century-old ambiguous statute. (Among other features, the Act also would effectively clarify that the All Writs Act, a general-purpose statutory provision from the 18th century, can't be invoked all by itself to compel technology companies to undermine the very digital security measures they've been working so hard to strengthen.) In the long term, our security (in both cyberspace and meatspace) is going to depend much more on whether we all have technical tools that protect our information and data than it will depend on whether the FBI has a legal mandate compelling Apple to hack into our iPhones.

Of course, I may be wrong about this. But I share Apple CEO Tim Cook's argument that this public-policy issue ought to be fully debated by our lawmakers, which is a better venue for policy development than a lawsuit filed based on a single dramatic incident like the terrorist attack in San Bernardino.

Mike Godwin (@sfmnemonic) is a Distinguished Senior Fellow with R Street Institute.


Reader Comments


  • Ninja, 21 May 2018 @ 11:41am

    What's the difference of an encrypted iphone that cannot be decrypted in any way and a destroyed iphone?

    The evidence that *may* be contained within them is lost. And either way law enforcement has the duty of investigating and finding other means. And in the absence of any way to find a solution to the puzzle, well, tough luck. In any case what they should be doing with the utmost care is FOLLOW THE DAMN CONSTITUTION and respect citizens' rights.

    Let's face it, there are very few crimes where the human(s) behind them didn't leave any breadcrumbs that could be followed. We are fallible beings. But the very few cases where it's not possible via decent investigative means then tough luck, let's move ahead and hope the means present themselves via technological advancement (like the DNA thing we read a while back) or accept the criminal was good.

  • Uriel-238, 21 May 2018 @ 5:00pm

    This may be a bandaid on a bone fracture

    The FBI is essentially a rogue agency, ever since it switched the mission (under James _Golly I'm so devoted to the mission Comey, no less) from Law Enforcement to National Security.

    National Security is one of those things like good faith and fake news and terrorism that means whatever you want it to mean at the time.

    So until we disband the FBI and start a new federal agency whose mission is Law Enforcement again, I don't imagine they're going to stop pushing for more and more surveillance power that is in direct conflict with the Bill of Rights.

    This is at most a nudge toward the better, when we need an explosives-driven shove.

    • Uriel-238, 21 May 2018 @ 5:01pm

      That is...

      James Golly I'm so devoted to the mission Comey

      ...because today I can't markdown.

    • Thad, 21 May 2018 @ 5:11pm

      Re: This may be a bandaid on a bone fracture

      So until we disband the FBI and start a new federal agency whose mission is Law Enforcement again, I don't imagine they're going to stop pushing for more and more surveillance power that is in direct conflict with the Bill of Rights.

      You seem to be implying that there was once a time where the FBI wasn't pushing for increased surveillance powers.

      • Anonymous Coward, 21 May 2018 @ 5:26pm

        Re: Re: This may be a bandaid on a bone fracture

        … there was once a time where the FBI…

        Palmer Raids

        On August 1, 1919, [President Woodrow Wilson's Attorney General A. Mitchell] Palmer named 24-year-old J. Edgar Hoover to head a new division of the Justice Department's Bureau of Investigation, the General Intelligence Division (GID), with responsibility for investigating the programs of radical groups and identifying their members.

  • Bamboo Harvester, 21 May 2018 @ 6:11pm

    Common error (you should know better)

    "the U.S. government was asserting its right (under an 18th-century statutory provision called the All Writs Act)"

    The US government has NO *rights*. They have POWERS.

    Rights are exclusively individual, and apply to a person.

    NO group has ANY rights - be it a government, street gang (but I repeat myself), race, religion, or any other group.

    Groups take power by force, either direct, indirect, or implied, often to the detriment of the Rights of the members of that group.

    It's a common error, most often applied to Police having "rights", they don't - other than the same Rights everyone reading this has. Police have Powers granted to them, which CAN be removed.

    The same for any other group.

  • afn29129, 22 May 2018 @ 12:33am

    1861 v 2017

    In 1861 a plantation owner tells his slave to 'pick that cotton boy!' 'whatyamean you don't want to?' 'we have laws that say you are property and don't have any rights.'

    Fast forward to 2017

    In 2017 the US government tells Apple it must write some software. 'don't backtalk me!' 'We have the law that says you must do this you want to or not.'

    I really suspect that Apple would have had a very good argument that the All Writs Act wouldn't survive a 13th & 14th amendment challenge

  • Anonymous Coward, 22 May 2018 @ 7:38am

    I laugh at this whole going dark B.S. If anything it's been getting brighter and brighter. Look how many people these days have Mics on them and in their houses. Between Google Home and Amazon Alexa alone, with these mic arrays, it's better than in the past where Government would have to physically go inside your house and place mics around your place. You're now doing it yourself.

    You have a Mic and GPS tracking on you at all times with your Smartphone which they can gain access to. This whole going dark is a myth.

  • Anonymous Coward, 22 May 2018 @ 9:09am

    What are they called "smart" phones? These things are actually a spy device, or possibly a monitoring device - but it is no longer a phone and certainly not smart.

    • Anonymous Coward, 22 May 2018 @ 5:50pm

      Re:

      "Smart" in that it has a mind of its own. Something that's truly "smart" is rarely easy to control.

      "Phone" in the sense of "phoning home": "an act of client to server communication which may be undesirable to the user and/or proprietor of the device or software".
