from the fresh-out-of-master-keys dept
Apple has entered its response to federal magistrate judge James Orenstein's request that the company explain whether or not unlocking an encrypted iPhone would be "burdensome." It was the judge calling the bluffs of everyone involved in the new Crypto War, but mainly the FBI's.
A key issue in the encryption debate, part of a larger discussion of what the FBI calls its “going dark” problem, is to what extent the government can force companies to provide “technical assistance” under current law.The DOJ is attempting to use a 1789 act to unlock a phone running a 2013 operating system. Orenstein made several points in his order requesting Apple's participation, including the fact that the FBI's abuse of an old law was at odds with director James Comey's claim that he desired a "public debate" about encryption and public safety.
In the Apple case, the government asserted its request “is not likely to place any unreasonable burden on Apple.”
Orenstein said, “I am less certain.”
Apple's brief points out that "burdensome" may soon become indistinguishable from "impossible." As was noted earlier, this case concerns a phone running an older version of the iPhone's system software. Apple admits it can access a certain amount of data if the judge signs off on the All Writs order.
For these devices, Apple has the technical ability to extract certain categories of unencrypted data from a passcode locked iOS device. Whether the extraction can be performed successfully depends on the device itself, and whether it is in good working order. As a general matter, however, certain user-generated active files on an iOS device that are contained in Apple's native apps can be extracted. Apple cannot, however, extract email, calendar entries, or any third-party app data.As for the question of whether this possibility veers into "burdensome" territory, Apple had this to say:
[T]he act of extracting data from a single device in good working order, running an operating system earlier than iOS 8, would not likely place a substantial financial or resource burden on Apple by itself. But it is not a matter of simply taking receipt of the device and plugging it into a computer. Each extraction diverts man hours and hardware and software from Apple’s normal business operations. And, of course, this burden increases as the number of government requests increases.Apple then points out that the burden doesn't end with unlocking the phone and retrieving whatever data it can. It would also need to send legal representatives and witnesses to court to explain the process and testify to the veracity of the retrieved data.
Apple also notes the "burden" would be felt in more than just man hours.
Apple has taken a leadership role in the protection of its customers’ personal data against any form of improper access. Forcing Apple to extract data in this case, absent clear legal authority to do so, could threaten the trust between Apple and its customers and substantially tarnish the Apple brand. This reputational harm could have a longer term economic impact beyond the mere cost of performing the single extraction at issue.A footnote states that Apple has performed this sort of service for law enforcement on previous occasions, but only within the limited scope of warrants seeking specific data or information. It has never done so under the vague, broad authority of an All Writs order.
But the brief also points out that what is possible to achieve with this operating system version will no longer be possible going forward.
In most cases now and in the future, the government’s requested order would be substantially burdensome, as it would be impossible to perform. For devices running iOS 8 or higher, Apple would not have the technical ability to do what the government requests—take possession of a password protected device from the government and extract unencrypted user data from that device for the government. Among the security features in iOS 8 is a feature that prevents anyone without the device’s passcode from accessing the device’s encrypted data. This includes Apple.Underscoring this point, Tim Cook spent the same day this response was delivered (Oct. 19th) being interviewed by Gerard Baker, the executive editor of the Wall Street Journal. Cook reiterated Apple's stance on encryption: either it works and keeps everyone out or it doesn't.
“We think encryption is a must in today’s world,” says Cook. “No back door is a must.”That's the way it has to be if anything's going to be truly secure. The FBI will have to find other routes to obtain data. It can no longer expect that running to the manufacturer of a phone will allow it obtain what it wants. It will have to find a new approach, one that engages with third-party applications and possibly even the owner of the phone, which is the way it should be.
“No one should have to decide privacy or security. We should be smart enough to do both.”
“If there was a way to expose only ‘bad’ people … that would be a great thing. But this is not the world,” says Cook.
“I think it would be in everyone’s best interest … if everyone is blocked out,” he says.