As I've said many times over the years, on matters of technology policy and Internet security, sometimes I wonder if the US government ever left the 1990s.
Last evening a federal magistrate directed Apple to work with the FBI in facilitating their access to the seized iPhone of one of the San Bernadino attackers. But not content to remain in the 1990s, the judge invoked the All Writs Act -- first enacted in 1789, its amended version has become the seemingly de facto legal basis for US federal law enforcement to try and compel its way into, through, or around technology security controls.
The text of the court order is here. Although it does not direct Apple to break the encryption per se, it asks the company to disable features that make it more difficult to brute force the device security capabilities -- such as the function that disables (er, self-destricts) the device after multiple attempts to enter a PIN number.
While that sounds innocuous enough, it is likely such access cannot be granted on a device-by-device basis upon demand by law enforcement, although some technologists believe it possible. Rather, unless Apple demonstrates the technical, economical, or temporal infeasability of complying with the judge's order or gets the order lifted, the consequence may well be an update/patch to IOS that would implement that proverbial "backdoor" feature that certain law enforcement officials -- specifically, FBI Director James Comey -- allege is needed to protect the country, citizens, and (think of the) children from Any Number of Evil-Sounding Things That May or May Not Be True(tm). By contrast, NSA Director Admiral Mike Rogers has already stated publicly there is no need for such backdoors or law enforcement access, and that strong Internet security features are more of a benefit than risk to society -- despite that perennial and selectively sensational hand-wringing by prominent law enforcement and/or intelligence officials. Meaning, we can't discount the notion that Comey's quest for such access is little more than a turf battle between the FBI and NSA over computing capabilities, something that surveillance maximalists in Congress are only too happy to support. Thankfully, some members of Congress -- namely Stanford CS graduate Ted Lieu -- already are speaking out and sounding the warning about the very slippery slope these actions may create over time.
Wired's Kim Zetter notes that this request suggests the FBI is confident in its ability to brute-force passwords and PIN numbers. Perhaps that's true --- although I can't help wonder if the FBI would otherwise be forced to delegate such duties to more computer-savvy organizations such as the NSA, potentially under a secret cybersecurity cooperation agreement relying on the controversial practice of parallel construction. Or maybe the FBI simply wants the ability to do this stuff on their own without any external assistance but with some legal precedent to help that process along? (Conspiracy theories abound....)
Apple CEO Tim Cook has already responded to the issue in an open letter to customers, vowing to fight the order, reiterating the company's defense of strong product security and condemning the government's renewed attempts to weaken encryption and/or mandate backdoors to customer data.
Date published: February 17, 2016