Apple's refusal to allow backdoor access to its iPhones

Both Keith and myself brought up the New York decision on page 1 of the thread. One thing that isn't mentioned is that Apple was rather crafty here, timing their statement in the New York case so that the judge could rule before their response in the San Bernardino case.

Apple played the game well here, and won this round. Let's see if they can win it all.

It's one thing to have an order to access information on a phone, and in the case of Apple, it's something very different to be ordered to create a means, a tool, and product, a unique operating system (GovOS), to defeat the capability to keep information secure and private.

I don't think Apple really cares about the other case. Apple is all in, they are going to litigate, regardless of other cases.

Beyond this case, it appears that the ability to protect one's privacy is better than the ability to violate that privacy. That is where this is heading, it will be in the hands of Congress pretty soon. More cases like this with Apple and other entities that use encryption will happen and Congress will have to get involved.

I'd have to search for the source, but according to an article I was reading, Apple timed their response in the New York case so the judge's ruling would happen prior to this one. Where New York has bearing is in the government's use of the All Writs Act to compel Apple's assistance contrary to Apple's interests. By denying the government's motion in New York Apple has legal ammo to use in San Bernardino.

I wonder if the FBI has tried these passwords?

I stand with Apple, 'Liberty-Security etc'

The New York case may be a dirt bag Drug Dealer, but he owns that phone. San Bernardino County owns the terrorist phone and has said open it!

I'm not a legal scholar, but that All Writs Act is baffling. From what I have read about its intent and use, it appears to be a law that is used when no other law/substantiation can be found, it is a non-specific catch-all law to grant authority when nothing else works. Kinda like being in an argument with someone, and they run out of legit arguing points, and they lash out with "Oh yeah, well your face is ugly." Or when a parent has to pull out the, "Because I say so."

As far as Apple's response and timing, if you read the Court Orders, there are specific response timing requirements. There is little latitude in timing a response. One of the Court Orders allowed for only 5 days to respond. I have to think that timing restriction with all the other cases with pending decisions where authority is using the Courts to get at data on a phone, that could number in the hundreds, and Apple trying to strategically and tactically time their response for some dramatic effect, is quite a stretch. If the Judge in NY had released that decision after Apple made their submission, I think it would have been just fine. That NY decision will then be available to Apple for reference in the next submission, and that is where it will be useful. What if that NY judge ruled that law enforcement could not have the requested access to the phone? I maintain that Apple is all-in, they are going to fight their own fight, and probably set some precedent along the way. And both sides, Apple and the FBI, had plenty of substantiating case law in those Court Orders and responses. This NY case is a drop in the bucket of case law that can be referenced.

But the means to "open" the phone does not exist. The FBI Court Order directs Apple to create the means to "open" the phone, defeating all security and privacy. Please understand that the FBI CAN NOT GET INTO THE PHONE! All the super spy capability of the US can not get into the phone.

There was a recent article from a reporter/writer that was on a flight. His computer was hacked while he was on the plane. The guy sitting behind him saw that he was interested in this Apple vs FBI case, and he hacked into the writer's computer. When the flight ended, the hacker told the writer what he had done, and showed how easy it was and how devastating it can be.

So there either is security and privacy, or there isn't.

And never use WiFi or Bluetooth on a plane.

The county failed to use the device management tools Apple makes available so that they themselves could have managed the device and not needed Apple to do anything.

In the recently released iOS 9.3 beta, Apple makes it "abundantly clear if your work iPhone is being tracked by your employer." I'm not so sure Apple is working with them behind closed doors. I think in light of this case, Apple is taking extra steps to keep the iPhone user informed if their data privacy is at risk because it is a major concern for the majority of their users.

Check out this article

http://9to5mac.com/2016/03/02/ios-9-3-makes-it-abundantly-cl...

Apple also wants users to use Apple Pay. Apple takes .15% per Apple Pay transaction. That may not sound like a lot, but it certainly adds up. If consumers know there is a backdoor to their credit/debit cards and any other personal info, this would deter many from using Apple Pay possibly even from using the iPhone. Plus if there is a backdoor, hackers would be all over trying to get in. It's in Apple's interest to side with the consumer and show its fighting big brother for their privacy.

Apple's protection of its users.

diesel, I'm confused. The NY judge DID rule that law enforcement couldn't have access to the phone.

Phil

What would it mean to Apple's case where they are being ordered to hack their own security, and their response to the Court Order demanding that they access a phone for the FBI? Not much. There are many cases that can be used either for or against. None appear to be the "straw that broke the camel's back".

The company I work for has a document all employees must agree to that states, "If you choose to use your personal equipment (Cell / SmartPhone, Computer) for business purposes, it gives the company an unrestricted legal right to take your cell phone / SmartPhone / computer and inspect it, collect any and all data, pictures, txt messages, contact lists for whatever purposes they are fit."

After consulting with a couple of attorneys on the language presented in the company document, I was advised not to so much as call my business using my personal cell / smartphone to tell them I would be late or notcomming in. Same for my computer.

I switched out my smartphone, got a new number, built a New personal computer.

So since I don't have a land line in the house and all I have is a personal smartphone and work gave me a smartphone for business, I only talk to them using their device.

For an emergency contact number I have my business smartphone listed.

On the weekends when I run around town, yup, you got it my business smartphone sits on my coffee table until I go to work.

When I go on vacation, I leave my smartphone plugged in and charging on my desk at work.

Hey, the company made these stupid and silly rules, not me.

I'm stringently complying with the legally enforcable corporate documents as it pertains to use of personally owned equipment for business purposes.

I'm not paranoid, I'm just not going to take unnecessary legal risk with my company.

For what it’s worth, I side with the FBI on this. What if ISIS manages to obtain a nuclear device as they’ve said they want to. And its location in Manhattan was known to be stored in a confiscated but locked iPhone? Is it still “Stand firm Apple. Tough luck NYC”? (This may sound like a Hollywood movie but so did 9/11 until it happened.)

Secondly, I find it baffling how many folks side with Apple on this, standing firm that their privacy must not be violated, yet they willingly download some app to that same phone from a company they’ve never heard of, hitting ‘Agree’ to the license agreement without reading it, and oblivious to the data that the app may be sending back to the company. Why do you think the app was free? It's very likely they are selling your "private" data in some fashion.

I put data on my phone expecting it to be compromised at some point. I don’t use it to hold any private information. I think it would be foolish to do so.

An appeal has been filed by the Justice Dept. on the NY decision:

http://www.nytimes.com/2016/03/08/technology/justice-dept-ap...

FBI wants backdoor, in case they lock themselves out.

http://mobile.nytimes.com/2016/03/02/technology/apple-and-fb...

Suppose I lose or forget my iPhone passcode and I go to Apple and say "open it!". Do you think they will just jump to it? Being the owner of the phone doesn't make any difference in getting it open,

My friends in the military and law enforcement always want more power. They see more power as more safety but it is a never-ending cycle. When police got the power to tap phone lines the smart crooks switched to different ways to communicate. The San Bernadino terrorists had two phones, the city's phone and a personal phone. The personal phone was smashed to bits which means they knew there was nothing on the city phone. If they get into the city phone there is not going to be a list of Favorites: Jihadi John, Suicide Vests are Us, etc.

As each electronic method of communication is tapped the crooks figure out ways around it. Bin Laden had no phones or Internet. It was only when his courier turned on the phone briefly outside the compound that he was able to be caught. Hand written notes still cannot be tapped.

Encryption makes life harder for cops but it also makes things safer for those who need communicate business without Chinese eavesdropping.

Interesting combination of events from someone that was hacked, or had his privacy violated, or the reason why security is important:

http://www.usatoday.com/story/tech/columnist/2016/02/24/got-...

The IRS wants you to declare personal use of business phone, its a perk and taxable

The terrorist did not he was not the owner, the owner waived that right. Also, I do not believe its a case of hacking or creating a special program, they simply need to load a update to that phone, that by passes or eliminates a wipe feature

The flaw in your reasoning is Apple would have to CREATE that software feature which doesn't exist. That's the central point in Apple's argument - You can't make me create a program that will undo my security. There are a couple of other issues involved in this mess as well. The primary issue is IF the phone had been backed up to Apple's cloud, the data could have been retrieved from the cloud. From the reports being circulated, the FBI bungled the opportunity by telling the city to reset the phone which changed the password and did other things without doing a backup first. As there was no backup before reset, the data was lost.

Now, this is how I think the situation came about, but then I don't use Apple products so I'm relying on hearsay reports.

Hence the reason I do not back up my data to the "cloud". I don't know where that cloud is kept (India, US, etc.) and I have no control over the security used to safeguard my personal information. I keep some things on the cloud (like POI files) but none of that data is my personal information and can be had from many other public sources already. Yes, it is easier, and more convenient, but at the risk of my personal information? I don't think so.

I think you misunderstood...

I don't use my personal devices for any business related activities... All business related calls come in on my business distributed cell phone.

I don't use my business devices for any personal related activities... If at work, and I need to make a personal call, I use my cell phone to do it. I won't even use the phone on my desk.

never will my personal and business communications the twain cross... devices...

Whole thing is, I'm not going to give my company any reason to inspect my personal equipment, ever, for any reason.

There may be things on my personal cell phone I'd really prefer they not know about.

And yes, the whole phone is encrypted, it has a 20 character encryption key, so good luck figuring it out in 30 guesses

From the ACLU:

https://www.aclu.org/blog/free-future/one-fbis-major-claims-...

The American Commie Layers Union (ACLU) get it correct...

I totally support Apple position on this and continue to think what is on your smart phone is personal and private.

The mere concept that a company should destroy the privacy mechanisms they put in their OS for the pleasure of the government is absurd. Remember also that it would require the re-creation of a new OS.

Agree 10%

How did you arrive at 10%?

The Friggin' Big Idiots blow it on a cell phone data recovery, but get it right with hookers, and cocaine...

Need more be said?

Check this out:

https://www.yahoo.com/finance/news/fbi-threatens-to-demand-a...

Apple's lawyer responds...

http://9to5mac.com/2016/03/10/bruce-sewell-apple-cheap-shot-...

I agree wholeheartly

This is one of the prices we pay to live in a so called free society. If this means I become a victim of murder by so called terrorists then I'll pay that price for my privacy. This is something our brothers and sisters in the US military understand.

How can anyone think giving the government a back door when they can't protect their own makes sense, is beyond me.

is this what some people believe we need , ultimate power breads ultimate corruption and we have created it and now we must feed it ! how many government agency's do we need we have homeland ,
the fbi , the cia and how many other security originations do we need we should only have one . we are being tracked by business banks medical I get mail from funeral homes how do they know how old I am , when is enough enough , yes apple should tell who ever what's on the phone but not give them a program so they get into every ones iPhone . what is the price of privacy that your willing to pay remember once you give it away you cant get it back !!!

A case of who will watch the watchers.

If the ACLU's description of how Apple's security system works is correct, it is pretty ingenious. Use multiple keys with one key protecting another and if one in the middle is destroyed/erased, the protected area can't be recovered.

The computer company I worked for back in the 70's developed a neat little program they called Scramble for use in-house. It was a simple little routine the performed an Exclusive OR on every byte in a program essentially making it unreadable without the single character key. We used to double encrypt by encoding with one character, then decoding with another. You had to apply the codes in reverse order to retrieve the data otherwise it was totally useless. If one step was missed, essentially one of the middle keys was then destroyed like Apple's implementation.

This gets even better:

http://www.theguardian.com/technology/2016/mar/11/fbi-could-...

And whenever the iOS changes, what then?

Just waiting for this:

http://arstechnica.com/tech-policy/2016/03/florida-sheriff-p...

The software that FBI wants is quite complicated to write and would take a large team of software engineers to build it from scratch, assuming it is possible which Apple says it is.

And if it doesn't work, and requires further refinement, testing, and quality assurance, where does it end? If the software has a bug that deletes the data it is trying to recover, who is responsible? There isn't much upside to Apple, even if they are a wealthy company.

If the next FBI/Court request is sent to a small shop instead of a large tech giant, who will keep the business in business while its employees are tied up writing FBI software at the government's demand?

In order to understand this issue, it helps to have a tech background, and one in engineering and software would help.

Any connected device is simply not completely safe. A truly safe installation has no connections to the outside world, even electrical power is from off the grid. Once connected to the world, anything is vulnerable.

Again, imagine a world with no security on our banks, financial institutions, medical facilities, etc. It would be total chaos. Well, a weakened or deliberate access point is the same as having no security. Game over.

Here's an interesting article from a guy that knows quite a bit about cybersecurity:

http://www.businessinsider.com/john-mcafee-oped-on-obama-cyb...

RedRevrnd, there is yet another case going before the Supreme Court to test if religion allows a person to ignore laws, things like the Constitution, because of a conscience objection due to deep religious belief.

When people can't get their way working within the law, they pull out the religion card and/or the victim card.

"I distrust those people who know so well what God wants them to do, because I notice it always coincides with their own desires." ~Susan B. Anthony

That sounds a bit like a former FL city Mayor who said" Our crime statistics aren't so bad when you remove all the murders and rapes"

We have a few loose cannons in FL. But next election in Polk county may see a new sheriff.

Haven't used a disassembler since the early 90's but I bet they still work just as good as then.

It's Apples fault. Make a phone with a back door and sooner or later the government is going to demand you open it. If they encrypted the phone with no back door, they wouldn't have this problem. If people lose their password then tough, reenter all your info. if you don't want the hassle of backing it up yourself. Apple should not be involved with helping legitimate people back into their phone because the gov't will say they are one of the legitimate people.

Like at least one other person on this thread you're misunderstanding what exactly is going on here. The entire issue here is that the FBI is a bunch of dinglefritzes. When given the opportunity to retrieve the data simply by heading to the shooter's house and firing up the WiFi so iCloud could retrieve the data they botched this simple task by changing the password!

Now, in order to cover their stupidity, the FBI has ordered Apple to create a backdoor to the iPhone, not open up a non-existent previously installed backdoor. Apple has refused to comply with the FBI order, with the Justice Department citing precedent with Lavabit email and implying that they will push for Apple to provide the source code to iOS if Apple does not comply. I wonder if that precedent applies to the private signing key Apple uses [EDIT: it does], and I wonder how disruptive it would be to the Apple ecosystem to change the signing key.

As to your belief Apple shouldn't be involved with helping legitimate people back into their phones, that's patently ridiculous. On a private device, the legitimate owner can supply the credentials necessary to get into the phone. The San Bernardino IT department, if it had done its job, would have installed remote management software on the phone so they could access it, since they are the legitimate owners of the phone. In neither case is the US government the legitimate owner of the phone. Therefore they cannot supply the credentials to access the data, and if they attempt to do so more than ten times, the data is instantly wiped.

I am the black sheep of an entire flock of devoted and devout sheep.

The FBI can make all the dumba$$ mistakes they want, they have the authority to abuse and do so.

The real issue is that many do not understand what security is and isn't, and how that affects privacy, or doesn't. And then how that plays into what is spooling up to be a modern test of privacy vs. the authority to invade that privacy. The digital domain presents privacy and security issues that are completely new. The proliferation of the data and the need to protect it has mushroomed. This is very different than keeping a shoebox with notes and receipts.

A warrant would usually allow LE to go and get what they want, and old world evidence stored on paper or unsecured electronics were easy to get into. Now, modern encryption and other electronic security exceeds the ability of LE to breech that security and the privacy it provides. And THAT is the real issue here.

Do not be surprised if this ends up in some way in the Supreme Court, several times over the next few years, and in Congress to debate new laws to establish limits on the security that can be used to protect (encrypt, lock, secure) electronic data, as crazy as that sounds.

No Court or Congressional Committee will excoriate the FBI and dismiss their claims and attempts at getting what they want because they are numbskulls. That Court or Congressional Committee would be considered negligent or derelict in its duty if indeed there was an imminent threat to national security.

But the other thing that people do not understand is that any compromise, or intentional hook to allow access, is effectively the same as neutralizing all security. It is a weakness that will be found and exploited. Just imagine what it will be like with NO digital protection and security.

When cable internet service started many, many, many years ago, I tried it, and was terrified to see the computers and hard drives of other people on the cable system show up on my computer. My computer must have been showing up on the computers of others. I immediately terminated the cable internet service. I stayed with a service that had a private connection to the switch. Cable service is now more secure than way back then, I hope. At least all the other people on the cable system are no longer showing up.

As it is, there are breaches happening regularly. Give an opening and it will be found and exploited. This may sound harsh, but that is far more devastating and threatening to national security than what happened in San Bernardino.