DoJ claims victory, wins nothing
29 March 2016 | 0
Congratulations to the US Dept of Justice on the successful conclusion to its campaign to unlock the secured iPhone 5c belonging to San Bernardino shooter Syed Rizwan Farook. After weeks of legal wrangling between the forces of government and Apple, the FBI has got its… em… handset fully aware it has attained nothing of investigative value.
A quick reminder of the the facts of the case: On 2 December 2015 Farook and wife Tashfeen Malik killed 14 and wounded 22 in a gun attack at the Inland Regional Centre in San Bernardino, California where a training event and holiday party for 80 health department employees was taking place. Farook, a US citizen with Pakistani heritage himself an employee of the health department, and Malik, classed as a permanent resident of the US, fled the scene but were tracked down and killed by police in a shootout the following day.
According FBI, the couple’s rampage was an act of homegrown terrorism. The couple did not have ties to other organisations based either in the US or internationally, had accumulated a massive stash of weapons and bomb-making materials over a number of years and that had plans for a similar assault for 2011 that were abandoned.
The facts are not in dispute. There is no case to prosecute. There is no global significance to this horrific act.
And yet the Dept of Justice and the FBI fixated on a particular item in Farook’s possession – an iPhone 5c he was issued with for work purposes. The DoJ demanded Apple circumvent the security features on the phone to make it accessible to investigators, Apple refused and was subsequently issued with a court order issued under the All Writs Act, a tactic that had been used to seize information from password-protected mobile phones since 2014.
The All Writs Act is a particularly flexible legal framework that allows a court to rule on issues within its own jurisdiction not explicitly covered by law so long as it satisfies legal principles.
Had Farook’s password been kept and managed by Apple on a database somewhere, cracking the phone would have been a simple matter of a subpoena, however, because Apple does not keep that kind of information and limits the number of user logins as a protective measure in iOS, Cupertino argued it would not its own security measures. Cupertino’s argument went that cracking the phone would require it to develop a version of iOS with an exploitable back door, something it would not allow happen. Stalemate.
The case was set to go back to court on 5 April but was withdrawn on 28 March after the FBI claimed it had bypassed the handset’s security measure with the aid of an unnamed third party security company (most likely the Israeli firm Cellebrite).
Full of win, surely?
Investigators will claim a significant in managing to secure a valuable source of intelligence – one it already knows has no operational value.
The real prize in all this wasn’t access to a single phone or even a backdoor to iOS, it was to set a legal precedent giving investigators access to any encrypted device through the mandatory creation of back doors. Imagine, buying a device knowing the height of its security capabilities is to frustrate a pickpocket or give a hacker a direct line to your personal contacts and correspondence. With so much of our lives routed through smartphones developing a surveillance-friendly OS would change how we use such devices, reducing them to dumb phones with notions. The knock-ons for developers and manufacturers would be catastrophic, potentially leading to the demise of the app economy and the fracturing of mobile operating systems by territory – say with strong encryption the norm in the EU but unheard of in countries with oppressives regimes and massive commercial potential – China, for example.
So why dd the DoJ settle for a single handset over the star prize of iOS? The game was up as soon as third party security firms got involved and the focus of the investigation lost its global consequences – though Apple has demanded to know how its security features were bypassed. Unfortunately for Apple the only way it can find that out is if the case is dropped. That leaves the DoJ with a window into the world of iOS for as long as it takes Cupertino to find and shut it. And shut it they will with great ceremony. Expect encryption to become a serious selling point with Apple’s future product lines.
Legally there was no winner here but the prospect of keeping the discovery of encrypted data in uncertain legal territory seems the preferred option to a public shaming and a consumer uprising. This won’t be the last threat to encryption but it has shown that the US government is reluctant to tackle the issue in public and there are plenty of untrustworthy contractors and daring hackers watching what they do in private.