Apple filed their response to the court order seeking them to create a new operating system with security features removed. Since I did a post on the DOJ’s motion, I thought I’d also do one with my thoughts as I read the Apple response.
Page 1 line 3: This is not a case about one isolated iPhone.
Nobody believes this. Even FBI Director James Comey, who has made that argument, had to come out and admit that the case “will be instructive for other courts,” and that the outcome would affect other cases.
Page 1 lines 4-5: this case is about the Department of Justice and the FBI seeking through the courts a dangerous power that Congress and the American people have withheld.
Page 1 lines 13-15: In fact, no court has ever authorized what the government now seeks, no law supports such unlimited and sweeping use of the judicial process, and the Constitution forbids it.
Page 1 lines 16-17: Since the dawn of the computer age, there have been malicious people dedicated to breaching security and stealing stored personal information.
Page 1 lines 21-22: In the face of this daily siege, Apple is dedicated to enhancing the security of its devices
Apple sure does seem to be using a lot of grandiose language. I feel like I’m getting ready to watch Star Wars or something, or at least something a more exciting than a boring, old legal brief.
Page 2 lines 7-8: There are two important and legitimate interests in this case: the needs of law enforcement and the privacy and personal safety interests of the public.
I think it’s important to frame this debate as being law enforcement vs security, instead of being a case of security vs. privacy. If the DOJ is able to win this case (and the sure-to-follow appeals), then it will lead to a reduction in security as backdoors would then be something that the government could compel organizations to create.
Note: I wanted to link to a really good blog post on whether this is a “backdoor” or not, as people have been latching onto that word. I can’t remember who it was and just wasted too much time trying to find it, but basically the guy said that if you have Program A which removes security features so that a formerly-secure product could be accessed. That would be considered a backdoor. You could also have Program B which only allows Program A to run in certain situations. Program B may not be a backdoor, but it relies on Program A, which could be used on any device. It made a lot more sense than that when he wrote it, and I really wish I could find it again.
Page 2 lines 26-27: And once developed for our government, it is only a matter of time before foreign governments demand the same tool.
This is just ignored by all the “It’s just one phone!” folks. Our government has decent civil liberties protections for citizens. Other countries don’t, though. If the DOJ wins this case then it opens up other countries to then expect the same assistance, and Apple would face tremendous pressure to comply, and that process would almost certainly be used on political dissidents in authoritarian countries.
Page 3 line 18 – page 4 line 2: even if such limitations could be imposed, it would only drive our adversaries further underground, using encryption technology made by foreign companies that cannot be conscripted into U.S. government service—leaving law-abiding individuals shouldering all of the burdens on liberty, without any offsetting benefit to public safety.
This is why this needs to be framed as a decision pitting less security vs. more security. Encryption is out there. It’s not going away no matter what the U.S. government wants (see the worldwide encryption products survey by Bruce Schneier and others).
Page 4 lines 6-12: Finally, given the government’s boundless interpretation of the All Writs Act, it is hard to conceive of any limits on the orders the government could obtain in the future. For example, if Apple can be forced to write code in this case to bypass security features and create new accessibility, what is to stop the government from demanding that Apple write code to turn on the microphone in aid of government surveillance, activate the video camera, surreptitiously record conversations, or turn on location services to track the phone’s user? Nothing.
This is a bit of a sky-is-falling argument, but it wouldn’t surprise me if law enforcement really did want those capabilities.
Page 4 lines 13-17: As FBI Director James Comey expressly recognized:
Democracies resolve such tensions through robust debate. . . . It may be that, as a people, we decide the benefits [of strong encryption] outweigh the costs and that there is no sensible, technically feasible way to optimize privacy and safety in this particular context, or that public safety folks will be able to do their job well enough in the world of universal strong encryption. Those are decisions Americans should make, but I think part of my job is [to] make sure the debate is informed by a reasonable understanding of the costs.
Nice use of Director Comey’s words to make their point right there. It seems to be a pattern where he says something and then later says the exact opposite thing (see the 1 phone vs precedence item above).
Page 6 lines 15-17: For one, Apple uses a “large iteration count” to slow attempts to access an iPhone, ensuring that it would take years to try all combinations of a six- character alphanumeric passcode.
This points out that the best thing you can do is to change the setting away from the default number-only passcode and make it an alphanumeric passcode. As long as that alphanumeric passcode isn’t something obviously gussable, then your phone wouldn’t be able to be opened, even with the “FBiOS”.
Page 8 lines 10-17: In addressing the twin needs of law enforcement and privacy, Congress, through CALEA, specified when a company has an obligation to assist the government with decryption of communications, and made clear that a company has no obligation to do so where, as here, the company does not retain a copy of the decryption key. 47 U.S.C. § 1002(b)(3). Congress, keenly aware of and focusing on the specific area of dispute here, thus opted not to provide authority to compel companies like Apple to assist law enforcement with respect to data stored on a smartphone they designed and manufactured.
This seems to me like a pretty good argument. My understanding is that the All Writs Act is for situations where the law is silent. In this case, the law isn’t silent. It specifically says that Apple does not have an obligation to assist law enforcement.
Page 9 lines 12-14: Moreover, members of Congress have recently introduced three pieces of legislation that would affirmatively prohibit the government from forcing private companies like Apple to compromise data security.
To be fair, other members of Congress have proposed legislation that would require companies like Apple to compromise data security.
Page 11 footnote 21: In its motion to compel, filed February 19 with this Court, the government sought to shift the blame to the “owner” (San Bernardino County) in describing who changed the password and why it allegedly has no other viable alternatives besides the creation of a new operating system. Dkt. 1 at 18 n.7. The FBI later issued a press release acknowledging that it “worked with” the County to reset the password.
Nice little dig at the FBI. Yet another example of law enforcement being quite duplicitious.
Page 11 footnote 22a: The government obtained the Order without notice to Apple and without allowing Apple an opportunity to be heard. See Mullane v. Cent. Hanover Bank & Tr. Co., 339 U.S. 306, 314 (1950) (recognizing that one of the “‘fundamental requisite[s] of due process of law is the opportunity to be heard’”) (quoting Grannis v. Ordean, 234 U.S. 385, 394 (1914)).
The Order also made it quite clear that Apple could file a motion challenging the validity of the order, so I think they’re pushing their luck here trying to argue they weren’t given the “opportunity to be heard.” That’s probably why it’s in a footnote, though.
Page 11 footnote 22b: But this was not a case where the government needed to proceed in secret to safeguard its investigation; indeed, Apple understands that the government alerted reporters before filing its ex parte application, and then, immediately after it was signed and confirmed to be on the docket, distributed the application and Order to the public at about the same time it notified Apple.
That’s because it’s not a case about getting information from this one phone. There’s been a lot written about this already, but the phone isn’t even likely to have much information, since the terrorist destroyed his other phones but didn’t care enough about this one to destroy it.
Page 11 footnote 22c: Moreover, this is the only case in counsel’s memory in which an FBI Director has blogged in real-time about pending litigation, suggesting that the government does not believe the data on the phone will yield critical evidence about other suspects.
The blog post was a p.r. effort. Lending even more credence to the argument that, for the FBI, this is all about setting a precedence.
Page 13 line 27 – page 14 line 6: Thus, quality assurance and security testing would require that the new operating system be tested on multiple devices and validated before being deployed. Apple would have to undertake additional testing efforts to confirm and validate that running this newly developed operating system to bypass the device’s security features will not inadvertently destroy or alter any user data. To the extent problems are identified (which is almost always the case), solutions would need to be developed and re-coded, and testing would begin anew.
An example of why anybody who says “It’s only one phone” either has absolutely no grasp of how software development works or else is just lying.
Page 14 lines 14 – 24: The All Writs Act (or the “Act”) does not provide the judiciary with the boundless and unbridled power the government asks this Court to exercise. The Act is intended to enable the federal courts to fill in gaps in the law so they can exercise the authority they already possess by virtue of the express powers granted to them by the Constitution and Congress; it does not grant the courts free-wheeling authority to change the substantive law, resolve policy disputes, or exercise new powers that Congress has not afforded them. Accordingly, the Ninth Circuit has squarely rejected the notion that “the district court has such wide-ranging inherent powers that it can impose a duty on a private party when Congress has failed to impose one. To so rule would be to usurp the legislative function and to improperly extend the limited federal court jurisdiction.” Plum Creek, 608 F.2d at 1290 (emphasis added).
This seems to be one of their best arguments, especially since it relies on precedent from a prior Ninth Circuit case instead of arguing that this would be bad policy.
Page 16 lines 1-5: Thus, in another pending case in which the government seeks to compel Apple to assist in obtaining information from a drug dealer’s iPhone, Magistrate Judge Orenstein issued an order stating that while the Act may be appropriately invoked “to fill in a statutory gap that Congress has failed to consider,” it cannot be used to grant the government authority “Congress chose not to confer.”
It’s important to note that Apple has already had success in arguing against the use of the All Writs Act to compel them to decrypt a phone. That was in New York, though, so it doesn’t have an precedental value in this case.
Page 17 lines 2-5: CALEA does not allow a law enforcement agency to require Apple to implement any specific design of its equipment, facilities, services or system configuration. Yet, that is precisely what the government seeks here. Thus, CALEA’s restrictions are directly on point.
I can’t get past this argument. My uderstanding is the All Writs Act is for situations where there is no clear law. It doesn’t seem like if there’s a law that law enforcement doesn’t like they should be able to use the All Writs Act to get around that law.
Page 24 footnote 24: The government’s suggestion that Apple can destroy the software has clearly not been thought through, given that it would jeopardize criminal cases.
I love it when subtle insults are put into footnotes. I don’t know why I take so much pleasure from that, but I do.
Page 26 lines 12-16: Indeed, under the government’s formulation, any party whose assistance is deemed “necessary” by the government falls within the ambit of the All Writs Act and can be compelled to do anything the government needs to effectuate a lawful court order. While these sweeping powers might be nice to have from the government’s perspective, they simply are not authorized by law and would violate the Constitution.
I made the same point in my blog on the DOJ’s filing in this case, saying that, “It seems like the government’s reasoning would lead to the situation where anybody with any specialized skills would be required to assist in serving a warrant.”
Page 30 lines 1-4: Moreover, the government has not made any showing that it sought or received technical assistance from other federal agencies with expertise in digital forensics, which assistance might obviate the need to conscript Apple to create the back door it now seeks.
I don’t think the FBI wants to say publicly that the NSA can’t get into the phone. Of course, that assumes that the FBI’s purpose in this case is to gain access to the phone. I’ve said multiple times that its purpose is to set a precedent that companies need to break their encryption. I guess if you look at it that way, Apple is the only company that can serve that purpose in this case.
To call these issues even temporarily “resolved” is quite the stretch. Virtualization is not addressed at all in the Lessons Learned (LL) documents. While the others were addressed, they were not resolved. For example, the LL on BES Cyber Assets doesn’t provide a definition for “programmable,” which forms the basis of the Cyber Asset definition but doesn’t have any clear definition itself.
These figures were included in the CMEP report. It seems weird that ReliabilityFirst would have done almost twice as many events as anybody else, but had the second lowest number of participants. These numbers would mean that RF only had about 9 participants per event, which seems quite low. It makes me wonder if the different regions didn’t all use a standardized definition of what constitutes an “outreach event.”
Workentin's Cybersecurity Blog 