Apple Versus the Feds: How a Smartphone Stymied the FBI

When Syed Farook and Tashfeen Malik died in a hail of gunfire last December 2 after killing 14 people at a San Bernardino office party, the FBI recovered Farook's iPhone within a few hours.  One of the critical unanswered questions about the San Bernardino shootings is whether the couple had outside help, and the data on the iPhone may hold the answer.  Problem is, the FBI can't get at the data, and Apple, the iPhone's maker, won't help them.

Why not?  Let's let Tim Cook, CEO of Apple, answer that one:  "[T]he U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone."  A little historical perspective is in order to put this situation into context.

With the advent of powerful digital computers, advanced encryption algorithms were designed and adopted by both sides of the Cold War (both the U. S. and the Soviet Union) for secret communications in the 1970s and onward.  The U. S. National Security Agency, long used to spying on analog communications in which good radios were the most elaborate equipment needed, found itself behind the technology curve and spent millions on advanced computing technology to maintain its ability to crack enemy codes.  The computing power of those early NSA computers now resides on your smartphone, and after a run-in with NSA a few years ago involving spying on Apple, the tech company and its president resolved to do a better job than ever in protecting its customers' privacy.  The latest iPhone operating system has a feature that not only encrypts the user's private data, but destroys the internal encryption key if it detects more than 10 attempts to unlock the phone using the 4-digit password.  After that happens, nobody but God can retrieve the data. 

At first the FBI was hoping that the phone was backed up to the iCloud, where the data might be recovered.  But it turns out that the automatic backup feature was turned off last October, possibly by Farook to avoid just such snooping.  After trying everything they could think of, including things Apple suggested, the FBI has asked Apple to do something that the firm claims is unprecedented. 

The FBI wants Apple to write a new operating system for Farook's phone that will allow unlimited password tries electronically, which will allow the FBI to access the phone's data.  They say it will only be used on Farook's phone, and so there is no risk to anybody else's phone.  The FBI has put this request in the form of a court order, and Tim Cook has vowed to fight it.

Why?  Apple claims the risks of that system getting loose, either accidentally or by command, are simply too great, and they have dug in their heels.  For example, it has been suggested that once it becomes generally known that Apple has developed such a backdoor, repressive regimes will order the firm to give it to them, or else kick Apple out of the country.

This is not the first time that Apple and the federal government have been at loggerheads over encrypted data.  In a 2014 case, Apple was ordered to extract data from an iPhone, but it is not immediately clear from the record whether they complied.  In both that case and the San Bernardino situation, the FBI cited as its authority the All Writs Act of 1789, which basically lets courts issue writs (orders) "necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law."   To the ears of this non-lawyer, it sounds like the law basically says you can do whatever you want, but the Act is typically hauled out as a kind of last resort, as subsequent case law has erected a set of four conditions that must be fulfilled before a court can issue an order under the Act.  Of course, the FBI thinks the conditions are fulfilled, and Apple doesn't.

Apple's stand is based on the idea, not that common among high-tech companies, that even Apple doesn't have any business with your personal data, which is why they designed the iPhone operating system to be so hard to crack.  This differs from practices of other firms, who happily mine their customers' private data for commercially valuable things like brand names and so on.  Privacy advocates from across the political spectrum have joined Cook in his opposition to the order, and the outcome of this case could have wide implications not only for the FBI and smartphones, but for digital privacy generally.

National Review commentator Kevin Williamson (from whose column I first learned about this matter) takes the view that the FBI is taking the easy way out by simply ordering Apple to do its job.  There is evidence to support this claim.  For example, in its instructions to Apple, the FBI asked them to rig a bluetooth link to the phone so they could try the 9999 different number combinations electronically, instead of having to make somebody sit there and do it by hand.  This apparently minor detail has the aroma of a royal order to underlings—"and while you're at it, fix it so I don't mess up my manicure wearing my fingers out on that touchscreen of yours."  Back in the days of telephone hacking in the 1960s, teenagers with time on their hands would amuse themselves by dialing all 9999 numbers in a given 3-digit telephone exchange (e. g. 292-0000 to 292-9999) just for the thrill of discovering the test and supervisory numbers the phone company used for long-distance routing and maintenance.  Apparently, the FBI can't be bothered with such tedium.

The matter is in the hands of lawyers now, and if the issue does indeed go all the way to the Supreme Court, its fate may well depend on whether President Obama gets to appoint a new member after Justice Scalia's recent demise, or whether the next president does, or whether a split Court ends up doing nothing (split decisions leave the lower court's decision standing).  Whatever happens, I admire Tim Cook for taking a principled and consistent stand for a cause that he could so easily abandon:  the notion that privacy still means something in a digital age.

Sources:  Kevin Williamson's column "Hurray for Tim Cook" can be found at National Review Online at http://www.nationalreview.com/article/431491/apples-tim-cook-right-resist-governments-demand.  I referred to articles by ABC News reporter Jack Date carried on Feb. 19, 2016 at http://abcnews.go.com/US/san-bernardino-shooters-apple-id-passcode-changed-government/story?id=37066070 and Feb. 17 at http://abcnews.go.com/US/fbi-iphone-apples-security-features-locked-investigators/story?id=36995221.  I also referred to an article in The Guardian online at http://www.theguardian.com/technology/2016/feb/19/apple-fbi-privacy-encryption-fight-san-bernardino-shooting-syed-farook-iphone, and Wikipedia articles on encryption software and the All Writs Act of 1789.

Under the Cloud

The business world is almost as fad-ridden as the education world, and one of the hot words in the last few years is "cloud" as in "I'll get it from the cloud," or "We put all our data on the cloud."  In this sense, the word means a set of Internet servers where your important data is archived so that it is accessible from anywhere that has an Internet connection.  The concept is increasingly vital to commercial and institutional users worldwide, and makes sense in that context.  But as Scientific American columnist David Pogue warns in the February issue, Apple and Microsoft are taking not-so-subtle steps to force many individual users of their products onto the cloud.  And I doubt that anyone reading this column can avoid using Apple and Microsoft products without a lot of inconvenience. 

The situation, as I understand it, is basically this:  suppose you have data that needs continual updating on your portable gizmo (which can be an iPad, an iPhone, a BlackBerry, one of those Android things, or you name it), and you'd also like the same version of the same data on your laptop.  In the old days, whenever you made changes on your calendar, for example, you would then physically plug your portable device through a USB cable or whatnot into your laptop and tell it to sync.  That way, your laptop calendar would agree with your handheld thingy's calendar and vice versa, and you wouldn't find yourself at Aunt Mimi's when you were supposed to be having your teeth cleaned.  So far, so good.

Then the number of handheld devices proliferated, and so did their operating systems, and so did the ways you can have laptops and towers talk with portable systems (wireless, IR, Bluetooth, etc.), and at least according to the manufacturers and their unofficial representatives, it just got to be too hard to come up with proprietary software to sync absolutely every portable thingamajig with each operating system for all the popular computers.  So they just said forget it:  the real data will sit on the cloud, where we can keep track of it, and then all we have to do is make sure that every piece of hardware (portable or not) can keep in touch with the cloud.  And that solved the problem. . . .

But if you were used to firing up your old laptop and plugging it into your BlackBerry that you've had since 2003, and you are dead-set against keeping your data in a place that you know not where and you know not when it might go down, you are now out in the cold and under the cloud, so to speak.  According to Mr. Pogue, the latest operating systems from both Apple and Microsoft either don't allow you to do hard-wired transfers without involving the cloud, or make it so hard to do that you almost have to get a networking certificate from Microsoft to know how to do it. A discussion thread on an Apple forum on exactly this topic has been going on since last October, and has accumulated 150 pages of comments.  So there are more than a few people upset about this.

Call me Amish, but it doesn't affect me because my form of a BlackBerry is a three-by-five card.  Or rather, many three-by-five cards.  I suppose if you took all the three-by-five cards I've used in the last decade and piled them up, they would make a stack high enough to fall over and form the kind of mess my desk looks like some days.  In fact, that may be why. . . anyway, somehow I have survived thirty years of an occasionally intense professional life with nothing more advanced than a laptop or two and a mobile phone that you still have to use the numeric keypad for to send a text.  It's so annoying to do it that way that I hardly ever send texts, which is all right by me. 

But seriously, this specific issue is an example of a more general trend that organizations are following: a move toward exerting increasing control of any computer that is connected to one of their networks.  For example, I spend some time at the University of Texas at Austin.  If I was using a University-provided laptop (which I'm not, as it turns out), I would now have to make sure that all the data on it was encrypted in accordance with a University-provided type of encryption software so that if it happens to get stolen, the thieves can't run off with University data.  That makes sense from a liability and security point of view—I have blogged on numerous scandals and crimes that happened when someone took home a laptop full of supposedly secure data—but it represents another intrusion, if you will, into a space that was formerly rather private. 

Of course, if the University owns the laptop, they get to say what you can and can't do with it.  Privately owned computers connected to privately rented networks are another matter, but then you still have to deal with Apple or Microsoft, and their pressure to keep your stuff on the cloud will prove irresistible.  The Star Trek Borg, a race of cybernetic beings, liked to say "resistance is futile," but that was only a TV show.   

Personally, I don't see any real harm in letting Microsoft know the details of my next dental appointment.  And yes, those massive servers go down from time to time, but then so does your laptop.  I admit that I would feel a certain kind of existential queasiness in entrusting the only record of my professional schedule to some ethereal system that is everywhere and nowhere, rather than having it in a tangible, solid form on pieces of paper in my appointment calendar in my briefcase.  (Yes, I do that the old-fashioned way too.)  Maybe people living in the 1850s felt the same way about the newfangled electromagnetic telegrams, and didn't really trust them on an instinctive level as much as they would trust a letter written by the hand of a friend they knew.  But they got used to trusting telegrams, and I suppose we will get used to trusting the cloud, as long as our trust is not abused. 

Sources:  The online version of David Pogue's article "The Curse of the Cloud" can be found at http://www.scientificamerican.com/article/were-forced-to-use-cloud-services-but-at-what-cost/.  I also referred to Wikipedia articles on BlackBerry and Borg (Star Trek).