back to article All-American Apple challenges US gov call for iOS 'backdoor'

Apple CEO Tim Cook has explained why his company will refuse to write custom iOS firmware to help the FBI decrypt an iPhone belonging to a mass murderer. A magistrate judge in California had ordered Apple to assist the FBI in decrypting an iDevice owned by one of the San Bernardino shooters. In response to this, Cook wrote an …

  1. SolidSquid

    Even putting aside the (very important) issue of encryption and the bypassing of it, this does raise the question of how much a court can compel someone to do. Can the court require a company to develop new software without any compensation for it? If so what other companies could be compelled to work for free under this precedent?

    1. Phil Kingston

      I read the court order earlier, and iirc it makes mention of paying some costs.

    2. The Man Who Fell To Earth Silver badge
      Boffin

      I guess we'll find out how good Apple designers are or are not

      One would assume Apple did their encryption correctly, in which case the entire "system disk" is encrypted including the OS. Which means it's the unencrypted boot loader that does the "erase after x failed tries", and Apple is being asked to modify that so the Feds can brute force attack with impunity.

      So the questions is, did Apple design their phone with security in mind so the boot loader is in a read only PROM? Or were they stupid and put it in rewritable storage so that it is possible to replace it with a boot loader that won't "erase after x failed tries"?

      1. CaitlinBestler

        Re: I guess we'll find out how good Apple designers are or are not

        The real question is whether Apple has careless left a hole in their security.

        You should not be able to update the firmware without entering the password or doing a full

        factory reset first. If Apple's firmware allows itself to be bypassed then the "guess limit" never

        really did any good anyway. Apple should have been allowing longer PINs to make brute force

        attacks infeasible even without this firmware assist.

        But forcing Apple to disclose this detail about potential flaws in its designs on the theory

        that this *might* unlock information that is useful to the FBI strikes me as a real stretch.

        If Apple confirms that such an attack is possible then hackers will inevitably figure out how it is done.

        Meanwhile, I doubt that an iphone has unbreakable *physical* security. The FBI, on its own dime,

        should be able to *clone* the memory and then just start a series of 10-try run until they've tried

        all 10,000 PINs. They do not need Apple's help to do that.

    3. Anonymous Coward
      Anonymous Coward

      There is a secondary problem here..

      The other problem with this court order is that it attempts to establish precedent with respect to encryption.

      The defence "we cannot access customer data because they encrypted it using our own software" has never actually been tested in court. What is attempted here is to establish a precedent to compel backdoor installation by any organisation who supplies crypto for customer data protection, Kerckhoffs' principle be damned (no, I don't agree with Wikipedia's idiotic spelling of the possessive "Kerckhoffs' ", but let's leave that aside).

      If Apple is held in contempt because it refuses to engineer some way to break its own encryption, that pretty much puts the nail into ANY, and I mean ANY US based business holding encrypted EU data because the precedent will say "you created it, so you break it or we will hold you in contempt".

      This is different to the MS vs DoJ case in that there is only one good outcome: Apple must win this. If it loses it, the precedent will act as an "OFF" switch for every US provider handling EU data like AWS. EU companies would no longer be able to defend holding data in the US through encryption and would have to move everything out.

      Apple is playing this absolutely right, and thankfully has enough financial clout to follow this through.

      1. agatum

        Re: There is a secondary problem here..

        Apple is playing this absolutely right, and thankfully has enough financial clout to follow this through.

        Apple indeed has enough gold. Annoying thought: all government has to do to force this kind of sick precedent is by challenging some other, considerably poorer company with a product with encryption. Said company can't defend itself, case becomes precedent and voila!

        1. Fungus Bob

          Re: There is a secondary problem here..

          "all government has to do to force this kind of sick precedent is by challenging some other, considerably poorer company with a product with encryption. Said company can't defend itself, case becomes precedent and voila!"

          Or said company goes bankrupt and the government is left with nothing.

      2. Matt Bryant Silver badge
        FAIL

        Re: AC Re: There is a secondary problem here..

        ".....Apple is playing this absolutely right....." Apple is indeed playing, but with the iTards and the paranoid conspiracy theorists. The judge's ruling says explicitly that the any software produced must only be used on the one phone in question, and that the use of the special software has to happen under Apple's control on Apple's premises, all of which exposes Tim Cook's blathering as just hype and froth. What he's really worried about is having to admit there are simple ways to circumvent the iPhone security setup once he has admitted it is technically possible then countries like China will work out how to do it themselves. He really doesn't give a hoot about protecting his customers' data, as shown by the happy way they let iPhone's brick themselves if any user dares to load any app not paying into the iTax scheme. Cook means when he says "We have no sympathy for terrorists" is actually that all he cares about is protecting the iPhone business when sales are slowing worldwide.

        1. Anonymous Coward
          Anonymous Coward

          Re: AC There is a secondary problem here..

          > having to admit there are simple ways to circumvent the iPhone security setup once he has admitted it is technically possible then countries like China will work out how to do it themselves.

          However, the mechanism proposed involves creating *signed* firmware which is signed using the *private key* which is held in Cupertino.

          So the Chinese won't be able to exploit this mechanism unless they can steal the key - which is likely to be very, very, very well guarded indeed.

          1. Anonymous Coward
            Anonymous Coward

            Re: AC There is a secondary problem here..

            However, the mechanism proposed involves creating *signed* firmware which is signed using the *private key* which is held in Cupertino.

            So the Chinese won't be able to exploit this mechanism unless they can steal the key - which is likely to be very, very, very well guarded indeed.

            Where there is a will and enough money, or convincing threats to someone's relatives, there is a way. "Accidents" happen, and let's not forget that this demand is made in a nation that has been proven not to be shy about grabbing information that isn't theirs to have.

            Don't get me wrong, I support law enforcement engaging in legitimate investigations but that should not allow the creation of something that cannot be undone. Because once it's out there, it will leak. Assuming it will not demonstrates a naive view of the world where mistakes never happen, and deliberate actions do not exist.

            Apparently, Donald Trump agrees with the FBI that Apple should break its own technology so it might as well stop selling to anyone (and the rest of Silicon Valley, because there will then be precedent) which demonstrates just what an idiot he is. But that part is not exactly news, is it? :)

            1. Eddy Ito

              Re: AC There is a secondary problem here..

              Let's not forget that this is the same company that has had beta iPhones left at bars. It doesn't matter who works on the project or how well paid they are there is always the possibility that Xi, Putin or someone else will make them an offer they can't refuse. How quickly could you empty an account with Apple Pay if you've got the keys?

              Meh, that just puts Trump squarely on the same talking points as the White House and the presumptive Democratic nominee. I'm sure we'll be hearing from Sen. Feinstein on the topic shortly but we all know what she'll say.

              1. Eddy Ito

                Re: AC There is a secondary problem here..

                Well it seems Sen. Feinstein has finally joined Trump and company. Not that anyone here is surprised.

          2. druck Silver badge
            Mushroom

            Re: AC There is a secondary problem here..

            AC wrote:

            However, the mechanism proposed involves creating *signed* firmware which is signed using the *private key* which is held in Cupertino.

            So the Chinese won't be able to exploit this mechanism unless they can steal the key - which is likely to be very, very, very well guarded indeed.

            Let's give Apple the choice of producing a one of piece of custom firmware with a couple of if statements comment out, which they can use and destroy afterwards, or the court can subpoena the privite code signing key.

        2. Anonymous Coward
          Anonymous Coward

          Re: AC There is a secondary problem here..

          The judge's ruling says explicitly that the any software produced must only be used on the one phone in question, and that the use of the special software has to happen under Apple's control on Apple's premises, all of which exposes Tim Cook's blathering as just hype and froth.

          Are you really that naïve that you think that software will remain in that place, the knowledge of how it was done never leaks and this precedent would not be abused to force any other US company to screw over their own business and their customers? Really?

          This has actually pretty much nothing to do with Apple being Apple, but with the general issue of providing equipment that can protect data where some people would really, really like to keep a backdoor open to the detriment of all, and set the clock back some 2 decades.

  2. DrXym Silver badge

    The precedent is the thing

    I bet Apple have the means to extract the firmware from the phone in question, or reset the retry limit, or do something to aid in decrypting it. They probably don't want to because if they demonstrate the capacity to circumvent or override security features, they'll be on the receiving end of court orders from all around the world to decrypt their phones. In some cases governments might even order them to give up the circumvention software to do it or face fines, import embargoes etc.

    Aside from that, their customers will lose faith in Apple's promises of encryption which might affect sales.

    So the consequences of helping could be really bad. For their sake, let's hope the security they put into the phone stands up to attack by Apple themselves. In which case they might come out of this with their reputation enhanced. But the way they're resisting makes this unlikely.

    1. Steve Davies 3 Silver badge

      Re: The precedent is the thing

      Quote

      Aside from that, their customers will lose faith in Apple's promises of encryption which WILL affect sales.

      But where will they go for a secure device?

      Android? If Apple caves in then it won't be long before Google will be in the same boat..

      Microsoft? ???

      Blackberry?

      A.N. Other?

      Back to Semaphore then...

      1. Anonymous Coward
        Anonymous Coward

        Re: The precedent is the thing

        If Apple caves in then it won't be long before Google will be in the same boat..

        No, it won't. You have already accepted to have your data scanned when you got yourself a Google account to get most of the Android functionality online. Add to that that Google's main business IS getting your data, and I suspect Android is not quite as well protected, and law enforcement might not even need your phone to get to the data.

      2. allthecoolshortnamesweretaken

        Re: The precedent is the thing

        Semaphore? Potentially funny, but not very practical.

        Anyway, this is very interesting, for various reasons. And I quite like the way Apple is presenting itself here. In fact, I'm almost ready to forgive them at last for axing the Newton.

    2. Phil Kingston

      Re: The precedent is the thing

      They're not being asked to decrypt, which is key. They're being asked for a method to bypass the PIN lock (by allowing the FBI to brute force the PIN without the OS complaining).

      1. Phil Kingston

        Re: The precedent is the thing

        Yes, the end result is the same, but the method is an interesting point.

      2. Anonymous Blowhard

        Re: The precedent is the thing

        "They're being asked for a method to bypass the PIN lock"

        That's what I saw as well; this will either be impossible, because the software behind the PIN lock can't be changed without giving the PIN, or relatively trivial if the PIN lock doesn't protect the PIN lock software. This is a bit like being able to change the lock mechanism in a door without having the key whilst the door is locked.

        1. Dan 55 Silver badge

          Re: The precedent is the thing

          Does it accept reflashing while locked?

          If not, can the keys be extracted from the secure storage while locked and can the device be reflashed while without tripping any safeguards?

          It sounds like a tall order (Error 53).

          If it doesn't work, can they be forced to push out an update which removes safeguards from everybody's device?

          1. Anonymous Coward
            Gimp

            Re: The precedent is the thing

            @Dan 55

            The real question is whether Apple can/can be forced to push out an update which removes the safeguards from everyone's device WITHOUT THE OWNERS KNOWLEDGE.

        2. monty75

          Re: The precedent is the thing

          A Slashdotter has posted what appears to be a thorough description of how the iPhone handles encryption and why this court order is asking for the impossible http://yro.slashdot.org/comments.pl?sid=8756397&cid=51524693

          1. Anonymous Coward
            Anonymous Coward

            Re: The precedent is the thing

            In language that politicians can understand:

            If the FBI gets its way and the tech titans fall like dominoes, it'll destroy the economy and bring down the government, USSR-style.

            Hyperbole? No more so than "cuz terrerists!!!"

    3. Anonymous Coward
      Anonymous Coward

      They might go to China or Russia for a "secure" phone

      I've stated this several times before and I think this is a perfect illustration. Given a choice between a device I knew was bugged by the US government and one that was bugged by the Chinese or Russian government, as a US citizen I'd choose the latter. Because the Chinese or Russian governments are not a threat to my personal liberty, which the US government is since I live within its borders and am subject to its laws and whims.

      All you really need is a company using Android, removing the Googly bits, and based in a country where they don't have to bow to the demands of the US government (or their government to pressure from the US government)

  3. Doctor Syntax Silver badge

    'the FBI* doesn't want to use the toxic phrase "back door"'

    Of course they don't. That makes it important to insist on calling a spade a spade - and a back door a back door.

    *Other agencies and nationalities are available.

  4. Phil Kingston

    What I'm intrigued about is what the FBI think they'll find on there that they can't access by other means.

    1. wolfetone Silver badge

      Photos of the two of them with guns, looking all mean and nasty. It's this sort of thing that works really well in news reports, which will then be used the next time the subject of encryption being evil comes up.

    2. Anonymous Coward
      Anonymous Coward

      It's an investigation. You need to collect all the available data. Actually there could be information there that may discharge someone.

      Maybe Cook should be charged for selling encryption devices to terrorist. Maybe he will change position...

      1. Phil Kingston

        There's surely no need to discharge anyone - presumption of innocence and all that.

        My guess would be the FBI are looking for some evidence of workplace dispute (CNN said this is his work phone).

        Tragic though the event was, I have to say I side with Apple in contesting it.

        And charging someone for selling a way of privately storing/transmitting data seems wrong to me. But I'm no expert on their dearly-held constitutional rights.

      2. Steve Davies 3 Silver badge

        Charge Cook?

        If they charge Tim Cook then they need to also charge the bosses of Smith & Wesson and every other gun maker in the USA. After all, terrorists don't only use AK-47's do they?

        Then there is the company that sold every gun used to commit a crime in the USA. They should be bang up along with him. After all, they sold weapons that killed people didn't they?

        1. Mephistro

          Re: Charge Cook?

          And don't forget telcos and car makers!

        2. Elmo Fudd
          Happy

          Re: Charge Cook?

          I understand that Congress passed legislation specifically protecting the gun manufacturers from liability and litigation. If Apple looses this case, and it sounds like Cook is determined to fight this as far as possible, then they make sure that the next version of IOS, can not be hacked using whatever tools they are forced to create. (Assuming that they are even able to hack this phone)

          1. Anonymous Coward
            Anonymous Coward

            Re: Charge Cook?

            It's been a while since I went grammar Nazi, but this annoys me.

            If Apple looses this case

            I would like to refer you to the first line of this Oatmeal cartoon, but it may be worth your time reading all of it, especially if English is not your first language.

            1. Likkie

              Re: Charge Cook?

              "It's been a while since I went grammar Nazi..."

              To be perfectly pedantic, you're correcting spelling there not grammar.

              1. Anonymous Coward
                Anonymous Coward

                Re: Charge Cook?

                LOL, you've pinpointed the exact reason why I rarely go grammar nazi. It's the realisation that I'm not perfect either, so the likelihood that I screw up in the comment is close to 100%, especially with a bit of help from Murphy's Law. That being said, I do welcome the correction :).

      3. zebthecat

        Well done...

        ...that is the most idiotic comment I have read for a while. It is satirical I hope.

      4. Anonymous Coward
        Go

        @ "It's an investigation" AC

        Thank you for demonstrating why end-to-end encryption is so important. You'd probably never have the sack to come here and write what you did if you had to actually identify yourself to the Reg commentariat. Think of people living in police states who are actually trying to promote human rights and political reform. They face a lot worse consequences for their actions than the flamefest from 10-20 el Reg commenters that you just ducked.

  5. Anonymous Coward
    Anonymous Coward

    Anyone else think the Apple/Microsoft refusal to co-operate with the US government to be a bit over the top? This leads me to believe this is all to make people think that their data is safe.

    Surely in this case they would do all this behind closed doors so nobody knew they had obtained access.

    Also do you really expect me to believe that a shooting that happened on December 2nd involving people who could have co-conspirators and an immediate threat to national security is only now going through court to get access to the device?

    Lets face it, they can unlock and access any device but they don't want everyone to know because when they do get those devices there will be nothing of use on them.

    1. LDS Silver badge

      Microsoft case is different. MS was asked to give FBI data of a foreign citizen in a foreign state not under US jurisdiction. The same data would have been easily available if the FBI had followed the usual procedure to obtain them, and MS would have complied to an Irish warrant.

      I would agree with Apple if the device was illegally obtained. But it's an evidence from a multiple mureder case on US soil, under a valid search warrant.

      1. Mephistro

        (@ LDS)

        I think that's not the point. As I see it, the court asked Apple to decrypt the phone's contents, and when told that it was impossible, "They" -note capitalization and quotemarks this time- requested Apple to make changes in the software so Apple's customers data could be decrypted at LEAs and TLAs whim. The problem with this approach is that the same mechanism -a backdoor- that allows the FBI to decrypt someone's data will end up allowing other parties to do the same thing. These parties include criminals and foreign governments.

        IMHO the case was just used as an excuse for a push to further erode citizen's privacy. Not the first time this happens! :-(

      2. Anonymous Coward
        Anonymous Coward

        I would agree with Apple if the device was illegally obtained. But it's an evidence from a multiple mureder case on US soil, under a valid search warrant.

        This is not what is being asked. A manufacturer is asked to re-engineer a product to ESTABLISH a backdoor that they have just spent countless man years eradicating. If Apple does this, the cost to Apple itself will be monstrous as will publicly invalidate the security of their devices.

        This could have been done differently, in secret, with Apple staff assisting the FBI in making an image of the device which they could then attempt to break, or let the NSA have a go. Instead, they chose to publicly ask for something which no sane company could agree to, because agreeing to this would not only destroy a large part of Apple's stance and market appeal, it would also set a precedent for EVERY SINGLE US BASED MANUFACTURER OF SOFTWARE AND HARDWARE - read that again, because it's rather important - every single one of them to destroy any semblance of security as soon as a court order arrives, taking the company down with it because after that you were certain to lose a LOT of customers.

        This is not exactly helping the US IT industry after the blow of the death of Safe Harbor. It's like asking Volvo to remove all the safety features from their cars because criminals are using them to ramraid shops.

        By the way, it has just been confirmed as complete lunacy - apparently, Donald Trump agrees with the FBI. A clearer confirmation of the idiocy of this demand is hardly possible.

  6. fnusnu

    So will future versions of iOS have a check box marked 'install US Government mandated backdoor'?

    Either you check it or you have something to hide and are therefore guilty...

    1. UncleZoot

      I guess I'm guilty then. Now that my phone is encrypted, I won't allow anyone to look at what's inside.

      The same reasoning I use for why I still use the touch pad to enter my code instead of the finger print reader.

      When Judges have ruled that forcing you to place your finger on the reader is legal and forcing you to enter a code number isn't. Screw it, it the code for good.

      1. Annihilator Silver badge

        "When Judges have ruled that forcing you to place your finger on the reader is legal and forcing you to enter a code number isn't."

        Have they? Even if they have, just stall. The power will run out on your iDevice. Whenever it's switched on for the first time, it demands your passcode before it will enable the fingerprint reader (first boot from cold anyway).

        1. Mephistro
          Trollface

          "...just stall..."

          Please explain how you prevent three big uniformed guys armed with tasers from puting your finger whenever they please, including your iPhone*.

          Although being an iPhone, you'd only need to hold them off for two hours average! ^_-

          *Or if you are really unlucky, in a small paper envelope in your breast pocket!!

          1. Anonymous Coward
            Anonymous Coward

            That's why I disable the touch reader when I travel. Not only is it not very secure, but you also do this on a device with a surface that is almost *designed* to store your fingerprints when you just hold it. It's not a very good thing to use if you're interested in security...

          2. Annihilator Silver badge

            "Please explain how you prevent three big uniformed guys armed with tasers from puting your finger whenever they please, including your iPhone*."

            Because it's not three big uniformed guys. It's 3 months after the arrest/seize under a court order that you'd be "forced" to do so. And you could just decline and end up in prison for contempt of court.

            I'm not a fan of "if you've nothing to hide, you've nothing to fear" but in this case I suggest the paranoia of them forcing your thumb onto the phone is slightly unwarranted. Or if it is the case, you're already in a blacksite unlikely to see the light of day again.

    2. Anonymous Coward
      Anonymous Coward

      They already do. This is just PR stunt to make idiots think iOS is secure.

  7. Warm Braw Silver badge

    IANAL and even less a student of US law

    However, as I understand it, the AWA is supposed to be used only when it is needed to support the jurisdiction of the court issuing it - that is in order to ensure that a valid case can be pursued - and when all other potential remedies have failed.

    In this case, I really don't see what valid case is being pursued - the acknowledged perpetrators are dead and no charges can be brought against them. I find it difficult to see how the AWA can be validly applied to compel assistance with an investigation by a non-judicial body (such as the FBI).

    If it were upheld, it would indeed be an interesting precedent - the same logic, for example, could compel individuals to report on the activities of their colleagues or family or neighbours if it were impractical to conduct surveillance in any other way.

    If hard cases make for bad laws, they seem to make for worse judicial decisions.

  8. The Mole

    Precedent setting?

    My understanding was that there are third party firms who provide hacks to governments (http://www.theregister.co.uk/2013/09/17/nsa_vupen/) and I would therefore be very surprised if these firms haven't developed the techniques that the FBI is looking for - with physical access to the device most things are possible. Given that in this case the FBI would never need to use the contents of the phone in a court of law I see on reason why they wouldn't be able to use these third party companies.

    Therefore this looks to be part of a long term strategy and this case is being used to set a precedent as it is an easy sell to the man on the street as being a proportionate action. Once the precedent is set they can start sliding down that slippery slope to their final much less morally defensible objectives.

  9. CAPS LOCK

    I must be missing something here, what's to stop Appple encrypting the data partition..

    ... with full strength encryption using a key supplied by the device owner and not stored on the device? When the TLAs come callin' they can say 'Cannot help sorry"?

    1. Mephistro

      Re: I must be missing something here, what's to stop Appple encrypting the data partition..

      Two words: Bricked phones.

      And customer's frustration, and lawsuits, and ...

      What they do instead is keeping the decryption key in a specialized chip that -supposedly- can't serve the keys themselves, through some advanced cryptomagick that, being frank, is quite over my level. :-)

      Weakening that protection mechanism makes easier for the bad guys -whoever they are- to access said data. E. G., imagine what would happen to witness protection programs, investigative journalists , whistleblowers and political dissidents if Apple (or Google, or...) does this.

      And let's go a little bit further: this hypothetical law mandating companies to install backdoors in their products could be used to mandate also installing said backdoors in general use computers, giving the baddies access to most IP and commercial information. There are lots of hints -many of them in Elreg- that this is already happening, but this law would make it totally legal and uncontestable.

      I've said this before and I'll say it again: a few more years with this shit and "1984" will look like a picnic in a sunny day.

    2. Annihilator Silver badge

      Re: I must be missing something here, what's to stop Appple encrypting the data partition..

      Nothing, I think the point is they already do. But most phones (presumably including this one) have 4-digit passcodes. With brute-force they could crack that in a little under 3 hours with a measly 1-try per second (and they could do faster - they're emulating the iTunes USB interface to do this I suspect).

      The thing they've asked apple to do is disable the "pause after too many retries" so they can actually attempt 1 per second.. After 6 tries, it makes you wait a minute before getting another go. After 10 attempts it's 1 try per hour which rather puts a dent in their brute-force attempts.

    3. Anonymous Coward
      Anonymous Coward

      Nothing stops them - that's how it works now

      Apple has encrypted the entire contents of the phone's flash since the 3gs using hardware encryption that cannot be disabled. However they held a copy of the key so if someone lost their passcode Apple could help them out and unlock their phone. They changed this in iOS 8 so the key exists ONLY within the phone's secure enclave, and that key can ONLY be unlocked by supplying the passcode/password (the key is NOT generated from the passcode)

      So since iOS 8 if you forget your passcode then you lose all the data on your phone unless you made a backup.

  10. msknight

    To my mind...

    Court says... give us the data off this device... Apple should damn well comply or sling Cook in Prison.

    Court says... give us software that has the potential to get data off any device.. then Cook has a case.

    1. Rob Crawford

      Re: To my mind...

      It's a good job that you haven't got a mind then isn't it

    2. Phil Kingston

      Re: To my mind...

      Pandora's box.

      The court order is extremely specific to the device (serial and imei). And iirc doesn't require the software to be handed over. I was actually quite impressed with the wording and can sympathise with the intent.

      However, the idea that any individual's protected information can be accessed by the state by way of a court order is troubling to me. Personally, I've nothing to hide, but that doesn't mean I'm comfortable with a government agency rifling through my stuff. Especially without a clear suspicion (I could be wrong, but this request seems purely speculative).

      1. msknight

        Re: To my mind...

        I think we've got to have some respect for the court here. After all, we comply with the law for a reason. If we don't like the laws, we're free to protest them.

        After all, if the courts were that corrupt, then the spy agencies wouldn't have tried their damnedest to circumvent them. If I've shot and killed loads of people and might have links to terrorist organisations, then I'd be laughing if corporates shielded my contacts to prevent investigations.

        On the other hand, I'm relying on the courts to say, "This is an average Joe/Jill, there's no reason to suspect them of doing anything wrong, so fishing for stuff is wrong." and deny the decryption/access request.

        If Apple doesn't support the court, then there is a very serious risk here that the governments might actually ban encryption and screw everyone. If Apple (and others) play ball in the extreme circumstances then the government hasn't got anything to complain about when the rest of us stick to our encryption guns.

        1. Captain Queeg

          Re: To my mind... @msknight

          "On the other hand, I'm relying on the courts to say, "This is an average Joe/Jill, there's no reason to suspect them of doing anything wrong, so fishing for stuff is wrong." and deny the decryption/access request."

          the trouble is, at least in the UK, "The courts" often morph into "The Home Secretary", so placing faith in any judicial system to protect us sort of implies a similar level of trust in legislators/politicians/despots of the day.

          Whatever the rights and wrongs of this case, the only way forward, difficult as it may be is to have (practically) unbreakable encryption. Knee jerk legislation is almost always poor legislation.

          Civilisation, it seems to me, hangs on the right balance between the individual and the state. Shift too far from a sensible balance and we land with either anarchy or totalitarianism.

      2. BenR

        Re: To my mind... - Phil Kingston

        The court order is extremely specific to the device (serial and imei). And iirc doesn't require the software to be handed over. I was actually quite impressed with the wording and can sympathise with the intent.

        You and I both. Some of the judges have obviously been paying attention to the growing furore over security, unwarranted snooping and the like.

        However, the idea that any individual's protected information can be accessed by the state by way of a court order is troubling to me. Personally, I've nothing to hide, but that doesn't mean I'm comfortable with a government agency rifling through my stuff.

        I don't agree here though. If the authorities, be it the local police of some arm of the government security apparatus, has actually been to a court and got a court order, then isn't this exactly what most people have been asking for? Clear, accountable judicial process and a valid warrant for the information?

        Admittedly in this case, it's all a bit post hoc and arguably pointless - which is why I tend to agree with people suggesting it's being used as a precedent-setting test-case - but I'd be perfectly happy with this. Especially given the controls the judge has tried to put on it.

        Of course, if Apple were to comply, all they've done is shown everyone and their dog that there *IS* in fact a way to break into their system and "bypass" the security...

        1. Don Dumb
          Stop

          Re: To my mind... - Phil Kingston

          @BenR - "Admittedly in this case, it's all a bit post hoc and arguably pointless"

          I think people seem to mistakenly think the FBI is after the two (now dead) perpetrators. Rather I believe they want to review the phone to help establish whether anyone else was involved (also culpable) or whether the 'workplace dispute' angle is valid.

          It certainly doesn't seem to me to be fishing to review the phone of a couple of mass murderers to establish any further background behind what really happened.

          "If the authorities, be it the local police of some arm of the government security apparatus, has actually been to a court and got a court order, then isn't this exactly what most people have been asking for? Clear, accountable judicial process and a valid warrant for the information?"

          Apparently what people kept asking for isn't what many people really want, if the comments on this story are anything to go by...

          Personally, I agree that this seems acceptable. I can't see what more the government can be expected to do - there has definitely been a serious crime commited for which further investigation is in the national and public interest, they have got an open court order to help unlock the phone and the court order is specifically limited to getting assistance into getting into the phone in question.

      3. Anonymous Coward
        Anonymous Coward

        Re: To my mind...

        " Personally, I've nothing to hide"

        Really!

        Ok, give me your bank account details and paswords, in fact give me all your passwords... you have nothing to hide...you have nothing to fear....

        1. msknight

          Re: To my mind...

          You know... I don't get this.

          Two people murder innocents, there's a serious risk that they could be tied in to terrorist groups, the court specifically want access to their phones, and have been careful as to the wording that it is only these phones they need access to... and people have a problem with this? I'm stunned.

        2. Phil Kingston

          Re: To my mind...

          There's a big difference between divulging that information to a court and handing it to an AC.

          1. Anonymous Coward
            Anonymous Coward

            Re: To my mind...

            "There's a big difference between divulging that information to a court and handing it to an AC."

            but that's the point, there really isn't, once there is a mechanism to divulge it to the court, then there is a mechanism for any random agency to get at it. It's either secure or it isn't, it can't be partially secure.

      4. tom dial Silver badge

        Re: To my mind...

        "[T]he idea that any individual's protected information can be accessed by the state by way of a court order is troubling to me."

        The US government and subordinate state and local governments have been able to access an individual's private information lawfully for the last 227 years under the US Constitution and laws and under other laws for some centuries more than that. Nothing is particularly noteworthy or novel about granting them equivalent authority to access it when it is stored on a smart phone or other computer device. Moreover, for the same 227 years, US judges have been authorized by law to issue orders compelling cooperation in carrying out lawful warrants and other court orders; their predecessors under English law probably had roughly equivalent authority. Nothing is new there either.

        What is new is the somewhat odd notion that there is an absolute individual right to designate certain information as "private" and withhold it at will and under all circumstances from all government officials. That right never existed and does not now. The government's authority to search and seize is constrained. It must be reasonable. It requires a warrant based on probable cause and supported by oath or affirmation. The warrant must describe what is to be searched or seized with some precision. Subject to those requirements, the government legitimately can obtain and try to exercise a warrant to search an individual's private information, protected or not. And under the law, the government also can direct others to help carry out the lawful search.

        The fact that it cannot successfully conduct a properly authorized search because access to the information is blocked has nothing to do with the government's legitimate authority to do so, and does not confer a right that would not exist if the access were not prevented by technical means.

  11. Herby

    A backdoor for one is a backdoor for all

    Enough said.

    I doubt that anyone (much less a government agency) can keep a secret about any backdoor.

    Question: Can you keep a secret?

    Answer: So can I!!

  12. toughluck

    Apple CEO Tim Cook has penned an open letter to Apple fanbois as the company refuses to decrypt an iDevice belonging to an alleged criminal.

    Excuse me, what do you mean alleged?

    1. Steve Davies 3 Silver badge

      Innocent until proven guilty and all that

      Until you are found guilty you are 'alledged' to have comitted a crime.

      The couple can't be found guilty as they are dead so they will be alledged for a long time yet.

      1. Kurt Meyer

        Re: Innocent until proven guilty and all that

        @Steve Davies 3 - "The couple can't be found guilty as they are dead"

        I'm surprised to read this, Steve. Being deceased (or not), has nothing to do with a finding of guilt or innocence in the US courts.

        1. Anonymous Coward
          Anonymous Coward

          Re: Innocent until proven guilty and all that

          I'm surprised to read this, Steve. Being deceased (or not), has nothing to do with a finding of guilt or innocence in the US courts.

          It would, however, make sentencing considerably more interesting...

  13. monty75

    They want the suspect's Reminders list

    - Buy milk

    - Take out the trash

    - Bring about a new caliphate by murdering dozens of infidels

    - Send mum's birthday card

    1. Dan 55 Silver badge

      Re: They want the suspect's Reminders list

      If the list is on the fridge it'll be next to the photo of Osama bin Laden.

      (This week's X-Files.)

  14. Jason Bloomberg

    Ticking Timebomb Scenario

    I am not saying it is the same scenario - the Feds are no doubt mostly fishing for incriminating evidence or anything useful for propaganda purposes in the San Bernadino case - but...

    If the Feds were looking for a dying kidnapped child, and obtaining access to the iPhone of the killed kidnapper seemed to offer the best chance of finding that child alive, would Apple providing the tools to do that still be, "something we consider too dangerous to create"?

    What it comes down to is that it's not Apple's decision to make. Apple and Cook are entitled to their opinion - as is everyone else - but someone has to decide what is ultimately in the public's best interest. And that would normally fall to the highest court in the land.

    Apple are right to challenge the current ruling all the way to the top. But the ultimate decision does not, and should not, rest with them.

    I do agree that setting precedent is the real issue. It may be right to force Apple's hand in some circumstances, but that does not mean it is right to force their hand in others. One must therefore hope that the courts rule in a manner which does not set precedent where it would not be appropriate.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ticking Timebomb Scenario

      After the dying child has been saved, suppose there is a government plan which could result in the death of many more people and the journalist who has the evidence now has no way of protecting that evidence from the government because the back door has been created?

      1. theOtherJT

        Re: Ticking Timebomb Scenario

        The circumstances of the case aren't really the issue. It doesn't matter what is at stake in terms of saving lives or protecting people, it's a matter of the precedent set about what a court can and cannot demand a company do.

        Even if it were the case that complying with this order save a million lives, it would still be questionable to comply with it because it's accepting that the court has the authority to order them to do something which might actually be technically impossible.

        Assume for the moment that the device actually _can't_ be forced open, then what? Imagine that the encryption key is stored in a small block of Read Write memory on a chip that's otherwise Read only - the only way to get at it is to compromise the ROM part - which means you'll have to replace the chip, because the software on that chip can't be rewritten. Replace the chip and you lose the key, which puts you back where you started.

        Apple would simply not be able to comply with that order, but if they comply with this one they're accepting that were such a case to arise the court would have the authority to compel them to do so - and what would that mean? It makes no sense that the court can order them to do something that they physically can't, but if they accept that they built the device and are therefore responsible for getting data off the device - which would seem to be the key premise in this case - they'd have to accept the same responsibility for this hypothetical future device.

        The obvious conclusion to be drawn from that is that such a device would be illegal to build, and that's taking us into a place that we really shouldn't go.

        1. tom dial Silver badge

          Re: Ticking Timebomb Scenario

          US courts have had the authority to require assistance for 227 years. Apple stated as much in their PR piece. Their claim that the application of that law is novel is belied by the fact, stated in the FBI application, that they routinely responded to similar writs in the past.

          In addition, Apple have not stated that they cannot comply with the order; they have stated that they do not wish to do so.

    2. Anonymous Coward
      Anonymous Coward

      Re: Ticking Timebomb Scenario

      If we're talking hypotheticals then how do you know that nobody in the same building where they produce this backdoor will ever sympathise with ISIS, owe money or be duped by a bogus secret service person? Because once the software exists we have to assume it will fall into the wrong hands.

      The cybercaliphate are rooting for the FBI in this one.

    3. Martin-73 Silver badge

      Re: Ticking Timebomb Scenario

      You did, just actually raise, without tongue in cheek, the 'won't someone think of the children' angle, didn't you

  15. RikC

    Often reading articles on the Reg I don't have a too high expectation of the US governments', or many other governments, respect for personal privacy.

    However, we know that the line between the need to fight crime and the freedom to use of encryption is a thin one.

    In a case like this there would be the is an investigation after a crime has been committed. And the US government is looking to break the encryption of one a specific device. It is not a request to have backdoors on all of our devices, but a request to install one a specific device that has been seized in a confined setting. How to do it? Connect it physically, or with a confined wifi or cellular network is another case. But this is clearly something entirely different than unwarranted mass surveillance. And preferably such an operation is done by the manufacturer and not by the government itself on government premises. Because that would restrict that government in applying such a technique itself.

    1. John G Imrie

      It's dificalt to write software

      It's very easy to run it the second time.

    2. tom dial Silver badge

      This is fundamentally correct, but proper to supplement with the observation that, as Apple claims, the fact that the capability exists increases the risk that someone, whether government or other, will abuse it. Given the constraints consistent with the court's order and the Apple software validation process, the risk probably is very small, but it is not zero. If it is done, it will be a sign to others that they should redouble their efforts to do the same, and it might happen that the whole system becomes compromised. The risk, again, can be made very small, but it cannot be made zero.

      It is a problem, in the US maybe more than some other places, that people often are unable to evaluate risks rationally and therefore are unwilling to accept any level of identified risk. In this case, the risk to individuals who are not legitimate targets of law enforcement officials is very close to zero; indeed, it is close to zero whether the phone data are encrypted or not. Thieves, police, data brokers, and signals intelligence agencies have far more efficient ways to collect personal information than collecting it from large numbers of individual cell phones.

      The risk to Apple, however, may be appreciably larger, maybe even measurable. Having claimed inability to recover lost pass codes, they cannot perform the ordered task without being shown to have lied about it.

  16. Prst. V.Jeltz Silver badge

    one thing that puzzles me , If the GOV forces companies into putting back doors into their encruption , why would the terrorists use those systems?

    Its no secret how to create strong encryption from scratch.

  17. alcopops

    Reverse engineering not possible?

    Surely, with their resources they could reverse engineer these devices to allow them to brute force the encryption. Yes it would be expensive and difficult, but it's the US govt FFS!

    1. Prst. V.Jeltz Silver badge

      Re: Reverse engineering not possible?

      Well , encryptions pretty strong these days , Im not to familiar with names of particular systems , rsa , pgp , AES256 etc etc , but i keep hearing phrases like

      "All the power of all the computers ever built working for a billion years , would not brute force this encryption"

      In fact i heard it again on s7e3 of "the infinite monkey cage" the other day.

      So even if the men in black could clone the memory or do whatever to get as many goes as they like without the thing self destructing - theyd still have their work cut out.

      we are dealing with very very big numbers here!

      1. Darryl

        Re: Reverse engineering not possible?

        Yes, but in this case, they just want Apple to turn off the automatic wipe after x incorrect PIN entries. Then all the gov't is doing is brute forcing a 4 digit PIN, which isn't that hard. I've done it with laptop combination lock cables.

      2. Aqua Marina

        Re: Reverse engineering not possible?

        >>we are dealing with very very big numbers here!

        I always thought the longest encryption could hold out was 40-50 years once you factor Moore's law into the equation. I.e. you have an encryption that can be brute forced mathematically in say say 1 billion years using current computer hardware. Moore's law says that computing power doubles every 2 years, so half that number after 2 years, and half it again 2 years later and so on. If you were to wait 50 years before starting to brute force, you could then do it within a year.

    2. John H Woods

      Re: Reverse engineering not possible?

      "Surely, with their resources they could reverse engineer these devices to allow them to brute force the encryption." -- alcopops

      well, they could use electron microscopy perhaps, depending on any counter measures used by the crypto hardware. Now that would be a specific-to-the-object approach. If the material is that important, then this is what they should try.

  18. Vinyl-Junkie

    I don't think the device itself is the problem....

    If Apple were to create this piece of software to extract the data from this one device and hand it over, they would effectively be admitting "it is possible to create a less secure version of the OS and update the device with it without the user's permission, thereby making it possible for someone to extract data without the usual consequences".

    Just knowing this was possible would:

    a) Have lots of black hat hackers trying to achieve the same thing; knowing something is possible is a big help when it comes to trying to achieve it; and

    b) destroy any credibility Apple might have as a provider of secure devices, because no device is secure if you can update the OS with a less secure version whilst keeping the data intact without the user's permission.

    I can see why they don't want to do this!

  19. Anonymous Coward
    Anonymous Coward

    Letter target

    Shouldn't Cook be arguing the issue in the court?

    Is this a case of not expecting to get much traction there on either legal or technical merits and hoping to get further with the "court of public opinion" and pressurize the court through the politicos?

    1. Don Dumb

      Re: Letter target

      @ac - "Shouldn't Cook be arguing the issue in the court?

      Is this a case of not expecting to get much traction there on either legal or technical merits and hoping to get further with the "court of public opinion" and pressurize the court through the politicos?"

      Well, they are also arguing the issue in the court.

      I guess that Apple is ultimately answerable to its shareholders and it cares about public opinion which affects sales. Even though they are taking court action, it seems smart to explain to everyone, *before* a negative backlash, why they are fighting the court order.

  20. Anotherother
    WTF?

    Madness

    this will only inspire Apple's engineers to build even more security into their next phone to block any kind of circumvention, pushing the US gov even further towards the ludicrous position of banning encryption / imports of the hardware.

    Where will this end?

  21. mark666

    Quote:

    The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

    If Apple are forced to build this back door, then what is to stop criminal organisations from using this same backdoor to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge?

    The governments and the FBI all need to stop for a minute and take a step back, and the independently look at it and ask themselves what is really in the best interest of the people as a whole!

    1. John G Imrie

      what is really in the best interest of the people as a whole?

      Us knowing everything --- FBI

  22. UncleZoot

    To me there are two conflicting issues here.

    #1. Encryption has been around for years. Recently theregister posted stories that PGP had been broken by the US government and was a waste of time. The aes256 encryption can be broken, given enough time for a brute force attack.

    #2. What's the main sticking point is that Apple installed a dooms days counter. Enter the incorrect password 10 times and the unit triggers an auto-wipe feature. Apple claims they don't have a work around, government is now demanding Apple build one for them, supposedly for a one time event.

    If anything, the existence of the FISA courts shows that government lies and cheats and isn't accountable to the citizens. Companies receiving warrants from FISA are required to remain silent that they even received the warrant. So much for constitutional rights.

  23. Anonymous Coward
    Anonymous Coward

    Diversion?

    It's "unprecedented" because they usually do (or "allow") similar things under gag order for others?

  24. Byz

    Either we have liberty or we don't

    The 20th Century is scattered with examples of governments coming to power (by fair means or foul) that have then used the apparatus of power to remove the liberty of their citizens.

    The problem of what is the "best interest of the people" is decided by a group of people who have a viewpoint that may not be in my interest or a majority of the population.

    What is currently being demanded by governments both here in the UK and US may not be abused by the current governments, however if these attempt are successful they put into statute, laws that can be used by a future government to suppress the rights of their citizens.

    You just need to look at history to see that can very easily happen.

    Even in my lifetime I have seen British Governments complain that the courts should not undermine their rights to govern (thank goodness the courts have not buckled) however in the 1920's, 30's and currently in Russia there are many examples where the courts just become an extension of the ruling party. If the governments then have laws that allow you to be constantly or occasionally monitored (legally) without being suspected of a crime it becomes easy to find fault to put free thinking and innocent people in prison.

    It has happened before it will happen again.

    Go read Animal Farm the laws get rewritten.

  25. David Kelly 2

    Sue God

    Clearly the FBI needs to sue God for encryption key and back door to the human brain because not having this access is interfering with all the Good Work government could be doing to^H^H for us.

  26. M7S

    Simple solution

    OS manufacturers should create their OS with the approved "means of lawful access" (not backdoors, Oh, no, definitely not) and pass the keys securely to their respective governments. In return government should indemnify all users of said OS, including those accessing systems running on it (such as customers logging into an online bank), against the financial consequences of said OS being "breached" in some way. The burden of proof in all cases to rest with the authorities that they have not left the CD containing the keys on the train.

    Now try proving a negative.

    1. Vinyl-Junkie
      Thumb Up

      Re: Simple solution

      I like this, however I would take it a stage further.

      The burden of proof in all cases to rest with the authorities that the "approved means of lawful access" did not in any way contribute to the breach.

  27. Harry Stottle

    Authority V Liberty

    Nobody would contest the desirability of knowing exactly what was in the killers' head and history. Preferably before they get to commit their crime.

    And it is not just conceivable but likely that within 10-20 years, we will have technology capable of ferreting that information out of any head.

    Once that is possible, it will be plausible to argue that, for example, airlines should be allowed to put every passenger through such a mind scanner, in order to ensure that no-one with evil intent against the aircraft is permitted to board.

    Society is divided into two groups. The authoritarians and their followers form one group and they will argue in favour of allowing the mind-scanners and insisting that we all step through them,

    Once they've conceded that for something as serious as air travel, it will be only a matter of time before they concede it for (in roughly descending order) weeding out Pedophiles, Rapists, Tax dodgers, Trolls, and Dissidents

    Those who understand Liberty and the nature of threats like the above will probably have to fight the authoritarians literally to the death in what may come to be known as Humanity's Final War.

    The current Apple battle is an early skirmish in that war.

    Pick your sides now and be sure of a good seat...

    1. jaduncan

      Re: Authority V Liberty

      "And it is not just conceivable but likely that within 10-20 years, we will have technology capable of ferreting that information out of any head."

      Heh. You're very much overrating the state of neuroscience.

      1. Harry Stottle

        I beg to differ

        If you'll pardon my self promotion I've expanded the argument a little here

  28. dave 93

    If Apple's crypto is designed well...

    There is no way that even Apple can get in. This is actually fundamental for business users.

    The traffic in, and out, of the phone in question is all logged somewhere else, and yields the most important information about other potential suspects, but there could easily be incriminating material on the phone.

    If Apple *can* actually get in, :-( then it is best if each legal request is made really public, by going through the courts like this one, and Apple charge $1million to do it in-house to deter fraudulent or fishing access by authorities.

    This is all a good argument against TouchID, because if one's finger is available...

  29. BurnT'offering

    Lost me at 'fanbois'

    Are you on some sort of quota?

  30. Velv
    Boffin

    Nothing is truly secure ad infinitum, it's about just how much resources you can put at breaking it in a timely manner.

    I couldn't find in the iOS Security Guide if the hardware is tamper proof, so if it's not, the brute force challenge is about how many attempts you need to make before it locks. A four digit PIN has 10,000 combinations, however one way to achieve that is to clone the device 10,000 times and try a different four digit PIN against each.

    Resources you put up against the problem...

  31. GunnarM

    Analysis?

    Where is the analysis? Which is after all basically why we read the reg. This article is more or less just a quotation of the original letter from Apple, without insights added.

    1. Anonymous Coward
      Anonymous Coward

      Re: Analysis?

      With breaking stories there is always tension between timeliness and analysis. It is common in such cases to do the story "straight" - and then loop back later with analysis - as we have done here:

      http://www.theregister.co.uk/2016/02/17/why_tim_cook_is_wrong_a_privacy_advocates_view/

  32. 98Ravioli

    A couple of things for the folks who say, let the government in. The folks in the FBI already have all the relevant info they need from the telco and to use a law that was updated in 1911 to access the technology of today is really a stretch of authority. Please remember once the head of the camel is in the tent the rest is not far behind and all sense of privacy will be lost.

    1. tom dial Silver badge

      The All Writs Act dates from 1789, shortly after the Constitution was ratified. It was part of the act which established the US federal courts. Its use to demand Apple assistance in executing an unquestionably valid search warrant is not novel, even as to its use with respect to an iPhone. The fact that the law has been so for over 225 years is not at all an indication that it is obsolete, and the fact that it is being applied to obtain assistance with a warrant affecting technology that is much younger is interesting, but irrelevant to its purpose, which is to enable the government to get help to carry out judicial orders.

  33. url

    The real story is

    somebody actually bought an iPhone 5C

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022