Apple is resisting a court order to help the FBI hack into the iPhone used by San Bernardino shooter Syed Rizwan Farook. At the heart of the matter, the court is demanding that Apple enable investigators to use brute force to gain access to information stored on the phone.
In an open letter to customers on Tuesday, CEO Tim Cook said Apple will fight the order and warned that compliance with the FBI's demands would open up a Pandora's box.
"In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone's physical possession. Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control," Cook wrote.
The phone is owned by Farook's former employer, the San Bernardino County Department of Public Health. The department has supported federal investigators' requests to search the contents of the device.
The White House contends that the Justice Department is not asking Apple to create a new backdoor, but is simply asking for access to one device.
In this case, the details matter, said cybersecurity experts.
"The FBI is technically correct," said Herb Lin, senior research scholar at the Stanford Center for International Security and Cooperation. "Tim Cook is taking a broad view of it."
While Apple is using this opportunity to reaffirm its privacy policy and reassure customers that the company is not giving the government backdoor access to iOS devices, in doing so it is conflating two separate issues, experts said.
"It is not the same thing as a backdoor, because it does not allow access to the device," said Alexander Heid, chief research officer of cybersecurity start-up Security Scorecard. "The government would still have to figure out the password to the device, whereas a backdoor would allow the government to access the device surreptitiously."
To use brute force — a standard hacking technique — investigators need to be able to enter as many passcodes as it takes to guess Farook's passcode without the device auto-erasing after 10 attempts, a standard security feature Apple offers.
The court order requires Apple to help the FBI create and install software on the device that would bypass this and other security features. Investigators could then theoretically crack the four-digit passcode between 0000 and 9999 with 10,000 attempts, cybersecurity experts said.
"Apple would be providing software that prevents the iPhone from erasing," said Heid. "It would be letting the guard down for an attack."
Silicon Valley and the U.S. government have been at loggerheads for years about how much access companies should grant government and law enforcement agencies — a debate that took on new urgency following the 2013 Edward Snowden revelations.
"Pre-Snowden, the iPhone cryptographic process was different and easier to break," said Gabe Gumbs, vice president of Strategy at Identity Finder, a company that helps companies identify and classify sensitive information. "As a response to consumer affairs, when Apple released a new version of the iPhone they improved the encryption process they currently had."
Privacy advocates and technology leaders largely came out in support of Apple's stance Wednesday. Google CEO Sundar Pichai commented via Twitter.
The Information Technology Industry Council, an advocacy and policy organization in Washington representing America's tech giants, also defended Apple's position.
"Our shared fight against terrorism must be grounded in principle," it said. "We worry about the broader implications both here and abroad of requiring technology companies to cooperate with governments to disable security features, or introduce security vulnerabilities into technologies. Our fight against terrorism is actually strengthened by the security tools and technologies created by the technology sector, so we must tread carefully given our shared goals of improving security, instead of creating insecurity."
With this court order, the government has picked an emotional case with which to test the limits of the All Writs Act of 1789, the statute the DOJ is citing to obtain information in this case.
Sen. John Cotton, R-Ark., accused Apple of choosing to protect a dead ISIS terrorist's privacy over the security of the American people. "Regrettably, the position Tim Cook and Apple have taken shows that they are unwilling to compromise and that legislation is likely the only way to resolve this issue."
House Intelligence Committee ranking Mmmber Adam Schiff, D-Calif., adopted a more nuanced assessment.
"This case is at the heart of the difficult debate over privacy and security," he said. "The FBI has a compelling interest in gaining access to a phone used by one of the shooters in the San Bernardino attack — the data contained on the phone could tell us more about the shooter's plans, and whether there were other plots against additional targets. At the same time, there is also a compelling interest in favor of strong encryption, and avoiding any precedent that could degrade the privacy rights, cybersecurity and the legitimate business interests that encryption helps to promote."
Cybersecurity experts warned that we will likely see many more cases like this, and that given that U.S. companies operate globally, some may involve opponents with an entirely different agenda.
"This gets to the root of the issue," said Purdue professor Gene Spafford, a cybersecurity expert who has also advised government agencies including the NSA, FBI and Air Force. "If the Chinese or the Iranian government under their legal system has all the legal requirements met to break the encryption or look at what is on a phone, they would have a same standing as the U.S. government does in this case to compel Apple to cooperate."
