Article Mar 22, 2016

Apple, FBI, and Cybersecurity: The Basics

Apple CEO Tim Cook’s letter about the FBI brought forth both emotional outrage and joyful fist-pumping from the tech community. It also has brought a very public spotlight to a conflict between two great problems that plague the modern era: security against threats and the safety of our personal data. The implications of this public debate for cybersecurity, law enforcement, case law, and digital privacy are worth considering.

But if you’re just tuning in, here are the basics, the debate so far, and what is ahead. There are a lot of interlocking pieces so it’s OK if you’re just getting a handle on this issue.

In December 2015, Syed Rizwan Farook and Tashfeen Malik murdered 14 people at a party at the Inland Regional Center in San Bernardino, California. It is now known they had ties to jihadi groups and this was the deadliest terrorist attack on American soil since 9/11. Farook was an employee of the San Bernardino County health department and was issued a work phone, an iPhone 5C running iOS 9 operating system software. Farook and his wife-accomplice destroyed their personal phones on which presumably they did much of the coordinating for these attacks. Farook’s work phone, the phone in question, has been in law enforcement possession since Farook’s death.

However, Farook’s iPhone is locked by the famous iPhone passcode screen. (iPhone 5Cs do not have fingerprint security.) Furthermore, Farook may have enabled a feature that would scramble the phone’s information should multiple incorrect passcode guesses be made. This proves to be a nearly insurmountable obstacle for the FBI. Given these circumstances, the FBI decided the best course of action was to request that Apple help bypass this security feature by creating special software to disable the passcode and scrambling feature. So, on February 16 a federal judge in Riverside, California, mandated through a court order that Apple help the FBI by essentially two means: 1) bypassing or disabling the auto-erase function and 2) enabling the FBI to guess the password however it wants, as quickly as it wants.

The authority that law enforcement is relying on is the All Writs Act, a federal statute the government has historically used to compel cooperation in law enforcement activities. The FBI says it wants Apple to create this workaround software for only this one deceased terrorist’s iPhone and has offered to let Apple keep complete control of the phone, the software, everything. They just want the data on the physical phone on the chance there’s any additional evidence in this case.

Before Tim Cook’s public letter, Apple complied with law enforcement’s initial request for information from the iPhone 5C by handing over its iCloud records. However, since the iCloud records only went up to October 19, 2015, this left an obvious gap in time. Adding to the complexity, in a March 10 filing the government said there is evidence that the auto backup feature for iCloud may have been disabled somewhere between October 19 and his death on December 2. The FBI, desiring to do its due diligence, thinks additional information could be located on the phone but they can’t get into it because of the aforementioned combination of passcode lock and potential information scramble if the passcode is entered incorrectly. And that’s if that feature is even enabled. The FBI would rather not try their luck.

Apple has built this security feature into its operating software since iOS 8 was released in September 2014. If this were any earlier version of the iPhone software, then, from a technical perspective at least, the FBI wouldn’t be facing this issue in quite the same way. With a simple password and no auto-scramble feature, the FBI could “brute force” its way into the phone by hooking it up to a more powerful computer and running all the 4-digit password combinations (10,000 by the way) until it guessed the right one. But with iOS 9, the operating system on Farook’s iPhone, a user can set a 4-digit, 6-digit or alphanumeric passcode. This makes guessing the correct password take anywhere from a few hours to 5.5 years.

A quick aside: A brute force hack is just guessing passwords until the correct one is discovered. This is why websites encourage you to have passwords more complex than 1234 or 1122. Those are easy to brute force. With those passcodes or similarly simple ones, a thief could break into your account just sitting on the couch letting a computer do all the work in a matter of minutes depending on computing power.

Some other important events have also occurred since this very public debate burst on the scene February 16. For a full timeline of events, here is a good report from USA Today. On February 29, a New York magistrate ruled that the FBI could not use the All Writs Act to ask Apple to unlock an iPhone 5S running iOS 7 that is evidence in a drug case. While this case is completely unrelated--the request, circumstances, and software are different--it is significant in that the judge’s ruling said the All Writs Act was not sufficient to compel Apple’s cooperation.

The legal back and forth on this case has been very public. Apple, a New York District Attorney, and the FBI appeared before the House Judiciary Committee on March 1 to present their sides of the case. There has also been an appeal from Apple, a Justice Department response, and a response from Apple. On March 22, the Justice Department and Apple will present their cases in a public hearing in Riverside, California. No matter the outcome for either side, this case could proceed all the way to the Supreme Court.

From a cybersecurity standpoint there are a couple key factors to keep in mind:

First, digital information resists containment. Say Apple complies and creates software to bypass its security measures. This will require a team of 6-10 engineers to develop this software. Software is inherently different than a physical good in that it could be copied or distributed infinitely with no discernible effect on the end product. Of course Apple and FBI employees can and should be trusted, but human nature being what it is, there is no guarantee the software will not get out. In cybersecurity, human error or malfeasance is the number one weakness. An institution can set up all the right protections from outside attack, but as we saw in 2013 with Edward Snowden, it just takes one person on the inside to release the information to the world.

Second, insecurity for one means security for none. In the realm of electronic information, creating software to bypass a security feature essentially nullifies that security feature for everyone. Back doors to encryption (encryption being a feature that makes information unreadable and nearly unguessable without a key) mean that very encryption is now worthless because someone out there can get into it. This means this is not merely a domestic issue but an international one since Apple operates around the globe. Internationally there are likely hundreds, if not thousands, of locked iPhones possessed by governments both well-meaning and not-so-well-meaning. Were Apple to comply, this would bring other countries to Apple’s door with requests for the software to bypass the security. What the United States does, the land of the free with those pesky first ten amendments to protect civil liberties and human rights, draws attention and emulation from other governments.

Finally, how should a Christian consider this issue? In Matthew 10:6, Jesus told his followers to be “as wise as serpents yet as harmless as doves.” When considering this issue we must take into account not just the terrible tragedy and families affected by the December attack, but also the further ramifications of security in this information age. This is not an isolated case free of international or future ramifications. Lives everywhere, including those of persecuted Christians who use iPhones and other encryption services to protect their missions, may be at risk now and in the future without strong information security. It is an issue for all the Church to consider prayerfully and carefully.

Update: In a very surprising move, yesterday afternoon the FBI requested the much anticipated March 22 hearing be canceled because an "outside party" has provided a possible way of unlocking Farook's iPhone without the need for Apple's help. Although this particular case could possibly be resolved if this "outside party" is successful — the FBI will provide a status update to the court by April 5 — certainly the broader debate will continue as law enforcement and technology are increasingly intertwined.
