Desert of My Real Life

{February 20, 2016}   Apple vs. The FBI

I’ve been reading a lot about the controversy surrounding the court order compelling Apple to help the FBI break into the phone used by one of the San Bernardino killers, Sayed Farook. I think at this point, I mostly understand the technical issues although the legal issues still confound me. And there’s a significant question that I’m not seeing many people discuss but would help me to understand the situation better.

Here’s what the case is about. The iPhone used by one of the killers is owned by his employer, San Bernardino County. The FBI sought and received a court order to confiscate the phone with the intention of gathering the data stored on it. The County willingly turned the phone over. As an aside, there is currently a controversy with the FBI saying that a County employee, working on his own, reset the password for the phone after giving it to the FBI which means one possible method for retrieving the data from the phone is no longer available. The County claims that its employee reset the password under the direction of the FBI. Somebody is lying. If the FBI really did direct the employee to reset the password, they need to hire more adept technologists. The news stories about this controversy neglect to mention that the method in question would only have worked if Farook had not changed his password after he turned off the automatic iCloud backup. I think that’s pretty unlikely.

So, the FBI has physical access to the iPhone but the problem is that the phone has two layers of security. The first is that it will automatically delete all of its data if someone enters an incorrect password 10 times. The second is that the data on the phone is encrypted which means that it can’t be read unless the password is entered. The FBI sought and received a court order to require Apple to “bypass or disable” the feature that wipes the phone clean. Doing so would then allow the FBI an unlimited number of password attempts to decrypt the data stored on the phone. Apple’s response to the court order is that to comply would be to put the data of every iPhone user in jeopardy.

One of the things that confused me about this story was that I kept hearing and reading reports about Apple helping law enforcement to unlock iPhones many times in the past. The folks over at Tech Crunch helpfully explained that Apple’s current response is not hypocritical. For iPhones running the operating system iOS 7 (and previous versions of iOS), Apple had the ability to extract data from the phones. And so it complied with court orders requiring it to extract data from iPhones. For iPhones running iOS 8 and later, Apple removed that capability. Apple has stated that the company wants to protect its users’ data even from Apple. The iPhone in question is running iOS 9. So Apple does not currently have to capability to extract data from the phone in the ways that it has in past cases. In order to comply with the court order, Apple would need to write some new software, a version of iOS with the phone wiping feature disabled, and then install it on the iPhone in question. The court order requires Apple to provide “reasonable technical assistance.” Is writing new software “reasonable technical assistance”?

But here’s the question that I haven’t found an answer for. Is there a precedent for the government compelling a person (remember: corporations are people so Apple is a person, right?) to build something that doesn’t already exist? The case that’s being cited as a precedent seems to me (admittedly, not a lawyer) to be pretty different. In that case, the Supreme Court said that the government could compel The New York Telephone Company to put a pen register (a monitoring device) on a phone line. But the telephone company already had the technology to monitor phone lines so it wasn’t as though they were being compelled to create a new technology. Apple is being asked to write a new piece of software, to build something that doesn’t already exist. This diversion of resources is one of their grounds for objecting to the court order. So, John McAfee has offered to write the software for free. It isn’t clear, however, that writing the software is enough since iPhones will only work with software that has been signed by Apple. Even if McAfee was successful, the government would still need Apple’s cooperation. And that’s unlikely since Apple’s philosophy is that their products should provide their customers as much data security as possible.

Ultimately, I agree with Bruce Schneier that the American public is best served if Apple does not comply with the government’s order. The government says that this request would be a one time thing, that they would not ask for such assistance again. I don’t believe that. Even if I did believe that the government would not ask again, I don’t think we can keep such software, once it exists, out of the hands of the many, many hackers who want to steal your data. That is a threat to our everyday lives that far outweighs the threat of terrorism.

Addendum (2/21/16): I’ve read some articles that take issue with Apple CEO Tim Cook’s “slippery slope” argument. His argument has been that if Apple complies with this order to circumvent the iPhone feature that wipes the phone clean after 10 incorrect password attempts, they will have no basis to refuse to do so in the future. Every time the US government asks them to circumvent the feature, they will have to do so. Government lawyers have said that this request is about this phone only and that they won’t ask in other cases. Tell that to Cyrus Vance, Jr., the district attorney in Manhattan. On Weekend Edition this morning, Vance argued that Apple should comply with the order because they are circumventing law enforcement’s ability to view the data on more than 175 phones related to criminal investigations. If this software is available for use by law enforcement officials, it will be available for use by the “bad guys.” That puts everyone’s data in jeopardy. Apple is protecting your ability to keep your data out of the hands of hackers (whether they work for the government or not).

{July 31, 2013}   Whistle-blowers

Two whistle-blowers are in the news today: Bradley Manning and Edward Snowden. Manning is the Army soldier who was convicted yesterday of 17 of the 22 counts against him. He leaked top secret documents to Wikileaks and was convicted of espionage and theft although found innocent of aiding the enemy. He is now awaiting sentencing. Edward Snowden is the contractor working for the National Security Agency who revealed details of several surveillance programs to the press. He is currently on the run from charges of espionage and theft but is continuing to make headlines with further revelations. Some see these two as heroes and others see them as traitors. I think history will judge which they are. What interests me most are the ways these two cases are being discussed.

We already know that Bradley Manning has been found guilty of most of the charges against him. The prosecutor in the case has said that Manning is not a whistle-blower but is instead a traitor looking for attention via a high-profile leak to Wikileaks. Manning’s defense attorney countered by saying that Manning is naive and well-intentioned and wants to inform the American public. “His motive was to spark reform – to spark change.” Why is his motive important? Since when is intent important in determining whether someone committed a crime or not? Next time I get stopped for a traffic infraction, I’m going to try saying “I didn’t intend to break the law” to the officer. What do you think my chances of getting off will be? I also find it interesting that the prosecutor seems to think that Manning is not a whistle-blower because he believes that Manning wanted attention. A whistle-blower is “a person who exposes misconduct, alleged dishonest or illegal activity occurring in an organization.” Manning might not be a whistle-blower because the activity he revealed was not misconduct, was not dishonest or illegal. But to argue that he’s not a whistle-blower because he didn’t have the proper intentions seems to lead us as a society down a dangerous path. Of course, the Zimmerman verdict might have already sent us down that path.

The Snowden situation is more recent than the Manning case so we don’t know what Snowden will be found guilty of. He’s accused of disclosing details about some secret surveillance programs being conducted by the National Security Agency (NSA) in the United States. The NSA is supposed to gather information about foreign entities strictly outside of US boundaries. Edward Snowden revealed the existence of several NSA surveillance programs focused on domestic as well as foreign communications. He then fled the country with several laptops “that enable him to gain access to some of the US government’s most highly classified secrets.” The question that interests me most about this case is how a contractor, an employee of a private company, an employee who probably should have failed his background check on the grounds that his resume contained discrepancies, was able to gain access to such secret information. “Among the questions is how a contract employee at a distant NSA satellite office was able to obtain a copy of an order from the Foreign Intelligence Surveillance Court, a highly classified document that would presumably be sealed from most employees and of little use to someone in his position.” Yes, that IS among the most important questions to answer. The NSA director, Keith Alexander, has said that the security system didn’t work as it should have to prevent someone like Snowden from gathering the sensitive information that he did. Snowden claims that he was authorized to access this information. The NSA claims that he was not authorized. Why does the NSA think it’s preferable that an unauthorized person gained access to its information?

I’m going to pause here to say that I’ve been reading a lot of speculation about how Snowden gained access to this information that he shouldn’t have had access to. There may be some people who know how he gained this access but in the dross of the Internet, the methods aren’t yet clear. From a technical standpoint, however, I find it incredibly disturbing that someone with Snowden’s computer security background (which appears to be rather mundane–he was no genius computer hacker) was able to gain access to all of this sensitive information within the agency that is supposed to be most expert in the security game. No matter what you think of Snowden and his intentions, I think you have to be concerned about the ease with which someone was able to gain access to these “secrets.” Having now read a whole bunch of information about this case, I feel like it is similar to the one in which the high school student is punished by the school’s IT staff for pointing out how weak the school’s computer security setup is. Perhaps we should be focused on the (lack of) security around this information rather than the fact that it has been disclosed.

In the Senior Seminar that I teach, we often discuss whistle-blowing. If I use the term “whistle-blowing,” my students generally feel that the person doing the disclosing is doing a service to society. If, instead, I say that the employee is revealing corporate secrets, my students generally feel that the person is betraying his/her employer. The cases of Manning and Snowden are more complex than I can easily comprehend but I guess I generally feel that shedding light on situations is better than trying to maintain security by secrecy, by obscuring the facts. In a democracy, sunshine is a good thing.

et cetera