By Steve Hersee
On December 2nd 2015, 14 people were killed and 22 were seriously injured in a terrorist attack in San Bernardino, California after Syed Rizwan Farook and Tashfeen Malik targeted a Public Health training event with small arms fire and an attempted bombing. Four hours later the perpetrators were killed in a police shootout after fleeing the scene in a sports utility vehicle. President Obama declared the incident a terrorist attack and the FBI described the perpetrators as home-grown violent extremists inspired by foreign terrorist groups. The attack was the deadliest in the US since the 2012 Sandy Hook Elementary School shooting and was the worst terrorist attack in the US since the September 11 attacks in 2001.
The FBI, who were investigating the incident, attained a search warrant on a black Lexus car linked to the perpetrators. Along with other evidence they seized an Apple iPhone C5, which belonged to one of the subjects. Apple co-operated with the FBI on the case, passed them relevant data within their possession, complied with subpoenas and search warrants and made Apple engineers available to advise the FBI of the investigative options at their disposal. But when the FBI wanted access to the recovered iPhone in order to help understand the motives of the killers and any terrorist networks they were in contact with, Apple would not co-operate.
Apple has marketed itself as a crusader for individual rights and has made privacy a key part of its offering to customers. Since 2014 Apple started to produce iPhones that were encrypted by default and in doing so it claimed that they couldn’t unlock phones even if presented with a court order to do so.
For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.
Encryption isn’t just a technical feature;
it’s a marketing pitch
iPhones are encrypted by default and can only be decrypted when the user enters the correct passcode. After 10 unsuccessful attempts all data on the phone is erased. Since this policy change the FBI and Apple have been at loggerheads, with FBI director James Comey suggesting that widespread use of such technology could undermine the rule of law.
Encryption isn’t just a technical feature; it’s a marketing pitch. But it will have very serious consequences for law enforcement and national security agencies at all levels. Sophisticated criminals will come to count on these means of evading detection. It’s the equivalent of a closet that can’t be opened. A safe that can’t be cracked. And my question is, at what cost?
Following their frustration at their inability to access the iPhone owned by the San Bernardino attackers, the FBI have taken a new approach. They took the case to the United States District Court in California and on 16th February 2016 they received a court order which directed Apple to assist the FBI to access the iPhone in question. As Apple does not have the capability to remove the encryption the court order directed Apple to create software, which will allow the FBI to determine the passcode using a brute force attack. Apple were instructed to create a new version of iOS to load onto the device. This new version should remove the ten password rule, remove the time limit restricting rapid password attempts and to allow passwords to be created and entered automatically. This software would allow the FBI to try every one of the 10,000 possible passcodes in quick succession without the phone erasing all the data and this would ultimately give them full access to all of the data on the phone.
Apple responded quickly and decisively and its CEO, Tim Cook released a statement on Apple’s website condemning the court order and vowing to fight against it. Cook framed the issue as an attack against encryption and claimed that the order had implications far beyond the legal case at hand.
“The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.”
Framing the issue as one about the sanctity of encryption, the malevolence of backdoors and the threat of state surveillance plays into a view, held by many, that the US government is out to spy on its citizens and only encryption can stop them. The Electronic Freedom Foundation immediately issued a statement backing Apple, many technology websites backed the move and thousands of comments on Twitter showed support for Apple.
People siding against Apple *on this encryption issue* basically hate the liberty and freedoms we have.
Bravo @tim_cook and Apple for standing up for strong encryption.
These views contrast sharply with those who support the move by the FBI such as US Senator Tom Cotton:
“Apple chose to protect a dead ISIS terrorist’s privacy over the security of the American people … It’s unfortunate that the great company Apple is becoming the company of choice for terrorists, drug dealers, and sexual predators of all sorts”.
And a number of Twitter commentators:
@Reuters A court order shld be issued to decrypt this terrorists iPhone. The info could be vital to Nat’l Sec;Apple has 0 rt to deny decrypt
Once you slaughter 14 other people you should lose rights….no?
Encryption is given status well beyond its actual function. It is idolised by many and held up as the great hope for society but demonised by others who claim that it has the potential to bring about a lawless society. What strikes me about this discourse is how divisive it is. As I have seen in many conferences, debates and opinion pieces, the discourse is divided into two competing camps.
Encryption is given status well beyond
its actual function
Those advocating the need for effective law enforcement and security argue that security and law enforcers must be given the powers and information they need, otherwise we are at greater risk of terrorism and crime. Those who advocate for digital rights argue that the more significant threat comes from the state’s ability to breach its citizen’s privacy by spying on an individual’s online activity. The former are accused of not caring about privacy and the latter about security. This is reflected in the pre-emptive defence each side feels it must adopt to protect itself from these attacks. For example, in Tim Cook’s response to the court ruling he felt the need to explain the very obvious fact that “[Apple] have no sympathy for terrorists”.
However, on closer inspection the aims and aspirations of Tim Cook and James Comey are not mutually exclusive. Tim Cook has said that Apple were shocked by the San Bernardino shootings, want justice for all those affected and want to “support government efforts to solve this crime”. Whereas James Comey has said that he wants privacy for people to share their lives with who they choose and that he holds “a desire to protect our privacy and our data” So could we actually have both security and privacy? Is there no way that modern intellectuals, legislators, technologists and activists can’t work together to devise a way to give investigators the data they need without creating harmful backdoors and affecting the security and privacy of everyone else?
Amongst thousands of comments on Twitter I found one which suggested such a route:
#Apple could decrypt terror phone WITHOUT revealing encryption keys to gov. Court COULD sanction evidence chain. Solved.
Apple should decrypt terror phone IN-HOUSE under supervision W/O revealing encryption keys. Court should sanction evidence chain.
But the suggestion that Apple can comply with the court order without compromising the long term privacy of its customers has received a hostile reaction and little support. As I see it, the obstruction to achieving progress does not come from the difficulty of the challenge; it comes from a divisive discourse which is preventing all sides of the debate from realising that their aims are not incompatible. If this (false) division can be overcome, then we might be able to focus our attention towards the serious threats to privacy and security which exist in the world today by restoring trust and having all sides working together to discuss and address these very real challenges.
Steve Hersee is a Cyber Security Researcher jointly supervised by the Information Security Group and Department of Geography at Royal Holloway, University of London. He is studying threat construction in cyberspace, focussing on the roles of the state and the digital rights movement. He can be #hunted down on Twitter @stevehersee