[David Strom's Web Informant] Apple vs. the FBI: The son of the Clipper Chip?

David Strom david at strom.com
Mon Feb 29 13:28:02 EST 2016

Web Informant, February 29, 2016: Apple vs. the FBI: The son of the Clipper

The news reports about the lawsuit between Apple and the FBI over a
terrorist’s iPhone is fraught with misinformation and security theater. It
has been characterized as privacy’s last stand or as the tech industry’s
gift to criminals around the world, and everything in between. I assume you
have read something about the case, so will start by providing two
documents that you may not have links to. Both of them pre-date the Apple

First is the *Keys Under Doormats
<https://dspace.mit.edu/handle/1721.1/97690>* paper, written by more than a
dozen different security researchers report in July 2015. The paper does a
very good job laying out the issues involved in decrypting our modern
computing devices. Many of these researchers were involved in the Clipper
Chip era of the late 1990s, when the government lasted tried to force their
way into our devices.

While you should read the entire paper, here are some highlights. The paper
concludes by saying that “the damage that could be caused by law
enforcement exceptional access requirements would be even greater today
than it would have been 20 years ago.” They also say that providing
decrypts would be “unworkable in practice, raise enormous legal and ethical
questions, and would undo progress on security at a time when Internet
vulnerabilities are causing extreme economic harm.”

The second document was written by the NYC District Attorney last November
It deals exclusively with whole disk smartphone encryption, which is the
central issue of the case. It contains a proposal for device vendors to be
able to unlock any phone under the request of a search warrant.  The report
has justifications and technical questions for both Apple and Google.
Again, the entire document is worth reading, but between September 2014 and
September 2015, the DA’s office was unable to execute approximately 111
search warrants for smartphones because those devices were running iOS 8,
which automatically encrypts its information. They claim this feature
benefits criminals and imperils the safety of us all.

Okay, here are some of my own thoughts.

*Is the DA’s proposal a backdoor way around encryption*? The government and
law enforcement officials say no. I would disagree, and say that their
proposal is probably better characterized as a side door. Having a way
inside an encrypted disk compromises the disk’s security, no matter how it
is done and who holds the keys.

*Shouldn’t Apple, Google et al. want to cooperate with law enforcement*?
Sure they should but in a way that won’t be a threat to overall security of
everyone. I side with the “doormats” folks on this one.  The issue, as they
say, is that “Law enforcement cannot be guaranteed access without creating
serious risk that criminal intruders will gain the same access.”

The FBI initially stated that they were *only interested in a single iPhone*,
and then later changed their statements. The FBI is being somewhat
disingenuous here. If Apple develops the technology to break into a phone,
this will certainly be used in numerous other cases. The FBI carefully
picked a test case with a known criminal, a terrorist, to make their
request more sympathetic to the courts and the public.

*Don’t encryption tools benefit criminals*? Many of us say that we have
nothing to hide. Perhaps that is true, but why should citizens have their
phones compromised by others who are either less sanguine about their
rights to privacy or who are trying to gain access for illegal intent?
Sure, gaining access to encrypted information isn’t easy: you might have read
how the FBI arrested Ross Ulbricht for his activities with Silk Road.
But that’s the whole point. The FBI got around the various encryption
protocols he was using by seizing his open laptop at a public library in
San Francisco, preventing him from closing his session so his identity
could be verified and they could gain access.

*Why can’t corporate IT departments make use of mobile device management
tools to open their phones for the law*? Indeed, this is sort of what
happened with the San Bernardino case. However, his employer, the county
health department, had only partially installed the MobileIron MDM tool.
Because it wasn’t completely implemented, they couldn’t get all the
information out of the phone. Certainly now many IT managers who have heard
about this recognize the value of MDM. Perhaps they will finish their own
installations as a result.  But there will be many phones that other law
enforcement staff will get their hands on that will be in a similar state:
do we really want to pass legislation to compel IT workers to do their jobs
properly? And just because I have a personally owned phone that is managed
by an MDM doesn’t mean that IT can obtain any information from it.

Your comments always welcome here: http://blog.strom.com/wp/?p=5217
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://list.webinformant.tv/pipermail/webinformant_list.webinformant.tv/attachments/20160229/d5df68e0/attachment-0002.html>

More information about the WebInformant mailing list