Apple–FBI encryption dispute


The Apple–FBI encryption dispute concerns whether and to what extent courts in the United States can compel manufacturers to assist in unlocking cell phones whose data are cryptographically protected. There is much debate over public access to strong encryption.
In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789. Most of these seek to compel Apple "to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones running on operating systems iOS 7 and older" in order to assist in criminal investigations and prosecutions. A few requests, however, involve phones with more extensive security protections, which Apple has no current ability to break. These orders would compel Apple to write new software that would let the government bypass these devices' security and unlock the phones.
The most well-known instance of the latter category was a February 2016 court case in the United States District Court for the Central District of California. The Federal Bureau of Investigation wanted Apple to create and electronically sign new software that would enable the FBI to unlock a work-issued iPhone 5C it recovered from one of the shooters who, in a December 2015 terrorist attack in San Bernardino, California, killed 14 people and injured 22. The two attackers later died in a shootout with police, having first destroyed their personal phones. The work phone was recovered intact but was locked with a four-digit passcode and was set to eliminate all its data after ten failed password attempts. Apple declined to create the software, and a hearing was scheduled for March 22. However, a day before the hearing was supposed to happen, the government obtained a delay, saying it had found a third party able to assist in unlocking the iPhone. On March 28, the government claimed that the FBI had unlocked the iPhone and withdrew its request. In March 2018, the Los Angeles Times reported "the FBI eventually found that Farook's phone had information only about work and revealed nothing about the plot" but cited only government claims, not evidence.
In another case in Brooklyn, a magistrate judge ruled that the All Writs Act could not be used to compel Apple to unlock an iPhone. The government appealed the ruling, but then dropped the case on April 22, 2016, saying it had been given the correct passcode.

Background

In 1993, the National Security Agency introduced the Clipper chip, an encryption device with an acknowledged backdoor for government access, that NSA proposed be used for phone encryption. The proposal touched off a public debate, known as the Crypto Wars, and the Clipper chip was never adopted.
It was revealed as a part of the 2013 mass surveillance disclosures by Edward Snowden that the NSA and the British Government Communications Headquarters had access to the user data in iPhones, BlackBerry, and Android phones and could read almost all smartphone information, including SMS, location, emails, and notes. Additionally, the leak stated that Apple had been a part of the government's surveillance program since 2012, however, Apple per their spokesman at the time, "had never heard of it".
According to The New York Times, Apple developed new encryption methods for its iOS operating system, versions 8 and later, "so deep that Apple could no longer comply with government warrants asking for customer information to be extracted from devices." Throughout 2015, prosecutors advocated for the U.S. government to be able to compel decryption of iPhone contents.
In September 2015, Apple released a white paper detailing the security measures in its then-new iOS 9 operating system. iPhone models including the iPhone 5C can be protected by a four-digit PIN code. After more than ten incorrect attempts to unlock the phone with the wrong PIN, the contents of the phone will be rendered inaccessible by erasing the AES encryption key that protects its stored data. According to the Apple white paper, iOS includes a Device Firmware Upgrade mode, and that "estoring a device after it enters DFU mode returns it to a known good state with the certainty that only unmodified Apple-signed code is present."

Apple ordered to assist the FBI

The FBI recovered an Apple iPhone 5C—owned by the San Bernardino County, California government—that had been issued to its employee, Syed Rizwan Farook, one of the shooters involved in the December 2015 San Bernardino attack. The attack killed 14 people and seriously injured 22. The two attackers died four hours after the attack in a shootout with police, having previously destroyed their personal phones. Authorities were able to recover Farook's work phone, but could not unlock its four-digit passcode, and the phone was programmed to automatically delete all its data after ten failed password attempts.
On February 9, 2016, the FBI announced that it was unable to unlock the county-owned phone it recovered, due to its advanced security features, including encryption of user data. The FBI first asked the National Security Agency to break into the phone, but they were unable to since they only had knowledge of breaking into other devices that are commonly used by criminals, and not iPhones. As a result, the FBI asked Apple Inc. to create a new version of the phone's iOS operating system that could be installed and run in the phone's random access memory to disable certain security features that Apple refers to as "GovtOS". Apple declined due to its policy which required it to never undermine the security features of its products. The FBI responded by successfully applying to a United States magistrate judge, Sheri Pym, to issue a court order, mandating Apple to create and provide the requested software. The order was not a subpoena, but rather was issued under the All Writs Act of 1789. The court order, called In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate #5KGD203, was filed in the United States District Court for the Central District of California.
The use of the All Writs Act to compel Apple to write new software was unprecedented and, according to legal experts, it was likely to prompt "an epic fight pitting privacy against national security." It was also pointed out that the implications of the legal precedent that would be established by the success of this action against Apple would go far beyond issues of privacy.

Technical details of the order

The court order specified that Apple provide assistance to accomplish the following:
  1. "it will bypass or disable the auto-erase function whether or not it has been enabled"
  2. "it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available"
  3. "it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware"
The order also specifies that Apple's assistance may include providing software to the FBI that "will be coded by Apple with a unique identifier of the phone so that the would only load and execute on the SUBJECT DEVICE".
There has been much research and analysis of the technical issues presented in the case since the court order was made available to the public.

Apple's opposition to the order

The February 16, 2016 order issued by Magistrate Judge Pym gave Apple five days to apply for relief if Apple believed the order was "unreasonably burdensome". Apple announced its intent to oppose the order, citing the security risks that the creation of a backdoor would pose towards customers. It also stated that no government had ever asked for similar access. The company was given until February 26 to fully respond to the court order.
On the same day the order was issued, chief executive officer Tim Cook released an online statement to Apple customers, explaining the company's motives for opposing the court order. He also stated that while they respect the FBI, the request they made threatens data security by establishing a precedent that the U.S. government could use to force any technology company to create software that could undermine the security of its products. He said in part:
In response to the opposition, on February 19, the U.S. Department of Justice filed a new application urging a federal judge to compel Apple to comply with the order. The new application stated that the company could install the software on the phone in its own premises, and after the FBI had hacked the phone via remote connection, Apple could remove and destroy the software. Apple hired attorneys Ted Olson and Theodore J. Boutrous Jr. to fight the order on appeal.
The same day, Apple revealed that in early January it had discussed with the FBI four methods to access data in the iPhone, but, as was revealed by a footnote in the February 19 application to the court, one of the more promising methods was ruled out by a mistake during the investigation of the attack. After the shooter's phone had been recovered, the FBI asked San Bernardino County, the owner of the phone, to reset the password to the shooter's iCloud account in order to acquire data from the iCloud backup. However, this rendered the phone unable to backup recent data to iCloud, until the new iCloud password was entered. This however, requires the phone to be unlocked. This was confirmed by the U.S. Department of Justice, which then added that any backup would have been "insufficient" because they would not have been able to recover enough information from it.

Legal arguments

The government cited as precedent United States v. New York Telephone Co., in which the Supreme Court ruled in 1977 that the All Writs Act gave courts the power to demand reasonable technical assistance from the phone company in accessing phone calling records. Apple responded that New York Telephone was already collecting the data in question in the course of its business, something the Supreme Court took note of in its ruling. Apple also asserts that being compelled to write new software "amounts to compelled speech and viewpoint discrimination in violation of the First Amendment.... What is to stop the government from demanding that Apple write code to turn on the microphone in aid of government surveillance, activate the video camera, surreptitiously record conversations, or turn on location services to track the phone's user?" Apple argued that the FBI had not made use of all of the government's tools, such as employing the resources of the NSA. A hearing on the case was scheduled for March 22, 2016.
San Bernardino County District Attorney Michael Ramos filed a brief stating the iPhone may contain evidence of a "lying dormant cyber pathogen" that could have been introduced into the San Bernardino County computer network, as well as identification of a possible third gunman who was alleged to have been seen at the scene of the attack by eyewitnesses. The following day, Ramos told the Associated Press that he did not know whether the shooters had compromised the county's infrastructure, but the only way to know for sure was by gaining access to the iPhone. This statement has been criticized by cyber-security professionals as being improbable.