After five hours of testimony in the U.S. House of Representatives’ Judiciary Committee on Tuesday (March 1), we are still walking the “encryption tightrope” in the Apple vs. FBI debate that is pitting national security against smartphone privacy. Although no resolutions are in sight, the court of public opinion may have turned to favor Apple in what could be construed as a slippery slope argument regarding access to secure technology.
“A lot of people in the room changed their minds today. This didn’t resolve everything but clearly raised the level of the technological debate and what’s at stake here,” said Envisioneering Group Research Director Rick Doherty. “Apple definitely appears to not be the uncaring citizen that so many people have portrayed them to be the last few weeks. And the FBI appears to be less engaged with the intelligence community.”
Tuesday’s hearing concerns a FBI court order that would force Apple to create software to override a security feature in the iPhone 5s belonging to one of the shooters in the Dec. 2 attack in San Bernardino, Calif., which killed 14 people and left 22 injured. Until today, the FBI had maintained that such an override would be specific to one phone and largely painted Apple as uncooperative; Apple says creating such software infringes on their first and fifth Amendment rights while potentially putting technology in the wrong hands.
With such a tool, the FBI hopes to “take away the drooling watch dog that’s going to attack us if we try to get in, and give us time to pick the lock,” FBI director James B. Comey said. “It’s so seductive to [say] that privacy is the ultimate value. In a society where we aspire to be safe…that can’t be true. We have to find a way to have both.”
The software/workaround in question would do the following for the smartphone in question:
- Do away with data deletion after 10 failed attempts to login
- Do away with the time delay between successive failed login attempts
- Rewrite the code that controls the touch screen and allow the FBI to put a probe into the phone and bypass the need to enter numeric digits
The FBI has come under fire for lacking sufficient knowledge of Apple security systems; Comey also admitted that the agency did not ask for Apple’s source code or try to duplicate the shooter’s phone to bypass the login timing mechanism. In a motion to vacate, Apple wrote that the “FBI, without consulting Apple or reviewing its public guidance regarding iOS, changed the iCloud password associated with one of the attacker’s accounts, foreclosing the possibility of the phone initiating an automatic iCloud back-up of its data to a known Wi-Fi network …which could have obviated the need to unlock the phone.” Apple wrote that if the FBI had consulted them first, litigation may not be necessary.
During the hearing, Apple General Counsel and Senior Vice President Bruce Sewell told the committee that his company had worked diligently with the FBI but was unwilling to essentially create a government operating system. The biggest fear is that such “untested functionality” could easily slip into the hands of criminals or enemy governments and open a Pandora’s box of evil possibilities.
“Building that software tool would not affect just one iPhone, it would affect all iPhones. The FBI would likely use this as precedence for other cases,” Sewell said. “We see ourselves as being in an arms race with criminals, cyber terrorists, hackers. We’re trying to provide a safe and secure place for the users of our devices to be assured that their information cannot be accessed, hacked or stolen.”
The iOS operating system – the iPhone 5s used by the San Bernardino shooter ran iOS 9 — was criticized for its impenetrability during the hearing. Cyrus Vance, New York County’s district attorney, said “criminals are literally laughing at us” and added that technology companies are responsible for adapting their products. Vance had earlier stated that he would use the override technology on more than 170 additional cases – despite the fact that a US magistrate judge in New York ruled Monday that the government can’t force Apple to help law enforcement unlock an iPhone using the All Writs Act, with regard to a drug trafficking case in Brooklyn.
The Obama administration is not seeking legislation at this moment, Comey added, yet hundreds of cases could be solved by an encryption workaround specifically designed for the federal government. He also testified that the decision in Apple vs. FBI could set a precedent for future cases and that Congress will ultimately have to decide on the broader question this issue poses for Americans’ privacy and security.
Methodology is at the heart of this argument, which committee members, government officials and academics consistently termed “security versus security.” Worcester Polytechnic Institute Professor Susan Landau said chipping away at smartphone security is not the best way to manage an increasingly connected world where phones are often used as authenticators to large systems such as banks and power grids.
“There are many ways for nefarious sorts to take advantage of the opening offered by law enforcement. Law enforcement has been pressing to preserve 20th century investigation techniques while our enemies are using 21st century technologies against us,” she said. “We’re connected in all sorts of disastrously unsafe ways…and what law enforcement is asking for is going to preclude ourselves from those solutions.”
Most encryption professionals saw this issue coming 20 years ago, Doherty said, but a software tool like this could be analogous to the development of an atomic bomb. If Apple can easily create the requested tool, it may incite others (potentially terrorists) to create similarly destructive software. “The moment you know something is possible, then frenzies begin,” he said.
At one point, Comey suggested that the FBI receive the software tool on a hard drive, further showing its lack of understanding around security.
“I think law enforcement needs to develop those [security and decryption] skills themselves. They also need right level of funding,” Landau said.
* * *
Unlike the hard partisan lines drawn in other congressional debates, the House Judiciary Committee was mostly unified, curious, and frustrated during the hearing.
“I’ve never seen so many republicans and democrats come together,” Doherty said. “They seem to resent the idea that they’re being called in to resolve something that the technologists say is insolvable and the law enforcement hasn’t exhausted their resources on.”
Still, after hours of testimony, Apple provided no alternative solution and instead said the issue must be decided by Congress “after a balance has been achieved.” In an exchange with Crime Subcommittee Chairman Jim Sensenbrenner (R-Wis.), Sewell asked for more debate.
“Ultimately Congress must decide this issue … I think we find ourselves in an odd situation in the court in California because the FBI chose to pursue in an ex parte fashion a warrant that would compel Apple to do something,” Sewell said. “We view that not as an extension of the debate, not as a way to resolve this issue; we view that as a way to cut off debate.”
FBI Director Comey agreed the issue of security vs. security is one for Congress. “I don’t see how the courts can resolve the tension between privacy and public safety that we’re all feeling,” he said.
Congressman Trey Gowdy (R-S.C.) seemed most angered at the lack of legislative suggestion from Apple or decisive action from the FBI. Speaking to Comey, he said:
We ask the Bureau and others to do a lot of things – investigate crime after it has taken place, anticipate crime, stop it before it happens – and all you are asking is to be able to guess the password and not have the phone self-destruct. And you can go into people’s bodies and remove bullets but you can’t go into a dead person’s iPhone, I find that baffling.
Doherty told EE Times that the ball is likely in Apple’s court now as the situation doesn’t seem to be as urgent as the FBI has made it seem. The Committee could “take their foot off the gas” in a debate that “seems to be a nuisance complaint from the FBI.”
U.S. attorneys must respond to Apple’s latest filing regarding the San Bernardino iPhone by March 10 and another court hearing is scheduled for March 22. On Monday, a bill was introduced into Congress that would create a National Commission on Security and Technology Challenges. The 16-person Commission would represent “all of the interests at stake so we can evaluate and improve America’s security posture as technology — and our adversaries — evolve.”