Last week, the Department of Justice filed its response to Apple’s appeal in the ongoing San Bernardino case. The government is attempting to force Apple to create a method of bypassing the security that would unlock an iPhone 5C that belonged to the shooter. Apple is fighting this demand by arguing against the 1789 All Writs Act, which the DOJ has used against it. The Department of Justice’s latest filing ups the ante on this topic by claiming it could compel Apple to give up the source code for iOS itself, so the government could make the appropriate modifications.
The Department of Justice’s latest filing is best classified as vitriolic. It does not hint that Apple has commercial motivations; it accuses the company of manufacturing the entire controversy, and a great deal more besides. The second sentence of the filing reads: “This burden, which is not unreasonable, is the direct result of Apple’s deliberate marketing decision to engineer its products so that the government cannot search them, even with a warrant.”
Apple has taken a strong, pro-user stance on this issue, and numerous security experts (and even John Oliver) have weighed in to explain why creating this kind of backdoor for the FBI is dangerous.
The FBI’s brief dismisses all of this as a marketing ploy, and then blasts Apple as a literal threat to American democracy, writing: “Apple’s rhetoric is not only false, but also corrosive of the very institutions that are best able to safeguard our liberty and our rights: the courts, the Fourth Amendment, longstanding precedent and venerable laws, and the democratically elected branches of government.”
The source code threat
One of the central arguments around this issue is whether or not providing software to unlock the iPhone 5C in question is overly burdensome. Apple maintains that requiring it to break the security protections it builds into its own devices is a substantial burden, while the FBI maintains that it is not. The government notes that it remains willing to work with Apple to find a way to reduce the burden of breaking into the device, then writes:
“For the reasons discussed above, the FBI cannot itself modify the software on Farook’s iPhone without access to the source code and Apple’s private electronic signature. The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers.”
That’s a threat, not a friendly offer, and it underscores an important point in this debate. When Edward Snowden’s leaks revealed the existence of Prism and the cooperation that many US companies had been forced to offer, users were justifiably angry at the idea that companies they trusted with their personal data were providing information in investigations where no warrants had been filed and little oversight existed.
As more information came to light, we learned that several firms, including Yahoo, had fought these orders at multiple levels and been defeated. Some of you may also recall what happened to the secure email provider Lavabit, and how the company was forced to shut down. The government paints a picture of corporate cooperation, but what actually happens behind closed doors is anything but friendly. The reason we’re hearing about this case at all is that the FBI chose to make it public, betting that the circumstances of the case and the horrific San Bernardino shooting would help it win in the court of public opinion and establish a precedent for forcing companies to break their own encryption. Given the imminent expansion of FBI access to the NSA’s own databases, there’s no sign the government is backing down on its efforts to pull in ever more data.
Is security a selling point?
The DOJ’s brief argues repeatedly that this is nothing but a marketing ploy by Apple, but real life tends to suggest otherwise. Customer surveys show that many people claim to care about security, but repeated security investigations show very few people actually understand it.
Target sales are still brisk. Lenovo’s still shipping millions of laptops. Samsung sales escaped unscathed. Vizio TVs are still selling well, too. People still buy Android phones by the hundreds of millions across the world, despite multiple potentially devastating bugs and very little in the way of coherent solutions. When consumers say they value security, what they actually mean is “I want the word ‘secure’ printed somewhere on the box.”
The DOJ is arguing that all of this is a ploy to attract customers, but there’s little evidence it is. Apple’s current iPhone 6S marketing page mentions (in order): 3D Touch / Multi-Touch (two sections), the iPhone’s front and back cameras, the A9 SoC, the phone’s physical design, Touch ID security, faster WiFi, and various accessories. There’s nothing related to full device encryption and no sign Apple is seeking to use this as a prominent sales feature.
All of this may be moot in the future; Apple is reportedly working on a device that would be impossible for even it to hack. It’s not at all clear how this would work without compromising other aspects of the device, like the ability to update firmware or repair a malfunctioning device via forced software update.