The FBI–Apple encryption dispute concerns whether and to what extent courts in the United States can compel manufacturers to assist in unlocking cell phones whose contents are cryptographically protected. There is much debate over public access to strong encryption. In 2015 and 2016, Apple Inc. has received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789. Most of these seek to compel Apple “to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones running on operating systems iOS 7 and older” in order to assist in criminal investigations and prosecutions. A few requests, however, involve phones with more extensive security protections, which Apple has no current ability to break. These orders would compel Apple to write new software that would let the government bypass these device’s security and unlock the phones.
The following YouTube video clip does a good job of capturing the issue:
The most well-known instance of the latter category was a February 2016 court case in the United States District Court for the Central District of California. The FBI wanted Apple to create and electronically sign new software that would enable the FBI to unlock a work-issued iPhone 5C it recovered from one of the shooters in a December 2015 terrorist attack in San Bernardino, California, that killed 14 people and injured 22. The two attackers later died in a shootout with police, having first destroyed their personal phones. The work phone was recovered intact but was locked with a four-digit password and was set to eliminate all its data after ten failed password attempts. Apple declined to create the software, and a hearing was scheduled for March 22. However, a day before the hearing was supposed to happen, the government obtained a delay, saying they had found a third party able to assist in unlocking the iPhone and, on March 28, it announced that the FBI had unlocked the iPhone and withdrew its request.
In another case in Brooklyn, a magistrate judge ruled that the All Writs Act could not be used to compel Apple to unlock an iPhone. The government appealed the ruling, but then dropped the case on April 22 after it was given the correct passcode. Tim Cook, Chief Executive Officer of Apple Inc. Cook and FBI Director Comey have both spoken publicly about the case. In 1993, the National Security Agency (NSA) introduced the Clipper chip, an encryption device with an acknowledged backdoor for government access, that NSA proposed be used for phone encryption. The proposal touched off a public debate, known as the Crypto Wars, and the Clipper chip was never adopted. It was revealed as a part of the 2013 mass surveillance disclosures by Edward Snowden that the NSA and the British Government Communications Headquarters (GCHQ) had access to the user data in iPhones, BlackBerry, and Android phones and could read almost all smartphone information, including SMS, location, emails, and notes. According to The New York Times, Apple developed new encryption methods for its iOS operating system, versions 8 and later, “so deep that Apple could no longer comply with government warrants asking for customer information to be extracted from devices.”
Throughout 2015, prosecutors advocated for the U.S. government to be able to compel decryption of iPhone contents. In September 2015, Apple released a white paper detailing the security measures in its then-new iOS 9 operating system. The iPhone 5C model can be protected by a four-digit PIN code. After more than ten incorrect attempts to unlock the phone with the wrong PIN, the contents of the phone will be rendered unaccessible by erasing the AES encryption key that protects its stored data. According to the Apple white paper, iOS includes a Device Firmware Upgrade (DFU) mode, and that “[r]estoring a device after it enters DFU mode returns it to a known good state with the certainty that only unmodified Apple-signed code is present.” The FBI recovered an Apple iPhone 5C owned by the San Bernardino County, California government, that had been issued to its employee, Syed Rizwan Farook, one of the shooters involved in the December 2015 San Bernardino attack. The attack killed 14 people and seriously injured 22. The two attackers died four hours after the attack in a shootout with police, having previously destroyed their personal phones. Farook’s work phone was recovered intact, however.
The phone had been locked with a four-digit password. On February 9, 2016, the FBI announced that it was unable to unlock the county-owned phone it recovered, due to its advanced security features, including encryption of user data. As a result, the FBI asked Apple Inc. to create a new version of the phone’s iOS operating system that could be installed and run in the phone’s random access memory to disable certain security features that Apple refers to as “GovtOS”. Apple declined due to its policy to never undermine the security features of its products. The FBI responded by successfully applying to a United States magistrate judge, Sherri Pym, to issue a court order, mandating Apple to create and provide the requested software.
The order was not a subpoena, but rather was issued under the All Writs Act of 1789. The court order, called In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203, was filed in the United States District Court for the Central District of California. The use of the All Writs Act to compel Apple to write new software was unprecedented and, according to legal experts, it was likely to prompt “an epic fight pitting privacy against national security.” It was also pointed out that the implications of the legal precedent that would be established by the success of this action against Apple would go far beyond issues of privacy. Apple’s opposition to the order The February 16, 2016 order issued by Magistrate Judge Pym gave Apple five days to apply for relief if Apple believed the order was “unreasonably burdensome”.
Apple announced its intent to oppose the order, citing the security risks that the creation of a backdoor would pose towards customers. It also stated that no government had ever asked for similar access. The company was given until February 26 to fully respond to the court order. On the same day the order was issued, chief executive officer Tim Cook released an online statement to Apple customers, explaining the company’s motives for opposing the court order. He also stated that while they respect the FBI, the request they made threatens data security by establishing a precedent that the U.S. government could use to force any technology company to create software that could undermine the security of its products. He said in part: The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand. This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.
In response to the opposition, on February 19, the U.S. Department of Justice filed a new application urging a federal judge to compel Apple to comply with the order. The new application stated that the company could install the software on the phone in its own premises, and after the FBI had hacked the phone via remote connection, Apple could remove and destroy the software. Apple hired attorneys Ted Olson and Theodore J. Boutrous Jr. to fight the order on appeal. The same day, Apple revealed that it had discussed with the FBI four methods to access data in the iPhone in early January, but, as was revealed by a footnote in the February 19 application to the court, one of the more promising methods was ruled out by a mistake during the investigation of the attack. After the shooter’s phone had been recovered, the FBI asked San Bernardino County, the owner of the phone, to reset the password to the shooter’s iCloud account in order to acquire data from the iCloud backup. However, this rendered the phone unable to back up recent data to iCloud unless its pass-code is entered. This was confirmed by the U.S. Department of Justice, which then added that any backup would have been “insufficient” because they would not have been able to recover enough information from it.
The government cites as precedent United States v. New York Telephone Co., where the Supreme Court ruled in 1977 that the All Writs Act gave courts the power to demand reasonable technical assistance from the phone company in accessing phone calling records. Apple responded that New York Telephone was already collecting the data in question in the course of its business, something the Supreme Court took note of in its ruling. Apple also asserts that being compelled to write new software “amounts to compelled speech and viewpoint discrimination in violation of the First Amendment. … [W]hat is to stop the government from demanding that Apple write code to turn on the microphone in aid of government surveillance, activate the video camera, surreptitiously record conversations, or turn on location services to track the phone’s user?” A hearing on the case was scheduled for March 22, 2016.
San Bernardino County District Attorney Michael Ramos filed a brief stating the iPhone may contain evidence of a “lying dormant cyber pathogen” that could have been introduced into the San Bernardino County computer network, as well as identification of a possible third gunman who was alleged to have been seen at the scene of the attack by eyewitnesses. The following day, Ramos told the Associated Press that he did not know whether the shooters had compromised the county’s infrastructure, but the only way to know for sure was by gaining access to the iPhone. This statement has been criticized by cyber-security professionals as being improbable. FBI withdrawal of request On March 21, the government requested and was granted a delay, saying a third party had demonstrated a possible way to unlock the iPhone in question and the FBI needed more time to determine if it will work.
On March 28, the FBI said it had unlocked the iPhone with the third party’s help, and an anonymous official said that the hack’s applications were limited; the Department of Justice withdrew the case. The lawyer for the FBI has stated that they are using the extracted information to further investigate the case. On April 7, FBI Director James Comey said that the tool used can only unlock an iPhone 5C like that used by the San Bernardino shooter, as well as older iPhone models lacking the Touch ID sensor. Comey also confirmed that the tool was purchased from a third party but would not reveal the source, later indicating the tool cost more than $1.3 million and that they did not purchase the rights to technical details about how the tool functions.
Although the FBI was able to use other technological means to access the cellphone data from the San Bernardino shooters iPhone 5C, without the aid of Apple, law enforcement still expresses concern over the encryption controversy. Some news outlets, citing anonymous sources, identified the third party as Israeli company Cellebrite. However, The Washington Post reported that, according to anonymous “people familiar with the matter”, the FBI had instead paid “professional hackers” who used a zero-day vulnerability in the iPhone’s software to bypass its ten-try limitation, and did not need Cellebrite’s assistance.
In an address to the 2016 South by Southwest conference on March 11, President Barack Obama stated that while he could not comment on the specific case, “You cannot take an absolutist view on (encryption). If your view is strong encryption no matter what, and we can and should create black boxes, that does not strike the balance that we’ve lived with for 200 or 300 years. And it’s fetishizing our phones above every other value. That can’t be the right answer.” Proposed legislation On April 13, U.S. Senators Richard Burr and Dianne Feinstein, the Republican Chair and senior Democrat on the Senate Intelligence Committee, respectively, released draft legislation that would authorize state and federal judges to order “any person who provides a product or method to facilitate a communication or the processing or storage of data” to provide data in intelligible form or technical assistance in unlocking encrypted data and that any such person who distributes software or devices must ensure they are capable of complying with such an order.