Apple, Americans, and Security vs. FBI
This week's order by a federal magistrate judge requiring Apple to engineer new security flaws in its iPhone software operating system has prompted widespread and escalating controversy. Legitimate concerns about its implications have driven users around the country to raise their voices in defense of not only their privacy, but also the security of their online platforms threatened by the FBI's demands.
Beyond a single phone
While the FBI has framed its demand as addressing a single phone, it has failed to address concerns that the implementation of the order—which was issued on the same day the FBI submitted its motion, without changes—would necessarily place at risk the security of millions of other devices and the people who use them.
This week's order requires the development of a new software vulnerability that, as explained by the device's manufacturer, "[i]n the wrong hands...would have the potential to unlock any iPhone in someone’s physical possession."
This tool would be dangerous, whether used by a black hat hacker who might infiltrate Apple systems, a future FBI investigation emboldened by this week's order to apply the precedent in other less compelling settings, or a dictatorship looking for new ways to oppress people that might cite the company's compliance with this FBI demand as a reason to comply with those of its own intelligence agencies. As my colleague Nate Cardozo explained on the PBS News Hour:
Authoritarian regimes around the world are salivating at the prospect of the FBI winning this order. If Apple creates the master key that the FBI has demanded that they created, governments around the world are going to be demanding the same access.
Beyond a single case
In that respect, the FBI's demands reflect a familiar pattern of security agencies leveraging the most seemingly compelling situations—usually the aftermath of terror attacks—to create powers that are later used more widely and eventually abused. The government programs monitoring the telephone system and Internet, for example, were created in the wake of the 9/11 attacks. Those programs came to undermine the rights of billions of people, doing more damage to our security than the tragic events that prompted their creation.
The power to force a company to undermine security protections for its customers may seem compelling in a particular case, but this week's order has very significant implications both for technology and the law. Not only would it require a company to create a new vulnerability potentially affecting millions of device users, the order would also create a dangerous legal precedent. The next time an intelligence agency tries to undermine consumer device security by forcing a company to develop new flaws in its own security protocols, the government will find a supportive case to cite where before there were none.
What is worse, we fear the government will not use this precedent carefully given that agency officials have a disturbing habit of twisting the facts even under oath, misleading judges and legislators on the rare occasion that they are forced to answer tough questions.
Yes, we are talking about creating a backdoor
Ultimately, this week's order risks undermining the interests of millions of iPhone users whose device security would be undermined by the development of a new backdoor.
"Backdoors" in security parlance refer to vulnerabilities used to access an otherwise closed system, like the vulnerabilities on Cisco routers that the NSA surreptitiously placed after intercepting that company's hardware shipments. While Judge Pym's order does not require the creation of a back door per se, it does require Apple to disable core security features that will allow the FBI to quickly and easily hack the phone.
Some people have suggested that this is not a backdoor, since implementing the order would not, in itself, give the FBI access to the phone (which it would still need to brute force in order to access). But the order removes important security features, leaving the phone vulnerable to the same extent that removing the security gate in front of a door might leave it vulnerable to someone inclined to break it down.
This is functionally a backdoor, one that the court has required Apple to create, to allow the FBI to then open using brute force. If any black hat hacker, foreign intelligence agency, or criminal syndicate got their hands on this tool, they could exploit it for their own nefarious purposes.
Don't take this sitting down
Resistance to this half-baked and ill-advised judicial command has already taken many forms, and will continue to escalate over the next week, when Apple is scheduled to file its objections to the magistrate's order just a few days before EFF will file an amicus brief supporting Apple.
The day after the order was issued, users congregated at the Apple store in San Francisco to voice their support of the company's stance against FBI demands to undermine security for everyone. Next week, similar gatherings are planned in cities across the country, and at the FBI headquarters in Washington, DC, organized by our friends at Fight For The Future with transpartisan support from numerous organizations including CREDO, Demand Progress, the Bill of Rights Defense Committee / Defending Dissent Foundation, Downsize DC, and others.
While we help defend Apple in the courts, we invite you to participate in the defense of your own privacy & security by joining these actions and raising your voice through every channel available. If you do participate in an action next week responding to these FBI demands, please join us to share your experience with others.
Recent DeepLinks Posts
Sep 26, 2016
Sep 26, 2016
Sep 26, 2016
Sep 26, 2016
Sep 26, 2016
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Artificial Intelligence & Machine Learning
- Bloggers' Rights
- Border Searches
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Electronic Frontier Alliance
- Encrypting the Web
- Export Controls
- Fair Use and Intellectual Property: Defending the Balance
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2016 Copyright Review Process
- Free Speech
- Genetic Information Privacy
- Government Hacking and Subversion of Digital Security
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Know Your Rights
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- Mobile devices
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Offline : Imprisoned Bloggers and Technologists
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Reclaim Invention
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- State-Sponsored Malware
- Student Privacy
- Stupid Patent of the Month
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- TPP's Copyright Trap
- Trade Agreements and Digital Rights
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- UK Investigatory Powers Bill
- Video Games