203 comments

[ 5.4 ms ] story [ 235 ms ] thread
I'm not really surprised that other companies aren't coming out of the woodwork to make themselves targets. It's clear that in the main they will hold similarly strong views to Apple, but any PR worth their salt will not want the CEO of a company not implicated in something as politically charged as this to enter into the discussion.

For those who oppose this kind of behaviour by the US Government, it's a relief that they picked on Apple: a company with strong opinions about this topic, and the financial wherewithal and gumption to oppose it as robustly as anyone.

This doesn't sound as a freedom of speech but more as oppressive government. Something wrong if people don't want to express their opinions because of fear.
> Something wrong if people don't want to express their opinions because of fear.

Not people—companies.

They have the same free speech rights as people, so companies arguably do have opinions.
They do, but the implications of their fears are different.
The same tactics apply to people... have been applied to people...
Companies are groups of people. Trying to disparage them as some force outside humanity is great for getting laid in college, but it's not an accurate reflection of what is really happening, so it's not a helpful attitude when addressing problems.
> It's clear that in the main they will hold similarly strong views to Apple

That's not clear at all. It's hard to find neutral ground in political problems like this. Staying quiet to avoid implication isn't a neutral position. Evil triumphs when good men choose to step aside instead of helping their neighbor.

> I'm not really surprised that other companies aren't coming out of the woodwork to make themselves targets.

Not just targets of bad publicity, but probably lawsuits as well. The Feds don't want the dismantling of the 4th Amendment to be challenged in court and the companies complicit in said dismantling don't want it to hurt the bottom line.

> it's a relief that they picked on Apple: a company with strong opinions about this topic

Not only that, but so many other tech companies rely on user-data. They can't sell it, then turn around and say no when the govt asks for it.

I don't think it was luck, I think they picked on apple specifically because they clearly state that they don't rely on that data.

What sets Apple apart from Googles and Facebooks is that it's the only company that stores the data in way that Apple itself cannot read it. This is why the others have little to say on the subject - there is no issue of a "backdoor", because there is no wall to begin with when it comes to Google or FB, their business model depends on reading and analyzing your emails and posts.
Don’t the modern Android phones with Trusted Execution Environment do about the same?
(comment deleted)
I think what gtrubetskoy is talking about is Google (namely: search, Gmail, calendar, contacts, Plus--which are all tied to your Google account) and Facebook (namely: relationships, posting content, private messages, what you look at, etc) is information which is then mined or allowed to be targeted by advertisers for a handsome profit.

Apple doesn't do that. Their iAds are nothing in comparison to Google/FB's data mining. The only thing you get to go off of is the Advertising Identifier and the user can change/reset that at any moment effectively not tying them to any specific targeting.

I'm not sure what could be said of iCloud, but Apple itself isn't a big player in the ad-selling market unlike Google and Facebook. So unless Apple is straight selling off iCloud user data, it's a different ballgame.

edit: you also have to take into account Google and FB's ability to track you across the (near)-ENTIRE internet. Every FB/G-Plus share button, every video, image, asset loaded from FB/Google can track you via cookies. You could be reading a blog about pregnancies and how to prepare for a newborn on a cute little blog and Facebook may then target you for pregnancy/newborn products and services, etc. Unlike Apple, Google and Facebook aren't limited to their own properties in terms of info harvesting and ad-targeting.

> The only thing you get to go off of is the Advertising Identifier and the user can change/reset that at any moment effectively not tying them to any specific targeting.

People say this a lot, but Apple disagree: https://support.apple.com/en-us/HT205223

Highlights: name, address, age, iTunes/app etc. purchases, offers in Wallet, news read.

There is an opt out of those ("Limit ad tracking") but by default Apple will target on those things.

Probably semi-irrelevant because of Apple stepping away from iAd but Apple clearly use the Apple ID to target advertising.

Google has a lot to lose in this debate though. If government encroachment on security/privacy online becomes enough to worry people, they'll be less willing to share data. Less data means less effective advertising and lower rates, killing Google's business model.
Regardless of whether Apple profits from iCloud user data, the key question how well they protect the data on iCloud. Do they encrypt the data at rest? Are the links between data centers encrypted?
> Don’t the modern Android phones with Trusted Execution Environment do about the same?

Not from what I've been able to determine doing some research today. Or at leaast they're very poor at advertising it if they do.

Samsung KNOX uses the ARM TrustedZone to provide remte-attestation of running software, but I can't see anything similar to Apple's Secure Enclave for filesystem encryption keys.

If anyone does know an Android phone that does this properly, please let me know and I'll buy two this week. I am very impressed at the engineering Apple have built in this regard.

Apple also makes most of it's money by selling phones, not user information...
>Apple also makes most of it's money by selling phones, not user information...

Google is the advertiser. I'm surprised how often people make this mistake. They don't sell user data to other advertisers. This not only goes against their terms of service, but also makes no business sense. Why would they give up their best signal for targeted ads?

It's like keeping the cow and selling the milk. It's pedantic, but google is collecting rent from user information.
They effectively sell user information by way of allowing their customers to target individuals for a price. They aren't directly selling the data itself but they are selling a service that is an extension of that data. I think the semantics are negligible. They make money selling [ads based on] user data.
> They effectively sell user information by way of allowing their customers to target individuals for a price.

That's not selling user information in the same way that Ford doesn't sell automobile factories.

> They aren't directly selling the data itself

Nor are they indirectly selling the data. No one else gets the data.

> they are selling a service that is an extension of that data.

They are using the data to produce a service that they are selling, in the same way that Ford uses a factory to make a car. No one else gets the data, in the same way that no one else gets the factory from Ford.

> I think the semantics are negligible.

I think there is a substantive difference between transferring data to third parties and over whom neither the person the data describes nor Google exercises control and retaining the data internally and using it to provide a service to third parties. And I think that is a critical difference when it comes to privacy.

I mean, you erase the distinction between a armed security guard (who sells a service which involves a firearm) and an arms dealer (who sells firearms).

The difference is not semantic. It's an immense difference. One is an ad inserted into your Visa statement, the other is Visa selling your personal data to third parties. Completely different.
The incentives of those two business models could hardly be more different. The value of their services derives from the exclusivity of their data. It is directly in their financial interest to ensure that no one else can access that data.
> They effectively sell user information by way of allowing their customers to target individuals for a price

If you're implying that advertisers can target an specific user, this is false

The data that Google (or anybody else) collects is probably going to be around approximately "forever". Do you really believe Google will:

1) never sell that data at any time in the future (perhaps if they should suffer a bad year financially), and

2) that they will be able to retain control of that data (no leaks, no employees that abuse access, no attacks from other people interested in the data).

Without these criteria, saying anything about what Google "re4ally does" with their data is a best describing the past and maybe the present. Why does everybody act as if current business plans are some sort of Truth that we can rely on? Plans change, management changes - unless it's in writing on an actual contract, it's just wishful thinking.

Of course, this doesn't matter when talking about Google and their data. We already know they give data to the government because they are part of PRISM[1].

As for advertisers, the scenerios "Google gave customer data to an advertiser" and "Google did the targeting work for the advertiser as a (paid) service" differ only in minor details. The end result is the same. There numerous creative ways the data can be moved by proxy or as a service.

[1] https://upload.wikimedia.org/wikipedia/commons/c/c7/Prism_sl...

> Do you really believe Google will:

The same can be said about other for profit organization. If the times changes and the board changes they can change their behaviour. So, it is only ifs.

> Of course, this doesn't matter when talking about Google and their data. We already know they give data to the government because they are part of PRISM[1].

So is Apple

> As for advertisers, the scenerios "Google gave customer data to an advertiser" and "Google did the targeting work for the advertiser as a (paid) service" differ only in minor details. The end result is the same

Minor details? Yes, NOT giving access to the data to advertisers is just a minor detail /s

> The same can be said about other for profit organization.

Only those for-profit organizations that are keeping personal data for long periods of time. This is not at all universal, and nobody[1] is collecting data on anywhere near the scale that Google is, across such a wide range of data sources. How many other corporations have entire browsing histories (google-analytics), email histories, and phone call and location logs?

Do you deny that the aggregation of this data is a risk, should someone abuse it? Do you think this data is going to ever be deleted? You call this "only ifs", but this is a constant risk as long as the data exists. The numerous leaks of personal information we've heard about in the last ~year prove this risk exists. I suspect that Google will do a better job at securing their valuable data than most organizations, but nobody is perfect.

> So is Apple

Entirely off topic. The fact that there are risks when giving data to other businesses doesn't make the risk of giving data over to Google go away. While it is a common meme recently, appeal-to-popularity is still a fallacy.

> Yes, NOT giving access to the data to advertisers is just a minor detail /s

Advertisers... like Google.

[1] save for a couple other corporations that are in the data-collection business

Probably because at Apple the consumer is not the product.
This just made me realise that Apple is a true "do no evil" company and not Google, for all its technology powress and fancy marketing. A sad realisation as I have been using Google products for almost everything-- they pitch up everything under the F/OSS banner and it's so tempting.

I think I should consider moving to iOS pretty seriously. I had been dismissing it for being over-priced and not being OSS. But the true fact of the matter is, the extra cost might be worth it, because frankly, Android without Google Apps and the Google Play Services is absolutely useless.

I feel the same way. I don't actually like iOS that much, and historically I haven't liked Apple for their human rights issues, but seeing that they relatively consistently take a stand on privacy is making me consider switching.

I don't mind the extra cost that much if I can be assured that the phone is the actual product the company is making money from—not by selling ads targeting me.

The problem is that Android phones are so much better now (IMO of course). :/

Agreed to both, I have a Macbook and that's the only apple product I own (sans mouse and keyboard of course), and I'll almost certainly NEVER use that finger print function on a device connected to the cloud (ostensibly), but I've kind of softened up towards maybe having an iPhone seeing the way Apple straight up tells the government "not just no, but hell no" regarding access to consumer data.

Yet....I love my S6 too damn much

Android M is fraught with issues (memory leakage, battery drain). Looks like the QA at Android HQ missed a trick or two before signing off this release.
(comment deleted)
(comment deleted)
Isnt it possible that apple wants to indirectly harm google, by raising the issue for returning information to users? Believing that corporations can be "good" or "evil" is real bad advice at best, cheap marketing speak at worse. I think tech people should be immune to such messaging.
Apple has its own share of evil of course (user lock-in etc.), but for one thing, when their CEO says "we won't hand your data" he knows that some day there will be another Snowden and he, the CEO of Apple, better make sure what he says today is actually true.
They may be "do no evil" on privacy, but apple heavily pushes vendor lock in and basically does everything they can to keep you from being able to easily switch to a different vendor.

Google seems easier to switch from, they seem less concerned with vendor lock in (don't get me wrong though, they still have some vendor lock in. Just less than apple IMO).

I think in this case it is "choose your evil" and for a lot of people, for good reason, privacy is going to win.

Google makes more money from iOS than they do from Android. Of course Google doesn't mind if you switch hardware vendors, just so long as you keep using Google products.

Also, I disagree with the notion that Apple "heavily pushes vendor lock in". They certainly don't go out of their way to make it easy to switch, but I can't come up with any examples off the top of my head where they're deliberately making it harder to switch without having a good reason for that decision. After all, Apple doesn't really have to do anything at all to keep people invested in its ecosystem, since platform-specific software, by its very nature, already acts as a form of lock-in, and iOS has a lot of software that other platforms don't.

Re lock-in: I agree. I attempted to switch to Android (Nexus 4) several years ago from whatever iPhone I had at the time. I had no issue transferring data over (or data I cared about, at least). Services (mail, chat, etc.) mapped just fine. My primary complaint, at the time, was lack of a well-performing PDF reader/viewer, and a handful of apps that I'd become semi-dependent on and had trouble finding suitable replacements for (e.g., Omnifocus - which has nice intregration between the mobile and desktop versions). I only wanted to change my mobile workflow, not the rest, so I switched back to iOS (I also found the interface grating at the time, not certain why anymore).

This is not, strictly, the fault of Apple, but of app developers and myself. Either for not making multi-platform a thing (Omnifocus), or for others not stepping up to compete, or for my inability or unwillingness to continue my search for suitable alternatives.

All this said, most of my coworkers use Android devices, and several want to switch to iPhones, but have run into the same issue I did, but in reverse.

   > They certainly don't go out of their way to make it easy to switch, but I can't
   > come up with any examples off the top of my head where they're deliberately 
   > making it harder to switch without having a good reason for that decision. 
Just an example for those that are not familiar with Apple devices.

You can sync your calendar, reminders and contacts with iCloud. But you don't have to.

iCloud calendar sync is basically a CalDAV server. You can setup your own CalDAV and sync with that if you like. On the iDevice you have to set the parameters for your server which makes it slightly harder to setup than iCloud, but that's just the way it is and not Apple's fault. There are no other stumbling blocks to make it more complicated than it needs to be.

Once set up it works like a charm. I can say "Hey Siri, remind me to buy pasta" and a split second later I have a new VTODO on my CalDAV server.

> Google makes more money from iOS than they do from Android.

Source?

It's been stated in numerous articles over the years. I don't have any source offhand, though a quick DDG search gives me a story from 2012: http://www.idownloadblog.com/2012/03/29/iphone-4x-revenue-an...
> It's been stated in numerous articles over the years

Then it will be easy to find any source that it is not the same old "Google makes 4 times more from iOS than from Android" that was debunked years ago for using assumptions about a royalty figure in the Oracle vs. Google trial and nothing real

Here's an article from last year claiming that Google made 75% of its mobile search revenue from iOS: http://appleinsider.com/articles/15/05/27/apples-ios-drives-...
As I said, when you can find that "report" we can start to discuss about the figures. Until then, it has the same validity as using a random function in a computer to guess those numbers
That's completely ridiculous. Even if the exact figures in the articles are wrong, it's still generally accepted that Google makes a significant amount of its mobile revenue off of iOS. Demanding that I unearth some vague "report" to give you specific figures is completely meaningless. Doubly-so since it doesn't even matter what the numbers are, because the whole point was that Android users switching to iOS are still extremely likely to be using Google products, which means Google's still making money off of them.
> That's completely ridiculous.

What is completely ridiculous is claiming things without any proof

> it's still generally accepted that Google makes a significant amount of its mobile revenue off of iOS

This is not your claim

> Doubly-so since it doesn't even matter what the numbers are,

Oh, no, it matter when you have made a very specific claim that can't be supporte

I made a general claim based on a widely-held belief in support of the notion that Google doesn't care if people switch away from Android because Google still makes money off of those people regardless of which platform they choose, as they'll still be using Google products. Please stop trying to nitpick about specific irrelevant details such as how accurate the numbers are that have been reported in various articles.
> Google makes more money from iOS than they do from Android.

I think that statement's based on an old stat that, at that time, Google's revenue from licensing (Apple was paying for Maps) and advertising (including web and search advertising, and at the time Google was the default search provider on iOS and this was also before Siri was around to displace some web search) to iOS users was greater than its revenue from Android.

The facts on which all that was based (market share, basis of iOS revenue streams, etc.) have changed substantially since then.

Fair enough, it's certainly possible that the stat is no longer true. Unless they've talked about it recently, it's hard to know for sure. Here's an article from May of 2015 that says that 75% of Google's mobile search revenue comes from iOS, which probably hasn't changed too dramatically since then, but it may no longer be accurate: http://appleinsider.com/articles/15/05/27/apples-ios-drives-...
> Here's an article from May of 2015 that says that 75% of Google's mobile search revenue comes from iOS,

Ah, the other figure from a report from Goldman Sachs that nobody has seen but it is now dogma.

When you find the report, please, put it.

And, by the way, using Appleinsider as source is very funny

It is funny, but it was the first result my search gave me. The result after was from another site that reported the same figure though, so it's not like AppleInsider was alone.
So if someone texts me an address, I can have it open in Google maps by default when I click it?
> They may be "do no evil" on privacy, but apple heavily pushes vendor lock in and basically does everything they can to keep you from being able to easily switch to a different vendor.

This is often used as an argument against Apple, but having gone back and forth over the years, I just don't think it's true anymore. It certainly was a decade ago, but now I'm finding it hard to think of any issues I've had going from Apple to any other vendor – regardless of whether it's software (migrating data, chiefly) or hardware. At least, I don't think they're significantly worse than any other vendor.

Have you tried plugging an Android into a Mac?
I haven't, no, but it'd be interesting to learn what the pain points are. Care to share?
By default you can't. You have to install an app on your OS X that Google makes, then it opens a file browser that lets you drag and drop files out/in of your phone. It's a pain.
>This just made me realise that Apple is a true "do no evil" company and not Google, for all its technology powress and fancy marketing. A sad realisation as I have been using Google products for almost everything-- they pitch up everything under the F/OSS banner and it's so tempting.

There's nothing evil about wanting to provide contextual information and to do that they need the context. Its just the nature of the service they provide.

Apple does that/is moving into that area too. They use your own hardware instead of their servers to do it.
There's nothing evil about wanting to provide contextual information and to do that they need the context.

The argument you've presented is ends justifying the means. I don't mean to imply that there is no convincing arguments to be made involving the points you present, but this is not it.

The face value reading of purely "providing contextual information" is benign af. But that does mean evil can not lurk in implementation constraints, and/or the design decisions made in service of making that presentation monetizable.

What Apple is doing is protecting its business model. It is a good thing what Apple is doing, but they are doing it only because it is aligned with its business model. Apple is a for-profit organization. Same as Google. Same as Facebook.
It's on record that Apple has chosen to avoid the business model used by Google in order to avoid this compromise.

Apple chooses a business model that is aligned with what it thinks is right, not the other way around.

I'm sure that it's easier for them to do it because it's aligned with their business model but Tim Cook has shown himself willing to pursue policies that aren't solely ROI-related.

Cook very publicly tangled with shareholders that argued against Apple's environmental & accessibility initiatives:

"'When we work on making our devices accessible by the blind, I don’t consider the bloody ROI,' Cook said, adding that the same sentiment applied to environmental and health and safety issues.

He told Danhof that if he did not believe in climate change, he should sell his Apple shares. 'If you want me to do things only for ROI reasons, you should get out of this stock,' he said.

Cook’s comments and visible passion over the issue are one of the strongest signals yet of his commitment to reducing Apple’s environmental footprint. He told shareholders that he wanted to 'leave the world better than we found it'."

http://www.theguardian.com/environment/2014/mar/03/tim-cook-...

It's not about evil vs not evil. It's about how to make profits. They've chosen different models. I tend to side with Apple's method, but that doesn't mean I don't use both companies' products, and I'll happily avoid one or the other when I feel that features are lacking.
>they pitch up everything under the F/OSS banner

Do they really pitch anything under the F/OSS banner? I don't understand why Google has this reputation. Android is OSS, but that's a fairly recent addition, and it's not really played up very much.

> I don't understand why Google has this reputation. Android is OSS, but that's a fairly recent addition, and it's not really played up very much.

In addition to AOSP, Chromium (and Chromium OS) are open source; while App Engine isn't, the App Engine SDK is, and Google has supported an open-source reimplementation of App Engine. Dart is open source, as is Go. And a lot of other stuff.

Well I don't think that Google really advertises itself under the OSS banner (and certainly not Libre/Free). And when compared to Apple, as the other poster did, I don't really see that Google is doing much more open source other than Android.

They definitely did advertise themselves with the motto "Do No Evil," which they dropped some time ago, but open source hasn't really been a part of Google's DNA. Google's extensive use of open source software without publishing their modifications is exactly the reason that AGPL was invented.

> They definitely did advertise themselves with the motto "Do No Evil," which they dropped some time ago,

Google has not dropped that motto

Oops, thanks for the correction! This was a bad memory. I can find no support to back up my claim, and though Alphabet has a different phrasing of it, that did not happen in the time frame I falsely recalled.
Well, Alphabet doesn't have that motto, perhaps is what you read.
I've actually been having similar feelings lately. I'm still not totally happy with Apple and fundamentally disagree with their closed ecosystem policy, but over the years I feel like they have been gradually gaining trustworthiness just as Google has been losing it. (Of course, Facebook never had it in the first place.) I still don't think it's so much a true desire to "do no evil" rather than Apple's business incentives happening to be more compatible with consumer privacy in this case, but that's really about the best you can hope for from any gigantic for-profit corporation.

I'm not quite ready to jump ship yet, but it's looking more and more tempting every day.

The problem as I see it: your stuck choosing the lesser evil. I agree with you on apple's stuff. If they opened up the ecosystem more, I'd like their stuff. And Google left "do no evil" so long ago, its not even funny.

I'd love a good FOSS alternative to their software/services. I try to run my own software/services, but there are some things I still just can't replicate.

I'm not sure what you are talking about here. Apple's _Cloud Services_ i.e. iCloud, do not prevent Apple accessing the data, and Apple does comply with 'valid' requests for that data, just like Google and Facebook.

As for data stored on user's devices, Google also ships their phones with full disk encryption which Google cannot bypass - the implementation isn't as good as Apple's, but the concept is the same. Facebook doesn't sell any end-user devices so I'm not sure why they are even in your comparison.

> What sets Apple apart from Googles and Facebooks

And here I believed that the difference was that one sells hardware and the others software.

> What sets Apple apart from Googles and Facebooks is that it's the only company that stores the data in way that Apple itself cannot read it.

FWIW, Mozilla does the same thing for Firefox Accounts sync data - it's an opaque blob that we couldn't decrypt even if we wanted to.

(Disclosure: Mozilla employee)

This is good to know. Might tempt me back to Firefox from Chrome.
I switched to chromium with homebrew via

    brew cask install chromium
last night. AFAICT, it's exactly the same as chrome minus the proprietary code. I literally haven't noticed a single difference other than the nicer icon.
> What sets Apple apart from Googles and Facebooks is that it's the only company that stores the data in way that Apple itself cannot read it

In an smartphone with encryption. If the data is on iCloud they can read it

Ups, the same case than Google

Don't Twitter, Facebook, Amazon and Google all make most of their money by having access to their customers data? Of course they're not as supportive of privacy as Apple.
This isn't the same thing at all.
Yes, it is. Apple's fight with the US is based on the fact they facilitate the encryption of user data so that even Apple doesn't see content.

When the other titans don't have that feature, they have less of a stake in the argument at hand.

Is Google or Microsoft's business model dependent on selling your info to anyone other than themselves? Do you think if they did that they would stand to lose business?

Their business model is to sell ads to 3rd parties based on the information they have about you. Selling your info itself would be detrimental to their business.

Gmail skims the contents of emails and uses them for targeted advertising. Same with searches of all kinds, and any other data they get from you.

Google's targeting would be less effective if they gave everyone PGP keys and locked themselves out of the conversations they host.

Even if they don't sell it, their business model requires that they have access to it. Apple's argument here is that they don't have it.
Would you expand on that? The feeling seems to be that these companies rely on access to user data in a way that Apple doesn't- that's true, isn't it?
That doesn't mean that they believe the FBI should have the right to unilaterally force software and hardware vendors to build proprietary access to hardware/software which bypasses basic security features.

Making money from targeted ads doesn't mean they think the FBI should be able to bypass device security via hardware and software vendors.

Basically: making money from data != believing that a right to encryption doesn't exist.

Even with all the recent "featuritis" on the software side the unchanged simplicity of Apple's business model makes me totally fall in love with them again.

Tim Cook is the only one doing the right thing here.

> Tim Cook is the only one doing the right thing here.

Because it was Tim Cook who was dragged into this mess. What if the shooter had an Android phone, rather than an iPhone? I'm sure Lary Page would be penning a similar letter, in that situation.

Hah, that's a laugh. If it were an Android phone, the feds wouldn't have had to call anyone. They'd have just broken the device's security and gotten what they wanted.

Only Apple takes security seriously.

This is a recent development. Apple only started to care about iOS security around 2012 for example.
In a complex system great security takes years of work, it isn't flipped on like a light switch in v1.0. Wasn't the first version of iOS running as the root user?
Oh really? iOS has page-based executable code hash/signing since at least iOS 2 (2008); Android still doesn't have any runtime code integrity protections.
Of all the random security issues in the past 8 years you'd be hard pressed to find one where this was relevant.
This is one of those citations needed statements. I have played with cyanogen with LUKS, luks nuke (a simple password that destroys the keys), firewall and tor without google services. And you can even make yourself a dead man's switch that will erase the keys dd if=/dev/zero - you know the drill if some condition is not met.

The best part - even if google can make custom version of the OS it won't help the least.

It is a tough nut to crack.

Of course you can secure your own device yourself.

But if you buy Apple you won't have to.

And in that case FBI will load their custom OS and open it. The entropy provided by the user in the apple current security solution is just too little for the device to not be vulnerable.

Apple tried to do it by providing also their own key, but that helps little when a dedicated agency has physical access to the device. And legal hammer to compel Apple to spill the beans.

This article explains the situation nicely:

http://blog.trailofbits.com/2016/02/17/apple-can-comply-with...

The short answer is, Apple compensates for the low entropy of 4 digit PINs by rate-limiting the number of guesses you can make.

But that is the root of the problem. Apple can control how the system is unlocked, they can update it, so they are able to circumvent their own measures. I wouldn't be surprised if they are able to do it with secure enclave too.

So apple didn't provided their users security. They provided security with potential backdoor in the design.

So I say - it is good if FBI can force apple to exploit their own backdoors - to learn their lesson.

> They provided security with potential backdoor in the design.

I'm not certain what you're asking for here. A device that is completely impregnable?

Depends on completely - but device that does not store critical encryption keys and allows users to set their master keys is a good start. The problem for apple is that every device that could be secured against malicious apple cannot be forced to be part of their walled garden.

Or just some honest marketing. Like - your device is not secure if we cooperate with LEO and let consumer make their choice.

I see. Never let profit stand in the way of principles. I can understand the appeal, even if I don't share it.
I would wager that the FBI and CIA are technically capable of breaking the security on this phone. This is likely more about setting legal precedent via a case that is very much in the public eye.
I very much doubt that. These agencies are very capable of operating outside of the law if it will get the job done. All a stunt like this does is raise public awareness, limiting their options. They wouldn't do that unless they couldn't get it done via other means.

Only the fact that this is a terror case makes them willing to roll the dice at all on the craps table of public opinion. It gives them an advantage, but not an overwhelming one.

Well for a million + they could delaminate the chips and read the private keys off them in a painstaking way.
But that is incredibly risky; it would be easy to make a mistake, and if they do, the information is gone forever, which is the worst case scenario for them.

I absolutely believe that the FBI thinks this is the only way to get this data.

Yes, they might like to get a strong precedent in favor of this, but what if the precedent goes against them? You never know what you're going to get in court. This would be appealed to the 9th Circuit, which has a history of being skeptical of government arguments in favor of collecting digital data. And if the Supreme Court deadlocks 4-4 (as it could now), the appellate ruling would stand.

It seems like many people don't get the concept of evidence preservation.

Apple put in a feature, which they may circumvent, that will effectively brick the device if it is tampered in certain ways. The lowest risk option for retrieving the data is to get the people who designed the device to implement their circumvention method. That is exactly what the FBI asked for and what the judge agreed to.

Why should the FBI have to waste resources reverse engineering Apple's product (and risk destruction of evidence) when Apple is wholly capable of helping out?

>Why should the FBI have to waste resources reverse engineering Apple's product (and risk destruction of evidence) when Apple is wholly capable of helping out?

so now apple has to pay for engineers to design and implement this change to their product because the government said so? why is apple required to "help out"?

Apple is currently required because there is an outstanding court order. I'm not sure if they have submitted a formal appeal.

I do think there are some interesting questions about "forced work" here, but that can be said of any subpoena, and I don't think many would contest the entire concept.

From my standpoint: Apple can prove critical in obtaining whatever evidence/information may be on the device. It may certainly be the case that there is nothing valuable there, but such events should be thoroughly investigated. This was a personal computing device of a person who killed many, we need to know what is on it, and we can. It wouldn't surprise me if Apple were already working on the software.

Apple is a $500 billion company that sells hundreds of millions of devices each year and has more credit card-linked accounts than any other company on Earth.

If a warrant can force Apple to do this work now, then what is the criteria that would determine when Apple wouldn't have to help out? That is the key legal question.

If a warrant can force Apple to do whatever the warrant says would be helpful to the FBI, then that's a pretty huge scope of potential work.

using their magical AES breaking powers?
From Apple's letter [1]:

> Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

> The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor.

So it's not a matter of technical impossibility.

[1] https://www.apple.com/customer-letter/

if the gov were capable of doing this themselves they would have done it already
For Apple it's not impossible. The government can't push updates to a phone without the necessary keys.
Yeah! That's why you can't even jailbreak every single one of their phones!
I think it's interesting to note that Apple has complied with requests from law enforcement in the past...

Of the total number of requests, which Apple references here: http://www.apple.com/privacy/government-information-requests...

> 94% were Device Requests--law enforcement seeking a stolen device

> 6% were Account Requests--law enforcement seeking personal information

> 27% of U.S. account requests received between 7/1/14 and 6/30/15 resulted in disclosed content.

> Less than 0.00673% of customers have been affected by government information requests

Interesting stats...

>I think it's interesting to note that Apple has complied with requests from law enforcement in the past...

It's also very important to note that preview law enforcement requests are not in the same scope as the FBI's request published yesterday. All of the information disclosed above is data held by Apple. The new request is for Apple to commit development resources to produce brand new software, not just turn over data.

Agreed...there is a difference...a whole new precedent may be set when all this is sorted...
Yes, the FBI is arguing that it's no hardship for Apple to write the software to do this, since writing software is the business they're in. Once that precedent is established, then no software the government asks Apple to write should be any "hardship." I'm betting the government has a well thought out wish list.
Brand new software that-- and this seems to be missed in the wider discussion-- may be impossible to produce. It may not be possibly for Apple to comply. For instance, you can't install firmware on a locked phone.
You certainly can - you can try it out yourself by rebooting the phone while connected to USB with Home button pressed - it will reboot to the Recovery mode that (since iTunes 12 AFAIR) allows you to choose between update and restore. Should you choose 'update', it will keep your data and rewrite the system partition, all without asking for your PIN.
My interpretation was that it would affect future iphones, not current ones. This is less to do with what was said, and more to do with what is practical.

It would be absolutely trivial to disable security features before selling to the customer. Afterward is more difficult.

Yeah, that 94%, keep reading the phrase man: The vast majority of the requests Apple receives from law enforcement ->>> come from an agency working on behalf of a customer who has requested assistance locating a stolen device <<---. Read also the guidelines to see which information Apple does give its really interesting and i think they are one of the few companies to be strong regarding user rights.
What makes you think he didn't understand what he wrote?
I don't say he didn't understand, I'm just throwing some more data to that simplified stats as they can be misunderstood
If you read the letter, they already said they have, do and will aid law enforcement in any lawful way they are able.

They question the lawfulness of this particular request.

(comment deleted)
I understand the technical issues, and understand the broader implications...

But, one thing has been bugging me about this case and your comment that Apple questions the "lawfulness of this particular request" leads me to ask:

Does 4th Amendment protection end at death...?...the terrorist is obviously dead...

I've been looking and don't find answers that satisfy me...?

Anyone?

Apple isn't questioning the legality of the request based on 4th amendment concerns. Most requests from law enforcement ask a company to give up information they already have. What makes this unique is that the request is for Apple to decrypt the device -- an ability they do not currently have. Further, there is no law requiring Apple to have the ability to decrypt the device.

So this request is really a request for Apple to develop a way to break their own encryption, which brings up a lot of slippery slope concerns. If Apple can be forced by the government to develop a way to break into this version of their OS, what would stop them from being forced to develop cracks for other versions of their OS?

(comment deleted)
John McAfee has posted his response: http://www.businessinsider.com/john-mcafee-ill-decrypt-san-b...

As usual for him, it's hyperbolic and over the top.

It starts with this...

> This is a black day and the beginning of the end of the US as a world power.

And snowballs into this:

> And why do the best hackers on the planet not work for the FBI? Because the FBI will not hire anyone with a 24-inch purple mohawk, 10-gauge ear piercings, and a tattooed face who demands to smoke weed while working and won't work for less than a half-million dollars a year. But you bet your ass that the Chinese and Russians are hiring similar people with similar demands and have been for many years. It's why we are decades behind in the cyber race.

Yes, McAfee just said that the Chinese and the Russians are hiring people who insist on smoking weed at work.

Not too far off. Obviously nobody would smoke at work for the same reason they probably wouldn't drink, illegality aside. But, what people do outside of work is their own business. If my boss started seriously inquiring about my vices, first thing I'd do that night is update my resume.

I've considered federal work before but every time I think hard about it, I keep coming back to the scene in Snow Crash where the fed works at a place where every little action - the time you arrive, the time you leave, whether you take the stairs or use electricity by taking the elevator - is scrutinized and judged. Yuck.

Do you live in China (or Russia) and work for the Chinese (or Russian) government?
>>I've considered federal work before

>Do you live in China (or Russia) and work for the Chinese (or Russian) government?

No.

> I've considered federal work before but every time I think hard about it, I keep coming back to the scene in Snow Crash where the fed works at a place where every little action - the time you arrive, the time you leave, whether you take the stairs or use electricity by taking the elevator - is scrutinized and judged. Yuck.

Wasn't that the corporate guy that did that to his employees? Intruding into their homes, even?

I can't speak for all federal jobs, but I doubt any involve anything like that level of busybody-ness unless a very high level of security clearance and access is involved.

I was being hyperbolic, but the point remains: I don't want to work in a place where my behavior outside of work - as long as it has no effect on my performance and/or publicly embarrasses my employer - is a part of the evaluation regardless.
> Wasn't that the corporate guy that did that to his employees? Intruding into their homes, even?

Well, the Fed was the one that monitored everything at work and bugged its employees' home phones too. L. Bob Rife was the corporate guy who didn't think that that was good enough, and wanted to be able to partition work data in his employees' minds so that they didn't have access to it outside of work. I think Rife is mentioned in passing as doing the former kind of monitoring whereas the Feds' practices are described in excruciating (and entertaining) detail, so you can certainly be forgiven for conflating the two.

> I've considered federal work before but every time I think hard about it, I keep coming back to the scene in Snow Crash where the fed works at a place where every little action - the time you arrive, the time you leave, whether you take the stairs or use electricity by taking the elevator - is scrutinized and judged. Yuck.

I work for a defense contractor, and while we do have some annoying DCAA-mandated timekeeping policies, it's really not half as bad as the Snow Crash FBI. We just have to write down time in, time out, and the amount of time worked on each contract each day (in tenths of an hour). The first two are only because the DCAA mandated it, and the third is for accounting purposes (IIRC, the company gets paid based on how many hours are billed to each contract).

It's because of this, by the way, that overtime is virtually nonexistent here; we can't bill the government more hours than have already been agreed to, and it would be illegal to lie. Thus, if we end up staying late or working on a weekend to meet a deadline, we take time off later in the month so our billed hours for the month match up with how many the company is allowed to bill.

Oh, and I'm an openly transgender person with a pink stripe in my hair, and I've never had any trouble with either. There's also no dress code, everyone knows that I'm a heavy drinker outside of work (and doesn't care as long as I don't drink at work or come to work drunk), and the environment is relaxed enough that we can talk about any subject during breaks.

> Yes, McAfee just said that the Chinese and the Russians are hiring people who insist on smoking weed at work.

I'm sure you understand his point.

Except on Hacker News where it received the most upvotes of all time by a margin of nearly double...?
HN is just a forum. I think this article is referring to official PR statements from major tech firms.
Wonder what the NYT's headline would be if it was Google that has gone out strongly.
Google doesn't care. They're the "if you have nothing to hide you have nothing to fear, and you better not fear advertisers, because we just told them all about you" crowd.

Few years back Cornell University adopted Gmail for their staff and faculty under the condition that the company wouldn't data-mine the emails. Google did anyway. Now we use Outlook.

Google does care in some cases, a couple of years ago they started encrypting links between their datacenters because the NSA was snooping on internal Gmail traffic.
The difference is: Apple is putting their money where their mouth is. Google only fixed that after they got caught with their pants down. Apple is pro-actively trying to prevent it from happening.
> Google doesn't care. They're the "if you have nothing to hide you have nothing to fear, and you better not fear advertisers, because we just told them all about you" crowd.

Still with that out of context quote?

Did you even read my second paragraph? I have personal experience of their ignoring contractual privacy requirements for private gain.
Then I suppose that you will provide proof of that.

And then you could explain why Cornell uses Google Apps for the students.

> Few years back Cornell University adopted Gmail for their staff and faculty under the condition that the company wouldn't data-mine the emails. Google did anyway. Now we use Outlook.

is this site[1] old then? Sounds like they have a very explicit privacy agreement[2], which isn't surprising...Cornell isn't a small school.

(according to the wayback machine, the privacy section in [2] has been in place unchanged since February 2012)

[1] http://www.it.cornell.edu/services/cmail/index.cfm

[2] http://www.it.cornell.edu/services/cmail/faq.cfm#privacy

Of course the industry response is muted; this is the chilling effect that we were all worried about. Most Big Co's don't want to put themselves in opposition to an organization as powerful and well-funded as the US intelligence apparatus. I'm sure they are all on Apple's side, but are less willing to speak out about it because they fear the consequences.

If you're cynical, you might think that this case is all about setting precedent and trying to scare one of the FBI's biggest opponents on the topic of data security (Cook). We know they have other options for cracking the phone in question (decapping, side channels, etc.). They want legal precedent for installing backdoors, and they want to scare Apple and other companies out of providing security features. No wonder those companies are hesitant to speak up.

Do you think they choose to ask Apple to do this in such a public way, because they are very confident the phone will contain information that will help with the investigation, which will make a positive precedent about this method for future requests, and also provide 'lobbying power' when new laws will be considered?
The phone might not even have to contain anything useful for it to be said to have been helpful by the elimination of that avenue of research. "Apple helped by showing the phone had no information on the attack and we've moved on to other investigative avenues."

One could twist things all day long to fit a goal.

They can be confident because they are free to assert whatever they want about the contents of the phone. Nobody will have access to information that contradicts their assertions.
The iPhone in question was his (government) work phone and they already found a bunch of their other 'burner' phones in a trash bin, which they got access to. I find it unlikely he used his work phone for planning when they purposefully ditched other devices. Additionally, I doubt he knew the iPhone encryption would block investigators from accessing the data, so the fact they can't access it is most likely just coincidental that the device's battery was dead.

But this is just speculation...

I'm definitely in the camp that believes this is a legal stunt by the FBI to set a precedent using a highly publicized terrorism case which the public will support. A previous All Writs Act claim in 2014 by the FBI for a credit card fraud case involving an encrypted iPhone didn't change Apple's position on the matter, so they are trying again with a higher stakes case.

Yes I agree. I can't be a coincidence. They deliberately picked the best weapon in this debate, biased public opinion.
Could it be possible that the government want to lose in this case(and in the media) - creating a strong illusion that the iPhone is 100% safe from spying ? How valuable such an illusion would be ?
Most people who think about this stuff often seem to think that TAO already has access and the only purpose is to create a precedent to use this legal process against anyone.
Do you really think that the information in this phone is otherwise beyond the reach of all mankind? Spare a few snowflake engineers and managers at Apple?

There are dozens if not hundreds of viable methods to obtain this info, FBI is choosing to pursue the court order route instead of any of the other forensic tools available to them.

The simple fact of the matter is that the encrypted data and the key to decrypt it both live in a piece of physical hardware on the device-- no matter how well obfuscated it is, it can still be analyzed and recovered by a sufficiently advanced technical entity.

This is exactly the type of work that NSA TAO exists to accomplish, and they are widely regarded as one of the best organizations of this kind in the world.

Who swore on it ? how high is he on the org chart ? is it possible that he is being kept in the dark ,intentionally ? or could such skills only availble at other agencies ,but the knowledge acquired can be shared ,like it has been in the past ?
The source link is a few tweets down. https://www.documentcloud.org/documents/2714170-SB-Shooter-M... The signatures are on page 20 but they're the same names as on the first page:

  Eileen M. Decker, United States Attorney
  Patricia A Donahue, Assistant US Attorney &
    Chief, National Security Division
  Tracy L. Wilkinson, Assistant US Attorney
  Allen W. Chiu, Assistant US Attorney
But the guy who said the specific statement you mentioned is just the regional director of the orange county forensic department in the FBI , Christopher Pluhar @pg 21.
I don't think it's about opposing the government, the line in Apple's letter that symbolises for me the importance of their argument is "because we believe the contents of your iPhone are none of our business." – for many other companies, the contents of your device is absolutely their business, it's how they maintain revenue.

If Facebook can't read your data, then they can't sell your eyeballs to advertisers.

If the contents are none of Apple's business, why did Apple give themselves (via their signing keys) a backdoor that allows them to replace the firmware out from under the owner of an ostensibly locked device?

If Apple couldn't do an end-run on the key derivation protection mechanisms, then they couldn't use that backdoor to aid the FBI.

"Can't do it" is a strong defense.

"Won't do it" isn't.

You'll have to excuse any naivety on my part, but is that for all devices or for <= 5C? I was under the impression that was not possible for the 6 and 6S because of the secure enclave, and that the device had to be unlocked for a firmware update to occur.
The weight of evidence is that they can update the secure enclave firmware in place, too, without losing keying material.
Actually - it seems to me that "won't do it" - when based on principle, is a much better defense.
Not when it comes to transparent, limited scope, reasonable writs.

This isn't some NSA mass surveillance program, or clipper chip reloaded(TM).

This is an active murder (and terrorism) investigation in which Apple's privileged position -- one they assumed by choice and to their own benefit -- already exists. It is not unusual, unethical, or establishing any new precedent for them to be compelled to use keys they already have to open this single device.

Apple does not need to, nor are they being asked to, provide a backdoor that can be used elsewhere, and any further demands of Apple will require the same judicial oversight as this one.

If Apple doesn't want to be in this position in the future, they can avoid the potential liability by not holding master signing keys that can be easily used to circumvent the security of an owner-locked device.

> Apple does not need to, nor are they being asked to, provide a backdoor that can be used elsewhere.

They are, however, being asked to _create_ a backdoor that can be used anywhere. The specific request is to remove the limits on guessing passcodes so that the FBI can brute force it.

The backdoor already exists, in cryptographic terms.

All they're being asked to do is to use it, entirely under their own control, for this one phone.

Tim Cook is trying to pretend that commenting out a few if statements in the key derivation code path is what creates the backdoor.

If Appke weren't able to update the software on your device, they really wouldn't be able to give you software updates. Since it's the software that enforces security, well you can sees where this is going.

It's not as easy as you imply. Denying themselves the ability to end run your security might well require them to not be able to upgrade or recover user devices. At all.

It's not as hard as you're implying; A locked device could support re-imaging by expunging all existing key material.

In general, Apple's guarantees about anonymity and security all assume that there is no risk to Apple sitting in a trust position. This case demonstrates why that's a bad idea.

Gotta love how some are using this as a marketing tool for Apple! For quite some time after Snowden we know well that Microsoft and Google at least believe the same as Apple - you can wax judgmental over strong or weak, loud or muted but fact of the matter is it is quite well known through their actions that both MS and Google are in opposition to government back doors and sweeping collection of information.

But yeah all that be damned - let us see how quickly we can paint the other teams in gray. Let's also ignore that Google's CEO basically agreed with Apple's and if someone brings it up let's dilute it - not strong enough words and it's on Twitter!!

Oh and while we are at it let's jump to the "you're the product" bandwagon as well especially when it isn't relevant to $subject at all. Clearly since Google and MS sell your data (whatever that means) they don't care about your privacy right? I guess Google forgot about violating your privacy if you are using ChromeOS - https://www.chromium.org/chromium-os/chromiumos-design-docs/... ?

Microsoft also forgot to violate the privacy expectations of their Irish customers I guess - https://en.wikipedia.org/wiki/Microsoft_Corporation_v._Unite... ?

And yes let's also imply that since Google and MS can read your email - getting that to the government is no big deal for them! It's the same thing right - government's just gotta sign up for Bing Ads and Google Ads?

"This is an Apple marketing ploy" is the absolute dumbest take on this issue. Please drop the tech horse-race bullshit for two minutes, sheesh
Explain then to me how it is not. (Note that I did not say Apple is doing the marketing for themselves - media and bloggers are. FTR I think obviously Apple's is the right stance to have.) There is no basis to paint the other horse race participants as complicit - especially when Google's CEO publicly agreed with Apple's stance and they and MS both have history of opposing this sort of stuff.
That's actually not what blinkingled said. They said that some people here are using it as marketing for Apple, not that Tim Cook or others at Apple intended for it to be taken that way.
Who is stronger Corporations or Government?

The largest company by revenue would rank 28th in largest country in world by GDP.

We came out and vocally supported Apple on our blog yesterday. The response from our customers, mostly consumers and small businesses, was overwhelming. Many long comments and passionate views.

https://www.wordfence.com/blog/2016/02/wordfence-supports-st...

I'd encourage every other tech company who has the ability to talk about this (in other words you don't sell to the intelligence community), to also inform your customers and take a viewpoint on this issue.

This is obviously nothing new, but we're finally at the point of inflection we've all been anticipating. If Apple caves, it will set a precedent that the government can use a law from the 1700's (and anything else they can dredge up) to force surveillance and backdoors on tech companies in the name of security. For startups alone, even if you ignore the chilling effects and impact on privacy, to simply comply could be onerous enough to hurt innovation.

This is NYT supporting the Establishment, by mocking Apple's position.
While I agree with you, it is sad to hear how quiet most of the the other big players are
It may have to do with this: http://www.wsj.com/articles/senate-intel-committee-chairman-...

An encryption bill that is being worked on by the Senate that would try and make it a crime to not help the government decrypt messages from smart phone or other device.

Suddenly these courts find they can't get evidence to convict people if their phone is encrypted and so are the messages. So they want tools to decrypt the messages to get the evidence.

Analogy: One kid stood up to the bully, and the other kids are waiting to see what the consequences are before they pick a side.