292 comments

[ 3.4 ms ] story [ 349 ms ] thread
This is an interesting tug of war. Considering 50% of Americans are taking the opposite stance, the SV elites are in the minority. (35%) Yet no pro-government business executive has emerged. I guess it's a risky position to take.

I have a feeling the government will eventually figure out a way to get its way without our realizing.

I would be absolutely shocked if the government didn't have numerous ways to get into any information on any commercial phone. What they don't have is a simple device that average joe agent has access to at the local office, and of course his civilian police force compatriot.
Just a suspicion but I imagine the narrative that FBI, DEA, ATF, IRS or any federal agency is frustrated that the NSA won't share its toys with them has some truth to it. Of course, it makes sense. Complying to very single request would leave NSA as mere peons.
It was just a couple years ago that the FBI was lamenting the fact that it was having trouble hiring hackers because they all smoke pot. I only cite that as it asserts that the FBI does in fact employ teams of digital hackers. The NSA surely has better/more, but if the FBI needs into an iPhone I'm sure they could do it on their own.
I don't know anything about the FBI or the NSA but I doubt the FBI would have remotely the same budget for zero day bugs. (:
I consider the "50% of Americans" stat to be useless. This is a complicated topic for technologists to grasp. To expect the general public to understand the implications of what they're being asked in order to provide an informed answer is a stretch.
especially when the answer is loaded (the think of the terrorist/children/drugs trick)
(comment deleted)
It is a complicated topic but we can't just ignore general public that takes on position without realizing its implications. For decades, general public had opposed marijuana, even when half of them have used them before.
Correct. The court of public opinion may not sway technologists, but it will determine what law makers feel the need to propose, based on their constituents demands.

We have to make it very easy for the general public to understand what's going on at an incredibly simple, "oh I get it" gut level.

Simple words communicated simply will go a long ways to showing the importance of keeping good security practices in place in our tech.

Do you really think that constituent demands are what drives law creation?
To a degree, yes. But even if you take a more pessimistic stance and assume that lawmakers have an agenda that is entirely divorced from that of their constituents, they still need to manufacture consent[1]. Which means that if you get enough voters to be strongly opposed to something, it does have an effect beyond what a small group of highly informed critics can have. The political system is neither perfect, nor useless, is somewhere in between, and I say so as someone who comes from a country with political process that leans way more towards 'broken' than the U.S. one does.

[1] https://en.wikipedia.org/wiki/Manufacturing_Consent

(comment deleted)
> but it will determine what law makers feel the need to propose, based on their constituents demands.

Where can I sign up for that Congress? Is that opt-in? Because that sounds great.

Probably wouldn't have the effect you are looking for. Corporations are constituents, too, being legally a person. Even if not, the owners are certainly constituents, and most large public companies have a large number of shareholders. 55% of Americans own stock (down from 62% in 2008) [1] So if that 55% constituency demands laws that you don't want, the result is that you are outvoted.

[1] http://www.gallup.com/poll/182816/little-change-percentage-a...

The way you can make your voice - and everyone else's - heard is in votes. Organize a coalition against a politician you think is bad. Get donations. Run ads.

Not saying it's easy, but when it comes to election day, that politician truly does hinge on the majority of people filling in the bubble by one name. If you can make that not happen a real threat in the candidate's mind, they'll listen to your desires.

A condescending attitude won't go far though.

Not everyone will agree with you, even if you use itty bitty words they can understand. I understand the issue, even when explained in grown up words. And I don't agree.

In this case, Apple already was not "keeping good security practices in place" because they made a weak system. If they had actually made a phone that kept good security practices in place, it wouldn't be possible for them to help the FBI.

They should comply with this and then fix their crap. Then you can worry about explaining the importance of fighting any law that would undermine strong security.

You have to dumb down some of the technical aspects but this isn't a particularly complicated topic.

Think about something like climate change or vaccinations. You probably have no actual idea how it all works. But with some explanations you can understand the gist of the technical sides of those issues.

The main disconnect between the tech crowd and the general public isn't technical knowledge but values. A lot of people in the tech community put a lot value on absolute privacy or secrecy. The general public doesn't. Especially in a case where the privacy or secret information is to a 100% certainty related to an actual mass murdering terrorist.

I'd bet if anything, the general public would overestimate the privacy risk the apple crack would cause. They don't know about signed updates, for example.

(comment deleted)
This is exactly why tech/internet companies should have been spending the last year educating people about why encryption is important and just how much of their lives relies on crypto.

The FBI has been running their own propaganda campaign, but when James Comey talks about the supposed "need" for backdoors, the common response by the people that understand crypto is to talk about how stupid Comey's suggestion was, sometimes with suggestions that he must not understand how crypto works. Meanwhile, the intended audience doesn't hear how backdoors aren't possible, and now have to unlearn the lesson that is "bad".

edit:

A suggestion on how to educate people about encryption: remember why[1] Philip Zimmermann wrote pgp - to provide an envelope for network communication.

[1] https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html

50% of Americans can only take the opposite stance if they know what stance they are taking. The reporting on the poll doesn't reveal any screening questions to determine whether the respondents understand the issues at stake. If they don't understand the issue, then the 50% is answering a question about something else.

If they asked the question "Should Apple make it easier for terrorists and foreign hackers to access information on American phones", I suspect less than 50% would say yes.

Complying with the FBI's request does not make it easier for terrorists and foreign hackers to access data on American phones. This is a case where having a little bit of knowledge leads to a wildly inaccurate conclusion, similar to Greenwald's original PRISM reporting.
It sure does if that signed malicious firmware ever got out. And it will eventually since once it's written it will be requested by every police department and federal agency for ever increasing trivial cases. Every government in the world will want access to that piece of code.

If Apple really can tie the firmware to a specific piece of hardware with no possibility of it being modified I would be impressed but even still a little cautious.

The FBI has given Apple the option of brute-forcing the phone for them. In that case, the build never leaves Apple, just like the build that Apple has previously used to extract unencrypted data from iPhones.

Making the build not-modifiable is easy. That's what's stopping the FBI from modifying the existing build to remove the wipe rule.

Where do you get the idea Apple made a special build to extract unencrypted data?
Because the standard build does not have the capability to bypass the lock screen and extract data.
What makes you think such a build has been used before?
That Apple has said so in their transparency reports.
I can't find any statements indicating this required a special build, just normal access to the storage. If you have some citation for this I'd appreciate it.
On the standard build, normal access to storage only works if you've unlocked the phone.
> Complying with the FBI's request does not make it easier for terrorists and foreign hackers to access data on American phones.

You're disagreeing with every cyber security researcher I know, as well as the EFF, with no sources at all. At least google the subject.

Despite nearly a year of campaigning, 6 months of extensive political coverage, non-stop advertising, and series of debates with large audiences when push came to shove a third of New Hampshire primary voters decided in the last few days before election.

Perhaps it's a bit premature to treat people's responses to a quickie poll as evidence that people are "taking an opposite stance" as opposed to giving their immediate impression.

It seems likely that Apple, Google and Facebook could make a case that would persuade people, especially with the support of the EFF, ACLU, and Amnesty International.

That 50% stat is made up stat. 50% Americans probably cant spell "encryption" properly.

It is very easy to make people bend over and grease up by threatening them that some bad people are planning to kill them.

Defending liberty does not need 50%. You need few extremely vocal people willing to fight the good battle and help the discourse.

Given what I saw when I was at DO, everyone should back apple in their refusal to unlock the iPhone.
Apologies, what is DO?
DO = Digital Ocean. The parent wrote the abbreviated term subconsciously because he used to work at Digital Ocean.
Ah thanks, I'll commit this to my lexicon.
As a DO (digital ocean) customer, care to elaborate?
Under penalty of prosecution, not really.

All I can say is that they genuinely do their best to protect you. For me it's that they have to spent a lot of resource (fiscal and other) to protect you from what is in my opinion: really sketchy shameful shit on the US and many other government's part.

If people want to really know why tech companies are at the point of enough is enough, it's because many governments continually try to twist laws/regulations/random stuff/whatever they want/made up shit in an attempt to get what they want. Eventually becomes boring, annoying and very expensive telling them they're wrong.

> Under penalty of perjury, not really.

Since you're quite obviously having to dance around how to communicate the fact that you've received NSLs and invocations of CALEA that made you feel queasy (I feel your pain for similar, vague, hypothetical reasons), perjury isn't the legal concept that you're after there. You want 18 USC 2709, and for those keeping score at home, to my knowledge nobody has been prosecuted for violating (C)(1) which would test that law on appeal. The Internet Archive famously challenged the nondisclosure itself and won, which is a bit different.

I honestly don't know with what they'd charge you. Obstruction, maybe, but there's enough national security buzzwords in the (again, I've heard) letters and law to give me pause on considering civil disobedience there. The law does say in 18 USC 3511 that they can invoke a district court to force compliance, and then contempt can follow. But unclear on the nondisclosure part in the absence of a court order, and that's scary.

(BTW, IANAL, just an ex-hoster with a penchant for policy, and I'd love to hear someone like rayiner's view on this.)

Fixed, although frankly perjury may apply if I went too far given.. handwave.
Indeed. I know exactly what you mean. Relatedly, I hope you were able to avoid situations that required you to talk to NCMEC. (I wasn't, and I carry those memories with me now.)

To others: Don't go into hosting, particularly the abuse side, if you value your sanity and a positive outlook on humanity in general.

Yippers, hosting anything for the general public as a pretty brutal business to be in. I didn't enjoy any aspect of my job that required dealing with the judicial arm of any government. I'm incredibly happy to see apple going to town on this issue. I wish people knew what a fucking mess it is.
You see, Apple's "enough is enough" is exactly, "you have CALEA, we work with you based on that, but now you ask us based on 'All Writs' to modify our products."

The essence of "All Writs" is (actual quote) "all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law."

which if I understand means in simpler English "we can officially request anything from everybody when we do our job, unless it appears as too illegal."

Thank you, I appreciate your response.
While we're talking about Digital Ocean, how has your experience been? My company currently uses Dreamhost, but we've had quite a few problems with them lately and we're thinking about switching.
Could you tell me about your problems with Dreamhost?

I've had minor problems with Dreamhost, but nothing major yet.

They are pretty good with customer support and transparency. It's just that we have hundreds of sites, and about half are on a dedicated server. We asked that it be moved to Portland when they opened up a new datacenter there, but they moved it to Virginia instead - I guess Portland wasn't ready or something. Anyway, our sites were in Virginia and our database was in Portland, and the latency between the two got out of hand. We had a lot of down sites and a very stressful week or so for me and my boss. Problems continue with the shared server upgrading to a version of PHP that doesn't work with our sites - we can't really blame them for doing that and there was plenty of warning, but it added more stress to an already stressful month.

On top of that, our server in Portland STILL isn't ready, and we don't have an eta on when it will be. There's been a couple of other little things too - basically it feels like a major problem with the server every other day, clients are mad, and we feel out of our depth.

Anyway, I leave work at 5pm but my boss doesn't and I don't want him to die of a heart attack. So. Digital Ocean is being investigated.

Yeah, that'd be the "minor problem" I mentioned. Their shared hosting is great for $10/month, but my site eventually grew out of it. Their dedicated servers were out of my price range so I never tried them.

I currently use OVH for dedicated servers. Low prices (starting at $70/mo), unlimited bandwidth use (most other hosts charge for bandwidth above a certain amount), DDoS protection as a standard feature (most hosts just threaten to kick you out when you get DDoSed or make you pay $15,000/mo for DDoS protection), and they've only been down once in the past few years I've used them:

https://news.ycombinator.com/item?id=10494475

(And they automatically refunded me for that incident; didn't even make me open a support ticket or anything!)

I don't want to sound like a shill but I (and others I know) tried a few hosts before settling on OVH and OVH has just been so much better in every way than any other host I've tried...

On the other hand, if you're looking for a really cheap dedicated server, Oplink has a $35/mo dedicated server: https://www.oplink.net/dedicated.html

I used to use Oplink and still like them, but they were one of those hosts that kicked me off for getting DDoSed (related: if you run a popular game, expect to get DDoSed).

Thanks for the tip. I mentioned OVH to my boss and he checked it out, and liked what they offer well enough to try it. We're going to be migrating in the next couple weeks. The fact that they have a datacenter in Canada and none in the states really helped.

Did you get any information about what the deal is with Dreamhost? I want to give them the benefit of doubt because they have been great for a couple years - their live chat is especially useful for me, and their backend is easy to work with. But this move to Portland that they have going on seems to be an absolute shitshow, and I wish we could get a proper explanation for what is going on over there.

I don't know, I don't really pay attention to the details of what's going on at Dreamhost... I haven't read anything weird in their monthly newsletter, either.

There are parts I like and parts I dislike about the Dreamhost backend. The email stuff is really clunky. The other stuff isn't great, either, tbh. I like how easy it is to upgrade to PHP 7, though...

Incidentally, I think I was using around 20 TB of bandwidth a month when Dreamhost "subtly" started hinting that I should move on from their $8/mo shared hosting.

No. Everyone should not back Apple. Let's crack that phone open.

We then want Apple to improve their security so that no such request by governments would be possible in future. Tighten the security so that not even a special custom version of iOS would make a difference to the self destruct measures in place. Then we wouldn't need to waste any time arguing about it.

I've been trying to stir conversation on this point, to little success unfortunately. The whole affair is pretty damning for the tech industry. The people who should know better are parroting Apple's deceptive claims, and many more are just hopping on the anti-surveillance anti-FBI/NSA bandwagon because it fits their political narrative.

Just to be clear, I'm against mandated backdoors in products. I should be allowed to make my product as secure as I want to, even against myself. Yes, that might hinder government search and seizure, but that's the government's problem, not mine. I agree with Apple and most other tech companies on this.

But Apple isn't being asked to create a backdoor. The door already exists, and was voluntarily created by Apple. Apple has all of the tools and knowledge in its possession to walk through it. Whether that's the PIN itself (it's not), or the code-signing key and source code needed to disable attack mitigations (without which a 4-digit PIN is worthless), doesn't make a difference. As you observe, they could design the phone such that this attack is not possible. They did not, even though they've been claiming otherwise for years now.

All of the arguments in favor of Apple boil down to a general opposition to government search and seizure, worries about damage to Apple's reputation, a claim that code-signing occupies a privileged legal position (akin to attorney-client privilege), or a slippery-slope argument that the government will ask for mandated backdoors on all iPhones next. None of these has a chance in court. I'm more and more convinced that Apple is well aware of how legally wrong it is, and is just doing this to save face over erroneously advertising that their phones were secure even against Apple itself (and therefore any government coercion of Apple).

If someone is going to challenge me on this, please answer this two-part question: If Apple had the phone's PIN stored in their database, do you think the government should be able to compel them to hand it over? And why is that any different?

I disagree, and here's why it is different. If Apple had a "thing" and a warrant said "give us this thing", then Apple would be compelled to turn over the thing. But Apple doesn't have this thing (the software to hack their own security). The government is saying "make us this thing", ie asking Apple to execute the warrant - which is unprecedented - it's the governments job to execute the warrant not a private company's.
So if instead, the government asked for Apple's source code, build system, code-signing key, and flashing hardware, would that be okay to you?

It's not completely unprecedented to require active assistance from a third-party. There's a Supreme Court case about this very issue, United States vs New York Telephone Co. The FBI wanted New York Telephone to install monitoring hardware on their premises and assist the government in its operation. The district court issued an order to that effect. The company offered to instead give the FBI only information, which the FBI could then use to install and maintain the system themselves. The Supreme Court ultimately ruled in favor of the FBI.

The main criteria that people have read out of that case is "unreasonable burden". I don't think that the FBI's request to Apple is an "unreasonable burden", especially since the government will pay for any costs. The biggest burden will be on Apple's reputation, but that is self-inflicted from making claims (honestly or not) that ultimately weren't true. I can't imagine the court allowing Apple to keep its technical assistance from the government.

Yeah, actually that would be ok with me. Because those are "things". But if there is a legal precedent for demanding services, then I guess my point is mute. I guess Apple could charge one billion dollars per person/hour. That MIGHT be enough to cover their costs.
Yes, Apple does have a "thing". And the thing is the signing certificates. The fact that some work is involved in using the thing makes no difference. Every demand requires some work. The fact that they're being asked to do thing A instead of thing B to get some outcome seems to be a weird place to draw the line. If it took hundreds of man hours to collect and properly separate out data for a single person to hand over to the FBI as evidence, they would be expected to do it. And they will even be compensated for it.
I actually agree with you. Apple should just make it it so that Apple CAN NOT do anything.

> If Apple had the phone's PIN stored in their database, do you think the government should be able to compel them to hand it over? And why is that any different?

Well, I think, they should not, but I don't claim its different.

Apple wants to have it both ways, build it so that they have full control and they can be compelled by nobody to give up that control. I would rather they build a system, where nobody is in control at all.

How do you suggest that Apple do that? Somewhere there has to be some code to check if security passed. It is always feasible for Apple to remove/disable the security check in a custom version of iOS.
Hardware chips with tamper protection can hold encryption keys which Apple wouldn't be able to modify. It is technically feasible and I'm pretty sure this is why people are saying Secure Enclave protects against this in newer iPhone models.

This is also the idea behind TPM chips which are in almost every phone/laptop these days, so consumers couldn't tamper with DRM and other similar crypto systems.

I guess that assumes that the phone's drive is encrypted with the hardware key? Otherwise the software could just ignore the hardware.

I find it ironic that this argument in support of TPM, etc. is being made for phones (not necessarily by you), but this same site has vigorously opposed it for PCs, especially Linux.

Android uses TPM chips for their disk encryption scheme. I don't see why Apple wouldn't be doing the same here...
The TPM is basically another processor with a small amount of on-chip storage. It exposes two fundamental operations: seal(plaintext) returns a secret, and and unseal(secret) returns the original plaintext. If you tamper with the device, the internal storage (i.e. the keys it uses to seal and unseal) is wiped. Unseal attempts are rate limited (at the hardware level) to prevent brute force attacks.

You can also seal against some other value. So you'd have seal(plaintext, pin) and unseal(secret, pin). Unseal only returns the plaintext if the PIN is the same that was used to seal.

This is where it gets really fancy. The TPM has a bunch of built-in registers called PCRs (Platform Configuration Registers). You set a PCR by calling extend(newmeasurement). At boot, the firmware hashes the bootloader and sticks the hash in the first PCR by calling extend(hash). Then the bootloader measures the next boot component (probably a second stage bootloader, or perhaps the BIOS settings), and stores that hash in a PCR, and so forth. The resulting value of each PCR is based on both the measurement passed to extend() and the previous measurements, so the whole chain is verified. The cool thing is that seal() and unseal() can use these PCRs the the same way as, and in addition to, a PIN. Now your disk will only be decrypted if you boot the OS that you used to encrypt it. If you're willing to trust the firmware and OS makers, you don't even need a PIN anymore. The OS's built-in authentication could be enough.

Windows PCs tend to have TPMs, but iOS devices have their own hardware encryption solution.

I've glossed over and simplified away important details, but that's the gist of it.

Nobody on the Linux side is opposed to TPM, Secure Boot and everything like that. The controversy is about who controls the key.

Apple can either create a special update key for the TrustedZone and distribute it to User (SmartCard in the package you buy the phone in) or they could just put in a non-upgradable system.

Both would work.

I think the Secure Enclave is still upgradable. Seems to me that apple should either make it non-upgradable, or give the upgrade key to users. Both would stop the FBI from comming to Apple with locked devices.
you could also say that a PR campaign putting all our trust into apple with a behind-doors deal to actually privately share that information is worth even more to both parties.

you could also argue that the NSA has the data already and would know if it even needs to be unlocked. If not, someone is smart enough to know: it still makes for a good PR campaign.

I feel like my positioned has changed a bit now that it is clearer the iPhone is owned by the same party that wants to recover the data?
This comment doesn't seem to make any sense whatsoever, care to expand on what you meant?
I was originally wholly on the side of Apple since I place an exceedingly high value on privacy and against government intrusion. But now that I understand that the phone is the county's, it seems more like a case of a phone owner just wanting to recover their own data. Thanks for the downvote, though!
They were eventually able to get into the phone without the backdoor. The shooter's employer was able to change the iCloud password on it because they issued the phone in the first place.

The FBI initially wanted to get in by having Apple build a backdoor that could be used to defeat the security on ANY iPhone-- that's the bad thing, and it's still a bad thing.

And re: "thanks for the downvote"-- stop digging when you're in a hole.

(comment deleted)
Sure, as far as the FBI getting this being reasonable I don't think we need to go much further than the user being a butcher of humans. But there's no way for Apple to comply with this order without putting everyone else in danger either through the exploit leaking (and what an incentive to steal that exploit there would be!) or the legal precedent leading to our government (or others!) asking for more.
I think your being downvoted because the techies on hn are concerned with security, not ownership. Apple complying with the government makes everyone less secure. We aren't as worried about judicial over reach as we are with creating tools that will be used to commit crimes.

Good security will keep out anyone that does not know the secret. That includes "owners." The concept of ownership is irrelevant to the design of a secure system.

>I think your being downvoted because the techies on hn are concerned with security, not ownership.

I made this post last day [1]. It received 3 votes.

https://news.ycombinator.com/item?id=11149716

Please don't get discouraged. People might have misunderstood what you meant. There's also the problem with asking other people to spend their time and money on your request. If you want this to happen, you should provide a proof of concept and get people excited about buying it. If you develop a market, others will implement your solution.
Wanting to recover the data, I don't think anyone actually has a problem with - not even Apple, if I read the letter correctly. It's wanting to force Apple to create a tool we'd rather didn't exist.

If you or I asked Apple to recover data from our phones, they'd just act sympathetic until we went away. Perhaps walk you through some of the backup options.

Who owns the phone is irrelevant in this case. Apple doesn't want to be forced to build operating systems into phones that break Apple's own security model.
That's an extenuating but, so far as I'm aware, both moot and nonessential criterion.

Virtually all the relevant phone data and metadata are available from other sources, including call, message, and email data, and backups until six weeks prior to the attacks.

Apple could have provided a data extraction on request, as it has done previously. This wasn't what the FBI had demanded.

Due to the FBI's own actions and direction, the data on the phone has quite probably already been destroyed.

Legally, my read is that the request has few or no merits.

What kind of a democracy do we live in where we rely on corporations to protect the people from an overreaching government?
Apple believes they are serving the people by protecting their privacy. The FBI believes they are serving the people by hunting down terrorists.

Just two different beliefs in what serving the people means.

Yeah, but Apple didn't fail to read the public Facebook of an immigrant to see if they were a foaming at the mouth, fully supportive of killing a bunch of civilians, crazed loonbat terrorist, before giving them the ok to come on over and kill some people.

The FBI et al did.

This sounds like you are saying truth is relative. Isn't there one best way to serve the people? Which is by protecting tenets of classical liberalism and natural rights; and ideally promoting and defending these ideas elsewhere to prevent such things as terrorists.

I am weary of this idea that no man is wrong except the man who says he is right. The FBI is an institution that was built by a seriously flawed megalomaniac.

I think in terms of building a just and reasonable federal law enforcement agency, you'd 1) need to pass a federal amendment and 2) not build it upon an overreaching and power hungry organization built by J. Edgar Hoover.

We can do better.

> Isn't there one best way to serve the people?

No. Not unless you are omniscient and all-powerful. And even then, still no, because different people are different and want different things.

No one is claiming that the FBI is without fault or even that its actual goal is serving the people. But there are plenty of people out there who have a sincerely held -- and in a few cases even informed -- belief that the FBI is on the right side of this debate.

That's a distortion of what I meant.

So respecting natural rights and popular sovereignty are not the right way to serve people? Your perspective on this was the point of Professor Bloom's book, The Closing of the American Mind.

I don't personally care what ill-informed people who are victims of the American Historical Association think about classical liberalism and human freedom.

The FBI will not exist in the future, solely because it is a threat to human freedom and in a better world, such a powerful authoritarian organization won't be needed.

> That's a distortion of what I meant.

It's really not. GP (or whatever) was saying that perhaps there's a reasonable difference of opinion. You responded by stating the author was wrong becuase "there [is] one best way to serve the people" and accusing GP of relativism (which is clearly a Bad Thing).

> So respecting natural rights and popular sovereignty are not the right way to serve people?

Natural Rights: There are reasonable conceptions of natural rights which allow for the FBI's interpretation of the All Writs Act. The exact scope and meaning of natural rights has never been and never will be resolved. Anyone proclaiming otherwise is just wrong. Hell, the philosophers who originated this concept had heated disagreements about their meaning. Things have only become more convoluted as we've tried to apply this idea in scaled-up settings.

Popular sovereignty: It's not at all clear to me how what the FBI is doing violates popular soverignty. In fact, it seems to me that they are fully engaged in a PR campaign designed, precisely, to leverage the legitimacy of popular sovereignty...

More generally, "natural rigths + popular sovereignty" is not a deterministic algorithm. It's entirely possible for people to adhere to both of thse philosophies and still vehemently disagree on the best way to govern. I might excuse a philosopher for not being able to foresee this fact 2000 or even 300 years ago. But clinging to the notion that "natural rigths + popular sovereignty" is a panacea to political disfunction after the past 200 years is rather astounding.

I happen to strongly agree with Apple and loathe what the FBI is trying to do. But I also think the argument you're making here is dead wrong. The case against the FBI here is not based upon natural rights. It is either based upon constitutional rights, or it is based upon pure pragmatics. And the final answer will almost certainly the latter.

> Your perspective on this was the point of Professor Bloom's book, The Closing of the American Mind.

1. No, it really isn't...

2. I was educated in exactly the style Bloom suggests. Suffice it to say that actually reading the classics has a way of undermining the authority that staunchy old conservative men try to get out of their particular interpretations and applications of ideas expressed in those books.

2a. Damned marxists bastardized Nietzsche and also rock music is for flooseys. lol

3. If Bloom's opinions were at all sincerely held, he would likely have agreed with the observations about natural rights and popular sovereignty given above.

> I don't personally care what ill-informed people who are victims of the American Historical Association think about classical liberalism and human freedom.

Don't worry, I use tin foil bookmarks.

> The FBI will not exist in the future

Okay.

Apple is also an institution that was built by a seriously flawed megalomaniac. ;-)
That's what apple wants us to believe, but they also have powerful financial interest in the matter. No one has called them out on it yet because it would be rather unpopular to do so.
Or that Apple's financial interests, moral interests, and the interests of their customers are all in alignment on this issue.
The US Department of Justice has very publicly made that claim, it just fell flat.
I don't think they do have much financial interest in this -- if they cave and give the FBI what they want, Google will cave too (if they haven't already). Regardless of what Apple does in this case, they are going to sell billions of dollars of iPhones.

There may be a few hardcore privacy advocates that buy an iPhone because of this, but it's not going to make any significant change in sales.

And as for criminals, well most of them don't know or care about encryption and aren't thinking far enough ahead about what would happen if the cops seized their phones. The organized "professional" criminals aren't going to rely on device encryption to protect their secrets.

And of course, the cynic in me thinks that Apple (et al) has already given the FBI what they want and this whole case is just public posturing to make the world think that iPhones are immune to government snooping.

>The FBI believes they are serving the people by hunting down terrorists.

No, they don't have any credibility in the matter. They're working an emotionally poignant tragedy to curry favor for the expansion of their authority.

…something something eternal vigilance…
> rely on corporations to protect the people from an overreaching government?

Corporations aren't fundamentally different from the government. Both are just groups of people, at an abstract level.

It's actually not uncommon for local governments to literally exist as incorporated entities. Or for corporations to serve as the de facto government for a region.

It's a relatively recent phenomenon that we view these as completely different concepts, but they're not as distinct as we often think. It's more accurate to think of government as a special case of corporations rather than a completely different concept.

Well... yes, they are groups of people, but governments are rather different. Governments include everyone and act on their behalf. They are also responsible for creating and enforcing law. The distinction is valid.
> Governments include everyone and act on their behalf. They are also responsible for creating and enforcing law.

It's more accurate to think of governments as a special case of corporations.

Governments don't always "include everyone", and as we've seen, they definitely don't necessarily act on their constituents' behalf.

In certain contexts, corporations have also been responsible for creating and enforcing law, even though that's not the context we are used to today in the US.

It's more accurate to think of corporations as a special case of governments, what with corporations being a recent legal structure created by governments.
The difference is that corporations have (mostly) voluntary membership but unelected leadership, whereas nations have (mostly) involuntary membership and elected leadership. So it still stands that it should not be the expected state of affairs that corporations are seen as stewards of the common good, rather than the government. It really ought to be the other way around, and the fact that it isn't is sign of a problem.

I don't remember who said it, but there is a quote along the lines of: "People should look to the private sector for growth, and to the government for justice. Increasingly, they look to the government for growth and to the private sector for justice."

Edit: Found proper quote and source thanks to mbrock's pointing out where I likely heard it last.

The quote is:

"We have come to rely upon capitalism for justice and the government for economic stimulation, precisely the opposite of what reason would suggest." - Donald Kaul

And it comes from here: http://articles.philly.com/1990-10-17/news/25891604_1_budget... (Timothy Taylor did quote Kaul in the podcast mentioned in the comment below)

Timothy Taylor talked about that idea as guest on the 1 February episode of EconTalk with Russ Roberts.
> Corporations aren't fundamentally different from the government.

Yes, and that is the problem. Both are enormous institutions with tremendous wealth, resources, and power over individuals. A democracy is supposed to check this kind of power, but instead we're relying on it, only from a different source. The corporations' interests are currently aligned with the people's only by good fortune. When they're not, who will check them? Who will check the government?

Corporate interests are not a sustainable, effective, or remotely wise defense of liberty. The fact that Cook and Zuckerberg are doing our fighting for us is evidence that the correct methods are not functioning properly.

A corporatocracy.

It's not so surprising when you consider that corporations can span many countries. Apple doesn't need the U.S. nearly as much as the U.S. needs Apple.

Just like governments, corporations are groups of individual people nominally organized around a common goal. If the government overreaches to a degree that will have a significant negative effect on corporations' bottom lines, as would Apple being forced to backdoor its software, we should absolutely expect corporations to step in on the side of their customers.

Of course corporations will be pragmatic about when they step in to "protect the people" as you put it. But let's not kid ourselves about governments ever being fully (mostly, even) on the side of the people.

> But let's not kid ourselves about governments ever being fully (mostly, even) on the side of the people.

Exactly. What kind of democracy is this?

It's not, it's a republic. In fact, the Founding Fathers considered democracy a terrible form of government.

"Democracy is the most vile form of government" (James Madison)

"A simple democracy is the devil's own government." (Benjamin Rush, signed Declaration of Independence)

"Democracy will soon degenerate into an anarchy..." (John Adams)

"The democracy will cease to exist when you take away from those who are willing to work and give to those who would not." (Thomas Jefferson)

Many, many more at http://www.godtheoriginalintent.com/democracy_republic_quote... (sorry about the choice of web site, but the selection of quotations is impressive.)

That’s simply a discrepancy in definitions. ”Democracy” as used in your quotes is not “democracy” as used elsewhere here. With democracy the people you quoted meant something more specific than the people using it here.

Today democracy is simply a catch-all term.

That Jefferson quote shows a lot of chutzpah for a slave owner.
Yeah, true. But I imagine his comment was about a law that absolved all debts. Democracy had a rocky start, including bread-and-circuses laws. Folks were not used to wielding voting power, and misused it terribly for a time.
The US of A is not a democracy it's supposed to be a republic. When companies act as the mouthpiece for the people, they are not doing so because they are protecting the people. They are doing it to protect their own interests (corporatism) and any company that is speaking out in this situation, is merely playing lip service to the people (consumers/products). There's nothing they can do. They are at the mercy of the government, laws and any types of intimidation that may be applied by the any agency of the state. Only the people of the US of A can rise up and make a true difference. We must stop believing that we are here to serve the state (government). We must stand up and demand that the state serve the people.
We're seeing a real power struggle between these powerful tech corps and governments.

What was really revealing was Tim Cook's answer on 60 minutes when pinned down about Apple's international tax strategies - why don't you being this money back to the US thereby making it taxable. His answer essentially: because I don't want to.

Privacy, tax avoidance, H1Bs - more showdowns to come.

>> because I don't want to.

Well, he also doesn't HAVE to. If you don't HAVE to do something, especially if it's beneficial to not do that thing, why would you?

Because you're a good person, perhaps?
That's not how taxes work. Why don't you donate extra money to the government that there is no law saying you have to pay?
Nothing revealing about that. It's an obvious stance for Apple to take. Change the tax laws.
Do keep in mind that we got the Magna Carta because the nobles and the church wanted limits on the power of the king, not because of the wishes of the people. So sometimes powerful interest groups do act in service of the common good and a stronger rule of law.

That said, 13th century England was not supposed to be a government of the people and for the people, so being in a similar situation now is arguably less than ideal.

Maybe 13th century England was not supposed to be a government of the people, but arguably all governments claim and have always claimed to be for the people.
Eh, I'm not so sure about that. We don't really have many even nominal principalities these days, so it's hard to imagine a state where both the people and the government are expected to serve the sovereign as a matter of course. But republicanism is more the outlier, historically, even if it enjoys a lot of contemporary success (whether in practice or in theory, is a matter of some debate, but nonetheless...).
Not really. Kings and emperors might have had a moral duty towards the people, but that is hardly equivalent to them "serving" the people or governing "for" the people. Then there are colonies like the Belgian Congo and some Spanish possessions in the Americas, which were very explicitly run for the benefit of the respective European crown, not their inhabitants. Theocracies have generally been about pleasing God, not the people, with the underlying assumption that God's plan is definitionally the best for the people and that the priest class has unquestionable knowledge of such plan. There are probably even more examples.

Governments explicitly "on behalf of the people" are more or less an historical rarity, even if all governments have needed to keep people below the successful armed revolt threshold as a practical matter.

I'm sure the people did wish for it, but not being able to afford armor or horses their voices where not heard.

You're ignoring the desires of the people simply because they didn't have the political leverage to gain them.

No. I am not. I am just saying that they weren't the defining factor in the decision back then, and they don't seem to be the deciding factor in the decision now (but that might come down to bias in which segment of "the people" I hear from the most).

I am saying that powerful interest groups can, occasionally, half-by-accident, represent the best interests of the powerless. We probably shouldn't rely on them to do so, and it is not the ideal state of affairs, but it can happen.

I think it was either this study [1] or another more recently that discussed how the only times our democracy/republic represents average people's interests is when those interests align with those of more powerful groups. Virtually every time they did not align, the government did not support the average person's interests.

Thus, furthering lazaroclapp's point that sometimes there are special interests (the church, companies, nobles/rich people) that are aligned with average people. That is beneficial for society, but it in no way is a solution to the problem. We need to actually restructure our government so it is not an oligopoly.

[1] http://journals.cambridge.org/action/displayAbstract?fromPag... http://www.telegraph.co.uk/news/worldnews/northamerica/usa/1...

If only corporations truly had the interests of the citizens at heart.

-- Speaking at the Mobile World Congress, an annual tech and telecommunications conference here, Mr. Zuckerberg said that Facebook would play its part in the fight against global terrorism, but that weakening the digital security of technology companies was a bad idea.

-- “I don’t think building back doors is the way to go, so we’re pretty sympathetic to Tim and Apple,” said Mr. Zuckerberg, in reference to Apple’s chief executive, Timothy D. Cook.

That's about at weak as "protection" gets. He's giving a speech at a tech conference so he needs to mention the elephant in the room. He hedges, knowing that consumer trust is the cornerstone of Facebook's ability to collect and monetize data. That he needs to throw cautious support to Apple to have the people on his side, but that he also needs to show that Facebook is against terrorism. Because we all cower like a fucking scared bunch of children whenever we hear the word "terrorist" and we want to feel like we're so important that the security of our stupid instagram pictures, grocery lists, and sexts is that fucking important.

True, it's not his place to speak his mind. He needs to speak for the thousands of employees at Facebook. He needs to speak for their stock price, their financial well being, their ability to send their children to college, to show up to work happy that they are the scions and mechanics of a good, benevolent engine of prosperity, peace, and progress.

Therefore, it's pointless to listen to what any of these people - Zuckerberg, Cook, Pichai - say. They speak for their companies, big, gray amalgamations with no feelings, no brothers, no father or mother, just a lot of interchangeable children and no goddamn soul.

They speak for the business decisions that will keep their investors, boards, and employees happy. They could have extremely radical or enlightened views about encryption and terrorism, but they shut up and they do their job - make the stock price go up. Play up our protection of the consumer, but make sure we're still open to spying for the FBI and the CIA. Talk both sides of the issue, leave everyone feeling happy, let the storm roll over, keep making money.

It's just business, nothing personal.

I think free market has always done a better job of protecting Individual liberties from the government. In fact a lot of Americans take for granted what these profit mongering corporations are doing for them. If this had to happen in China or India the corporations would bend over and grease up because there you wont succeed without government's approval at every step.

I really wonder what Apple would do if Chinese government asks similar backdoor. May be they have already complied.

When has this free market existed? And how has it not been explicitly provided by the government; what markets we've had at various points in history have always been fought for and defended from others by their parent governments.
That is the only job governments are supposed to do. Protect freedom of its subjects from outsiders. You cant credit the Bank's security guard for the wealth that the bank builds.
You can when the bank was created by the guard in the first place.
Before you get too breathless over this, know that Apple has been unlocking phones for the government, in nearly this exact situation, for a long time now:

http://www.npr.org/2016/02/22/467602161/the-seeds-of-apples-...

This is an entirely new stance from Apple. Historically, they've been on the other side.

They were pretty clear that there are major differences in the case in the article you linked to. It's not rare for a company to provide info/help to law enforcement when asked/compelled. It was easy to do on iOS 7. The ask in this case is totally different.
"They were pretty clear that there are major differences in the case in the article you linked to."

No, there really aren't. From the article:

"The cases are different, but the underlying legal question is very similar," says Alex Abdo, a lawyer with the American Civil Liberties Union. "The question in the New York case is whether the government can rely on this very old statute to conscript Apple into government service."

Moreover, the "ask" in this case is nearly identical. Apple is being asked only to bypass the 10-failed-attempt device wipe, so that investigators can enumerate all 10,000 codes:

http://arstechnica.com/apple/2016/02/encryption-isnt-at-stak...

...which means that it's effectively exactly the same thing that Apple has done in previous cases. The only technological difference is one that has been manufactured by Apple.

This whole thing boils down to a question of whether or not Apple should facilitate a brute-force attack on a single phone, under a search warrant, for a known criminal. And they've done same thing 70-some times in the past.

but it wasn't a brute force attack those 70 times so how is it the same thing?
This is also a brute force attack. The terrorist had a four-digit passcode. They're going to try 0000-9999 and find the one that works. They just need Apple to disable the software that wipes the device after ten bad passcode attempts.

Everything that you've read about a "backdoor" or a "key" is totally uninformed commentary on the matter. The intarwebz are outraged (outraged!), but they don't even understand the debate.

>this is also a brute force attack

The other times weren't though.

> they don't even understand the debate

Look in a mirror lately?

Yes, they were. Apple installed software which brute-forced a four-digit PIN in those other cases, same as what's being asked here.
This is not true. Such tools exist, but are not what Apple used. They just extracted data. It wasn't encrypted so that was all they needed to do.
It is just as easy to do in this case. iOS 7 does not include code for extracting data from a locked device. Apple flashed a special build onto those phones to do that. Similarly, Apple is being asked to flash a special build that allows PIN brute-forcing, and if they don't want the build to leave their premises, they've been given the option of brute-forcing the PIN themselves.
The order explicitly requires the cracking tool to not be written to flash.

Just as easy? Maybe if you ignore the effort to create it and secure it. I really can't believe writing secure software is being trivialized in the comments here.

That part is exactly the same as what they've done 70-some times previously. They didn't make some FBI agent sit there and tap out 0000 through 9999...they installed a piece of software to do it quickly. The software was signed with their key so that it would install on an iPhone.

The only difference is that this time the software they install would also have to turn off the delete-after-ten-attempts thing.

(You're probably having a hard time with this because the debate sounds absoultely ridiculous when the facts are laid out plainly. Totally understandable. The technical debate is absolutely ridiculous. The legal debate is the only one that matters, but it's not technical at all.)

Arguably, one of the reasons that Apple implemented the security measures they did was to get rid of similar situations. That's why there was kerfluffle about it when they announced it.
Not at all, this time would require Apple to literally sign a lie.

Also, before had zero risk of going wrong. This is difficult and already fucked up by the FBI.

Especially given that corporations only exist through an exercise of government power.
Well who the heck do you think run corporations?
Apple has an incentive to serve its customers and provide a product that they want. Governments have no such incentive and indeed do their best to ignore the wishes of their "customers." Companies measure success by profit. Governments measure success by the whims of unaccountable bureaucrats and egomaniacial politicians.
The kind where we've allowed the GOP and Roger Ailes' propaganda apparatus to demagogue about terrorism and security for far too long without challenging the lies, and so now we have a population which has been thoroughly groomed to accept this kind of dangerous trespassing on our privacy without objection.

So Apple is all we've got left. The top-rank leftists in our politics today—Hillary, Sanders, and Obama—are all failing us.

Failing? No, Hillary and Obama are giddy participants, eager to push forward the exact same agenda you're talking about. They are the political creators after all, directly responsible. Hillary couldn't be more of a hawk and Obama has pushed forward on spying at every opportunity. Ailes? Laughable compared to real political power in DC; Obama is the head of the US military and NSA, he's the one choosing to push the actual programs forward. You might as well try blaming Glenn Beck or Sean Hannity, they're sideshow clowns next to real power.
I don't often find reason to praise Facebook, but this would be one.

When news of the FBI's demands to Apple first appeared, I hoped to hear from Google, Twitter, Facebook, and Amazon, as online service providers. Mozilla and Wikimedia as related infrastructure. Also Samsung, LG, Lenovo, and Dell, as hardware providers, and T-Mobile as a mobile services provider (AT&T and Verizon are assumed to be in the tank with the FBI/NSA/CIA).

This puts the list of supporters at Twitter, Google, and Facebook. Good work.

Waiting on Microsoft and Amazon.

https://plus.google.com/104092656004159577193/posts/PyMCaHdE...

>“I don’t think building back doors is the way to go, so we’re pretty sympathetic to Tim and Apple,” said Mr. Zuckerberg

Shortened the article for ya.

Nice one.

And not only that, but "backdoor" isn't accurate. It's not what has been requested. "Backdoor" sounds more provocative though, and helps build numbers for the Apple side of the debate.

If Apple can crack the phone open, let's see it happen. And then after that, they should improve iOS security so not even Apple can crack it.

I'm not impressed that Apple can if they wanted to, build in a system to weaken my phone's security. They should patch that opportunity in the next release.

Backdoor is not what is not mentioned today but it is what will be sought when Apple does make an unbreakable phone.

If a loudly media backed ruling to force Apple to comply with the FBI is then followed by Apple making a phone which makes it impossible to comply with such requests in the future, it will much easier to get legislation or rulings requiring the all phones have an inbuilt backdoor.

This is why the FBI is forcing Apple specifically to do what they or another organization (eg McAfee) might do. Especially since the phone in question, while spectacular from a media perspective, probably has very little interesting on it.

What Apple should have done is quietly comply and NOT set a precedent. Then quietly make it impossible to comply on later phones. Instead they're making a scene about an issue they probably will and should lose.
The order came from a public court. According to an article in the nytimes Apple asked the FBI to keep it secret.
I understand your point. But I think too many people have already hosed down the idea of true backdoor features inbuilt for all phones to get around encryption. It was raised previously, and smacked down by the majority, including from many voices within the government.

I think honesty is the best option. Apple should say "yes, we can help this time, but we believe in privacy and security, so in future our phones will not be able to be cracked by this or any method". Apple gets to be the good guys for customers, AND help the FBI in this instance. Win win.

In future, the FBI couldn't ask Apple anything because we all know their phones are unbreakable.

But Apple have dug themselves a hole this time by refusing to go the full distance even though it's technically possible. Probably not the best move IMHO.

I'm of course only presuming it's possible to make such an unbreakable phone in future.

This article does nothing to explain anything that Zuckerberg said that might illuminate his position.

All he said, according to this article, was:

"I don’t think building back doors is the way to go, so we’re pretty sympathetic to Tim and Apple.”

“It’s disappointing to the mission that we’re trying to do.”

We're talking about a company that gives away your information to FBI, CIA, and publicly via an API. Of course they are going about it the wrong way - you just simply give them the data to begin with, as a business model.

"While these companies have said they would comply, when legally obliged to, with handing over information on their users, they say they believe that creating technological back doors to their digital systems can lead to potential abuse by governments worldwide."

This article is overlooking that it's not only governments that people would have to worry about if intentional backdoors are implemented.

Facebook don't encrypt our private chats to my knowledge and I have read articles of immigration agents having access to private Facebook chats [1].

So given this seems to be the case, isn't Zuck a huge hypocrite and this is just a PR stunt?

[1] https://news.ycombinator.com/item?id=5864427

I might be conspirator here. but I heard Apple did worked with govt several incidents. This whole thing appears like a setup to trust these corporations who's bread and butter is selling our data for profit.(where does ethics come here?). a company which bought WhatsApp for billions of dollars and providing service for free is not doing a charity. especially it's stock holders won't be happy about it. it appears like a setup to gain trust on these corporations which govt, corporations continue to use. I don't have a problem personally, if it helps to catch a terrorist. but I dont trust profit based corporations talking about ethics. it's just a PR stunt.
Zuckerberg seems to be a bit of a fair weathered fan for privacy. Facebook has traditionally been very if not entirely compliant with providing government agencies with data. Due to a couple occurances with my personal use of Facebook, I have found that it is quite likely that they even do extracurricular surveillance as well. Just my opinion
If we want to keep fighting issues like these we need all tech companies / CEO's to voice the issues with these problems and all future tech related problems, these lawmakers really shouldn't be allowed to make laws without the backing of all / most / reasonable number of the tech giants, just because "GoDaddy" supports it isn't good enough, if "enemies" are on the same page with a bill then you might be in the right direction.
Can somebody explain to me why Apple couldn't create this exploited OS and restrict it to only run on the specific device in question?

If that's the case, then they could post the source code on Github and it wouldn't make any difference. Modifying the code to remove the device restrictions would invalidate the signature and any iPhone would refuse to run it. Isn't that the whole point of code signing?

I'm finding it hard to see how Apple's stance is anything other than meaningless grandstanding. Since the vulnerability already exists, the security of similar iPhones is currently reliant on the security of Apple's private signing key. After releasing this exploited OS, the security of similar iPhones would still rely on the security of Apple's private signing key. Nothing at all would change, it's Apple's fault for allowing this vulnerability to be there in the first place.

Where am I wrong on this? I've been hoping Apple would answer this question for me but instead I've just gotten more hyperbole.

There isn't any fool proof way to single out this device from any other. There are certainly ways they could try and build something that relied on checking the serial number, or something of the like reported by the hardware.

But then someone could just build a hardware level hack, to make any other device report it's serial number as if it was this phone.

Surely there must be a way to securely identify an iPhone by more than just its serial number. If that's not the case then isn't that a security issue on its own?
Not if nothing really relies on that serial number, right?
They probably could build a version of the OS that worked only for single devices. In the latest court case about San Bernadino, that's what the FBI is asking for. There's a unique device id, as I understand it, that the OS could detect. I believe that Apple is opposing it on principle, and out of concern of the precedent that it would set. Once it's been done once, the fact that it's been done will significantly lower the bar for it to be done in other circumstances.
That interpretation doesn't seem to line up with what apple stated.

> "Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control."

The part about being able to guarantee such control seems to indicate that future requests may not require Apple's involvement.

FYI, just because Apple said it doesn't necessarily mean it's true.
The CEO made a public statement. Any number of his employees or security experts could call him out if he were lying. You think all computer security experts are in cahoots on this?

Cook could have lied and said building a special OS was impossible. But he didn't because he knows someone will find out. When you're facing a subpoena, you don't knowingly lie.

No but you can get away with pretending to be an idiot. Or forgetful.
I think you greatly underestimate what it takes to rise to the top of a tech company. Pretending to be an idiot in tech matters doesn't generally work.
> When you're facing a subpoena, you don't knowingly lie.

Not that I believe Apple's CEO is lying, however…

You don't knowingly lie if you think the risk of getting caught is unacceptably high. That last part is important, I think, and indeed, you state, "because he knows someone will find out", so I know you get it. However, I don't think we should forget that a great deal of the concern we have presently in this thread about the government's capability in introspecting our technology is indirectly the result of the DNI lying under oath¹.

¹I know your post says subpoena, but it seems similar enough that its worth reminding…

No employee at Apple is going to call him out on it, and everyone else can be written off as speculating.

Additionally, that letter is written with very carefully fuzzy language so as to remain true-ish.

As in, Apple can't make this change and guarantee that nobody else will use it. In the same way that any software change (which they do regularly) could open up a security flaw. That doesn't mean it's likely, or any more likely than any other software update.

> No employee at Apple is going to call him out on it, and everyone else can be written off as speculating.

I wouldn't put it past the NSA to have snapped up a former iOS developer for explicitly the purpose of breaking into iPhones. An ex employee could certainly call him out.

> Additionally, that letter is written with very carefully fuzzy language so as to remain true-ish.

Cook is trying to be as clear as possible to a public who doesn't understand encryption or why Apple is standing up to the FBI. That's a lot to swallow, and yes his letter is carefully worded for good reason. Given that there is a backdoor that Apple could create, it's not unthinkable that with more details, 3rd parties could figure out how to get in too.

> it's not unthinkable that with more details, 3rd parties could figure out how to get in too.

This sounds like a misunderstanding. No clever third parties are going to find a way to break code signing. To exploit the security hole Apple already created would require having Apple's signing certificate so that a phone could install the code. If it wasn't for the certificate, it would be quite a bit more trivial to hack a firmware to do a malicious thing and install it on any phone.

Yes, it's clearly on principle, or more likely for PR. But the problem is, there is no principle here. What, that a company should be able to refuse legal requests for evidence? I would HOPE the barrier to entry would be lowered after this. The FBI shouldn't get a rubber stamp to search information like this, but if they DO have probable cause, of course they should have access. Apple has zero legs to stand on here.
It's not a request for evidence. If it were, there would indeed be no leg to stand on. It's a request to do work. It is a legal compulsion to build something against their will.
What request for evidence can you imagine that doesn't involve some work? It always involves some, maybe even a lot. They're not trying to get Apple to write a whole new OS despite how Apple is trying to spin it.
It's a demand for invention, and the legal precedent it sets is that the government can just tell a private company "we tell you what you have to invent, because the law says you have to turn over all information we need."

Except that invention != turning over information.

The Justice Department would like to change this, so that complying with the Writs act literally means doing anything they tell you to do.

Which is a massive, blatant power grab.

Calling it an invention is a misuse of the term and puts writing software on an undeservedly high pedestal. There is no "invention" here except in the sense that an Apple copyright lawyer might say. That is, trivial obvious changes.
That's just silly. The "pedestal," as you call it, that they're defending is a non-insane interpretation of writs.

If the government wants to go past that, pass a law, and hope it doesn't run afoul of the Constitution.

For instance, there's also a law that compels telecom providers to give the government cooperation in installing monitoring equipment in their pipes. But that's an exceptional situation, which is why they had to pass an additional law: it does not just follow from All Writs.

It'd be the same if Apple was building a sewer system:

---

FBI: "Hey, company building a sewer system!"

Apple: Hi.

FBI: "We have an ongoing investigation, and need your cooperation."

Apple: Rock on. I'll comply with the law! I have access to the system at all of these points. If you need access to that, just ask.

FBI: "No, we need access to a specific toilet bowl in a specific house."

Apple: ... I don't have access to that. They haven't flushed it; it's still in their house.

FBI: "Yeah, but you designed the system. So to comply with our request for information, we need you to come up with an easy way for us to break the system."

Apple: Break it how? Gee, FBI, this sounds a lot more involved than just giving you access to some information.

FBI: "No, this is just like turning over some papers. Now, we need your engineers to drop everything and immediately come up with a foolproof way of suddenly, and violently, reversing the flow and pressure of any arbitrary customer's toilet so that we can use it to propel an FBI Fecal Trawler drone into their house."

Apple: Whoa. You're asking us to develop, for you, a massive new operational capability. But there's not a law that compels us to suddenly spend our time being FBI contractors! Also, if we develop this the way you are asking us, that means many of our engineers will be working on, and learn how to, turn our toilet connections literally into deadly weapons! That's just ... gross, and immoral! And probably a breach of our duty to our customers!

FBI: No. It's law. Turn over our writs.

Apple: This is insane. You got laws passed to make telecom companies do this kind of thing -- I'm sorry, but until you get a similar law passed, and have to take it before the public in the way that will entail, I really think this is government overreach! ... Why are you even talking to me about this? Go in through the front door or something.

FBI: We threw the key away.

---

And yet the reporting on this story continues to be "Oh, Apple, why you can't be like those good nerds on </scorpion> who know how to help their country?"

Apple has explicitly stated they can do what is asked at every opportunity.

You ever been responsible for writing secure software? It isn't easy. Locking it down to a single device is in principle possible. No one wants to be responsible for really doing it though if they can avoid it. Especially not when it is obvious this is not a one time thing. Not at all. You think every device manufacturer can do it without error too? There will be a lot of secret cracking tools if this gets started.

Is it really that hard? Just make the very first thing executed a check for the specific device ID and crash immediately if it doesn't match. Since the code is signed the check can't be removed or changed.
How would you do the check? One must ensure that the ID can't be spoofed on the way to the code. This would only be the case with very special hardware. AFAIK this isn't the case here.
There is a way in but it's a lot of work. They have to create a new weird custom build of an OS with modifications and try to ensure it only works on a specific device (and that the code that makes it work on one specific device and not others can't be circumvented). To do it once? Sure. For San Bernadino terroists? Sure. But there are hordes of prosecutors across the country who have already reported in that they have stacks of warrants for iPhones ready to go, requesting a special build, engineer time, and a complicated procedure for every single one the moment the precedent is established.

So the real question is: Can the FBI compel apple to create a "department of helping the FBI hack into iPhones?"

Correct me if I'm wrong but Apple would be allowed to charge law enforcement a reasonable fee for the service, right?
I'm really trying to figure out what this case is really about, vs. what the players are saying it is about.

The government says it just wants to unlock this one iPhone. But is it really just looking for a legal precedent in a case that the public is likely to support the unlocking?

Apple says is it afraid of creating a "master key" that could fall into the wrong hands. But doesn't it already have such a key, in the form of a signing key controlling what payloads the iPhone will agree to load? Is Apple primarily concerned with both precedent and perception of security on its phones?

I personally feel that any mechanism by which iPhones could be unlocked with a warrant -- but only with a warrant (ie. the gov't physically lacks the capability to do it themselves) -- is a good compromise. It's in Apple's interest to push back on such requests, so you have two powerful and well-funded entities adversarially fighting to define the line of what can get unlocked and what can't.

Now NSL's, those are a whole different kettle of fish.

The problem is that there is no mechanism by which iPhones can have a back door, but only for the good guys and only with a warrant. That does not exist. And it never can exist.

There is no grey area for compromise here. The encryption is either secure and free of known backdoors—and thus it grants real security—or it isn't, and it doesn't.

You are making that up. Of course there is such a mechanism. What do you think software signing is but a way for the good guys and only the good guys to run code on your device? It's exactly the same. All Apple has to do is make a piece of software that only runs on this phone and sign it. Then nobody can be attacked except this one phone. And it had to go through a warrant and all!

And to your last point: this software is not secure. That's why we have this backdoor option.

(comment deleted)
(comment deleted)
(comment deleted)
Now wait. If the passcode is complex then it is secure, which is a very typical requirement for security.
Which doesn't change regardless of the outcome of this FBI case.
Indeed, people who valued their security highly, like terrorists, would still have security, but the common person would not.
(comment deleted)
The problem with that thinking is that there is no firm definition of the "Good Guys", and the guys you think are good today, may not be so good tomorrow.

> this software is not secure. That's why we have this backdoor option.

It's not perfectly secure, but still awfully secure if even the US Government can't break it themselves.

> still awfully secure

I believe they were just sloppy:

http://abcnews.go.com/US/san-bernardino-shooters-apple-id-pa...

"San Bernardino Shooter's iCloud Password Changed While iPhone was in Government Possession"

The information wasn't "awfully" secured.

After watching this whole thing play out, I'm seriously wondering whether 'sloppy' was actually 'on purpose because this is a great chance to establish precedent'.
> All Apple has to do is make a piece of software that only runs on this phone and sign it.

(Emphasis added)

Just wondering how they can manage to produce something that will only run on this phone?

Easy. Since iOS software must be signed by Apple they could simply hard code a check for a specific device ID, and immediately exit if it doesn't match. Then they sign that specific binary.
(comment deleted)
That isn't really easy.

99% of the phone can be tampered with when running, after the signature is checked at install. They'd need to put that check in the secure enclave to make sure that it wasn't simply bypassed. That might not even be possible on that model.

By your definition then, the iPhone doesn't grant real security since Apple is capable of installing this modified iOS version.

So given that the iPhone is not secure, what do you think about whether Apple should execute this court order?

The iPhone does grant real security, it just requires the user to choose an encryption key that isn't trivially brute forced. (And depending on the circumstances, forego use of the fingerprint reader.)

If the dead attacker had a twelve character passphrase, any amount of help from Apple would be utterly useless. Apple could write all the back-doors they liked but if the content is encrypted and the key is unknown, brute forcing is the only option.

The addition of the secure enclave makes it potentially infeasible to extract the UID so that the brute forcing could be performed on a powerful supercomputer. It depends how well the enclave has been hardened against firmware changes. Can the enclave receive a seamless firmware update while in a locked state? Can the enclave firmware be rewritten to output the UID to the main CPU? We don't know.

The iPhone is secure when used with a complex passcode (something like 11 years to crack an 8 character password), even if Apple aids the FBI. So individuals who know and care enough, like terrorists, will still be just as secure.

But common people won't. So no, Apple should absolutely not destroy the security of hundreds of millions of individuals just because some government agency wants a shot at access to some dead guy's phone.

What happens when the PRC or Saudi equivalent of the FBI demands the same for an FBI agents phone? Why should the populace and Apple have to suffer for making the world more secure?

(comment deleted)
> So no, Apple should absolutely not destroy the security of hundreds of millions of individuals

Wait, how did you get to that point?

(comment deleted)
(comment deleted)
(comment deleted)
I'm pretty sure iOS updates are signed per device, as that's why everyone backs up their signatures for old versions (so that they can go back while Apple isn't signing them). So Apple could only sign this backdoor for one device.

http://www.saurik.com/id/12

Did you miss the part where the government said they were fine with Apple keeping the custom iOS software version in their possession, and not giving it to the government?

http://www.nytimes.com/aponline/2016/02/20/us/politics/ap-us...

"Apple may maintain custody of the software, destroy it after its purpose under the order has been served, refuse to disseminate it outside of Apple and make clear to the world that it does not apply to other devices or users without lawful court orders," the Justice Department told Judge Sheri Pym on Friday. "No one outside Apple would have access to the software required by the order unless Apple itself chose to share it."

(comment deleted)
This argument just doesn't add up to me.

Regardless of this court order, Apple already has possession of keys that can sign iOS updates to disable security features. So this "master key" already exists.

Meanwhile the government is saying that Apple can delete the tool the moment after the court order is executed, so then what is there to steal?

I just don't get the argument that this tool is any more of a "master key" than the actual "master key" Apple already has.

This begs the question: can FBI in theory write the modified OS without Apple, and just command Apple to sign it with Apple's private key so it can be loaded without knowing the passcode and booted?
(comment deleted)
(comment deleted)
Monday, create a tool for phone A. Tuesday, delete the tool. Wednesday, recreate that same tool, but now for phone B. Thursday, delete the tool. Friday, recreate that same tool, but now for phone C. ...

What do you think is going to happen? Oh yeah, there's the git logs too.

This is not about one phone. It never was. It's about establishing a behavior.

Also, there's no master key. It does not exist. Apple does not have an "actual master key". Maybe Google does, but Apple has said quite clearly, that no such software or key to decrypt phones exists.

The master key they have is the ability to sign firmware updates for all phones that could disable security. The point is, it isn't a new master key. If the key was somehow lost, Apple phones would be vulnerable, just like in the dystopian hypotheticals being thrown around here.
You're thinking of this from the wrong angle. What the FBI is working to build is a legal master key to get information from modern smartphones. It's not difficult to determine this is their objective, as the director of the FBI has asked for as much from Congress.

If you didn't realize that, it's easy to see how you're caught up in the wrong argument.

The problem is, Apple designs the software, loads it onto the device, and gives it to the government so they can do their brute force on it.

What's preventing the government from just copying the software off the device and keeping it for themselves? Obviously they'd have to do some work to make it universal, but do we really think an agency with pretty much unlimited budget, and brilliant mathematicians, couldn't get it done?

Interesting question. I don't know the answer but would be interested to hear anyone with more information weigh in.
"To do some work to make it universal" = code change = thrown hash (the signature which requires the Apple key to create, and proves the software hasn't been tampered with, will be broken/no longer valid)

Cryptographic hashes like SHA and AES are designed for "dispersion" meaning, in the idea case, flipping only one bit of the input leads to a 50% probability of every single bit in the hash flipping. So while it's theoretically possible to make a change to the code, and find a way to insert that change that both (1) does the same thing and (2) hashes the same way as the original build, it's probably beyond the realm of what even a motivated attacker could do today.

The warrant allows that the phone could be entirely in Apple's possession with the FBI having only programmatic access to the PIN input. Imagine, say, an isolated SSH server with serial access to a PIN input API.
(comment deleted)
did you miss the part where the government said they would never do this ever again?

once the precedent is set, the floodgates will open.

My understanding was that the malformed update would allow them to bypass the 10-attempt limit and also the delays between attempts, allowing a brute force attack. Meaning a device with a sufficiently strong password would still be capable of being secure, barring any secret government technology that we don't know about that can crack 64 character random passwords(which probably does exist).

HOWEVER, if I'm not mistaken, the newer iPhones (the one in question is a 5c) hold the delay-between-attempts limit IN HARDWARE, so a firmware upgrade would do nothing. The encryption is all done in dedicated hardware on the device. Someone please correct me if I'm wrong.

You're correct. Each attempt takes 80ms as a hardware limitation.
Each attempt takes 80 ms. That's in hardware. There is a separate retry delay that increases exponentially then tops out at 1 hour per unsuccessful attempt. The 10-try limit is the number of consecutive unsuccessful attempts before the device erases its stored encryption keys (effectively wiping itself).

It seems that the attempt limit at least is not hardcoded and can be updated, as it has been increased in the past by an iOS update. I would suspect the same is true for the attempt retry delay time. Either way, this is only specifically applicable to devices newer than the 5c, which doesn't have a Secure Element (or "Secure Enclave" in Applespeak).

In any case, given a software image made to the FBI's specifications, the time to crack a phone depends on the complexity of the user passcode. If the user had a 4-digit numeric PIN it could be cracked in under 15 minutes. On the other hand, with a sufficiently complex passcode the expected time to brute force the device could be literally in the millions of years.

It is about the precedent. Consider that the current fully secure Apple device situation is point A, and the fully exploited your private data is easily extracted by criminals easily cracked Apple device situation is point Z.

The FBI is currently arguing for point B - just this device. The argument is - it is so close to point A, there is no issue!

If the FBI wins point B, then they will argue for point C. - it is so close to point B, there is no issue!

If the FBI wins point C, then they will argue for point D. - it is so close to point C, there is no issue!

Repeat over and over.

At about point M or sooner an exploit or the extraction processes to the gradually less secure device would probably become available to governments through means legal or otherwise and we would probably hit point Z straight away.

Apple are trying to stop the inevitable by not starting, the FBI are arguing for point B.

It's not just the FBI. If Apple builds an OS update to make that specific iPhone easier to unlock, they'll be setting an international precedent for all countries that they do business in. So the Russians, Chinese, Saudis, etc will see it as an option when they want access to a phone that they see as in their national interest to unlock. This could even lead to a phone with US state secrets being cracked for a rival country.
And they wouldn't just ask Apple.
And they wouldn't be limited to devices in their jurisdiction belonging to the dead or incarcerated. Governments can ask Apple or Microsoft to push updates that copy data to controlled cloud storage accounts. The unwitting target will just unlock their device in their home country like they usually do before the trojan security update starts working.
Yep. Imagine your flight through Asia making an unplanned outage in Thailand and finding yourself in prison as a result of the lese majeste laws[1]. Except instead of it being because of a public Facebook post you made[2] while in another country, it's because of a private text you sent.

[1] This is not an imaginary scenario. [2] This has actually happened.

Foreign countries do not need legal precedent to ask Apple to do things.
The domestic government doesn't need legal precedent to ask Apple to do things either; it usually just helps in the case of political cover and the inevitable pushback from the public or other branches of government.

With regards to international politics, if the USA can demand that Apple unlocks devices for any reason, then the US government will have a hard time defending a decision to aid Apple in resisting a foreign power when it requests the same broad privilege.

(comment deleted)
Somewhere in the middle, say point W, the image leaks and you wind up with the POTUS phone being tapped by Russia. Or by terrorists. Or a wanna-be POTUS assassin. It's worse than Pandora's box - once we open this box we will never be able to demonstrably prove that attempts to close it have succeeded, just like Ken Thompsons "cc hack"[1]. If and once Apple makes this image every Apple user on the planet, including the government, would be perpetually weary of it.

Basically, lim(consequences) = no guarantees that USA secrets are actually secret. If they can't keep the lid on one employee (Snowden) how on earth could they trust themselves with something this dangerous? 'Z' is inevitable.

The wording/example that Apple used really appeals to the common person, but you need to frame it for the government if you are talking to the government.

[1]: https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html

(comment deleted)
This is step by step slippery slope fallacy.

You are not addressing the issue at hand. You are instead arguing that if we somehow don't take your side here, then there will never be another point at which we can argue the pros and cons of possible subsequent escalations or refusals.

Which is why it's a fallacy.

I hadn't heard of this fallacy before, I agree that what I wrote may be interpreted as a good example of it. I shouldn't have used the word inevitable.

I don't think that if the FBI wins the current battle then all is lost. But I do think that the FBI intends to fight all the battles until they win the long game.

That said, I don't hold any side in the argument.

This is a valid pointing out of a common fallacy, and I do not think merits the downvotes.

The OP is using fallacious reasoning, even if it is accurate reasoning :-)

Alternatively, it may be an example of an actual slippery slope - and therefore not a fallacy.
That does seem to be the argument. It's a slippery slope fallacy. There is no reason to assume this sets any sort of precedent.

And it should be pointed out that point A never existed. Apple's device is not fully secure, or they wouldn't be capable of complying with the FBI.

Theoretical question: can the FBI create the modified OS without Apple, and simply command Apple to sign it with Apple's private key, so that it can be installed on this phone without entering the passcode?

Granted without the source code it would be quite difficult, but in theory, is signing the software with Apple's bootloader private key which is the same for each class of phones the only thing required?

Nothing, but that would be terrible. We WANT Apple to do it because they could ensure the software is device locked.
Apple could just bindiff to figure out what changed in the FBI's version.
Yes that would be possible.

It's weird to me that the phone will accept updates while locked...

> It's weird to me that the phone will accept updates while locked...

I suppose this was left there to be able to reset the phones to the factory state after 10 wrong attempts to enter the code.

If the government honestly wanted that iPhone cracked it'd turn to someone like Chipworks and simply subpoena whatever info they needed from Apple.

They're forcing Apple to kill its own children as a sick sort of game.

Apple's endgame is saving face and customer trust. Just last year they were touting customer controlled security and privacy. This year the FBI wants them to help access a phone and what do you, they actually can! Oops. Failure on Apple's part which I'll come back to. Now, it sounds to me like Apple is just going to disable the auto-erase on pin failure and retry timeout, but not many people will understand that.

The FBI's endgame is requiring companies to build backdoors into their devices. Once they are able to successfully compel a company such as Apple to help them break into the phone, they are very close to compelling congress to pass laws to require that the option be available in the first place. "Hey, the court told them to do it before so why should they be allowed to block future need?". Here is where Apple's screw up comes into play. After all this they could shore up the security gaps to further remove themselves from the equation, but after a successful court order the FBI will move to block them from making an even more secure device.

IMO the main issue is how far the government can lawfully push a third party to help with an ongoing investigation.

Putting aside the technical issues for a minute, let's say everyone agrees Apple ought to help the US government's investigation of the San Bernideno terrorism case. Fine, and Apple might want to help, but how does their desire to help weigh against the hassle and expense of creating a new build of the OS every time something bad happens? Will it eventually get to a point where every impounded phone, of which I have to believe there are millions, can have a warrant issued and Apple has to help get the data out? They'd have to set up an entire department just to comply with the FBI's requests. At the scale of global law enforcement, it doesn't look so unreasonable that this ongoing nusiance will cost a ton of money and impair their ability to operate for their shareholders.

There's the encryption stuff, and how we have a right to privacy, but the real question is just how far a company has to go when the government asks for help with an investigation.

Corporations make good PR so you can trust them with more of your personal data, while PRISM still is operating, Facebook and Apple are still cooperating with NSA.

The more and more NSA friendly corporations back Apple the less I trust all of them.

> while PRISM still is operating, Facebook and Apple are still cooperating with NSA.

[citation needed]

>I'm really trying to figure out what this case is really about, vs. what the players are saying it is about.

If the government hacks the iPhone themselves, they don't get the legal precedent they are so desperate to establish in this case. This paves the way for legislation that forces technology companies to install backdoors in software/hardware. This case is not about the data on the phone itself, the government is simply continuing the crypto wars.

https://en.wikipedia.org/wiki/Crypto_Wars

The government is not capable of hacking the phone themselves.
I think that Apple is concerned about class action lawsuits that will target Tim Cooks claims that not even apple can access customer data.

They are really in a terrible position. No CEO wants to do interviews dedicated to a conflict with law enforcement. This is about a massive pile of unaccessable cash and the threat of a major lawsuit.

It makes sense that cook wants to invest in legislators who will listen to their lobbying cash and provide class action protection over gambling in the courts.

Facebook 'protecting' user data is so laughable that it suggests this is all public reassurance theatre.
Good for Mark. Not an easy position to justify to shareholders. I can think of one ceo who is outrageously cowardly in contrast.

http://arstechnica.com/tech-policy/2016/01/att-ceo-wont-join...

That's unsurprising. Didn't Snowden say AT&T was always willing to help the NSA?

Plus their CEO studied accounting. When you see a tech company led by someone without an engineering degree or somewhat similar experience, its days are numbered.

Don't forget, one of the issues is: on which legal basis is Apple requested to help:

The question is, is this act (the whole text follows):

https://en.wikipedia.org/wiki/All_Writs_Act

"(a) The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.

(b) An alternative writ or rule nisi may be issued by a justice or judge of a court which has jurisdiction."

a reasonable legal ground in this case to demand from a company to change their products, in this case make a special version of the operating system? Is this act good to mean "we can order anything to anybody"? Especially when there is "the Communications Assistance for Law Enforcement Act of 1992" (CALEA).

"All Writs" appears to be too dangerous to be used for precedents like this one, "change your products to help us." What is the next requested change going to be? Give us the change you've made ("obviously not an "unnecessary burden" anymore"). Make more changes, permanently. ("you've agreed already before!").

More on All Writs Act of 1789.

The Dangerous All Writs Act Precedent in the Apple Encryption Case

http://www.newyorker.com/news/amy-davidson/a-dangerous-all-w...

"Tim Cook, the C.E.O. of Apple, which has been ordered to help the F.B.I. get into the cell phone of the San Bernardino shooters, wrote in an angry open letter this week that “the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create.” The second part of that formulation has rightly received a great deal of attention: Should a back door be built into devices that are used for encrypted communications? Would that keep us safe from terrorists, or merely make everyone more vulnerable to hackers, as well as to mass government surveillance? But the first part is also potentially insidious, for reasons that go well beyond privacy rights.

The simple but strange question here is exactly the one that Cook formulates. What happens when the government goes to court to demand that you give it something that you do not have? No one has it, in fact, because it doesn’t exist. What if the government then proceeds to order you to construct, design, invent, or somehow conjure up the thing it wants? Must you?"

I agree there's a legitimate question about the legal basis for the FBI's request. But assume rational behavior on the part of the FBI here: if they had a more solid legal basis for the request, why wouldn't they use it? The fact they didn't provide one implies the key issue in the debate is the extent to which private companies should legally have to provide help for investigations (bear in mind the FBI is fairly budget-constrained). I actually find it difficult to see a lot of malice in the FBI's actions. They've forced a "public" debate (really just within the tech industry, but I think that's the useful definition of "public" for this issue). I think it's disingenuous to complain about national security letters, then turn around and whip the FBI for bringing an issue more into the public consciousness. (I think they've taken advantage of the San Bernardino shootings to force the debate, but that's exactly how you force a debate.) Finally - I see the FBI's behavior as a sign of progress. This isn't the bad old days of Skipjack and NSA backdoors in Official Windows - times have changed, the tech has changed (and improved), but I see the government's behavior on the whole trending toward being more democratic, not less.
> They've forced a "public" debate

Didn't Tim Cook force it this time?

Prediction: within 2 years Apple will have iPhone 7s, on which no one can bypass the encryption no matter what. All they'd have to do is put secure enclave software into ROM burned at the factory, and make it self-destruct if it's tampered with. "Sorry officer, not even we can bypass exponential back-off on this CPU."
I'm not much for conspiracy theories, so I decided to make my own.

<tinfoil> What if the FBI's request is just a ruse to obscure the fact that the NSA has already unlocked & decrypted the phone and found evidence needed in the criminal charges? </tinfoil>

Please call your representative and senators about this. Not email, not mail - call. Even if it means holding for half an hour. It makes a difference, and they need to hear us.
The nightmare scenario is as follows.

Sure, unlocking this one phone sounds pretty reasonable. Apple will maintain control of the unlock mechanism, the FBI gets it warrant obliged, end of story. This is what the government side is spinning (see the nytimes op-ed today from William Bratton, NYC police commissioner).

The reality is that is not the end of the story. New York City has already said they have 200 phones waiting to be unlocked. Given an FBI win in the case, and Apple building the unlock mechanism, there's no reasonable defense against these unlocks. And this is just one city.

I wonder how many full time Apple employees would be required to service the steady flow of requests from law enforcement across the world to unlock phones. Hundreds? Thousands? I'm sure they already have law enforcement liaisons, but we're talking a whole other level of commitment in order to essentially create a worldwide law enforcement IT help desk.

Somewhere during the process of industrializing the unlocking of phones, a lot of people are going to start saying it would make sense if Apple would just provide the ability to unlock directly to law enforcement agencies. That would solve the problem of law enforcement heavily burdening Apple with all these requests.

Assuming Apple capitulated to that (presumably forced to capitulate because I doubt Tim Cook would do it willingly), we finally reach the nightmare scenario where access to the unlocker is no longer strictly enforceable and it's only a matter of time to where criminals have it. This is a true Pandora's Box, because there's no patch that will plug this hole.

This is a true slippery slope, in that its progression is all but assured. The only thing capable of stopping it is to have hardware that is incapable of having an unlocker created for it. Hopefully that's where we're at with newer phones, although that seems to not be fully confirmed. It's one thing for law enforcement to make Apple open a lock it has the capability to open. It's another to require that Apple make their product less secure than they otherwise would make it. I don't see that happening through the courts. At the very least, it would require an act of congress, probably followed with a lengthy court battle over the constitionality of such a requirement.

Apple should just build their sysyem so that it can not be backdoored. Make the TrustedZone non upgradable or give the signingkey to the use (Smartcard in the package of the phone). User can either keep or destroy the key, as they see fit.

More security for everybody. No backdoors. The FBI can as for speciak version all they want.

To be sure, they could still ask apple for a prober backdoor, but at least they can anker it to a individuel case.

Ok, a few question for someone who has been a bit too depressed to follow the latest evolutions since the Snowden revelations:

- If the NSA approached Apple to ask for the same, would it be legal for Apple to talk about it? To refuse it?

- Hasn't the NSA already done that?

- Would the Chinese government allow a non-backdoored iPhone on their market?

I am sorry but I really do not see any reason to believe that Apple's devices are not already rooted to the core. This one FBI issue seems to be a perfect PR occasion.

It's really is a win-win situation for both parties:

Apple gets to be shown as a customer-knight in shining armor defending their customers to the bone.

Government gets to convince public that they don't already have the data.