I don't think the genie can be put back into the bottle. If Congress passes laws to require it on US-bound devices, I could see interested parties importing from Asia and Europe and/or embargoes on our devices abroad.
It could hurt US companies abroad because they will rightfully think the US Gov't has a backdoor. I think Apple and Google would use their lobbying funds to make sure the author's hopes never happen.
> How is the public interest served by a policy that only thwarts lawful search warrants?
Perhaps the answer is that judges act as rubber stamps now, authorizing way too many search warrants. The author assumes that the judges are fairly applying the 4th amendment.
Exactly. Our government is as overbearing and oppressive as it's been in a very long time. I read somewhere that judges approve something like 99% of the search warrants presented to them. They no longer serve as a check on law enforcement.
I'd love to hear otherwise, to hear how judges are doing a good job balancing the interests of people against the interests of law enforcement.
I did not downvote you, but there's a perfectly good explanation for why 99% of warrants would be approved.
Consider that the police know what warrants a judge is likely to approve and which he's likely to turn down. Over time, police departments will learn to submit the warrants they can get approved and not bother wasting a judge's time with warrants that won't be approved.
So very high approval rates do not necessarily signal the loss of the judge's ability or willingness to check police power. Just that everybody involved is doing their jobs as professionals in their domain.
You can not say that about pursuing prosecution, as that is at least intended to be an adversarial process, anomalously high conviction rates do indicate to me a corruption of justice proceedings. Acquittals in China are quite rare, for instance. The reason is that the CPC considers itself the source of justice and sees no issue with doing away with impartiality in matters of political importance.
99% seems too high. On the other hand, outright acquittals are very low in Germany, as well (as they should be).
Outright convictions for everything the prosecution charged are also not too common, but that the prosecutor deems something illegal and grave enough to charge, the court concurs by opening proceedings, and then in the trial everything falls completely apart basically only happens when the trial brings a complete surprise with it.
And most of those times the "complete surprise" is just a key witness refusing to testify or not remembering anymore (as it happens too often in domestic abuse cases).
> there's a perfectly good explanation for why 99% of warrants would be approved.
Your argument is that the approval rate could be 99% legitimately. Even if true it doesn't actually provide any evidence that judges are not acting as a rubber stamp, it only attempts to discount some evidence in favor of it. Moreover, the fact that the approval rate is 99% is still evidence that judges are not being very critical in approving warrants. The high rate makes it statistically more likely that judges are approving warrants uncritically than would be the case if the rate was lower.
> Moreover, the fact that the approval rate is 99% is still evidence that judges are not being very critical in approving warrants.
No it is not.
> The high rate makes it statistically more likely that judges are approving warrants uncritically than would be the case if the rate was lower.
As I said in another sub-thread, you are going to have to explain the statistics involved if you want to make an argument from them. Otherwise you are just being circular. You cannot expect a statement to be its own proof.
Yes it is. There is no question that it is evidence, so you can only be questioning whether the evidence supports the proposition. You want a mathematical proof? OK. Without knowing the percentage of approved warrants we can't exclude the possibility that exactly zero warrants were approved, which would be a hard disproof of the proposition that judges are uncritically approving warrants. Discovering that the percentage is nonzero eliminates the possibility that it is 0%, which increases the probability that the proposition is correct. Continuing by induction, with each warrant not approved the possibility that it was approved uncritically is eliminated, whereas with each warrant approved the possibility that it was approved uncritically is retained. So the higher the percentage of approved warrants the more it supports the proposition that they are being approved uncritically. QED.
What you're arguing is that it's weak evidence. It could be that there were many legitimate warrants requested and few illegitimate ones. But that's a weak argument unless you can present some contrary evidence for the opposite position. All you're doing is claiming that the proposition hasn't been strongly proved, not proving it incorrect.
Your position is circular. You are defining 'critical-ness' with the sole criteria being the approval rate. If we accept that as the only criteria, then sure the proposition stands, but then it loses meaning and becomes nothing more than a rhetorical device.
Generally speaking, we mean 'critical' to involve the weighing of a decision against an ethical standard. Assuming the standard isn't changing, we would expect an equilibrium to emerge where the parties involved would come to understand the standard, especially given that the warrant process is not adversarial. So there's no reason not to expect the approval rate to settle at close to 100%, with the few denials being law enforcement attempts to skirt the boundaries.
Anything less than a very high rate would indicate that the standards are inconsistent or are being inconsistently applied. The only reason I can see to be inconsistent is to game statistics like this one that seem to mean more to certain people than they actually do.
> Your position is circular. You are defining 'critical-ness' with the sole criteria being the approval rate. If we accept that as the only criteria, then sure the proposition stands, but then it loses meaning and becomes nothing more than a rhetorical device.
There is nothing circular about it. There is no requirement to exclude other evidence. Regardless of what other evidence exists, discovering that there is a very high approval rate makes it more likely that warrants are approved uncritically than it was before the approval rate was known.
> Assuming the standard isn't changing, we would expect an equilibrium to emerge where the parties involved would come to understand the standard, especially given that the warrant process is not adversarial. So there's no reason not to expect the approval rate to settle at close to 100%, with the few denials being law enforcement attempts to skirt the boundaries.
The fact that the process is not adversarial only makes it more likely that judges are approving warrants they shouldn't be. Moreover, prosecutors have every incentive to try to "skirt the boundaries" as often as possible, unless the boundaries are so broad they don't need to be skirted.
> Anything less than a very high rate would indicate that the standards are inconsistent or are being inconsistently applied.
Or that prosecutors are continually testing the fences as they have every incentive to do.
> I read somewhere that judges approve something like 99% of the search warrants presented to them. They no longer serve as a check on law enforcement.
Where? Most sources I can find (usually focussing on individual departments) indicate rejected warrants applications aren't tracked, so there would likely be no basis for this conclusion.
Even if it was true, it would likely be misleading -- the fact that a warrant is approved doesn't mean its approved with the scope originally sought. Most sources I've seen also suggest that while rejections are uncommon, limiting the scope of the warrant is not.
I don't have a good source for my 99% comment for the general case, that's just something I ran across a while ago. However, Wikipedia makes the same claim for FISA warrants.[1] Of course, there is also some discussion that these are only "final" requests to that court.
Just using the FISA numbers as a starting point for discussion, I'm not ready to believe that 11 requests denied and 33,942 warrants issued is something that makes sense. I'd bet that the Russian Parliament is less of a rubber stamp on Putin. :)
I too was surprised by the author's question. It's as if he hasn't been following the news lately about the apparent impotence of the 4th amendment these days. Yet his wiki page says he "has been regarded as a leading scholar on Fourth Amendment jurisprudence in electronic communications and surveillance." In light of that, he comes across as extremely naive. (or worse?)
His Wikipedia page also relates his career in the DoJ and as a US Attorney, a very different background from the typical libertarian HN reader.
I don't agree with Orin Kerr on this, but I'm willing to accept that he's likely seen things about the day-to-day business of law enforcement that I just don't understand. It's worth us spending at least a few moments entertaining the thought that maybe we are the naive ones.
> but I'm willing to accept that he's likely seen things about the day-to-day business of law enforcement that I just don't understand...that maybe we are the naive ones.
I'm sorry, but no, no, no. I'm perfectly clear on what exactly this move by Apple enables, which is that more criminals -- some horrible -- will go free.
But context is important here:
1. By the same token, more innocent people who never should have been charged will also go free.
2. Giving up many of our constitutional rights would also result in more criminals being apprehended, but few of us would do that, because we understand the importance of these rights for our system of government. Why is this any different?
3. Most importantly, many of us would be much more amenable to a compromise here if the government hadn't horribly abused their power over the past 15-20 years. Prosecutorial misconduct and out-of-control blackops agencies have become such a problem that almost any solution is worth consideration. You think Apple would have done this if our government had a reputation for fairly using its power?
So no, not falling for the "we've seen things you kids would never understand" ploy -- that's been pulled on us before. It's not working this time.
Of course from his perspective, not being able to access crucial evidence puts peoples lives in danger constantly. So it's not that unreasonable of a position to take.
But he has been exposed to highly unusual circumstances with a high bias.
> I don't agree with Orin Kerr on this, but I'm willing to accept that he's likely seen things about the day-to-day business of law enforcement that I just don't understand.
Sorry, it's more likely he's just vested in the current (not-privacy-respecting) system of governance. One which has major drawbacks for many folks who are pushing the envelope or who just happen to be on the wrong side of one of the many folks who have access to the government's powers.
Besides, a sufficiently competent criminal could benefit from the same level of security that Apple allegedly provides, using crypto. If something is lawful and technically possible, making it available to the masses (under the assumption that Apple's statements are correct) does not sound like a bad thing.
The only really consistent position will become to treat a person's digital trace as we treat the contents of their head. The two are merging sooner rather than later.
I'll leave it to other hackers to put it more eloquently. Any means to bypass the encryption on iOS 7 and before are vulnerabilities that adversaries can use to bypass the encryption on iOS 7 and before. Apple is basically saying that they didn't build in back doors, which this author is making the case for. iOS 8 data is still available to the government by other means than warrants and at much, much, much higher expense.
i thought they salted user PINs with a hard-wired nonce that's specific to every device - then when the fuzz needs to get the device unlocked apple looks up what the hard-wired nonce is for that specific device, and then crack the 4 digit pin.
anyone have details on how apple actually unlocked devices?
>apple looks up what the hard-wired nonce is for that specific device, and then crack the 4 digit pin.
Not quite. There are two nonces involved. One is (probably) easy for Apple to extract (the randomly generated, re-writable value in effaceable storage) and the other is (supposedly) very difficult to extract, because it's burned into the CPU hardware. If all works as intended, the only way to extract the second one is to decap the CPU and read it with a microscope.
Also, you can have arbitrarily long PINs, including alphanumeric.
If Apple's security PDF is correct, the only obvious way Apple can break the PIN is via brute force, which I believe they claim to provide when LEAs request it.
"The first question is whether the government can lawfully compel the telephone’s owner to divulge the passcode. I believe the answer is that yes, a person can in fact face punishment for refusal to enter in the password to decrypt his own phone. If the government obtains a subpoena ordering the person to enter in the passcode, and the person refuses or falsely claims not to know the passcode, a person can be held in contempt for failure to comply."
Soooooooooo... there already is a legal mechanism to force the phone's owner to divulge the password. Why isn't that enough?
This actually isn't entirely settled law. Some argue that the 5th ammendment protection from self-incrimination would give someone the right not to give up their passcode. But different courts have ruled differently in differnet situations/jurisdictions, so far.
As mentioned in the article, the current (and consistent across existing rulings) legal theory is that the 5th amendment doesn't apply if it's already been "proven" that you know the passcode, since the self-incrimination is divulging the fact that you know the passcode to incriminating files (therefore, by implication you're responsible for the existence of said files)
And since you're not proving this to a jury, but rather a judge, the standard of proof is going to be pretty low for a smartphone. Orin Kerr thinks possession of a phone at time of arrest will be enough to prove to a judge that you know the passcode, and given how low-level judges operate in the real world I'm inclined to agree (in practice, not legal theory or what's just.)
Anyway, iCloud backups are still fair game, so it's not like LEOs can't typically get the information they want anyway even without the passcode.
Because most people use their phones on a daily basis, it would be rather difficult to convince a jury that you don't remember, especially when most, if not all, members of the jury will have a smart phone themselves.
I agree it's odd that they're actually marketting it as anti-law enforcement.
There are certainly other reasons to appreciate secure encryption though. But "not even a disgruntled apple employee, or one paid by your business competitor" brings up questions that are not good marketting to put in people's heads. Even "not even a hacker, cause we used actual secure crypto" is not what they want people to think about.
Now, personally, I include "not even law enforcement" in my list of attackers I'd like to defend from, and there's nothing wrong with that (and there's not supposed to be in America, the 4th ammendment and all). But the fact that it's actually good marketting generally (or at least they're betting on it) -- well, we have Snowden to thank for that. And I doubt it will last.
Also, of course, there are a variety of reasons the iphone crypto as a system isn't all that secure -- including but not limiting to the fact that we still have trust apple (we can't see the code, or the code in the updates pushed out regularly).
Not that I disagree that it's a benefit to make it harder for law enforcement
Apple's architecture decision proves a quiet point - that Apple feels it has been illegally pressured by the government (notably the NSA) to crack too many cell-phones, and that their own business and the rights of their users are at risk from an overly aggressive government. I interpret Apple's move as a self-defense mechanism to attempt to stop the immoral actions of a government over-stepping it's bounds, and to protect the people that Apple cares about most - their users.
The public is interested in (and is served by) a technical solution to lawful search warrants because the public no longer believes that lawful warrants are just.
While I do understand the situation the law enforcement is dealing with, it is not an excuse to not allow us to have complete privacy and full encryption support on our digital devices. Nobody including governments has any rights to have any access to my personal data. If I don't share it with anybody, it's mine just as my personal thoughts in my head.
I agree with what Apple is doing and I want them to do more. There are still some remaining holes that need to be closed up and all users should be encouraged to enable 2FA with the mandated switch in a few years.
Is this actually new in iOS 8? I thought this has been the design of iMessage from the beginning -- namely that Apple does not have the decryption keys.
What Apple does have is the directory of recipient public keys that your device should use to encrypt its messages. (Background: iMessage encrypts each message separately for every recipient device, which shows just how far Apple went to protect key security. Not only does Apple not have the keys, private keys never have to be exchanged among devices ever.)
But technically speaking -- I have no idea if they actually do this -- that gives them a way to insert a "wiretap" of sorts in the form of an additional, silent recipient that you don't know about. Think of it as adding another device to your iCloud account, only it's not yours. Still, this could at least be discovered by monitoring the size of the outgoing data to see if it matches the expected number of recipients.
The article is referring to the contents of the phone's storage, not iMessage. Apparently before iOS 8, Apple could decrypt the contents of a phone's storage, and would do so when presented a warrant.
The arguments in this article are hinged on one crucial premise: Apple stills owns your device even after selling it to you. This is different from gmail where your data is on servers owned by google. The analogy to this premise is that the producers of a safe that they sell to you must be able to provide the government a key to the safe. This clearly does not make sense, and neither does requiring Apple to always have a backdoor to your device.
The arguments in this article are hinged on one crucial premise: Apple stills owns your device even after selling it to you.
Hu? That idea isn't even mentioned in the article, and it seems entirely irrelevant.
The analogy to this premise is that the producers of a safe that they sell to you must be able to provide the government a key to the safe. This clearly does not make sense..
It may not make sense to you, but key escrow is a thing both for encryption keys[1] and for physical keys[2].
I agree there are pretty serious problems in both cases
[1] This is basically what happens in iOS 6 and below: Apple has a key they use to unlock the device. Another example is the aborted Clipper chip: http://en.wikipedia.org/wiki/Clipper_chip
The point is that when someone sells you a thing, they should no longer be responsible to someone else for it. You should be responsible. It is now your thing.
I would rather let a few murderers go free than expand the government's power to store and retrieve private communications. You never know what benign things you might be doing today that will one day be dangerously illegal (or maybe just embarrassing enough to hurt you now that you have some kind of power).
This could be the reason why iPhone 6 has not been approved in China. With heavy smuggling they will get plenty. A lot of arguments assume the (American) government is decent, but iPhone is a global device. Let's hope Apple products have the same security all over the world.
For most of us, Orin Kerr is on the opposite side of the privacy debate. He thinks that current online privacy laws go too far in the direction of protecting the accused. There is a summary of one of his talks at http://hlrecord.org/?p=10987%7COrin. (It's a shame there is no recording or transcript of that talk.)
I think the main difference between my opinions and his is that he places much more trust in government.
> Because the victim isn’t alive to share his password, and the phone will have locked before the body was found, the government won’t be able to search the phone to find the messages. Apple’s policy will keep the police from finding the killer. That seems bad.
The problem with this argument is that it applies to all secure encryption. The purpose of encryption is to keep people not authorized to access private data from being able to access it. The fact that it may work as designed is hardly a sufficient excuse to backdoor everything.
Kerr's position seems to be that the government should be authorized to unlock everything in one way or another. The list of problems with that is long and well known. We can't actually trust anyone, including the government, with the keys to everything. Once they have the keys there is nothing to stop them from using them without a warrant.
And backdoors are security vulnerabilities. You intend for them only to be used by the government using constitutional process but they end up being used by criminals and foreign intelligence.
Meanwhile a required lack of security causes chilling effects. Politically unpopular groups will be afraid to communicate if their devices are compelled to spy on them and corrupt government officials can use that to harass and oppress them. Not to mention the small matter that it enables corrupt government officials to harass and oppress them.
I think Orin's point is not that everything should have a backdoor (which would not comport with his many previous writings on tech and law), but that Apple's shift, and in particular the public way in which it has been done, could trigger unintended consequences from the courts or Congress. Hence the "dangerous game" title.
There's this quotation by Scalia (whom I respect a lot, despite him mostly ruling otherwise than I would have), that four Justices probably don't think the Exclusionary Rule was a good idea in the first place (somewhere in the Pepperdine interview with Kenneth Starr).
If you're interested in the exact wording I can look it up tonight.
The Fourth Amendment prohibits unreasonable searches and seizures, not all searches and seizures. Given a warrant is properly issued, a court can hold a person in contempt if they refuse to provide the documents listed in the warrant. So the question is, what is the punishment for contempt? Congress can legislate that for specific situations.
I don't understand the passage I quoted to be sarcasm; he's advocating that iPhones have a backdoor under the justification that it would help the government prosecute evildoers.
These are the fruits of the abuse of the fourth amendment.
This action is a prime example of why (ethics and liberties aside) getting carried away with surveillance and warrentless snooping was ultimately a bad idea even for those who were doing it.
There are reasons for fair treatment of citizens that stem directly from practicality. But lack of foresight and hubris seem all too common with government officials as of late.
The very first sentence starts with a faulty premise: "Apple has announced that it has designed its new operating system, iOS8, to thwart lawful search warrants"
Why couldn't Apple have designed it to remove itself from the burden of having to play fisherman? While it's true that there may have been moral drivers in this design decision, it makes sound business sense as well.
You can't betray what you don't know. Which is the ultimate position to take in order to be competitive in a privacy conscious world. Besides, warrants are rubber stamps now (as pointed out here and many places elsewhere) and are by no means the carefully measured moderator of state influence they may have once been.
Orin Kerr is clearly a lawyer. He argues not for what is right but for what is permissible given the existing body of law. Where the existing body of law is wrong, his writings have no sympathy for the damage inflicted on its victims nor any sense that resisting such wrongs is noble.
If the government never abused its authority, I would be much more sympathetic to Kerr's position. Given the facts of prosecutorial abuse, vague and conflicting laws, the ongoing gutting / suspension of habeas corpus, "three felonies a day" -- http://www.threefeloniesaday.com/Youtoo/tabid/86/Default.asp... -- and many more reasons not to rest moral authority on our body of law, I find his insistence that we revere lawfulness to be foolish at best. It's important to stand up to unjust laws.
Leaving aside warrants which are merely held to be lawful (where the true facts, might we know them, show the opposite), it's not just lawful warrants that this technology protects against. Law-abiding citizens may be compelled to reveal private information via totally unjust mechanisms such as National Security Letters. Consider Nick Merrill's experience: http://en.wikipedia.org/wiki/Nicholas_Merrill#Challenging_th...
Let's not even get into protecting yourself from the NSA. Any tools which help us resist such tyranny, even at the risk and expense of civil disobedience, are to be applauded. Reserve your condemnation for the John Yoo of the tech world.
Orin Kerr is definitely a lawyer, and has been working and writing on digital crime and civil rights for years. For example, he was part of the defense team during weev's appeal of his conviction.
I do think he thinks beyond the technicalities of the law. And I think he's correct that there are legitimate reasons to pierce device encryption. If a victim is murdered, and their phone is locked, it sure would be nice too see if there were some evidence on that phone that could help catch the killer.
That said, he knows better than most what the law does say, and I think that makes this an op-ed worth reading carefully. I found two of his points interesting.
1) A passcode is probably not covered by Fifth Amendment protections. Thus a phone owner who refuses to lock their phone could be punished by the court anyway.
2) An encryption system strong enough to thwart legitimate and legal police actions could lead to a legislative "backlash" (my word, not Orin's) of increased consequences for failure to unlock. This is the "game" in the title of the op-ed. Technology and law are often in tension and an escalation from one side could trigger an escalation from the other.
But I disagreed with his state that "The policy switch doesn’t stop hackers, trespassers, or rogue agents. It only stops lawful investigations with lawful warrants." That seems wrong to me because it's not just a policy change, it's an improvement in how the OS encryption actually works. Seems to me that could help keep out some bad guys too.
I completely agree with your assessment of Kerr, and there is nothing wrong with purely legal analysis.
What got to me initially was the deliberate limiting of legal scope to warranted privacy violations, as though warrantless privacy violations are insignificant. He's welcome to do so, but he should be clearer about this and less rhetorically dedicated to his agenda.
EDIT: I see now that he reasons this technology only affects warranted privacy violations, since Apple has a policy of refusing unwarranted inquiries. He is overlooking the possibility that Apple may nonetheless be pressured, deceived, or compelled to violate users' privacy. He doesn't realize that Apple's claim of being invulnerable to warrants also protects the user from Apple's own vulnerabilities. It's not just USA law enforcement that targets users by exploiting Apple's access to protected data.
My understanding is that warrantless privacy violations have grown tremendously since the Patriot Act, both in scope and quantity -- that we have many new laws or codes since then which reclassify previously warrantful privacy violations as now warrantless.
He asks "How is the public interest served by a policy that only thwarts lawful search warrants?"
This is a nasty rhetorical trick. Does Apple's policy change serve any other purpose than to thwart lawful search warrants? Kerr puts "no" in your head, but of course the answer is yes.
He then makes appeal to the "civil libertarian tradition" of protection from warrants, saying that Apple is thumbing its nose at "that great tradition". What a joke. Apple is selling a product with powerful capabilities, some of which can be used to break the law, all of which have legitimate lawful purposes. Are Ford, Boeing, Delta, Budweiser, Louisville Slugger, Smith & Wesson all playing dangerous games as well?
Lastly, this is about removing Apple's ability to unlock. Just like Colin Percival's tarsnap. Doing proper security via proper cryptography. Minimizing untrusted third parties. Apple is getting criticized by Kerr for doing the right thing for its users. There are no victims in this action. It should matter not a whit that this makes the government work harder to violate privacy. Apple has no general duty to offer permanent taps for the government's pleasure.
This is why focusing only on warrantful privacy violations is a travesty of justice.
Right. The claim "The policy switch doesn’t stop hackers, trespassers, or rogue agents. It only stops lawful investigations with lawful warrants." is invalid because "hackers, trespassers, or rogue agents" might either get warrants or plausibly claim to have warrants. Indeed, the chief problem Apple is trying to address is that everybody suspects the NSA has been engaging in massive secret fishing expeditions. Warrants are too easy to obtain. Law officers might easily BE the bad guy or WORKING FOR a bad guy, in which case denying them access provides a social good. In the current context (the era of "parallel construction" and gag orders), the fact that a judge rubber-stamped a warrant does not provide much evidence that social good is met by serving that warrant. If cops have to work a little harder to get their job done, on balance that's probably a good thing.
> 1) A passcode is probably not covered by Fifth Amendment protections. Thus a phone owner who refuses to lock their phone could be punished by the court anyway.
No, Kerr either doesn't know the case law or is completely ignoring a huge chunk of it to make his point. I prefer the latter, but regardless, his point about the 5th Amendment is completely wrong as this is far from a settled issue and other courts have ruled differently:
"Get real Orin - the government can serve the warrant the old fashioned (constitutional) way: on the intended target," wrote one of the commenters on the article itself.
Gag orders served on service providers such as Apple preventing people from knowing the government is looking at their data a effectively made irrelevant. This is a big deal, whether or not the Fifth Amendment allows people to ultimately deny the government access.
Sad to see a legal expert sounding like an apologist and a shill for the entitlement mentality which seems to afflict the security, law enforcement and entertainment industrial complexes.
With all due respect, being somewhat of a privacy and security freak (although I use social networks etc.), all I can read while going through the article is a crybaby whining about how it is harder than before to get user data.
The article makes an assumption that the warrants and the snooping is only done in legal and genuine cases, which has been continuously been proved wrong lately. Not to mention all the secret courts, FISA orders etc
This seems likely to be more than a little related to the recent warrant canary discovery. My expectation is that Apple was recently forced to do something they considered unlawful and the iOS8 changes will prevent that issue in the future.
Apple left the canary there to not alarm their customers. As far as we know, they could have received millions of warrants and never removed it for market reasons, or they could have received warrants that told them to not change that page as to not harm ongoing investigations.
Anyway, it is very conveniently timed with the release of ios8, and their month old marketing plan of announcing that new 'super secure feature' that "we can't comply to warrants even if we wanted BS". I'd have to be a huge fool to not thing that this is a pure marketing ploy to force me to move to IOS8, and nothing more.
Also, you probably can still access iCloud pictures that the phone uploads automatically by just guessing random urls or something or another.
112 comments
[ 2.8 ms ] story [ 153 ms ] threadIt could hurt US companies abroad because they will rightfully think the US Gov't has a backdoor. I think Apple and Google would use their lobbying funds to make sure the author's hopes never happen.
> How is the public interest served by a policy that only thwarts lawful search warrants?
Perhaps the answer is that judges act as rubber stamps now, authorizing way too many search warrants. The author assumes that the judges are fairly applying the 4th amendment.
This article is very disturbing.
Exactly. Our government is as overbearing and oppressive as it's been in a very long time. I read somewhere that judges approve something like 99% of the search warrants presented to them. They no longer serve as a check on law enforcement.
I'd love to hear otherwise, to hear how judges are doing a good job balancing the interests of people against the interests of law enforcement.
Consider that the police know what warrants a judge is likely to approve and which he's likely to turn down. Over time, police departments will learn to submit the warrants they can get approved and not bother wasting a judge's time with warrants that won't be approved.
So very high approval rates do not necessarily signal the loss of the judge's ability or willingness to check police power. Just that everybody involved is doing their jobs as professionals in their domain.
Outright convictions for everything the prosecution charged are also not too common, but that the prosecutor deems something illegal and grave enough to charge, the court concurs by opening proceedings, and then in the trial everything falls completely apart basically only happens when the trial brings a complete surprise with it.
And most of those times the "complete surprise" is just a key witness refusing to testify or not remembering anymore (as it happens too often in domestic abuse cases).
Your argument is that the approval rate could be 99% legitimately. Even if true it doesn't actually provide any evidence that judges are not acting as a rubber stamp, it only attempts to discount some evidence in favor of it. Moreover, the fact that the approval rate is 99% is still evidence that judges are not being very critical in approving warrants. The high rate makes it statistically more likely that judges are approving warrants uncritically than would be the case if the rate was lower.
No it is not.
> The high rate makes it statistically more likely that judges are approving warrants uncritically than would be the case if the rate was lower.
As I said in another sub-thread, you are going to have to explain the statistics involved if you want to make an argument from them. Otherwise you are just being circular. You cannot expect a statement to be its own proof.
Yes it is. There is no question that it is evidence, so you can only be questioning whether the evidence supports the proposition. You want a mathematical proof? OK. Without knowing the percentage of approved warrants we can't exclude the possibility that exactly zero warrants were approved, which would be a hard disproof of the proposition that judges are uncritically approving warrants. Discovering that the percentage is nonzero eliminates the possibility that it is 0%, which increases the probability that the proposition is correct. Continuing by induction, with each warrant not approved the possibility that it was approved uncritically is eliminated, whereas with each warrant approved the possibility that it was approved uncritically is retained. So the higher the percentage of approved warrants the more it supports the proposition that they are being approved uncritically. QED.
What you're arguing is that it's weak evidence. It could be that there were many legitimate warrants requested and few illegitimate ones. But that's a weak argument unless you can present some contrary evidence for the opposite position. All you're doing is claiming that the proposition hasn't been strongly proved, not proving it incorrect.
Generally speaking, we mean 'critical' to involve the weighing of a decision against an ethical standard. Assuming the standard isn't changing, we would expect an equilibrium to emerge where the parties involved would come to understand the standard, especially given that the warrant process is not adversarial. So there's no reason not to expect the approval rate to settle at close to 100%, with the few denials being law enforcement attempts to skirt the boundaries.
Anything less than a very high rate would indicate that the standards are inconsistent or are being inconsistently applied. The only reason I can see to be inconsistent is to game statistics like this one that seem to mean more to certain people than they actually do.
There is nothing circular about it. There is no requirement to exclude other evidence. Regardless of what other evidence exists, discovering that there is a very high approval rate makes it more likely that warrants are approved uncritically than it was before the approval rate was known.
> Assuming the standard isn't changing, we would expect an equilibrium to emerge where the parties involved would come to understand the standard, especially given that the warrant process is not adversarial. So there's no reason not to expect the approval rate to settle at close to 100%, with the few denials being law enforcement attempts to skirt the boundaries.
The fact that the process is not adversarial only makes it more likely that judges are approving warrants they shouldn't be. Moreover, prosecutors have every incentive to try to "skirt the boundaries" as often as possible, unless the boundaries are so broad they don't need to be skirted.
> Anything less than a very high rate would indicate that the standards are inconsistent or are being inconsistently applied.
Or that prosecutors are continually testing the fences as they have every incentive to do.
How'd this get from "I read somewhere" to "fact"?
Where? Most sources I can find (usually focussing on individual departments) indicate rejected warrants applications aren't tracked, so there would likely be no basis for this conclusion.
Even if it was true, it would likely be misleading -- the fact that a warrant is approved doesn't mean its approved with the scope originally sought. Most sources I've seen also suggest that while rejections are uncommon, limiting the scope of the warrant is not.
Just using the FISA numbers as a starting point for discussion, I'm not ready to believe that 11 requests denied and 33,942 warrants issued is something that makes sense. I'd bet that the Russian Parliament is less of a rubber stamp on Putin. :)
[1] http://en.wikipedia.org/wiki/United_States_Foreign_Intellige...
I don't agree with Orin Kerr on this, but I'm willing to accept that he's likely seen things about the day-to-day business of law enforcement that I just don't understand. It's worth us spending at least a few moments entertaining the thought that maybe we are the naive ones.
I'm sorry, but no, no, no. I'm perfectly clear on what exactly this move by Apple enables, which is that more criminals -- some horrible -- will go free.
But context is important here:
1. By the same token, more innocent people who never should have been charged will also go free.
2. Giving up many of our constitutional rights would also result in more criminals being apprehended, but few of us would do that, because we understand the importance of these rights for our system of government. Why is this any different?
3. Most importantly, many of us would be much more amenable to a compromise here if the government hadn't horribly abused their power over the past 15-20 years. Prosecutorial misconduct and out-of-control blackops agencies have become such a problem that almost any solution is worth consideration. You think Apple would have done this if our government had a reputation for fairly using its power?
So no, not falling for the "we've seen things you kids would never understand" ploy -- that's been pulled on us before. It's not working this time.
But he has been exposed to highly unusual circumstances with a high bias.
Sorry, it's more likely he's just vested in the current (not-privacy-respecting) system of governance. One which has major drawbacks for many folks who are pushing the envelope or who just happen to be on the wrong side of one of the many folks who have access to the government's powers.
That's really all that matters to me.
i thought they salted user PINs with a hard-wired nonce that's specific to every device - then when the fuzz needs to get the device unlocked apple looks up what the hard-wired nonce is for that specific device, and then crack the 4 digit pin.
anyone have details on how apple actually unlocked devices?
Not quite. There are two nonces involved. One is (probably) easy for Apple to extract (the randomly generated, re-writable value in effaceable storage) and the other is (supposedly) very difficult to extract, because it's burned into the CPU hardware. If all works as intended, the only way to extract the second one is to decap the CPU and read it with a microscope.
Also, you can have arbitrarily long PINs, including alphanumeric.
If Apple's security PDF is correct, the only obvious way Apple can break the PIN is via brute force, which I believe they claim to provide when LEAs request it.
Soooooooooo... there already is a legal mechanism to force the phone's owner to divulge the password. Why isn't that enough?
And since you're not proving this to a jury, but rather a judge, the standard of proof is going to be pretty low for a smartphone. Orin Kerr thinks possession of a phone at time of arrest will be enough to prove to a judge that you know the passcode, and given how low-level judges operate in the real world I'm inclined to agree (in practice, not legal theory or what's just.)
Anyway, iCloud backups are still fair game, so it's not like LEOs can't typically get the information they want anyway even without the passcode.
There are certainly other reasons to appreciate secure encryption though. But "not even a disgruntled apple employee, or one paid by your business competitor" brings up questions that are not good marketting to put in people's heads. Even "not even a hacker, cause we used actual secure crypto" is not what they want people to think about.
Now, personally, I include "not even law enforcement" in my list of attackers I'd like to defend from, and there's nothing wrong with that (and there's not supposed to be in America, the 4th ammendment and all). But the fact that it's actually good marketting generally (or at least they're betting on it) -- well, we have Snowden to thank for that. And I doubt it will last.
Also, of course, there are a variety of reasons the iphone crypto as a system isn't all that secure -- including but not limiting to the fact that we still have trust apple (we can't see the code, or the code in the updates pushed out regularly).
Not that I disagree that it's a benefit to make it harder for law enforcement
I agree with what Apple is doing and I want them to do more. There are still some remaining holes that need to be closed up and all users should be encouraged to enable 2FA with the mandated switch in a few years.
What Apple does have is the directory of recipient public keys that your device should use to encrypt its messages. (Background: iMessage encrypts each message separately for every recipient device, which shows just how far Apple went to protect key security. Not only does Apple not have the keys, private keys never have to be exchanged among devices ever.)
But technically speaking -- I have no idea if they actually do this -- that gives them a way to insert a "wiretap" of sorts in the form of an additional, silent recipient that you don't know about. Think of it as adding another device to your iCloud account, only it's not yours. Still, this could at least be discovered by monitoring the size of the outgoing data to see if it matches the expected number of recipients.
Hu? That idea isn't even mentioned in the article, and it seems entirely irrelevant.
The analogy to this premise is that the producers of a safe that they sell to you must be able to provide the government a key to the safe. This clearly does not make sense..
It may not make sense to you, but key escrow is a thing both for encryption keys[1] and for physical keys[2].
I agree there are pretty serious problems in both cases
[1] This is basically what happens in iOS 6 and below: Apple has a key they use to unlock the device. Another example is the aborted Clipper chip: http://en.wikipedia.org/wiki/Clipper_chip
[2] https://www.schneier.com/blog/archives/2011/07/physical_key_...
In this case it is more similar to car manufacturer being asked under warrant to produce a new electronic key for a car.
They have specialized skills and tools that allow them to do that, as did Apple prior to iOS 8.
No one is making the argument that Apple retain ownership of the device.
(To be clear - I think Apple is doing the right thing here. But there is no point in trying to confuse the issue with inaccurate arguments)
I think the main difference between my opinions and his is that he places much more trust in government.
The problem with this argument is that it applies to all secure encryption. The purpose of encryption is to keep people not authorized to access private data from being able to access it. The fact that it may work as designed is hardly a sufficient excuse to backdoor everything.
Kerr's position seems to be that the government should be authorized to unlock everything in one way or another. The list of problems with that is long and well known. We can't actually trust anyone, including the government, with the keys to everything. Once they have the keys there is nothing to stop them from using them without a warrant.
And backdoors are security vulnerabilities. You intend for them only to be used by the government using constitutional process but they end up being used by criminals and foreign intelligence.
Meanwhile a required lack of security causes chilling effects. Politically unpopular groups will be afraid to communicate if their devices are compelled to spy on them and corrupt government officials can use that to harass and oppress them. Not to mention the small matter that it enables corrupt government officials to harass and oppress them.
If you're interested in the exact wording I can look it up tonight.
My phone needs to be protected from all intruders, regardless of my own government, other governments, corporations, or single actors.
This action is a prime example of why (ethics and liberties aside) getting carried away with surveillance and warrentless snooping was ultimately a bad idea even for those who were doing it.
There are reasons for fair treatment of citizens that stem directly from practicality. But lack of foresight and hubris seem all too common with government officials as of late.
Why couldn't Apple have designed it to remove itself from the burden of having to play fisherman? While it's true that there may have been moral drivers in this design decision, it makes sound business sense as well.
You can't betray what you don't know. Which is the ultimate position to take in order to be competitive in a privacy conscious world. Besides, warrants are rubber stamps now (as pointed out here and many places elsewhere) and are by no means the carefully measured moderator of state influence they may have once been.
If the government never abused its authority, I would be much more sympathetic to Kerr's position. Given the facts of prosecutorial abuse, vague and conflicting laws, the ongoing gutting / suspension of habeas corpus, "three felonies a day" -- http://www.threefeloniesaday.com/Youtoo/tabid/86/Default.asp... -- and many more reasons not to rest moral authority on our body of law, I find his insistence that we revere lawfulness to be foolish at best. It's important to stand up to unjust laws.
Leaving aside warrants which are merely held to be lawful (where the true facts, might we know them, show the opposite), it's not just lawful warrants that this technology protects against. Law-abiding citizens may be compelled to reveal private information via totally unjust mechanisms such as National Security Letters. Consider Nick Merrill's experience: http://en.wikipedia.org/wiki/Nicholas_Merrill#Challenging_th...
Also http://techpresident.com/news/24272/nick-merrill-fought-fbi-...
Let's not even get into protecting yourself from the NSA. Any tools which help us resist such tyranny, even at the risk and expense of civil disobedience, are to be applauded. Reserve your condemnation for the John Yoo of the tech world.
I do think he thinks beyond the technicalities of the law. And I think he's correct that there are legitimate reasons to pierce device encryption. If a victim is murdered, and their phone is locked, it sure would be nice too see if there were some evidence on that phone that could help catch the killer.
That said, he knows better than most what the law does say, and I think that makes this an op-ed worth reading carefully. I found two of his points interesting.
1) A passcode is probably not covered by Fifth Amendment protections. Thus a phone owner who refuses to lock their phone could be punished by the court anyway.
2) An encryption system strong enough to thwart legitimate and legal police actions could lead to a legislative "backlash" (my word, not Orin's) of increased consequences for failure to unlock. This is the "game" in the title of the op-ed. Technology and law are often in tension and an escalation from one side could trigger an escalation from the other.
But I disagreed with his state that "The policy switch doesn’t stop hackers, trespassers, or rogue agents. It only stops lawful investigations with lawful warrants." That seems wrong to me because it's not just a policy change, it's an improvement in how the OS encryption actually works. Seems to me that could help keep out some bad guys too.
What got to me initially was the deliberate limiting of legal scope to warranted privacy violations, as though warrantless privacy violations are insignificant. He's welcome to do so, but he should be clearer about this and less rhetorically dedicated to his agenda.
EDIT: I see now that he reasons this technology only affects warranted privacy violations, since Apple has a policy of refusing unwarranted inquiries. He is overlooking the possibility that Apple may nonetheless be pressured, deceived, or compelled to violate users' privacy. He doesn't realize that Apple's claim of being invulnerable to warrants also protects the user from Apple's own vulnerabilities. It's not just USA law enforcement that targets users by exploiting Apple's access to protected data.
My understanding is that warrantless privacy violations have grown tremendously since the Patriot Act, both in scope and quantity -- that we have many new laws or codes since then which reclassify previously warrantful privacy violations as now warrantless.
He asks "How is the public interest served by a policy that only thwarts lawful search warrants?"
This is a nasty rhetorical trick. Does Apple's policy change serve any other purpose than to thwart lawful search warrants? Kerr puts "no" in your head, but of course the answer is yes.
He then makes appeal to the "civil libertarian tradition" of protection from warrants, saying that Apple is thumbing its nose at "that great tradition". What a joke. Apple is selling a product with powerful capabilities, some of which can be used to break the law, all of which have legitimate lawful purposes. Are Ford, Boeing, Delta, Budweiser, Louisville Slugger, Smith & Wesson all playing dangerous games as well?
Lastly, this is about removing Apple's ability to unlock. Just like Colin Percival's tarsnap. Doing proper security via proper cryptography. Minimizing untrusted third parties. Apple is getting criticized by Kerr for doing the right thing for its users. There are no victims in this action. It should matter not a whit that this makes the government work harder to violate privacy. Apple has no general duty to offer permanent taps for the government's pleasure.
This is why focusing only on warrantful privacy violations is a travesty of justice.
Please watch this before re-reading Kerr: https://www.youtube.com/watch?v=eT2fQu50sMs
No, Kerr either doesn't know the case law or is completely ignoring a huge chunk of it to make his point. I prefer the latter, but regardless, his point about the 5th Amendment is completely wrong as this is far from a settled issue and other courts have ruled differently:
http://www.outsidethebeltway.com/federal-appeals-court-fifth...
Gag orders served on service providers such as Apple preventing people from knowing the government is looking at their data a effectively made irrelevant. This is a big deal, whether or not the Fifth Amendment allows people to ultimately deny the government access.
Their sense of ENTITLEMENT is ENORMOUS.
"We are ENTITLED to YOUR PRIVATE DATA."
The article makes an assumption that the warrants and the snooping is only done in legal and genuine cases, which has been continuously been proved wrong lately. Not to mention all the secret courts, FISA orders etc
Apple left the canary there to not alarm their customers. As far as we know, they could have received millions of warrants and never removed it for market reasons, or they could have received warrants that told them to not change that page as to not harm ongoing investigations.
Anyway, it is very conveniently timed with the release of ios8, and their month old marketing plan of announcing that new 'super secure feature' that "we can't comply to warrants even if we wanted BS". I'd have to be a huge fool to not thing that this is a pure marketing ploy to force me to move to IOS8, and nothing more.
Also, you probably can still access iCloud pictures that the phone uploads automatically by just guessing random urls or something or another.