The Department of Homeland Apple

The ridicule was all over the twitters, as word spread that a judge ordered Apple to unlock an encrypted iPhone. It was particularly ironic, given that the people mocking the order had it wrong.  At Techdirt, Mike Masnick explains.

So… have you heard the story about how a magistrate judge in California has ordered Apple to help the FBI disable encryption on the iPhone of one of the San Bernardino shooters? You may have because it’s showing up everywhere. Here’s NBC News reporting on it:

A federal judge on Tuesday ordered Apple to give investigators access to encrypted data on the iPhone used by one of the San Bernardino shooters, assistance the computer giant “declined to provide voluntarily,” according to court papers.

Many people are now mocking this ruling, pointing out that with end-to-end encryption it’s actually impossible for Apple to do very much to help the FBI, which makes the order seem ridiculous. But that’s because much of the reporting on this story appears to be wrong.

So if it’s wrong, what’s right?

[T]he order does not tell Apple to crack the encryption when Apple does not have the key. Rather, it is asking Apple to turn off a specific feature so that the FBI can try to brute force the key.

Completely different.  And at the same time, maybe not different at all. When the issue of cellphone privacy was all the rage, and the geeks were screaming that they had a simple answer, encryption, and there wasn’t a damn thing the courts could do about it, I tried to explain that as much as they understood code, they were clueless as to how the law worked.

I explained that a judge, faced with tech impossibility, would just order that it happen. Like ordering the sun to rise in the west, the law doesn’t recognize technological capability or impossibility. The judge orders an outcome and it becomes a party’s problem to make it happen. Can’t be done? Courts enforce the laws of the United States, not the laws of physics.

So Magistrate Judge Sheri Pym did not order Apple to crack the encryption, but instead ordered Apple to disable a feature that would wipe the drive after 10 bad tries at entering the encryption key, so that the government could go the brute force route.  Don’t all you twitter mockers feel bad now?  Well, don’t put on your hair shirts yet.

Apple’s reasonable technical assistance shall accomplish the following three important functions: (1) it will bypass or disable the auto-erase function whether or not it has been enabled; (2) it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT DEVICE and (3) it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.

If Apple determines that it can achieve the three functions stated above in paragraph 2, as well as the functionality set forth in paragraph 3, using an alternate technological means from that recommended by the government, and the government concurs, Apple may comply with this Order in that way.

Not only does the court order Apple to make the sun rise in the west, but it tells it how the sun should rise, and then, if the sunrise protocol fails to meet the government’s requirements, allows Apple to politely seek the government’s acquiescence. When the order says, “and the government concurs,” what are the alternatives should the government reply, “nope, a Tequila sunrise or you’re going to jail, Apple”?

It’s not like Mag. Pym is an uncaring Luddite, of course, as she does sit in the Central District of California.

To the extent that Apple believes that compliance with this Order would be unreasonably burdensome, it may make an application to this Court for relief within five business days of receipt of the Order.

Whether the demands of the order are technologically feasible is one issue. Apple has refused to comply with the government’s “request” voluntarily, and so the government made Mag. Pym work, work, work. It puts Apple in a difficult technological spot, as the confluences of various factors clash. Maybe Apple can do it. Maybe they can’t. Maybe they don’t want to. Maybe they don’t want to find out. Maybe they want to make sure it doesn’t happen, even if it can be done, because Apple doesn’t want to give the government a way to break into an iPhone, either through the front door, back door or side door.

From the government’s perspective, as well as the court’s, it doesn’t give a damn what Apple wants. It wants in because that’s what the government says is critical to whatever hyperbolic claim of saving lives from terrorists it spouts. And from the government’s point of view, that’s its job. And the government gets what it wants.

But who made Apple an adjunct to law enforcement?  Apple didn’t commit any crime. Apple didn’t shoot anyone. What does Apple have to do with any crime in the first place? Yet, the subtext of the order is that Apple, the maker of the encrypted phone, can be made a slave to the government’s demands, and that the Magistrate Judge has the authority to order a business, unrelated to the commission of any crime, to spend its time and money, expend its devs’ efforts, to comply with its order, upon pain of contempt. Why?

The question should not be whether it’s “unreasonably burdensome” for Apple to comply with the order, but whether Apple should have to lift a finger at all.  If Apple chooses not to voluntarily become a division of law enforcement, and has done nothing criminal, then what authority does a court have to make it a slave to the government’s demands?

Of course, the law’s answer is that when the government says it really, really needs a private company to do its bidding, then that’s what it must do. It’s not that the geeks were wrong from a principled position that it’s crazy that the government can turn a tech company into a slave to the government’s demands, but that they don’t get how the law works.

Precedent says that the government can do this, and so it can. How unreasonable and ridiculous you think it may be is no longer the issue. Welcome to the law. Now get it done, bitches, and stop all your whining. You’ve been ordered.

22 thoughts on “The Department of Homeland Apple

  1. Ehud Gavron

    Zucher v Stanford be damned; as you correctly point out Apple is not a party to this matter and has not been charged (criminally or otherwise) in relation to it. Unfortunately, this will require Apple to either bend over … or spend more on their IHC to splain to the MJ why this is onerous.

    The Judge doesn’t care. History will.

    Ehud

  2. Paul Gregory

    It’s incomprehensible that a court can order ‘innovation’? A NEW thing? (I won’t go into the whole forced labor thing)

    Judge: Apple, create this thing that the government wants!
    Apple: Certainly Your Honor. How?
    Judge: You KNOW how. Just do it!
    Apple: If you say so, Your Honor. How long do we have?
    Judge: 1 Week (month, year)
    Apple: Which of our people should we order to work around the clock to comply with your order?
    Judge: That’s up to you, now go do it!

    Apple: You there, Engineer, Build me this thing that will do what the FBI wants.
    Engineer: I don’t want to do this. Find someone else.
    Apple: You’re fired (?!?)
    and so on…

    If I were Tim Cook, I’d tell Judge Pym that the FBI is free to hire away any of their engineers it wants, as long as the engineers agree. I’m not sure how many with enough knowledge will join the FBI, as the length of the employment will be just as long as needed to crack the phone.

    1. Mark Draughn

      This is the source of my confusion as well. If I read it correctly, Zurcher v. Stanford Daily is about people who are in possession of evidence that may be useful in a matter before the courts. Apple doesn’t have any evidence. I think it’s a bit like the case where a judge orders a driver to take a blood alchohol/drug test and then somebody tries to enforce it against a doctor who refuses to do the test. How could the judge get personal jurisdiction over the doctor? How far does this go? I have a nice camera, so could a judge order me to go take crime scene photos for the police? If I didn’t have a camera, could a judge order me to make one? Because that’s kind of what this judge is ordering Apple to do. Then again, as Scott points out, I’m just a techie, and the judge has indeed ordered it, and he’s got a lot more guys with guns working for him than Apple or I do.

  3. paul

    This is a perplexing order. Standard digital forensic analysis procedure is to clone the hardrive and only analyze the cloned drive(s). This way it does not matter if the hardrive is erased etc. This can be, and frequently is, automated along with the brute force password attempts which kind of obviates the courts demands.

    My opinion means nothing but given the technical side of this and meaninglessness (technically) of the demands it seems like this is designed just to inconvenience apple for not playing nicely and getting rid of encryption altogether.

    1. Andrew Cook

      This is not a technical blog, so I’ll keep this short. There is no forensically-sound way to clone an iPhone. Cloning the flash chip in the phone is not enough, due to a randomly-assigned untraceable permanent key burned into the CPU, and a randomly-generated untraceable temporary key stored inside the CPU package. Without access to the temporary key, which is the first thing erased in a wipe, there’s no way to recover the data, and without severe tampering with the original device there’s no way to obtain that key. Working on the original device is the only possible method, and this court order seems to dictate the least technically invasive way to do so. Legally, it’s still pretty damn invasive.

      1. Marc Whipple

        And as Apple points out, you can’t un-know something. Right now, they may legitimately not know for sure whether they can do this or not. If they can, once it is known – and it WILL be known – then not only will every self-important prosecutor on the planet insist on Apple doing it so they can get another distro charge on J. Random Drugdealer, it will incentivize every black hat or just plain hardware geek on the planet to try to figure out how the thing was done.

        Whereas if they claim they can’t, the judge and/or prosecutor can always accuse them of stonewalling and charge them with obstruction or contempt or something. No, the only winning move here is not to play. It’s basically the same principle as people who argue the government should have a master crypto key to, well, everything, and that it could be strictly controlled. No. Just no. If such a thing existed it would be in the hands of every major government who cared to have it in days if not hours, and in the hands of organized crime not long thereafter.

        To get all geeky, “There are some perils a man must flee.” The only way to avoid certain kinds of power from being misused is not to allow them to be used at all.

        1. tim

          Right now, they may legitimately not know for sure whether they can do this or not.

          No one is doubting that they can do this or not. On this model iphone they can do it. Its an update to the code to disable a feature, signing the code so that the phone thinks its legitimate code, and then installing the code on the device. Which only Apple can do.

          Now obviously Tim Cook himself can’t do this. It takes an experienced engineer. And there are not many of them that could perform the change. So I’m curious what happens if the engineer declines to make the change?

          1. SHG Post author

            I suspect Apple has more than one. But that’s only one of many questions, and it’s unlikely that it will be dispositive.

          2. Mackenzie Brunson

            From the order: “The software (sic) will load and run from Random Access Memory “RAM” & will not modify the iOS on the actual phone, the user data partition or system partition on the devices flash memory.” I’m not 100%, but I think this sentence makes the order impossible to fulfill. How can Apple write the code to do what the order requests without modifying the iOS? iPhones require you to agree to each and every update and would seemingly not be able to meet these demands without changing the iOS. They would first have to create new code to work around the software updates issues, before the brute force attack can even begin. But, that would require them to modify the iOS. This order makes zero sense.

  4. Patrick Maupin

    It’s a terrible order, of course, but there is no order which cannot be made worse by fighting it and losing and setting a precedent.

    Apple may be particularly vulnerable to loss here. As the right-to-repair people explain, when you buy an Apple device, you miss out on many of the traditional benefits of ownership. For example, if a third-party repair shop replaces the home key/fingerprint sensor, Apple will quite cheerfully brick the device because of the unauthorized repair.

    Depending on exactly what they’re smoking that morning, some appellate court might find that Apple’s continued exertion of control over the devices means that Apple is screwed in this matter.

    1. Marc Whipple

      What exertion of control? Apple sold a device with advertised properties. Once it leaves Apple’s care and custody, it’s not “Apple exerting control” for the device to continue to have those properties. It’s not like Apple is threatening to sue the FBI under the DMCA or file for patent infringement or something if *they* want to try to get around the feature.

      Even the home button thing isn’t an exertion of control. Again, the device has advertised security features. Replacing the fingerprint sensor with one which Apple has not had the ability to confirm could defeat those security features. I’d argue that it is neither illogical nor an exertion of control for ANY such repair to cause the device to immediately stop functioning. It is merely the device conforming to spec. The bad argument here isn’t that it happens, it’s that it doesn’t happen all the time.

      1. Patrick Maupin

        Apple sold a device with advertised properties.

        Yeah, and one of those was to actually, you know, work.

        Once it leaves Apple’s care and custody, it’s not “Apple exerting control” for the device to continue to have those properties.

        And in some cases, it apparently stops working after the next time it phones home. In other words, Apple adds new software that breaks a previously existing phone. There are documented cases of this happening for no good reason — no repairs having been done to the phone. In any case, if security were truly that paramount, the wipe would happen right after the new sensor was installed, not some indeterminate time later.

        The bad argument here isn’t that it happens, it’s that it doesn’t happen all the time.

        Is there enough room on Apple’s cock for all the lips, or do you guys have to take turns?

  5. st

    Courts don’t enforce the laws of physics because those laws enforce themselves. Apple is subject to the laws of economics, which also enforce themselves. Apple must serve the interests of consumers or Apple will die. Others who better serve consumers will take Apple’s place.

    The court can threaten death to Apple, or dismemberment with fines and sanctions, or caging the executives. From Apple’s perspective, the penalties for submission are at least as dire as those for defiance. Apple didn’t put encryption into iPhones to spite the government, they did it to sell iPhones.

    If Apple caves to the government’s demands, Apple will certainly lose many customers, and competitors not so easily hauled into US courts will happily sell encrypted products to them. Expect Apple to fight this with all the formidable resources available to a half Trillion dollar global entity.

    1. SHG Post author

      I don’t think you understood the “laws of physics” analogy. Courts weren’t enforcing the laws, but ruling against them. The word “enforce” can be tricky to the unwary. Make better sense now?

      1. st

        Certainly the courts can rule against the laws of physics. Two things are infinite: the universe and human stupidity; and there’s some question about the universe. The only tools available to courts are coercion and violence. Physics doesn’t care, doesn’t respond to threats or guns, and court rulings violating the laws of physics are null and void as far physical outcomes are concerned. Every time, no exceptions. Perhaps a detailed study of the oft-misrepresented tale of King Canute and the tides should be required for magistrates. Just kidding.

        Apple does care about the courts, as it employs people who can experience those unpleasant tools. But Apple is bound by ironclad laws of physics and economics. Like physics, court rulings cannot change the laws of economics.

        I get the point that Apple had been so ordered. King Canute so ordered, but he did so to demonstrate the limits of his power. A corporation that serves actual consumers answers to a higher power. Apple CEO Tim Cook seems to understand this fact, if his open letter is any indication.

  6. Corporate Tool

    The former prosecutor/Magistrate seems not to distinguish between a warrant for existing evidence and a Change Order to “reasonably” add new product features.

  7. Pingback: The Last Bite of Apple’s iPhone | Simple Justice

  8. Pingback: US v. Apple: The Government Seizes The Narrative (Update) | Simple Justice

Comments are closed.