Slashdot Mirror


ACLU Shows How the Apple-FBI Fight Was About Much More Than One Phone (theverge.com)

Russell Brandom reports for The Verge: Apple's San Bernardino fight may be over, but the government is still seeking both Apple and Google's help in unlocking phones. New research from the American Civil Liberties Union shows 63 different cases in which the government compelled help from Apple or Google in unlocking a handset. It's unclear how many of the orders were filled, although companies often complied with such orders where possible before last year. The bulk of the cases target Apple, but nine of the orders also look to compel Google's help, typically to reset the password on a given device. The devices include phones from Alcatel, Kyocera, and Samsung, many of which shipped without the default device encryption that blocked the use of traditional forensic tools in the San Bernardino case.

20 of 155 comments

  1. WTF by Hentes · · Score: 3, Insightful

    So Apple complied with the requests in drug cases but started a big fight over a terrorist? Did they change their policy or is there a technical difference between the cases?

    1. Re:WTF by Space+cowboy · · Score: 3, Funny

      If you believe *anything* in the Daily Mail, I have a Loch Ness Monster to sell you.

      Actually, given the readership of the Daily Mail, this could be the missing link!

      Step 1: Locate Daily Mail reader
      Step 2: "Sell" Daily Mail reader the Loch Ness monster. <---- This is the new bit!
      Step 3: Profit!

      --
      Physicists get Hadrons!
    2. Re:WTF by Frosty+Piss · · Score: 4, Insightful

      The FBI and city of San Bernardino both have a legal right to access the data, so why is it Apple's choice about if they will help them?

      Sure, at the very least, San Bernardino has a "right" to the data on the phone. That is separate and different from saying that Apple is obligated to crack the phone for them.

      --
      If you want news from today, you have to come back tomorrow.
  2. Re:Ok, got it by tripleevenfall · · Score: 3, Insightful

    The revelation that Apple and Google are both receiving many of these requests and have complied on some of them, reversing course only recently, is an important artifact in the narrative.

  3. Re:Question to fellow Slashdotters by Dutch+Gun · · Score: 3, Insightful

    The "San Bernardino" case was different because the FBI was trying to compel Apple to write new software to assist them in breaking their own phone. Apple had been cooperating with the FBI up until that point, including providing them with a copy of the phone's backed up data from several weeks prior. I don't believe the government should be able to compel someone to write code against their will.

    Generally speaking, I have no problems with law enforcement requesting assistance in accessing encrypted data, but keep in mind this whole push for encryption on consumer devices and on the web in general partly came about because the government was caught spying on its citizens. As such, I take a pretty dim view of this same government and their rumblings about wanting to require a back door (and they just *hate* that term) in all encrypted products, because they've demonstrated they can't be trusted with that sort of responsibility. Not only have they demonstrated an absolute willingness to snoop on absolutely everyone, they also have a pretty poor track record in keeping secret data secure. How many breaches shall I cite? How long before foreign governments *cough China* have access to those universal keys as well?

    --
    Irony: Agile development has too much intertia to be abandoned now.
  4. Re:Question to fellow Slashdotters by eam · · Score: 4, Insightful

    It is, in my opinion, acceptable for law enforcement to demand cooperation from third parties when that cooperation is limited to turning over data which the third parties have in their possession. So, for example, if Joe Smith backed up his criminal plans to Apple's servers, and Apple has access to those backups, then it would be reasonable for Apple to turn them over to law enforcement when law enforcement presents a court-issued warrant for the backups.

    The San Bernardino case was different because Apple didn't actually have the data in its possession. What the FBI wanted was not the data, but instead they wanted Apple to crack the security on the phone. One reason that is different is because it harms Apple to even admit that the cracking is possible. Apple was not a conspirator. The government should not have the ability to harm a private company to solve a case that the company is not involved in.

    Put another way, if someone used a motel room to plan a terrorist attack, it would be reasonable for law enforcement to demand, again through a warrant, that the motel manager unlock the room. However, it would not be reasonable for them to go to the company who made the locks the motel uses and insist that they provide a master key. Even if the FBI accidentally dropped the only key to the room down a sewer grate, it would still be unreasonable to have the lock manufacturer reduce the security of their product.

    Of course, all of that is just my opinion (which is what you asked for).

  5. Re:Freedom OF Religion includes freedom FROM relig by Coren22 · · Score: 3, Insightful

    The first amendment guarantees everyone the freedom to practice their religion. It does not guarantee that you will not witness others' practicing of their religion.

    http://www.washingtontimes.com...

    I guess the example I was thinking about doesn't involve the ACLU...however, I have seen previous examples where the ACLU sought to prevent others from exercising their religion because they didn't like it, not because somehow the state was involved.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  6. Re:Question to fellow Slashdotters by Qzukk · · Score: 3, Insightful

    Yes, when the party in question has the key to the encryption, it is acceptable for the FBI to subpoena the party in question to provide the key. As part of due process the party in question can then attempt to quash the subpoena if it has grounds to do so.

    This is different than "write a new operating system and install it on this phone so that we can access the data without having the key" (or, if you consider the lavabit case: "rewrite your application to collect the user's key so that we can subpoena it from you" or from the traditional safe perspective "invent a new drill that can drill into your drill-proof safe"). What I want to know is whether the FBI was even planning on paying Apple for their work in developing a new operating system or were they just expecting Apple to slave away for them for free?

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  7. Re:Question to fellow Slashdotters by Qzukk · · Score: 3, Informative

    "FBI Admits It Urged Change Of Apple ID Password For Terrorist’s iPhone"

    http://www.buzzfeed.com/johnpa...

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  8. Re:Question to fellow Slashdotters by spire3661 · · Score: 5, Insightful

    "If they are presented with a court-ordered warrant, they should cooperate to any extent possible."

    GODDAMNIT NO! Not ANY extent. There are limits to what a court can ask. The court cannot ask for things that violate the Constitution. Warrants are not unlimited in scope in power, in fact they are supposed to be very limited to enumerated specifics.

    --
    Good-bye
  9. Re: Freedom OF Religion includes freedom FROM reli by jmac_the_man · · Score: 2

    Freedom OF religion includes freedom FROM religion... [I]f you dissolve the separation of Church and State, don't count on it being your sect in charge.

    None of the three things you quoted ("Freedom OF religion," "Freedom FROM religion," or "separation of Church and State") are actually law or in the Constitution or anything like that.

    The First Amendment ACTUALLY says "Congress shall make no law respecting the establishment of a religion or prohibiting the free exercise thereof..."

    You don't get to demand that the government use its force to suppress religious practices that you don't like any more than you get to demand that they suppress speech or printed opinions that you don't like. "Freedom from religion," "Freedom of worship," and similar slogans are intended to trick people into thinking that exercising religious liberty is something you can only do in your house of worship. It's not. The government is expressly prohibited from interfering with The People living a life guided by the tenets of their religion. Even in scenarios where the government disagrees.

  10. Re:Ok, got it by Quzak · · Score: 2

    I remember downloading porn on an old 9600 baud modem back in the early 90s. Then the savior came in the form of the 14.4 modem and we ushered in a new era of porn. No longer did we wait hours for our porn to download, we only had to wait 30 minutes. In the time of watching a tv show, you could have a single porn image. Now with even greater advances in download speeds, you can have millions of porn images delivered per second. Kids these days have it so easy!

    --
    Support your local school shooter, give them your firearms.
  11. Re:Question to fellow Slashdotters by Dutch+Gun · · Score: 2

    I already stated: "I have no problems with law enforcement requesting assistance in accessing encrypted data". In particular, is it acceptable to demand cooperation through the courts? Sure: that's at the heart of the All Writs Act. But I feel that in this case Apple was within its right to argue with the court that this was too far a stretch for existing legal precedent, for reasons I already stated.

    I don't believe for a minute that Apple is some saint (I don't even own an iPhone), but that doesn't mean they're not right in this case. Nor should the relationship China has with its citizens and relevant laws thereof affect our relationship with our own government. There are plenty of oppressive regimes around the world, after all. If anything, I believe it serves as a prudent warning as to what could easily happen when a government gains too much power over its citizenry. Perhaps Apple understands that better than most, having dealt with the Chinese government first-hand.

    As for two cases of high-profile government-related data breaches, let's just go with the two big ones:
    1) Disclosure of NSA's national surveillance program in the US, thanks to Edward Snowden's leaks. Had he wished, he could have leaked much more damaging information to US interests, but has chosen not to.
    2) Massive data breach at the Office of Personnel Management. Over 21 million people's personal data was compromised, including biometric data, security clearances, logins and passwords, etc.

    --
    Irony: Agile development has too much intertia to be abandoned now.
  12. By the way... by Frosty+Piss · · Score: 4, Interesting

    Simply because the FBI says they "cracked" an iPhone 5c does not mean they actually did. More likely is they did not but knew that they would lose the case and didn't want to set a precedent. They knew very well that in all likelihood, the iPhone contained nothing. The terrorists used burner phones which they destroyed, why would they use a work issued phone at all for anything but work?

    --
    If you want news from today, you have to come back tomorrow.
  13. Re: Ok, got it by Namarrgon · · Score: 3, Insightful

    How many of those prior cases demanded that the vendor create a customised "FBiOS" to bypass all protections, and how many involved a much more limited order to provide the password to unlock one specific phone?

    I think you'll find the change in tune is more about what they're now being ordered to do. Consider also that Apple and Google created these encryption features in part to avoid the burden of the increasing number of unlock requests.

    --
    Why would anyone engrave "Elbereth"?
  14. Re:Question to fellow Slashdotters by Qzukk · · Score: 2

    You seem to overstate the complexity of the task required here

    I don't believe so. There are two steps here:

    1: Build an OS that allows access to the data without knowing the key. For this particular phone this isn't that hard, since it doesn't have the secure enclave. The only thing that has to be done is to remove the timeout/lock after failing to enter the PIN so the FBI can enter all 10000 combinations from 0-0-0-0 to 9-9-9-9 and hope that the guy didn't use a longer PIN.

    2: Install this OS onto a locked phone that can no longer sync because the Apple ID password was changed.

    Just like building the Taj Mahal in two steps: Step 1: Place a brick on the ground. Step 2: build the Taj Mahal.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  15. Re:Question to fellow Slashdotters by tlhIngan · · Score: 2

    It's still very much constitutional for a judge to issue a warrant to search my home given probable cause. Now if Apple hasn't made their walled garden, and done just about everything they could to stop people from jail breaking phone then I'd agree with you. But the way Apple has behaved in regards to their phone they try to play the game of Land Lord, and in that case this is no different than a land lord being issued a warrant to have the home searched of a murder suspect. Now if you're going to insist that it's "unconstitutional" you're going to need to quote chapter and verse with a given argument. Otherwise it's the same old "unconstitutional" claim whenever something is done that one side or the other doesn't like. It's unconstitutional to propose a constitutional amendment to the 14th amendment. It's unconstitutional for any law you don't like, and that's all this argument has ever been.

    Apple did not get a warrant to build the software. A warrant demands information that exists. Apple got a warrant for information Apple had stored for the phone - i.e., iTunes purchase history, iCloud data, including backups, etc, which they complied with fully.

    The FBI had the courts do an ex-parte (the affected party is not part of the proceedings, i.e., Apple's presence wasn't requested or required) ruling to use the All Writs Act to create a writ on Apple - Apple is to create the software.

    That's the request - Apple must create the software. Apple was not part of the proceedings (they were not required to be, and probably didn't even know about it). All Apple got one day was a court order forcing them to create the software.

    Yes, Apple had no say in this - the feds came knocking and said "create this piece of software". Apple objected, and per their rights, sought a motion to vacate the order. And that's where this whole case blew up - Apple was ordered to create the software, Apple didn't want to, and was exercising their legal rights. Now what happened was the FBI withdrew their request that Apple create the software.

    Using your example, say the murderer used some special kind of lock that is unpickable. They have a warrant to search the premises but can't get through the lock. So what the FBI did was use the courts to force the lock maker to create a key for them - the lock maker was not a part of the court case, it just got the request that said "you must create a key to unlock this lock".

  16. Re:Ok, got it by shawn2772 · · Score: 5, Informative

    The revelation that Apple and Google are both receiving many of these requests and have complied on some of them, reversing course only recently, is an important artifact in the narrative.

    Note that this may not have been a choice by the companies. As I understand it (IANAL), if the company can comply and can't show any egregious harm that would be caused by compliance, they have to comply or be in contempt of court, and judges have extremely wide latitude in the penalties they can apply for contempt. So the change may have been that security improvements made it impossible for them to comply, or -- as Apple was arguing -- impossible to comply without egregious harm.

    On the Google side, for example, one thing that changed was that Google removed the device admin and Android device manager features that allowed the password to be remotely reset. IIRC, the remote reset features were removed in Lollipop. In Marshmallow my team moved password verification into the trusted execution environment. The TEE app (called Gatekeeper) that manages password authentication does allow a "forcible" password change, where the old password is not provided, but higher layers don't offer any way to do this, and doing it will cause the TEE-based crypto keystore to permanently and irrevocably invalidate all authentication-bound keys. Such as the one used for device encryption. So a forcible reset doesn't let you in, it bricks the device (until factory reset).

    Previously, device admins could remotely reset passwords so that enterprises could let users into their managed devices when they'd locked themselves out. No more. Now all the admin can do is wipe the device. Android device manager will still allow you to change the password remotely, but you have to provide the old one (and you have to have configured Android device manager on the device, and you have to be able to log into the Google account associated with the phone).

    These changes were made to eliminate the potential for abuse by Google, rogue employees, etc. But they had the side effect of making it impossible for Google to comply with password reset requests.

    (Disclosure/disclaimer: I'm a Google Android engineer. I work on the TEE-based password manager and crypto keystore. All of the above is publicly available information, however. I tried to avoid expressing any opinions, sticking only to facts. If you find an opinion, however, it's mine and not Google's.)
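A simplified model of the behaviour the comment above describes, added here as an illustration; it is not part of the comment and is not Android or Google code. The class names and the `secure_id` field are hypothetical stand-ins for state the TEE keeps internally, and the passwords are constructed samples.

```python
import hashlib
import hmac
import os


class ToyGatekeeper:
    """Toy stand-in for the TEE password authenticator (not Android code)."""
    def __init__(self):
        self._salt = b""
        self._verifier = None
        self.secure_id = None  # hypothetical: identity that auth-bound keys are tied to

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def verify(self, password):
        if self._verifier is None:
            return False
        return hmac.compare_digest(self._derive(password, self._salt), self._verifier)

    def enroll(self, new_password, old_password=None):
        if old_password is not None:
            if not self.verify(old_password):
                raise PermissionError("old password rejected")
        else:
            # First enrollment or forcible change: mint a fresh identity.
            self.secure_id = os.urandom(8)
        self._salt = os.urandom(16)
        self._verifier = self._derive(new_password, self._salt)


class ToyKeystore:
    """Toy keystore that releases a key only to the identity it was bound to."""
    def __init__(self, gatekeeper):
        self._gk = gatekeeper
        self._keys = {}  # alias -> (secure_id at creation, key bytes)

    def generate_auth_bound_key(self, alias):
        self._keys[alias] = (self._gk.secure_id, os.urandom(32))

    def use_key(self, alias, password):
        bound_id, key = self._keys[alias]
        if bound_id != self._gk.secure_id:
            del self._keys[alias]  # invalidation is permanent
            raise KeyError(f"{alias}: invalidated by forcible password change")
        if not self._gk.verify(password):
            raise PermissionError("authentication failed")
        return key


def demo():
    gk = ToyGatekeeper()
    gk.enroll("1234")                        # constructed sample passwords
    ks = ToyKeystore(gk)
    ks.generate_auth_bound_key("disk")
    original = ks.use_key("disk", "1234")
    gk.enroll("5678", old_password="1234")   # normal change: old password supplied
    survived = ks.use_key("disk", "5678") == original
    gk.enroll("0000")                        # forcible change: no old password
    try:
        ks.use_key("disk", "0000")
    except KeyError:
        return survived, False               # new password works, key does not
    return survived, True
```

In the model, the forcible change itself succeeds and the new password verifies, but the key standing in for device encryption is gone, which is why such a reset does not grant access to the data.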

  17. Re:F the ACLU until they defend the 2nd amendment by pauljlucas · · Score: 2

    The ACLU believes no such thing. However, they do believe that no religious practice should in any way have anything to do with the government. Sorry if you don't get the distinction.

    --
    If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
  18. Re:Question to fellow Slashdotters by Anubis+IV · · Score: 2

    Due process. The Constitution is pretty clear. [...] If they are presented with a court-ordered warrant, they should cooperate to any extent possible. [...] Frankly, it's repulsive that Apple thinks it doesn't have to comply with a lawful warrant

    You seem to be woefully ignorant of a few important facts:
    1) Contrary to your statement, Apple complied with the warrants that were issued, turning over all of the data that they had on the suspects under investigation, and they even provided engineers to assist the FBI in applying known techniques to recover data the FBI had but was unable to access.

    2) As you likely know, warrants have limits. If a cop is on his way to serving a warrant at a drug den, he can't conscript pedestrians he passes on the street to assist him in serving the warrant. Warrants don't work like that. They can't compel assistance from third-parties. All they can do is compel you to turn over something in your possession, but Apple never had the iPhone's data, nor a means to access it, so a warrant cannot demand those from Apple.

    3) The government is using a writ to compel Apple in this case. Writs are not Constitutionally-enshrined, and they're typically just used to fill procedural holes, but they actually can be used to compel action, provided the writ doesn't contradict other laws. That fact is laid out plainly in the 1789 All Writs Act that established them in modern American law. Unfortunately for the government, there's a law on the books (see: CALEA) that explicitly denies the government the right to demand that telecommunication device manufacturers modify hardware or software in response to a request of this nature (see section 1002).

    4) If the whole point of due process is that both sides get to have their day in court, then due process never occurred here. This writ was issued ex parte, that is, at a hearing where Apple was explicitly excluded. Really, you could say that due process only began when Apple filed its appeal.

    5) A warrant gives the government the right to violate your right to be secure in your person and papers, but because we're presumed innocent until proven guilty, if there's a question regarding the legality of a court order (and there aren't extenuating circumstances, of course), it's better to sort those questions out before someone's rights may have been unlawfully violated. This is particularly true if the government is testing out a new legal theory that is not widely accepted (e.g. it was shot down just a few weeks prior at a similar case in New York) but that they are trying to get established as precedent. Especially so when the precedent would have wide-ranging effects across an entire society.

    6) As others pointed out, no, you are not required (legally or otherwise) to cooperate to any extent possible. We are not slaves to the government. When the government inevitably oversteps its bounds it's our obligation to take steps to ensure that the government is restored to its rightful place. How you choose to fulfill that obligation is left to you, but the four boxes are the typical means by which we do so.