ACLU Shows How the Apple-FBI Fight Was About Much More Than One Phone

Russell Brandom reports for The Verge: Apple's San Bernardino fight may be over, but the government is still seeking both Apple and Google's help in unlocking phones. New research from the American Civil Liberties Union shows 63 different cases in which the government compelled help from Apple or Google in unlocking a handset. It's unclear how many of the orders were filled, although companies often complied with such orders where possible before last year. The bulk of the cases target Apple, but nine of the orders also look to compel Google's help, typically to reset the password on a given device. The devices include phones from Alcatel, Kyocera, and Samsung, many of which shipped without the default device encryption that blocked the use of traditional forensic tools in the San Bernardino case.

Re:Question to fellow Slashdotters

[eam]

It is, in my opinion, acceptable for law enforcement to demand cooperation from third parties when that cooperation is limited to turning over data which the third parties have in their possession. So, for example, if Joe Smith backed up his criminal plans to Apple's servers, and Apple has access to those backups, then it would be reasonable for Apple to turn them over to law enforcement when law enforcement presents a court-issued warrant for the backups.

The San Bernardino case was different because Apple didn't actually have the data in its possession. What the FBI wanted was not the data, but instead they wanted Apple to crack the security on the phone. One reason that is different is because it harms Apple to even admit that the cracking is possible. Apple was not a conspirator. The government should not have the ability to harm a private company to solve a case that the company is not involved in.

Put another way, if someone used a motel room to plan a terrorist attack, it would be reasonable for law enforcement to demand, again through a warrant, that the motel manager unlock the room. However, it would not be reasonable for them to go to the company who made the locks the motel uses and insist that they provide a master key. Even if the FBI accidentally dropped the only key to the room down a sewer grate, it would still be unreasonable to have the lock manufacturer reduce the security of their product.

Of course, all of that is just my opinion (which is what you asked for).

Re:Question to fellow Slashdotters

[spire3661]

"If they are presented with a court-ordered warrant, they should cooperate to any extent possible."

GODDAMNIT NO! Not ANY extent. There are limits to what a court can ask. The court cannot ask for things that violate the Constitution. Warrants are not unlimited in scope in power, in fact they are supposed to very limited to enumerated specifics.

Re:WTF

[Frosty+Piss]

The FBI and city of San Bernadino both have a legal right to access the data, so why is it Apple's choice about if they will help them?

Sure, at the very least, San Bernardino has a "right" to the data on the phone. That is separate and different from saying that Apple is obligated to crack the phone for them.

By the way...

[Frosty+Piss]

Simply because the FBI says they "cracked an iPhone 5c does not mean they actually did. More likely is they did not but knew that they would lose the case and didn't want to set a precedence. They knew very well that in all likelihood, the iPhone contained nothing. The terrorists used burner phone which they destroyed, why would they use a work issued phone at all for anything but work?

Re:Ok, got it

[shawn2772]

The revelation that Apple and Google are both receiving many of these requests and have complied on some of them, reversing course only recently, is an important artifact in the narrative.

Note that this may not have been a choice by the companies. As I understand it (IANAL), if the company can comply and can't show any egregious harm that would be caused by compliance, they have to comply or be in contempt of court, and judges have extremely wide latitude in the penalties they can apply for contempt. So the change may have been that security improvements made it impossible for them to comply, or -- as Apple was arguing -- impossible to comply without egregious harm.

On the Google side, for example, one thing that changed was that Google removed the device admin and Android device manager features that allowed the password to be remotely reset. IIRC, the remote reset features were removed in Lollipop. In Marshmallow my team moved password verification into the trusted execution environment. The TEE app (called Gatekeeper) that manages password authentication does allow a "forcible" password change, where the old password is not provided, but higher layers don't offer any way to do this, and doing it will cause the TEE-based crypto keystore to permanently and irrevocably invalidate all authentication-bound keys. Such as the one used for device encryption. So a forcible reset doesn't let you in, it bricks the device (until factory reset).

Previously, device admins could remotely reset passwords so that enterprises could let users into their managed devices when they'd locked themselves out. No more. Now all the admin can do is wipe the device. Android device manager will still allow you to change the password remotely, but you have to provide the old one (and you have to have configured Android device manager on the device, and you have to be able to log into the Google account associated with the phone).

These changes were made to eliminate the potential for abuse by Google, rogue employees, etc. But they had the side effect of making it impossible for Google to comply with password reset requests.

(Disclosure/disclaimer: I'm a Google Android engineer. I work on the TEE-based password manager and crypto keystore. All of the above is publicly available information, however. I tried to avoid expressing any opinions, sticking only to facts. If you find an opinion, however, it's mine and not Google's.)