Does the FBI have to tell Apple how it cracked the iPhone? The answer is not straightforward, and is illustrative of the many problems surrounding encryption.
The many discontents of encryption
Encryption is a very important security measure and it is also a real pain. For one thing, once encrypted, devices have a shorter battery life, and transmit data at a slower speed. In order to encrypt a device, valuable real estate can be taken up by the security hardware. At AMREL, we are familiar with this challenge, because our customization services are often asked to add Trusted Platform Modules (TPM) to our computer platforms.
In addition, high-security encrypted devices create bizarre unforeseen consequences. Soldiers are sometimes ordered to use systems for which that they are not cleared. Repairmen often lack clearance, so a broken encrypted device must be disposed rather than fixed.
Apple vs. FBI
In the latest round of “Game of Phones,” another unforeseen consequence appears possible. After months of applying legal pressure to Apple, is it the FBI who will ironically be forced to yield up their secrets? Will they be forced to tell Apple how they did their hack?
How did the FBI crack the iPhone in the first place? Rumors have been circulating that the Israeli company Cellebrite Mobile Synchronization cracked the iPhone used in the San Bernardino terrorist shootings. That the FBI had to use an outside contractor to crack the iPhone is plausible. For one thing, there is a reason that the phrases “FBI” and “leading-edge technological capabilities” rarely appear together.
That an Israeli company did the hack is also believable, for that country has earned a reputation for expertise in encryption. Israel has developed these skills because its computer networks are under constant attacks. In addition, it has the highest number of programmers per capita of any country in the world. There is even a highly developed ancient tradition of cryptology and secret codes within Jewish mysticism.
Still any rumor in the Middle East has to be greeted with skepticism. I have met hackers who have valued reputation over the risk of legal retribution by falsely claiming exploits. The Cellebrite rumor appears to have some credibility. Around the time of the hack, it is a matter of official record that the FBI paid over $200,000 to this company. A lot of people seem to believe this rumor, because the shares of its parent company, Japan’s Sun Corporation, have risen 40% since March 2.
Our lips are sealed
The fact that it is likely that a private corporation was the one to hack the iPhone is significant in the issue of who tells what to whom. Supposedly, the government is bound to inform companies of vulnerabilities in their encrypted systems, as determined by something called the “Vulnerabilities Equities Process” (VEP).
The VEP was developed in a thoroughly transparent process and actively shared with the public by the administration. Just kidding. Everything about the VEP is opaque. The Electronic Freedom Foundation (EFF) had to sue under the Freedom Information Act to get a highly redacted version of the VEP, which can be viewed here. The EFF is not impressed with this document. Judging by information about government actions as revealed by the Snowden leaks, the EFF has dubbed the VEP as “…so much vaporware.”
The weird world of administrative law
Or is it? Just how meaningful is the VEP? IF Apple could persuade a court that according to VEP, the government has to reveal the vulnerabilities of their encryption, would the administration have to follow their own rules? The VEP belongs to that surreal realm of “administrative law.” Congress didn’t pass it. By and large, it’s not determined by court rulings or precedent. It’s just something that a bunch of administrative agencies made up.
I called a lawyer who has more than fifty years of experience of using the law to annoy the government. I asked, “Do government agencies have to follow their own made-up rules?” Her answer was a definitive, absolute, unqualified “Maybe.” In addition, she said that whatever decision is made by the courts, it will be “political.”
“It is a tale told by an idiot, full of sound and fury signifying nothing”
It is extremely unlikely a court will determine if the VEP applies or not. The fact that a private party (Cellebrite) probably hacked the iPhone is significant, because the VEP does not apply to private parties. The VEP only applies to vulnerabilities discovered directly by government agencies themselves.
Furthermore, according to the Washington Post, “FBI Director James B. Comey has said that the solution works only on iPhone 5Cs running the iOS 9 operating system — what he calls a ‘narrow slice’ of phones. Apple said last week that it would not sue the government to gain access to the solution.”
So after months of the FBI pressuring Apple to hack its own iPhone, it withdraws from the case, and says never mind. After months of declaring that the iPhone hack will endanger all iPhones, Apple has similarly dismissed its efforts to force the FBI to reveal its secrets. Some have suggested that the “narrow slice” description is accurate and Apple is not truly worried about the security of its future platforms.
The one thing that is clear from all this brouhaha is that our legal structure is completely inadequate for dealing with issues raised by new technologies. In the original court case, the FBI sued Apple on the basis of a law written in 1789.
In the meantime, I have a sinking feeling that the privacy of the average user was not a great concern in this latest round of legal wrangling. As Elliot Hannon wrote in Slate, “We’re all digital piñatas really.”