Apple–FBI encryption dispute



The Apple–FBI encryption dispute concerns whether and to what extent courts in the United States can compel manufacturers to assist in unlocking cell phones whose data are cryptographically protected. There is much debate over public access to strong encryption.

In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789. Most of these seek to compel Apple "to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones running on operating systems iOS 7 and older" in order to assist in criminal investigations and prosecutions. A few requests, however, involve phones with more extensive security protections, which Apple has no current ability to break. These orders would compel Apple to write new software that would let the government bypass these devices' security and unlock the phones.

The most well-known instance of the latter category was a February 2016 court case in the United States District Court for the Central District of California. The Federal Bureau of Investigation (FBI) wanted Apple to create and electronically sign new software that would enable the FBI to unlock a work-issued iPhone 5C it recovered from one of the shooters who, in a December 2015 terrorist attack in San Bernardino, California, killed 14 people and injured 22. The two attackers later died in a shootout with police, having first destroyed their personal phones. The work phone was recovered intact but was locked with a four-digit passcode and was set to eliminate all its data after ten failed password attempts (a common anti-theft measure on smartphones). Apple declined to create the software, and a hearing was scheduled for March 22. However, a day before the hearing was supposed to happen, the government obtained a delay, saying it had found a third party able to assist in unlocking the iPhone. On March 28, the government claimed that the FBI had unlocked the iPhone and withdrew its request. In March 2018, the Los Angeles Times reported "the FBI eventually found that Farook's phone had information only about work and revealed nothing about the plot" but cited only government claims, not evidence.

In another case in Brooklyn, a magistrate judge ruled that the All Writs Act could not be used to compel Apple to unlock an iPhone. The government appealed the ruling, but then dropped the case on April 22, 2016, saying it had been given the correct passcode.

Background


In 1993, the National Security Agency (NSA) introduced the Clipper chip, an encryption device with an acknowledged backdoor for government access, that NSA proposed be used for phone encryption. The proposal touched off a public debate, known as the Crypto Wars, and the Clipper chip was never adopted.

It was revealed as a part of the 2013 mass surveillance disclosures by Edward Snowden that the NSA and the British Government Communications Headquarters (GCHQ) had access to the user data in iPhones, BlackBerry, and Android phones and could read almost all smartphone information, including SMS, location, emails, and notes. Additionally, the leak stated that Apple had been a part of the government's surveillance program since 2012, however, Apple per their spokesman at the time, "had never heard of it".

According to The New York Times, Apple developed new encryption methods for its iOS operating system, versions 8 and later, "so deep that Apple could no longer comply with government warrants asking for customer information to be extracted from devices." Throughout 2015, prosecutors advocated for the U.S. government to be able to compel decryption of iPhone contents.

In September 2015, Apple released a white paper detailing the security measures in its then-new iOS 9 operating system. iPhone models including the iPhone 5C can be protected by a four-digit PIN code. After more than ten incorrect attempts to unlock the phone with the wrong PIN, the contents of the phone will be rendered inaccessible by erasing the AES encryption key that protects its stored data. According to the Apple white paper, iOS includes a Device Firmware Upgrade (DFU) mode, and that "[r]estoring a device after it enters DFU mode returns it to a known good state with the certainty that only unmodified Apple-signed code is present."

Apple ordered to assist the FBI
The FBI recovered an Apple iPhone 5C—owned by the San Bernardino County, California government—that had been issued to its employee, Syed Rizwan Farook, one of the shooters involved in the December 2015 San Bernardino attack. The attack killed 14 people and seriously injured 22. The two attackers died four hours after the attack in a shootout with police, having previously destroyed their personal phones. Authorities were able to recover Farook's work phone, but could not unlock its four-digit passcode, and the phone was programmed to automatically delete all its data after ten failed password attempts.

On February 9, 2016, the FBI announced that it was unable to unlock the county-owned phone it recovered, due to its advanced security features, including encryption of user data. The FBI first asked the National Security Agency to break into the phone, but they were unable to since they only had knowledge of breaking into other devices that are commonly used by criminals, and not iPhones. As a result, the FBI asked Apple Inc. to create a new version of the phone's iOS operating system that could be installed and run in the phone's random access memory to disable certain security features that Apple refers to as "GovtOS". Apple declined due to its policy which required it to never undermine the security features of its products. The FBI responded by successfully applying to a United States magistrate judge, Sheri Pym, to issue a court order, mandating Apple to create and provide the requested software. The order was not a subpoena, but rather was issued under the All Writs Act of 1789. The court order, called In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate #5KGD203, was filed in the United States District Court for the Central District of California.

The use of the All Writs Act to compel Apple to write new software was unprecedented and, according to legal experts, it was likely to prompt "an epic fight pitting privacy against national security." It was also pointed out that the implications of the legal precedent that would be established by the success of this action against Apple would go far beyond issues of privacy.

Technical details of the order
The court order specified that Apple provide assistance to accomplish the following: The order also specifies that Apple's assistance may include providing software to the FBI that "will be coded by Apple with a unique identifier of the phone so that the [software] would only load and execute on the SUBJECT DEVICE"
 * 1) "it will bypass or disable the auto-erase function whether or not it has been enabled" (this user-configurable feature of iOS 8 automatically deletes keys needed to read encrypted data after ten consecutive incorrect attempts )
 * 2) "it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available"
 * 3) "it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware"

There has been much research and analysis of the technical issues presented in the case since the court order was made available to the public.

Apple's opposition to the order
The February 16, 2016 order issued by Magistrate Judge Pym gave Apple five days to apply for relief if Apple believed the order was "unreasonably burdensome". Apple announced its intent to oppose the order, citing the security risks that the creation of a backdoor would pose towards customers. It also stated that no government had ever asked for similar access. The company was given until February 26 to fully respond to the court order.

On the same day the order was issued, chief executive officer Tim Cook released an online statement to Apple customers, explaining the company's motives for opposing the court order. He also stated that while they respect the FBI, the request they made threatens data security by establishing a precedent that the U.S. government could use to force any technology company to create software that could undermine the security of its products. He said in part:

"The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand. This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake."

In response to the opposition, on February 19, the U.S. Department of Justice filed a new application urging a federal judge to compel Apple to comply with the order. The new application stated that the company could install the software on the phone in its own premises, and after the FBI had hacked the phone via remote connection, Apple could remove and destroy the software. Apple hired attorneys Ted Olson and Theodore J. Boutrous Jr. to fight the order on appeal.

The same day, Apple revealed that in early January it had discussed with the FBI four methods to access data in the iPhone, but, as was revealed by a footnote in the February 19 application to the court, one of the more promising methods was ruled out by a mistake during the investigation of the attack. After the shooter's phone had been recovered, the FBI asked San Bernardino County, the owner of the phone, to reset the password to the shooter's iCloud account in order to acquire data from the iCloud backup. However, this rendered the phone unable to backup recent data to iCloud, until the new iCloud password was entered. This however, requires the phone to be unlocked. This was confirmed by the U.S. Department of Justice, which then added that any backup would have been "insufficient" because they would not have been able to recover enough information from it.

Legal arguments
The government cited as precedent United States v. New York Telephone Co., in which the Supreme Court ruled in 1977 that the All Writs Act gave courts the power to demand reasonable technical assistance from the phone company in accessing phone calling records. Apple responded that New York Telephone was already collecting the data in question in the course of its business, something the Supreme Court took note of in its ruling. Apple also asserts that being compelled to write new software "amounts to compelled speech and viewpoint discrimination in violation of the First Amendment. ... What is to stop the government from demanding that Apple write code to turn on the microphone in aid of government surveillance, activate the video camera, surreptitiously record conversations, or turn on location services to track the phone's user?" Apple argued that the FBI had not made use of all of the government's tools, such as employing the resources of the NSA. A hearing on the case was scheduled for March 22, 2016.

San Bernardino County District Attorney Michael Ramos filed a brief stating the iPhone may contain evidence of a "lying dormant cyber pathogen" that could have been introduced into the San Bernardino County computer network,  as well as identification of a possible third gunman who was alleged to have been seen at the scene of the attack by eyewitnesses. The following day, Ramos told the Associated Press that he did not know whether the shooters had compromised the county's infrastructure, but the only way to know for sure was by gaining access to the iPhone. This statement has been criticized by cyber-security professionals as being improbable.

Tim Cook's statements
In an interview for a Time magazine cover story, Cook said that the issue is not "privacy versus security ... it's privacy and security or privacy and safety versus security." Cook also said, "[T]his is the golden age of surveillance that we live in. There is more information about all of us, so much more than ten years ago, or five years ago. It's everywhere. You are leaving digital footprints everywhere."

In a March 21, 2016, Apple press conference, Cook talked about the ongoing conflict with the FBI, saying, "[W]e have a responsibility to protect your data and your privacy. We will not shrink from this responsibility."

FBI withdrawal of request
On March 21, 2016, the government requested and was granted a delay, saying a third party had demonstrated a possible way to unlock the iPhone in question and the FBI needed more time to determine if it will work. On March 28, 2016, the FBI said it had unlocked the iPhone with the third party's help, and an anonymous official said that the hack's applications were limited; the Department of Justice withdrew the case. The lawyer for the FBI claimed that they were using the alleged extracted information to further investigate the case.

On April 7, 2016, FBI Director James Comey said that the tool used could only unlock an iPhone 5C like that used by the San Bernardino shooter as well as older iPhone models lacking the Touch ID sensor. Comey also confirmed that the tool was purchased from a third party but would not reveal the source, later indicating the tool cost more than $1.3 million and that they did not purchase the rights to technical details about how the tool functions. Although the FBI claimed they were able to use other technological means to access the cellphone data from the San Bernardino shooter's iPhone 5C, without the aid of Apple, law enforcement still expresses concern over the encryption controversy.

Some news outlets, citing anonymous sources, identified the third party as Israeli company Cellebrite. However, The Washington Post reported that, according to anonymous "people familiar with the matter", the FBI had instead paid "professional hackers" who used a zero-day vulnerability in the iPhone's software to bypass its ten-try limitation, and did not need Cellebrite's assistance. In April 2021, The Washington Post reported that the Australian company Azimuth Security, a white hat hacking firm, had been the one to help the FBI. In 2020, the New York Times reported that "new data reveals a twist to the encryption debate that undercuts both sides," with public records showing that at least 2,000 US law enforcement agencies had since acquired "tools to get into locked, encrypted phones and extract their data," mostly from Cellebrite and Grayshift.

Other All Writs Act cases involving iPhones
Apple had previously challenged the U.S. Department of Justice's authority to compel it to unlock an iPhone 5S in a drug case in the United States District Court for the Eastern District of New York in Brooklyn (In re Order Requiring Apple Inc. to Assist in the Execution of a Search Warrant Issued by the Court, case number 1:15-mc-01902 ), after the magistrate judge in the case, James Orenstein, requested Apple's position before issuing an order. On February 29, 2016, Judge Orenstein denied the government's request, saying the All Writs Act cannot be used to force a company to modify its products: "The implications of the government's position are so far-reaching – both in terms of what it would allow today and what it implies about Congressional intent in 1789 – as to produce impermissibly absurd results." Orenstein went on to criticize the government's stance, writing, "It would be absurd to posit that the authority the government sought was anything other than obnoxious to the law." The Justice Department appealed the ruling to District Court Judge Margot Brodie. Apple requested a delay while the FBI attempted to access the San Bernardino iPhone without Apple's help. On April 8, after the FBI succeeded, the Justice Department told the Brooklyn court it intended to press forward with its demand for assistance there, but on April 22, the government withdrew its request, telling the court "an individual" (the suspect, according to press reports) had provided the correct passcode.

In addition to the San Bernardino case and the Brooklyn case, Apple has received at least nine different requests from federal courts under the All Writs Act for iPhone or iPad products. Apple has objected to these requests. This fact was revealed by Apple in court filings in the Brooklyn case made at the request of the judge in that case. Most of these requests call upon Apple "to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones running on operating systems iOS7 and older" (as in the Brooklyn case), while others "involve phones with more extensive encryption, which Apple cannot break" and presumably seek to order Apple to "design new software to let the government circumvent the device's security protocols and unlock the phone" (as in the San Bernardino case).

Reactions
National reactions to Apple's opposition of the order were mixed. A CBS News poll that sampled 1,022 Americans found that 50% of the respondents supported the FBI's stance, while 45% supported Apple's stance. Also, 1,002 surveyed Americans who own smartphones were divided into two sides; 51% were against Apple's decision, while 38% supported their stance.

Support for Apple
The Reform Government Surveillance coalition, which includes major tech firms like Google, Microsoft, Facebook, Yahoo!, Twitter, and LinkedIn, has indicated its opposition to the order. By March 3, the deadline, a large number of amicus curiae briefs were filed with the court, with numerous technology firms supporting Apple's position, including a joint brief from Amazon.com, Box, Cisco Systems, Dropbox, Evernote, Facebook, Google, Lavabit, Microsoft, Mozilla, Nest Labs, Pinterest, Slack Technologies, Snapchat, WhatsApp, and Yahoo!. Briefs from the American Civil Liberties Union, the Electronic Frontier Foundation, Access Now, and the Center for Democracy and Technology also supported Apple.

The think tank Niskanen Center has suggested that the case is a door-in-the-face technique designed to gain eventual approval for encryption backdoors and is viewed as a revival of the Crypto Wars.

U.S. Representative Mike Honda, a Democrat who represented the Silicon Valley region, voiced his support for Apple.

On February 23, 2016, a series of pro-Apple protests organized by Fight for the Future were held outside of Apple's stores in over 40 locations.

Zeid Ra'ad al-Hussein, the United Nations High Commissioner for Human Rights, warned the FBI of the potential for "extremely damaging implications" on human rights and that they "risk unlocking a Pandora's box" through their investigation.

General Michael Hayden, former director of the NSA and the Central Intelligence Agency, in a March 7 interview with Maria Bartiromo on the Fox Business Network, supported Apple's position, noting that the CIA considers cyber-attacks the number one threat to U.S. security and saying that "this may be a case where we've got to give up some things in law enforcement and even counter terrorism in order to preserve this aspect, our cybersecurity."

Salihin Kondoker, whose wife was shot in the attack but survived, filed a friend of the court brief siding with Apple; his brief said that he "understand[s] that this software the government wants them to use will be used against millions of other innocent people. I share their fear."

Edward Snowden said that the FBI already has the technical means to unlock Apple's devices and said, "The global technological consensus is against the FBI."

McAfee founder and Libertarian Party presidential primary candidate John McAfee had publicly volunteered to decrypt the iPhone used by the San Bernardino shooters, avoiding the need for Apple to build a backdoor. He later indicated that the method he would employ, extracting the unique ID from inside the A7 processor chip, is difficult and risks permanently locking the phone, and that he was seeking publicity.

Ron Wyden, Democratic senator for Oregon and a noted privacy and encryption advocate, questioned the FBI's honesty concerning the contents of the phone. He said in a statement, "There are real questions about whether [the FBI] has been straight with the public on [the Apple case]."

Support for FBI
Some families of the victims and survivors of the attack indicated they would file a brief in support of the FBI.

The National Sheriffs' Association has suggested that Apple's stance is "putting profit over safety" and "has nothing to do with privacy." The Federal Law Enforcement Officers Association, the Association of Prosecuting Attorneys, and the National Sheriffs' Association filed a brief supporting the FBI.

"With Apple's privacy policy for the customers there is no way of getting into a phone without a person's master password. With this policy there will be no backdoor access on the phone for the law enforcement to access the person's private information. This has caused a great dispute between the FBI and Apple's encryption. Apple has closed this backdoor for the law enforcement because they believe that by creating this backdoor it would make it easier for law enforcement, and also make it easier for criminal hackers to gain access to people's personal data on their phone." Former FBI director James Comey says that "We are drifting to a place in this country where there will be zones that are beyond the reach of the law." He believes that this backdoor access is crucial to investigations, and without it many criminals will not be convicted.

Senator Dianne Feinstein of California, a Democrat and vice chairman of the Senate Intelligence Committee, has voiced her opposition to Apple. All candidates for the Republican nomination for the 2016 U.S. presidential election who had not dropped out of the race before February 19, 2016, supported the FBI's position, though several expressed concerns about adding backdoors to mobile phones.

On February 23, 2016, the Financial Times reported that Bill Gates, founder of Microsoft, has sided with the FBI in the case. However, Gates later said in an interview with Bloomberg News "that doesn't state my view on this." He added that he thought the right balance and safeguards need to be found in the courts and in Congress, and that the debate provoked by this case is valuable.

San Bernardino Police Chief Jarrod Burguan said in an interview:

"I'll be honest with you, I think that there is a reasonably good chance that there is nothing of any value on the phone. What we are hoping might be on the phone would be potential contacts that we would obviously want to talk to. This is an effort to leave no stone unturned in the investigation. [To] allow this phone to sit there and not make an effort to get the information or the data that may be inside of that phone is simply not fair to the victims and their families."

Manhattan District Attorney Cyrus Vance Jr., said that he wants Apple to unlock 175 iPhones that his office's Cyber-Crime Lab has been unable to access, adding, "Apple should be directed to be able to unlock its phones when there is a court order by an independent judge proving and demonstrating that there's relevant evidence on that phone necessary for an individual case."

FBI Director Comey, testifying before the House Judiciary Committee, compared Apple's iPhone security to a guard dog, saying, "We're asking Apple to take the vicious guard dog away and let us pick the lock."

Apple's iOS 8 and later have encryption mechanisms that make it difficult for the government to get through. Apple provided no backdoor for surveillance without the company's discretion. However, Comey stated that he did not want a backdoor method of surveillance and that "We want to use the front door, with clarity and transparency, and with clear guidance provided by law." He believes that special access is required in order to stop criminals such as "terrorists and child molesters".

Calls for compromise
Both 2016 Democratic presidential candidates&mdash;former Secretary of State Hillary Clinton and Senator Bernie Sanders&mdash;suggested some compromise should be found.

U.S. Defense Secretary Ashton Carter called for Silicon Valley and the federal government to work together. "We are squarely behind strong data security and strong encryption, no question about it," he said. Carter also added that he is "not a believer in back doors."

In an address to the 2016 South by Southwest conference on March 11, President Barack Obama stated that while he could not comment on the specific case, "You cannot take an absolutist view on [encryption]. If your view is strong encryption no matter what, and we can and should create black boxes, that does not strike the balance that we've lived with for 200 or 300 years. And it's fetishizing our phones above every other value. That can't be the right answer."

Proposed legislation
On April 13, 2016, U.S. Senators Richard Burr and Dianne Feinstein, the Republican Chair and senior Democrat on the Senate Intelligence Committee, respectively, released draft legislation that would authorize state and federal judges to order "any person who provides a product or method to facilitate a communication or the processing or storage of data" to provide data in intelligible form or technical assistance in unlocking encrypted data and that any such person who distributes software or devices must ensure they are capable of complying with such an order.

Freedom of Information Act lawsuit
In September 2016, the Associated Press, Vice Media, and Gannett (the owner of USA Today) filed a Freedom of Information Act (FOIA) lawsuit against the FBI, seeking to compel the agency to reveal who it hired to unlock Farook's iPhone, and how much was paid. On September 30, 2017, a federal court ruled against the media organizations and granted summary judgment in the government's favor. The court ruled that the company that hacked the iPhone and the amount paid to it by the FBI were national security secrets and "intelligence sources or methods" that are exempt from disclosure under FOIA; the court additionally ruled that the amount paid "reflects a confidential law enforcement technique or procedure" that also falls under a FOIA exemption.

Background
On August 31, 2016, Amy Hess, the FBI's Executive Assistant Director, raised concerns with the Office of Inspector General alleging there was a disagreement between units of the Operational Technology Division (OTD) of their capability to access Farook's iPhone; namely between the Cryptographic and Electronic Analysis Unit (CEAU) and the Remote Operations Unit (ROU). She also alleged that some OTD officials were indifferent to FBI leadership (herself included) giving possibly misleading testimony to Congress and in court orders that they had no such capability.

Findings
Ultimately, the Inspector General's March 2018 report found no evidence that the OTD had withheld knowledge of the ability to unlock Farook's iPhone at the time of Director Comey's congressional testimony of February 9 and March 1, 2016. However, the report also found that poor communication and coordination between the CEAU and ROU meant that "not all relevant personnel had been engaged at the outset".

The ROU Chief (named by Vice to be Eric Chuang) said he only became aware of the access problem after a February 11 meeting of the Digital Forensics and Analysis Section (DFAS) - of which the ROU is not a member. While the OTD directors were in frequent contact during the investigation, including discussions about Farook's iPhone, Asst. Dir. Stephen Richardson and the Chief of DFAS, John F. Bennett, believed at the time that a court order was their only alternative.

Chuang claimed the CEAU Chief didn't ask for their help due to a "line in the sand" against using classified security tools in domestic criminal cases. The CEAU Chief denied such a line existed and that not using classified techniques was merely a preference. Nevertheless, the perception of this line resulted in the ROU not getting involved until after John Bennett's February 11 meeting asking "anyone" in the bureau to help.

Once Chuang "got the word out", he soon learned that a trusted vendor was "almost 90 percent of the way" to a solution after "many months" of work and asked they prioritize its completion. The unnamed vendor came forward with their solution on March 16, 2016, and successfully demonstrated it to FBI leadership on March 20. The US Attorneys Office was informed the next day and they withdrew their court action against Apple on March 28.

When asked why the ROU was not involved earlier the Chief of Technical Surveillance Section (TSS), Eric Chuang's superior, initially said it was not in his "lane" and it was handled exclusively by the DFAS because "that is their mandate". He later claimed that Farook's phone was discussed from the outset but he did not instruct his unit chiefs to contact outside vendors until after February 11. In either event, neither he nor the ROU were asked to request help from their vendors until mid-February. By the time the Attorneys Office filed their February 16 court order, the ROU had only just begun contacting its vendors.

The CEAU Chief was unable to say with certainty that the ROU had been consulted beforehand and that the February 11th meeting was a final "mop-up" before a court action was filed. The CEAU's search for solutions within the FBI was undocumented and was handled informally by a senior engineer that the CEAU Chief personally trusted had checked with "everybody".

On the other hand, it's possible that Hess' asking questions is what prompted the February 11 "mop-up" meeting. During the CEAU's search Hess became concerned that she wasn't getting straight answers from the OTD and that unit chiefs didn't know the capabilities of the others. The Inspector General stated further:

"... the CEAU Chief may not have been interested in researching all possible solutions and instead focused only on unclassified techniques that could readily be disclosed in court that OTD and its partner agencies already had in-hand."

Both Hess and Chuang stated the CEAU Chief seemed not to want to use classified techniques and appeared to have an agenda in pursuing a favorable ruling against Apple. Chuang described the CEAU Chief as "definitely not happy" that they undermined his legal case against Apple and had vented his frustration with him.

Hess said the CEAU Chief wanted to use the case as a "poster child" to resolve the larger problem with encrypted devices known as the "Going Dark challenge". The challenge is defined by the FBI as "changes in technology [that] hinder law enforcement's ability to exercise investigative tools and follow critical leads". As The Los Angeles Times reported in March 2018, the FBI was unable to access data from 7,775 seized devices in their investigations. The unidentified method used to unlock Farook's phone - costing more than $1 million to obtain - quit working once Apple updated their operating system.

Conclusion
The Inspector General's report found that statements in the FBI's testimony before Congress were accurate but relied on assumptions that the OTD units were coordinating effectively from the beginning. They also believe the miscommunication delayed finding a technical solution to accessing Farook's iPhone. The FBI disputed this since the vendor had been working on the project independently "for some time". However, according to Chuang – whom described himself as a "relationship holder" for the vendor – they were not actively working to complete the solution and that it was moved to the "front burner" on his request; to which the TSS Chief agreed.

In response to the Inspector General's report, the FBI intended to add a new OTD section to consolidate resources to address the Going Dark problem and to improve coordination between units.