Cybersecurity

A law issued in 1789 may put your iPhone at risk

  • Reading time: 5 min
A law issued in 1789 may put your iPhone at risk

“We have even put that data out of our own reach- because we believe the contents of your iPhone are none of our business,” said Apple in a statement released in 2016. The company, that has been refusing orders from the Federal Bureau of Investigation (FBI) to unlock devices seems to be in a pickle.

In 2019, the FBI started investigating the case of Mohammed Saeed Alshamrani, a military trainee who killed three US sailors and wounded several others in a terror attack on a military base in Pensacola, Florida. Back then, Apple refused to break into his iPhone and claimed that the company provided every piece of information available to it, including iCloud backup, account information, and transactional data for multiple accounts.

On May 18, 2020, Attorney General William Barr and FBI director Christopher Wray had a press conference after they successfully broke into the iPhone – with no thanks to Apple according to Barr. FBI finds out that the gunman ties with Al Qaeda in the Arabian Peninsula (AQAP) began in 2015. Barr said that Apple’s decision has dangerous consequences for public safety and national security. “We are confident that technology companies are capable of building secure products that protect user information and at the same time, allow for law enforcement access when permitted by a judge,” he said. On the same day, Apple issued a statement saying that “There is no such thing as a backdoor just for the good guys, the American people do not have to choose between weakening encryption and effective investigations.”

In May 2020, Digital Trends requested a comment from Apple on the incidence as to whether this would force the company to rethink its encryption, or whether the average iPhone user should be concerned. But there was no response from the company.

In 2016, the FBI was investigating the case of Syed Rizwan Farook, the gunman of the San Bernardino, Calif., mass shooting. Farook is killed and the FBI has a warrant to access information on his phone but they can’t ask him for this unique decryption key and Apple doesn’t have it either. In March 2016, the FBI was able to crack his iPhone 5C running Apple’s iOS 9 mobile operating system.

There was no other way for the FBI to unlock the iPhone but to guess the code. However, Apple designed a security system that can wipe a phone’s data following too many incorrect guesses. The FBI asked Apple to write a workaround that turns this feature off. Apple refused. But the FBI found a way to hack the iPhone. “Apple has attempted to design and market its products to allow technology, rather than the law, to control access to data which has been found by this Court to be warranted for an important investigation,” the US attorneys said.

Federal officials refused to identify the person/organization that helped them crack the phone. This came as no surprise. According to The New York Times, Stewart A. Baker, a lawyer at Steptoe & Johnson and the Department of Homeland Security’s first assistant secretary for the  police said: “The method used is proprietary to the company that helped the FBI so it’s possible that the government won’t reveal the method that allowed them to crack the iPhone”.

Apple engineers have also begun developing new security measures that will make it impossible for the government to open an iPhone. Experts said that the government might have used different methods in order to unlock the iPhone. One of these methods is removing a chip and fooling it. This mechanism blocks password guessing, in order to find the user’s password and unlock the data. Another mechanism used by the government might be the NAND chip. This method could allow the FBI to replace the original NAND chip by another one that has a copy of the content. This procedure mirror’s the phone storage chip and copies it onto another chip.

What is really interesting is that a new iPhone has upgraded a chip known as the A7 with Secure Enclave, a security processor that has a unique numerical key which is essential to the security of information stored on the phone. This numerical key is not known to the company. Thus, new iPhones may be less susceptible to NAND-mirroring. But how was the FBI able to unlock Alshamarani’s iPhone?

In fact, the Silicon Valley company was ordered by a federal magistrate judge in California to help unlock the smartphone. Timothy D. Cook, Apple chief-executive opposed to the order via a public letter he published on February 16, 2016. “The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers,” he said.

Cook avowed that this order has implications far beyond the legal case at hand. “The US government is asking us to create a new version of IOS that bypasses security,” he said. This software does not exist today and if so, it would have the potential to unlock any iPhone in someone’s physical possession. The US government suggested that this tool can be used on one iPhone. But according to Cook, once created, this technique can be used to crack other iPhones.

What is more important, privacy or security? This is the FBI-Apple debate that would define the future of digital privacy.

In fact, the US government invoked the All Writs Act (AWA) signed by President Georges Washington in 1789. Courts have tended to use this law when there are extraordinary circumstances- which applies to cases such as Farook and Alshamrani. Under this law, federal judges have the power to issue orders to compel people to do things within the limits of the law.

The Communications Assistance for Law Enforcement Act (CALEA) already limits the ability of law enforcement agents to dictate design and software configurations. According to the Center for Internet and Society at Stanford Law School, CALEA applies to the manufacturer- Apple is the case- and providers of telecommunications services.  According to the Legal Information Institute at Cornell Law School, CALEA permits the strongest encryption deployed by a manufacturer under the section 1002 (b) (3): “A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer- unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication”. In fact, this act limits court orders written under the AWA.

Neil Richards, professor of law and a privacy law expert at Washington University in St. Louis pointed out that intermediaries’- Apple for example- decisions on our behalf directly affect our civil liberties, including our right to privacy. “Law enforcement demands would be unconstitutional in the physical world and few companies are courageously standing up for the rights of their users,” he said for “The Source”.

It’s completely understandable that the FBI is seeking criminals to Justice. But this might put the user’s privacy at risk. In fact, privacy is secured under the International Human Rights law as well as the EU’s General Data Protection Regulation (GDPR). Undoubtedly, the Apple and FBI dispute is opening a new debate on digital rights.

Tags: