Apple vs FBI - The Basics, Explained By @BobGourley | @CloudExpo #Cloud

An update on the ongoing battle between Apple and the U.S. government regarding Syed Rizwan Farook's iPhone

#AppleVsFBI – #FBIVsApple – The Basics, Explained, with Links to Original Documents

This post provides an update on the ongoing battle between Apple and the U.S. government regarding Syed Rizwan Farook's iPhone, recovered by police after the horrific massacre in San Bernardino on December 2, 2015.

It is just days before the March 22, 2016, hearing in this long-running, highly publicized dispute between the FBI and Apple. The FBI’s demands of Apple have been variously described as a “jailbreak,” putting in a backdoor, brute-force access, compromising security, or any number of other terms, in the case officially known as In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203. It is a good time, among all the massive press coverage and legal wrangling, to get back to some of the basics of the legal proceedings.

On February 9, 2016, FBI Director James Comey announced that the FBI was unable to unlock the iPhone and requested Apple's help. Apple concluded it could not help to the extent required to access the phone data. After attempts to resolve the matter out of court, Apple was ordered by U.S. Magistrate (Central District of California) Sheri Pym on Feb. 16 to assist the FBI in accessing Farook’s iPhone. On Feb. 25, Apple filed a motion to have the court vacate the order. Apple’s motion to vacate is supported by a who’s who of the security and tech law fields, in the form of amicus briefs filed last week by numerous influential individuals, companies and NGOs.

General overview of the law
Technology companies have obligations under (and subject to the conditions of) U.S. law to produce data in their possession related to criminal proceedings. However, there are statutory provisions (known as the All Writs Act) that put limits on those obligations. Apple argues in its motion, as do the many tech and public interest organizations that have filed friend-of-the-court briefs in this case, that the FBI is exceeding the statutory limits in its request that Apple help the FBI gain access to the potentially relevant data that may be stored on the San Bernardino killer’s phone.

In essence, Apple and friends argue, the government’s demands in this case exceed the intent of the All Writs Act. Apple and its supporters also contend that the government’s request violates the constitutional rights of Apple. Which specific constitutional rights are asserted to be violated differs somewhat among the briefs, and there hasn’t been time to review and inventory the arguments of all briefs.

Below is an outline of the law under which the Government has obtained an order to compel Apple to “unlock” Farook’s iPhone, and Apple’s defense to that Order.

The order

All Writs Act
The order at issue in this case was made pursuant to the All Writs Act, 28 U.S.C. § 1651 (“AWA”). The AWA says that a court may issue “all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” Basically, this law has great latitude in its application, and thus has the potential for abuse. That is, it has vast potential to be used to issue writs (orders) that are not “appropriate in aid of their respective jurisdictions” or “agreeable to the usages and principles of law.”

As pointed out in the amicus brief of 32 Law Professors (in support of Apple), “the AWA tasked the federal courts with a role that was ‘somewhat constrained.’ This provision should not be construed so broadly as to essentially endow courts with legislative authority. Nor should it be used to give the district court a ‘roving commission’ to enlist third parties into law enforcement.” The professors’ amicus brief (as well as Apple’s and many others) argues that such overreaching is what the court would do if it does not vacate the order.

Specific demands of the Order
The court’s order requires Apple to perform a very specific and extensive set of tasks. By way of example, the first two parts of the order are the following:

  1. Apple shall assist in enabling the search of a cellular telephone, Apple make: iPhone 5C, Model: A1532, on the Verizon Network, (the “SUBJECT DEVICE”) pursuant to a warrant of this Court by providing reasonable technical assistance to assist law enforcement agents in obtaining access to the data on the SUBJECT DEVICE.
  2. Apple's reasonable technical assistance shall accomplish the following three important functions: (1) it will bypass or disable the auto-erase function whether or not it has been enabled; (2) it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT DEVICE; and (3) it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.

Those first two specific orders—and the remaining five—go beyond mere technical assistance. The court order is in essence a work order requiring Apple to perform specific deliverables.

Motion to Vacate and supporting arguments of Apple and Amici
In its Motion to Vacate, Apple objects to these directives because it believes them to be unreasonable (and thus outside the court’s powers under the AWA) and because no other views on “reasonableness” (in particular, Apple’s) were considered by the court in making its “reasonableness” determination. Apple begins by arguing that “[T]he software envisioned by the government simply does not exist today.”

The Table of Contents of Apple’s motion to vacate goes on to very clearly outline Apple’s argument for why the order should be vacated. That is, the Motion to Vacate explains in great detail why Apple believes the order requires Apple to provide unreasonable assistance and thus runs afoul of the AWA. In addition to exceeding the scope of the AWA, the order, if not vacated, would, Apple further argues, violate Apple’s constitutional rights to free speech and due process.

Apple’s Motion to Vacate the order compelling it to assist the FBI makes the following arguments. Apple’s own words, as crafted in its Motion to Vacate, are clearer than any third-party summation (such as mine).

  1. The All Writs Act Does Not Provide A Basis To Conscript Apple To Create Software Enabling The Government To Hack Into iPhones. [because]
    1. The All Writs Act Does Not Grant Authority To Compel Assistance Where Congress Has Considered But Chosen Not To Confer Such Authority
    2. The All Writs Act Does Not Authorize Courts To Compel The Unprecedented And Unreasonably Burdensome Conscription Of Apple That The Government Seeks
      1. Apple’s Connection To The Underlying Case Is “Far Removed” And Too Attenuated To Compel Its Assistance
      2. The Order Requested By The Government Would Impose An Unprecedented And Oppressive Burden On Apple And Citizens Who Use The iPhone
      3. The Government Has Not Demonstrated Apple’s Assistance Was Necessary To Effectuating The Warrant.
    3. Other Cases The Government Cites Do Not Support The Type Of Compelled Action Sought Here.
  2. The Order Would Violate The First Amendment And The Fifth Amendment’s Due Process Clause
    1. The First Amendment Prohibits The Government From Compelling Apple To Create Code
    2. The Fifth Amendment’s Due Process Clause Prohibits The Government From Compelling Apple To Create The Requested Code

That, in essence, is the core of In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203.

Of course, many other issues are raised in the amicus filings, and there are additional related filings that are relevant to this matter, such as ongoing proceedings in a similar case in Brooklyn, New York, and a recently released report of the Congressional Research Service that covers the California proceeding (as well as analogous actions if an individual owner of the data/phone is being compelled to provide law enforcement). I summarize that report here. There is no paucity of widely available information about this case on the Internet. When in doubt, it is best to stick to the original documents such as those I have linked in this article.

Apple’s request to vacate the order will be heard on March 22, 2016.

The following are the Amicus Briefs in Support of Apple

  • 32 Law Professors
  • Access Now and Wickr Foundation
  • ACT/The App Association
  • Airbnb, Atlassian, Automattic, CloudFlare, eBay, GitHub, Kickstarter, LinkedIn, Mapbox, Medium, Meetup, Reddit, Square, Squarespace, Twilio, Twitter and Wickr
  • Amazon, Box, Cisco, Dropbox, Evernote, Facebook, Google, Microsoft, Mozilla, Nest, Pinterest, Slack, Snapchat, WhatsApp, and Yahoo
  • American Civil Liberties Union, ACLU of Northern California, ACLU of Southern California, and ACLU of San Diego and Imperial Counties
  • AT&T
  • AVG Technologies, Data Foundry, Golden Frog, the Computer & Communications Industry Association (CCIA), the Internet Association, and the Internet Infrastructure Coalition
  • BSA | The Software Alliance, the Consumer Technology Association, the Information Technology Industry Council, and TechNet
  • Center for Democracy & Technology
  • Electronic Frontier Foundation and 46 technologists, researchers, and cryptographers
  • Electronic Privacy Information Center (EPIC) and eight consumer privacy organizations
  • Intel
  • iPhone security and applied cryptography experts including Dino Dai Zovi, Dan Boneh (Stanford), Charlie Miller, Dr. Hovav Shacham (UC San Diego), Bruce Schneier (Harvard), Dan Wallach (Rice) and Jonathan Zdziarski
  • Lavabit
  • The Media Institute
  • Privacy International and Human Rights Watch

Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com
