Welcome!

Cloud Security Authors: Elizabeth White, Zakia Bouachraoui, Pat Romanski, Yeshim Deniz, Liz McMillan

Related Topics: @CloudExpo, Mobile IoT, Cloud Security

@CloudExpo: Blog Post

Apple vs FBI - The Basics, Explained By @BobGourley | @CloudExpo #Cloud

An update on the ongoing battle between Apple and the U.S. government regarding Syed Rizwan Farook's iPhone

#AppleVsFBI – #FBIVsApple – The Basics, Explained, with Links to Original Documents

This post provides an update on the ongoing battle between Apple and the  U.S. government regarding Syed Rizwan Farook's iPhone, recovered by police after the horrific massacre in San Bernadino on December 2, 2015.

It is just days before the March 22, 2016, hearing in this long-running, highly publicized dispute between the FBI and Apple, with the FBI’s demands of Apple being variously termed “jailbreak,” put a backdoor into, brute force access, compromise security of, or any number of other descriptors, in the case officially known as In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203. It is a good time, among all the massive press coverage and legal wrangling, to get back to some of the basics of the legal proceedings.

On February 9, 2016, FBI Director James Comey announced that the FBI was unable to unlock the iPhone and requests Apple to help. Apple concluded it could not help to the extent required to access the phone data. After attempting to resolve the matter out of court, Apple was ordered by U.S. Magistrate (Central District of California) Sheri Pym on Feb. 16 to assist the FBI in accessing Farook’s iPhone. On Feb. 25, Apple filed a motion to have the court vacate the order. Apple’s motion to vacate is supported by a who’s who of the security and tech law fields, in the form of amicus briefs filed last week by numerous influential individuals, companies and NGOs.

General overview of the law
Technology companies have obligations under (and subject to the conditions of) U.S. law to produce data related to criminal proceedings in their possession. However there are statutory obligations (known as the All Writs Act) that put limits on those obligations. Apple argues in its motion, as do the many tech and public interest companies that have filed friends of the court briefs in this case, that the FBI is exceeding the statutory limits in its request of Apple to help the FBI provide access to the potentially relevant data that may be stored on the SB killer’s phone.

In essence, Apple and friends argue, the government’s demands in this case exceed the intent of the All Writs Act.  Apple and its supporters also contend that the government’s request violate the constitutional rights of Apple. Which specific constitutional rights are asserted to be violated differs somewhat among the briefs, and there hasn’t been time to review and inventory the arguments of all briefs.

Below is an outline of the law under which the Government has obtained an order to compel Apple to “unlock” Farook’s iPhone, and Apple’s defense to that Order.

The order

All Writs Act
The order at issue in this case was made pursuant to the All Writs Act, § 28 U.S.C. 1651 (“AWA”). The AWA says that a court may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” Basically this law has great latitude in its application, and thus has the potential for abuse. That is, it has vast potential to be used to issue writs (orders) that are not “appropriate in aid of their respective jurisdiction” or “agreeable to the usages and principles of law.”

As pointed out in the amicus brief of 32 Law Professors (in support of Apple), “the AWA tasked the federal courts with a role that was “somewhat constrained.” This provision should not be construed so broadly as to essentially endow courts with legislative authority.  Nor should it be used to give the district court a roving commission” to enlist third parties into law enforcement.” This professors’ amicus brief (as well as Apple’s and many others, argue that overreaching is what the court would do if it does not vacate the order.

Specific demands of the Order
The court’s order requires Apple to perform a very specific and extensive set of tasks. By way of example, the first two parts of those orders are the following:

  1. Apple shall assist in enabling the search of a cellular telephone, Apple make: iPhone 5C, Model: A1532, on the Verizon Network, (the “SUBJECT DEVICE) pursuant to a warrant of this Court by providing reasonable technical assistance to assist law enforcement agents in obtaining access to the data on the SUBJECT DEVICE.
  1. Apple's reasonable technical assistance shall accomplish the following three important functions: (1) it will bypass or disable the auto-erase function whether or not it has been enabled; (2) it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT and (3) it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.

Those first two specific orders—and the remaining five—go beyond mere technical assistance. The court order is in essence a work order requiring Apple to perform specific deliverables.

Motion to Vacate and supporting arguments of Apple and Amici
In its Motion to Vacate, Apple objects to these directives because it believes them to be unreasonable (and thus outside the court’s powers under AWA) and because no other views on “reasonableness” (in particular, Apple’s) were considered by the court in making its “reasonableness” determination. Apple begins with arguing that “[T]he software envisioned by the government simply does not exist today.”

The Table of Contents of Apple’s motion to vacate goes on to very clearly outline Apple’s argument why the order should be vacated. That is, the Motion to Vacate explains in great detail why Apple believes the order requires Apple to provide unreasonable assistance and thus, runs afoul of the AWA. In addition to exceeding the scope of the AWA, the order if not vacated would, Apple further argues, violate Apple’s constitutional rights to free speech and due process.

Apple’s Motion to Vacate the order compelling it to assist the FBI makes the following arguments. In crafting its Motion to Vacate, Apple’s own words are clearer than any third pary (such as mine) summation.

  1. The All Writs Act Does Not Provide A Basis To Conscript Apple To Create Software Enabling The Government To Hack Into iPhones. [because]
    1. The All Writs Act Does Not Grant Authority To Compel Assistance Where Congress Has Considered But Chosen Not To Confer Such Authority
    2. The All Writs Act Does Not Authorize Courts To Compel The Unprecedented And Unreasonably Burdensome Conscription Of Apple That The Government Seeks
      1. Apple’s Connection To The Underlying Case Is “Far Removed” And Too Attenuated To Compel Its Assistance
      2. The Order Requested By The Government Would Impose An Unprecedented And Oppressive Burden On Apple And Citizens Who Use The iPhone
      3. The Government Has Not Demonstrated Apple’s Assistance Was Necessary To Effectuating The Warrant.
    3. Other Cases The Government Cites Do Not Support The Type Of Compelled Action Sought Here.
  2. The Order Would Violate The First Amendment And The Fifth Amendment’s Due Process Clause
    1. The First Amendment Prohibits The Government From Compelling Apple To Create Code
    2. The Fifth Amendment’s Due Process Clause Prohibits The Government From Compelling Apple To Create The Request Code

That, in essence, is the core of In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203.

Of course many other issues are raised in the amicus filings, and ther are additional related filings that have occurred that are relevant to this matter, such as ongoing proceedings in a similar case in Brooklyn, New York, and a recently-released report of the Congressional Research Service that covers the California proceeding (as well as analgous actions if an individual owner of the data/phone is being compelled to provide law enforcement.  I summarize that report here.  There is no paucity of widely available information about this case on the Internet. When in doubt about, it is best to stick to the original documents such as those I have linked in this article.

Apple’s request to vacate the order will be heard on March 22, 2016.

The following are the Amicus Briefs in Support of Apple

  • 32 Law Professors
  • Access Now and Wickr Foundation
  • ACT/The App Association
  • Airbnb, Atlassian, Automattic, CloudFlare, eBay, GitHub, Kickstarter, LinkedIn, Mapbox, Medium, Meetup, Reddit, Square, Squarespace, Twilio, Twitter and Wickr
  • Amazon, Box, Cisco, Dropbox, Evernote, Facebook, Google, Microsoft, Mozilla, Nest, Pinterest, Slack, Snapchat, WhatsApp, and Yahoo
  • American Civil Liberties Union, ACLU of Northern California, ACLU of Southern California, and ACLU of San Diego and Imperial Counties
  • AT&T
  • AVG Technologies, Data Foundry, Golden Frog, the Computer & Communications Industry Association (CCIA), the Internet Association, and the Internet Infrastructure Coalition
  • BSA,The Software Alliance, the Consumer Technology Association, the Information Technology Industry Council, and TechNet
  • Center for Democracy & Technology
  • Electronic Frontier Foundation and 46 technologists, researchers, and cryptographers
  • Electronic Privacy Information Center (EPIC) and eight consumer privacy organizations
  • Intel
  • iPhone security and applied cryptography experts including Dino Dai Zovi, Dan Boneh (Stanford), Charlie Miller, Dr. Hovav Shacham (UC San Diego), Bruce Schneier (Harvard), Dan Wallach (Rice) and Jonathan Zdziarski
  • Lavabit
  • The Media Institute
  • Privacy International and Human Rights Watch

Read the original blog entry...

More Stories By Bob Gourley

Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com

IoT & Smart Cities Stories
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
Machine learning has taken residence at our cities' cores and now we can finally have "smart cities." Cities are a collection of buildings made to provide the structure and safety necessary for people to function, create and survive. Buildings are a pool of ever-changing performance data from large automated systems such as heating and cooling to the people that live and work within them. Through machine learning, buildings can optimize performance, reduce costs, and improve occupant comfort by ...
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
As IoT continues to increase momentum, so does the associated risk. Secure Device Lifecycle Management (DLM) is ranked as one of the most important technology areas of IoT. Driving this trend is the realization that secure support for IoT devices provides companies the ability to deliver high-quality, reliable, secure offerings faster, create new revenue streams, and reduce support costs, all while building a competitive advantage in their markets. In this session, we will use customer use cases...