In a hearing today with the House Committee on the Judiciary Hearings, called The Encryption Tightrope: Balancing Americans' Security and Privacy, FBI director James Comey started off the hearings by describing the problems inherent with encrypted communications and saying that "going dark" is a grave, growing and extremely complex problem.
We are seeing more and more cases where we believe significant evidence resides on a phone, a tablet, or a laptop — evidence that may be the difference between an offender being convicted or acquitted. If we cannot access this evidence, it will have ongoing, significant impacts on our ability to identify, stop, and prosecute these offenders.
We would like to emphasize that the Going Dark problem is, at base, one of technological choices and capability. We are not asking to expand the Government’s surveillance authority, but rather we are asking to ensure that we can continue to obtain electronic information and evidence pursuant to the legal authority that Congress has provided to us to keep America safe.
However, Apple presented the problem as a constitutional issue, with the first and fifth amendments coming into play; by being compelled to create code (and where code is synonymous with speech) the government is attempting to compel Apple to say something that it disbelieves, as well as compelling Apple to work for the government without recourse. Bruce Sewell, representing Apple, suggested that:
The FBI is asking Apple to weaken the security of our products. Hackers and cyber criminals could use this to wreak havoc on our privacy and personal safety. It would set a dangerous precedent for government intrusion on the privacy and safety of its citizens.
Furthermore, in evidence presented by the FBI and acknowledged by Apple, there are hundreds of phones waiting in the queue to be decrypted:
As we have told them — and as we have told the American public — building that software tool would not affect just one iPhone. It would weaken the security for all of them. In fact, just last week Director Comey agreed that the FBI would likely use this precedent in other cases involving other phones. District Attorney Vance has also said he would absolutely plan to use this on over 175 phones. We can all agree this is not about access to just one iPhone.
Susan Landau, professor of cybersecurity policy at of the Worcester Polytechnic Institute, who also attended the hearing, emphasised the fact that it's not a question of submitting to security but rather of enforcing it:
Despite appearances, this is not a simple story of national security versus privacy. It is, in fact, a security versus security story although there are, of course, aspects of privacy embedded in it as well.
Stealing your login credentials provides criminals and nation states the most effective way into your system—and a smartphone provides one of the best ways of securing ourselves.
That’s why Apple’s approach to securing phone data is so crucial.
But law enforcement continues to see electronic surveillance in twentieth century terms, and it is using twentieth-century investigative thinking in a twenty-first century world. Instead of celebrating steps industry takes to provide security to data and communications, the FBI fights it.
In cross examination by members of the committee, the director of the FBI admitted that they had made a mistake when they reset the iCloud password for the account, preventing co-operation and allowing Apple to provide automatically backed up resources. However, he also said that they would not be doing their job unless they tried out all possibilities in order to gain access to the phone.
Many of the questions were positive and were looking to understand the problem; however, a few of the Congress members kept returning to the criminal angles and murders where Apple would not be able to assist in breaking into suspects' (or victims') phones. Several expressed the view that they would sacrifice personal security in the benefit of wider public security, seemingly without understanding the irony that weakening security for one weakens security for all. Later on, Dr Landau pointed out that whether or not Apple could get into the phone, if an encrypted app (such as Telegraph) was used, there would be no way of finding out what the communications were in any case. They pointed out that these applications and encryption routines were already widely available as open-source projects or existing applications, regardless of the outcome of this particular case. Indeed, she highlighted that this was part of a discussion with the NSA over a decade ago when stronger encryption was being used by foreign competitors and other aggressors while weaker security was mandated across the American public. Dr Landau stated she believed that the FBI were still in the past, believing that they could legislate away encryption.
When asked whether or not the backdoor could be limited to a single phone, Sewell stated that there was no technical limitation that would prevent it being used in additional phones; and that even if a key could be tied to a specific phone, the large queue of other phones which were in the hands of other law enforcement agencies would require an automated delivery mechanism and ability for individuals to be able to request a backdoored operating system. This would lead to human failures in the long term, or simple mistakes, which could be used trivially as a security vulnerability to break into actors' phones. Potentially the same backdoor could be subverted by foreign agencies or criminals once created. Even if the software were just used for this one phone, as the FBI originally requested, they asked for the software to be shipped through the mail on a hard drive to the FBI offices, which clearly presents a highly vulnerable single point of failure.
Apple also clarified that they have a 24x7, 365 day a year, security hotline on which they offer law enforcement advice and support in these cases. In the specific San Bernadino case, Apple received a call at 2:47am, had responded by 2:48am, and provided data as requested by search warrants within 24 hours, as well as despatching support engineers to advise the FBI how to get into the phone. Had the FBI not reset the password it is very likely that the information would already be in the FBI's hands. Apple has continued to provide information that they are able to under the existing infrastructure.
Members of the congress have five days to ask any additional information from the participants.
Meanwhile, in the UK, the Investigative Powers Bill will be read and rushed through on Wednesday which would give the UK government the ability to immediately request the backdoor software from Apple. In addition, external agents and other countries would be in the queue in order to gain access to this information as well.
Ironically, the ACM Turing Award for 2015 was awarded on the 1st March 2016 to Whitfield Diffie and Martin Hellman, the same day that this hearing was attended. These two created what is now known as Diffie-Hellman public key cryptography, which is widely used in commerce today:
“Public-key cryptography is fundamental for our industry,” said Andrei Broder, Google Distinguished Scientist. “The ability to protect private data rests on protocols for confirming an owner's identity and for ensuring the integrity and confidentiality of communications. These widely used protocols were made possible through the ideas and methods pioneered by Diffie and Hellman.”
As Bruce Sewell noted, "The world is watching this case".