Apple’s latest iPhone security update is polarising an already heated debate over law enforcement’s access to smartphones.
The divisions were on full display when Apple announced this week it would block access to the Lightning port on the bottom of iPhones, which law enforcement sometimes uses to break into the devices during investigations. Privacy advocates cheered the move as an important safeguard against criminals and other bad actors who seek to steal people’s personal or financial information, while opponents of the change warned that it would take away another critical tool for investigators to solve cases.
Consider how far apart each side sounds:
Sen. Tom Cotton, R-Ark, who is hawkish on national security issues, insisted Apple “should be more than willing to cooperate with valid warrants from US law enforcement. Criminals and terrorists should never take precedence over the safety of the American people.”
Privacy advocates said this distorts the issue.
“Framing this news as ‘Apple is taking steps to stop the cops from unlocking iPhones’ profoundly misses the point,” said Kevin Bankston, director of the Open Technology Institute at the nonpartisan think tank New America. “Apple is helping to ensure against a broad range of attacks by anyone and everyone who might attempt to leverage the same class of vulnerability that the police have been exploiting. Any hack that the cops can use can be used by bad guys, too, whether they be criminals or spies or repressive foreign regimes, and that’s who Apple is in an arms race with.”
The FBI has sparred for years with Apple over its struggles accessing data on locked iPhones, which are now protected by encryption so strong even the company does not have the key – and this latest development shows there’s no apparent movement toward a compromise.
If anything, the new development opens up another front in the larger battle over what access tech companies must grant investigators to consumer devices at the center of investigations.
Undercutting one of the FBI’s most reliable workarounds is sure to stir up debate on Capitol Hill, where top law enforcement officials are urging lawmakers to pass legislation that would compel Apple and other tech companies to create a guaranteed way to access data on consumer devices.
It’s part of a “cat-and-mouse” game that has gone on for years, said Jamil Jaffer, director of the National Security Law and Policy Program at George Mason University, who is supportive of government access.
“What Apple seems to be doing is that every time law enforcement finds a way to get in, they cut off access, all the while refusing to work with law enforcement to find a privacy-protective way of providing lawful access,” said Jaffer, who formerly served as a congressional staffer and associate counsel to President George W. Bush. “And to be frank, it’s not just chipping away; the privacy community, allied with key technology companies, has been taking a sledgehammer to law enforcement capabilities.”
But proponents of tough security on consumer devices, such as Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society, say there will always be ways for investigators to get the data they need.
“There will always be security flaws in every model of iPhone, every version of iOS, despite Apple’s best efforts,” Pfefferkorn said. “Vendors like Cellebrite – as well as the FBI’s own internal staff, jailbreakers, bug bounty hunters, and so on – will hammer on every new version to find the bugs and then develop or update their tools to exploit those bugs.”
“Apple is doing the responsible thing here,” she added. “If a company learns that its product’s security has been undermined by a third-party tool, the only responsible thing to do is fix the security flaw.”
Apple’s latest update would allow users to disable the Lightning port on the bottom of iPhones an hour after locking them, a change Apple said is designed to help “defend against hackers, identity thieves and intrusions into their personal data,” as my colleagues Craig Timberg and Tony Romm report. But investigators equipped with data extraction devices currently use the Lightning port to pull information from iPhones without having to break through the devices’ heavy encryption. In criminal cases, this sometimes happens only days after an iPhone has been seized. Apple’s update would ostensibly limit investigators’ window to just 60 minutes.
Apple hasn’t even rolled out the update yet, but there are signs there may already be a way for law enforcement to get around it. Shortly after Apple’s announcement, Vice’s Motherboard reported that the company Grayshift, which sells an iPhone-cracking tool called GrayKey for $15,000 (roughly Rs. 10.27 lakhs), appeared to have a solution in the works. Per Motherboard’s Joseph Cox and Lorenzo Franceschi-Bicchierai:
“Naturally, this feature has sent waves throughout the mobile phone forensics and law enforcement communities, as accessing iPhones may now be substantially harder, with investigators having to rush a seized phone to an unlocking device as quickly as possible. That includes GrayKey, a relatively new and increasingly popular iPhone cracking tool. But forensics experts suggest that Grayshift, the company behind the tech, is not giving up yet.
“‘Grayshift has gone to great lengths to future proof their technology and stated that they have already defeated this security feature in the beta build. Additionally, the GrayKey has built in future capabilities that will begin to be leveraged as time goes on,’ a June email from a forensic expert who planned to meet with Grayshift, and seen by Motherboard, reads, although it is unclear from the email itself how much of this may be marketing bluff.
“‘They seem very confident in their staying power for the future right now,’ the email adds.
“A second person, responding to the first email, said that Grayshift addressed USB Restricted Mode in a webinar several weeks ago.”
Law enforcement has turned increasingly to GrayKey and other encryption-breaking tools as the encryption debate has heated up in recent years and officials search for ways to respond to the problem they call “going dark.”
As the debate continues, Jaffer said he’s concerned about what will happen if each side keep digging in.
“The real worry that we all ought to have is that we end up in a situation where neither side is willing to work together in good faith and a mass casualty terrorist attack or a compelling case comes along,” he said. “Then we’ll have lost on both privacy and security because we’ll have people who’ve been harmed and we’ll end up in a legislative situation where the law overcorrects. Ultimately the right time to address this issue is now, in the relative peace that we enjoy where fair debates can be had on the merits.”
© The Washington Post 2018