Did anyone really think the FBI needed Apple's help to get into an iPhone? Our last article set out how the FBI were trying to set a precedent in order to make their lives easier in the future, but with some corner shops apparently offering to help you get into your phone when you have been locked out, was it worth all the time and money?
The Mail on Sunday set about their own investigation by buying an iPhone 5C and a device known as an IP Box, which they purchased online for around £120. They set a random four-digit code and left the IP Box to try to guess the passcode without tripping the "10 attempts and you're out" feature. Some may be skeptical of their claim that it guessed the code 3298 after six hours, but they claim that with the code they were able to access all the data on the device, as well as change its passcode to one of their choosing. There is some contention, as the phone which was tested was on iOS7 whereas the one the FBI had was on iOS9 [meaning that the one the FBI has is more secure].
The device the Mail used is not something new. In the past, police have had boxes with a multitude of cables for different devices which they could plug in to extract the phone's data, but these were quickly outdated, with companies like Apple and Google trying to patch any security flaws in order to stop criminals rather than law enforcement. A source has reported that updated versions of these boxes have been developed which, when plugged in, will extract all the phone's data into a single file. It is unclear whether this device will work on encrypted devices, as data is encrypted and decrypted as it is accessed on newer Android devices.
The FBI can no longer pursue Apple in the courts on this occasion, as the All Writs Act prevents them from continuing now that their goal of unlocking the phone has been met. It has also been theorised that they knew they had a weak case and that is why they were taking expert witnesses to court rather than being able to continue on the facts of the case alone. The FBI have taken their newfound knowledge and offered to help other law enforcement agencies access any phones they may have which need unlocking, but they have not told Apple how they accessed the device.
This is not the end of the story, as the California Assembly Bill (AB1681) has emerged from Section 22762 of the Business and Professions Code, which required smartphones manufactured on or after July 1st 2015 to include a technological solution at the time of sale, which could consist of hardware, software or both, that once initiated and successfully communicated to the smartphone would render it inoperable.
For a while now we have been used to the idea that we can remotely wipe and disable our smartphones, but this new addition creates a potential invasion of privacy, as it requires a smartphone manufactured on or after January 1st 2017 and sold in California to be capable of being decrypted and unlocked by its manufacturer or its operating system provider. The Bill also provides for a civil penalty of $2500 for each smartphone which breaches this requirement.
Although this has not been signed into law, many commentators have seen this legislation coming for a long time. This may be Californian law, but manufacturers are unlikely to produce a specific phone to be sold only there, and with the development of the internet it is likely to spread. This new legislation runs contrary to the Communications Assistance for Law Enforcement Act, which prohibits the government from making manufacturers of telecommunication devices develop backdoors into their systems. The Guardian reported that the White House is declining to offer public support for long-awaited legislation that would give federal judges clearer authority to order technology companies such as Apple to help law enforcement crack encrypted data, according to sources familiar with the discussions.
This is not the only piece of legislation being proposed in the US. Senators Richard Burr and Dianne Feinstein have released their draft proposal of what is known as the Compliance With Court Orders Act 2016. Although it has Act in the title, it has not yet been proposed to Congress, let alone signed into law. Tim Cook said he did not want to capitulate to something he felt was wrong, meaning that he wanted legislation rather than a judge telling Apple to unlock a phone, but it is doubtful that he wanted this. The proposal does not outlaw encryption, but instead compels decryption. Anyone who encrypts any communications must provide a means to produce an intelligible version of whatever the court orders. This applies to all app stores, works on GitHub, messaging apps and more. Again, the White House have refused to back the legislation.
The problem with this new proposal is that, due to the way the draft has been written, not only can law enforcement make such an order, but an official such as a mayor is also entitled to make one. The Electronic Frontier Foundation stated that ‘the senators are pushing Congress to destroy fundamental aspects of computer security.’ It does not just open up a door for law enforcement to surveil criminals, it also opens a door for criminals to surveil us.
The legislation is unlikely to pass. We saw the UK government propose similar legislation with the Draft Communications Data Bill, or snoopers' charter, which was promptly shelved due to substantial resistance. It has been suggested that such moves are being made to make things easier for law enforcement as budgets are being cut: if they do not have to spend so much on decrypting people’s phones and hard drives, then the government will be able to cut, or at least defend their cuts to, policing and security.
The Hungarian Government also plan to criminalise the use of applications for encrypted communication as part of a new anti-terrorism legislation package put forward by the Interior Ministry. If the package is implemented in its present form, anyone caught using encrypted software can be punished with 2 years in prison. The providers would be obliged to ensure access to the content of the encrypted messages, and they would have to provide the identification data of the users as well as the IP address used for registration. Failure to comply qualifies as a misdemeanor, and is also punishable with a 2-year prison sentence.
Given that the Apple case revolved around the issue of decryption, it is perhaps amusing that Facebook announced that WhatsApp is now completely encrypted. Previously encryption only covered one-to-one conversations, but this new development will also encrypt group chats and voice calls. This means that not even Facebook will be able to see your messages or hear your calls, which could potentially cause problems for law enforcement as well as cyber-criminals and hackers.
In a statement, WhatsApp said: “The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cyber criminals. Not hackers. Not oppressive regimes. Not even us.” Although Amnesty International have dubbed this move a huge victory for free speech, FBI attorney James Baker reportedly criticised the move, saying encryption threatens the work of law enforcement.
If the Compliance With Court Orders Act 2016 is to pass, then WhatsApp will have to make a U-turn or shut down its services, as Lavabit did due to the FBI demanding that Ladar Levison hand over all of the encryption keys of users in order to decrypt emails.