So how much did the FBI pay to get into the San Bernardino shooters phone? FBI director James Comey indicated that they paid more than he “will make in the remaining seven years”, which has been estimated in the region of $1.3m (around £900,000), although several US government sources have stated that they had paid under $1m.
Given that such a large amount of money has exchanged hands it is surprising that the identity of the hacker is unknown to Comey, although he said that the payment was “worth it” as the FBI now has a piece of hardware, or software, which can be used to crack the password on other iPhone 5C’s running iOS9.
According to research firm IHS Technology, there are about 16 million such phones in use in the US, and according to Apple more than 80% of them run iOS 9. The FBI confirmed that it would not tell Apple about the security flaw exploited in the hack, partly because the law enforcement agency does not know how it works.
It is unknown if the hack has been sold to any other agencies, or third parties. When a security flaw is discovered by developers it is usual to undergo a period of responsible disclosure, this means that the offending service provider, or developer, is informed of the security flaw and given a reasonable period in which to fix the flaw.
As the FBI’s external hacker is unknown, and there has been a refusal to share information with Apple, the iPhone 5C has been left vulnerable meaning that anyone with an iPhone without a fingerprint sensor is at risk of being hacked. It is still unclear what information the FBI now has access to, with some US news outlets reporting that nothing of interest has actually been found on the device in question.
Authorities have been known to offer big rewards for finding bugs in various software. Last year Zerodium – a firm that negotiates bug bounties – offered $1m for a web-based exploit against iOS 9, which was subsequently claimed.
On Tuesday 19th April, Apple revealed that US authorities had asked for user data 1,015 times during the second half of 2015. This number is up from 971, during the first half of 2015, and 788 during the last half of 2014. Apple received significantly fewer requests during the second half of 2013, totaling 638.
The information requested related to services such as iMessages, emails, photos and device backups. Apple provided data in response to 82% of the requests, about average for the California technology company. While the number of requests has gone up, the number of users affected by such requests has fluctuated, with the number of users being roughly the same in the latter half of 2014 and 2015.
The number of requests is consistent with the changing world of consumers using tools such as iMessage, email, contact lists and diaries, which can all be backed up as part of an iCloud account, as opposed to a landline which can be tapped with the help of a phone company.
Apple stated in their transparency report that “If there’s a question about the legitimacy or scope of the request, we challenge it, as we have done so as recently as this year”. Unfortunately Apple is facing a rapidly increasingly number of requests relating to national security, which often come accompanied with a gagging order, or are classified.
In the latter half of 2015, the US government made between 1,250 and 1,499 national security requests to Apple, affecting between 1,000 and 1,249 accounts. That’s up from 750 to 999 requests, affecting 250 to 499 accounts during the first half of 2015.
On Tuesday 19th April, the Electronic Frontier Foundation (EFF) filed a lawsuit in federal court seeking to find out whether the government had ever used a court order to make a company break their encryption. The US recently jailed a man for several months after refusing to decrypt hard drives suspected of containing indecent images of children.
The court order states that the man will remain in custody “until such time that he fully complies” with an order to decrypt the devices. The man, a former police sergeant, has not yet been charged with possessing illegal images, and is appealing against his detention.
According to his appeal, he appeared at the district attorney’s office to enter passcodes for the hard drives – but they failed to work. When he was ordered to explain why he failed to enter the correct passcodes he invoked his Fifth Amendment rights, not to self-incriminate.
The EFF stated: “Compelled decryption is inherently testimonial because it compels a suspect to use the contents of their mind to translate unintelligible evidence into a form that can be used against them.”
A district court had ruled that the man would not be compelled to decrypt the hard drives, however, when investigators took the case to a federal court they were issued a warrant to search the devices. The government invoked the All Writs Act in order to force the man to cooperate in the criminal investigation, this is the same law which was used by the FBI to try and compel Apple to decrypt the iPhone.
The man’s appeal contends that he should not be forced to decrypt the hard drives because the investigators do not know for certain whether indecent images are stored on them. The EFF agreed, by stating that “Complying with the order would communicate facts that are not foregone conclusions already known to the government”.
Given that many services, such as WhatsApp, are becoming fully encrypted we could see a spat of similar cases compelling users to divulge their passwords. Although these cases are clearly centered within the US, their ramification will be felt worldwide as other countries follow suit in order to obtain sensitive, and potentially crucial, information relating to investigations.