18May

Why Apple Refused to Unlock a Terrorist’s Phone

It was a headline grabber and an awful one at that. Back in December of 2015, the San Bernardino County Department of Public Health was hosting an office Christmas party when Syed Rizwan Farook (a health inspector for the Department and US Navy Iraq War veteran) and his wife Tashfeen Malik perpetrated a mass shooting at the rented ballroom, killing 14 and seriously injuring another 22. The couple died a few hours later in a gunfight with police, bringing the immediate threat to a close, but leaving many unanswered questions. As the investigation of the terrorists and the horrific attack unfolded over the next several months, Farook’s government issued – and locked – iPhone took center stage. And so began a square off between the FBI and Apple, drawing lines in the sand between national security versus privacy rights.

 

Just a few months prior to the attack, Apple reported in a whitepaper that it had added enhanced privacy features to their operating systems. Now, after ten unsuccessful attempts to unlock a 5C using the wrong PIN, the AES encryption key would be erased, thus rendering the iPhone and its contents permanently inaccessible.

 

In February 2016, the FBI announced it was unable to unlock Farook’s iPhone 5C due to the phone’s advanced security features. The Feds knew they only had ten cracks at it and thus were measured in their approach. After the NSA said it was unable to help, the FBI turned to Apple, requesting the technology company create a new version of the IOS (Apple’s operating system) that would disable certain security features and thus allow the Feds to access the phone’s data. When Apple refused, citing its policy to never undermine the security features of its products, the FBI successfully applied for a court order mandating Apple create and provide them with the requested software. Apple still refused, stating that the creation of a backdoor posed a greater sustained security risk to their customers and that no other government entity had ever requested this sort of access. The Justice Department filed suit to compel Apple to comply with the order. After a whole lot of legal wrangling and very little progress, on March 28th of that year, the DOJ announced they had successfully unlocked the phone without Apple’s help and thus withdrew their lawsuit.

 

As it turned out, the disputed iPhone revealed nothing regarding the terrorism plot.

 

SO HOW DID THE FEDS ACCESS THE IPHONE?

 

The FBI stated it engaged a third party who provided them with a tool able to unlock the 5C iPhone – a technology that purportedly cost the agency more than $1.3 million. While a number of media outlets filed a Freedom of Information Act lawsuit seeking to compel the FBI to reveal who they hired to unlock the phone and how much the entity was paid to do so, a federal court ruled against the plaintiffs and granted summary judgment to the FBI.  The Washington Post later reported Australian white hat hacking firm Azimuth Security had ultimately leveraged a zero-day vulnerability in the iPhone’s software to bypass the ten-try PIN limit.

 

SECURITY VS PRIVACY

 

While the San Bernardino attack was heartbreaking in so many ways, the ensuing national security versus privacy debate related to that iPhone is one that we will be contesting long into the future in one form or another.

 

At a privacy conference in 2018, Apple CEO Tim Cook said, “We at Apple believe that privacy is a fundamental human right. But we recognize that not everyone sees things as we do.” Cook went on to implore big tech to end the collection and sale of user data and called for comprehensive data privacy laws.

 

While his speech had more to do with big tech than government security requests, the argument is essentially the same. Many however believe that Apple and its leadership are insincere, or at least inconsistent, in their approach to privacy. In a 2019 article in The Atlantic titled “Apple’s Empty Grandstanding About Privacy,” reporter Ian Bogost suggests Apple’s willingness to allow data exploitive apps into its App Store is contradictory to its pro-privacy stance. Bogost writes, “If Apple really objected to data-hungry business models, it could take much more aggressive action during app review. Apple owns the platform and its tools. It is in the best position to enforce a set of values about data access and collection, if the company truly believes in them.”

 

Surely popular applications available in Apple’s App Store, like Facebook and TikTok, are behemoth players in the big data debate. The question is, if Apple allows these tech companies who clearly are accessing user data onto their platform, then why not let the government access data that might be necessary for national security.

 

IT’S NOT THAT SIMPLE

 

When the DOJ filed its lawsuit, big tech firms like Microsoft, Facebook, Twitter, and LinkedIn opposed the order – and many more filed amicus curiae briefs in support of Apple’s position, often citing the slippery slope and extremely damaging implications were Apple to comply with the order.

 

Even former NSA Director, General Michael Hayden, backed Apple’s position on the San Bernardino phone. In a March interview that year he said, “This may be a case where we’ve got to give up some things in law enforcement and even counter terrorism in order to preserve this aspect, our cybersecurity.”

 

Edward Snowden, the notorious computer intelligence consultant, weighed in stating that the government already had the means to unlock the iPhone and “The global technology consensus is against the FBI.”

 

Others questioned whether the FBI was being completely forthcoming in their reasons for their Apple request.

 

While a lineup of politicians and pundits took hard stances on the issue, others called for compromise. At a SXSW conference that year, President Barack Obama perhaps hit the nail on the head when he stated “You cannot take an absolutist view on [encryption]. If your view is strong encryption no matter what, and we can and should create black boxes, that does not strike the balance that we’ve lived with for 200 or 300 years. And it’s fetishizing our phones above every other value. That can’t be the right answer.”

 

WHAT HAPPENS NEXT?

 

The debate over security versus privacy and the scope of big tech will continue to rage on for years to come. It is difficult to justify allowing big tech into our phones and data for their own financial gain, while prohibiting law enforcement the same access. If we had a crystal ball, our guess would be that privacy legislation will eventually forbid both; but not without a mighty fight. With literally trillions of dollars on the line for big tech companies, we are certainly in store for a battle royal, as law enforcement argues safety and national security are greater goods than individual privacy.

 

Data privacy is poised to be a massive showdown. Thank goodness we can keep up with the news in real time on our iPhones.

 

Stig Ravdal is the President & Founder of Ravdal, Inc., a leading cybersecurity company. He is an expert in the fields of cybersecurity strategy and technology solutions, and is available for speaking engagements.

 

18 May, 2021