Doug Lhotka

Ok, Apple vs FBI.

I might as well write about a third rail, but I’ve gotten so many questions about what’s going on that it’s simpler to chime in.

Let me begin by saying that I’ve worked with a lot of law enforcement professionals over the years, and have the highest respect for their integrity and professionalism.  They have a tough job, and take their duty to stand between us and the bad guys very seriously.  I do not remotely, condemn them for making the request of Apple – in their role, with their charter, I’d probably do the same thing.  Likewise, Apple is acting on their own good character – this is not a marketing stunt as some have suggested, I believe it’s an honest principled position.

That’s not a cop out, this simply is one of those times when people of good conscience and character disagree.  Balancing security, privacy and liberty is very hard in the digital age.

Couple of things to start:  First, Apple is not being asked to break their encryption.  They’re being asked to create a special version of iOS that bypasses the protections against brute force attacks, so the FBI can break the encryption the hard way – by trying every PIN until it unlocks.   Right now, iOS has an escalating timeout on wrong passwords – after 9 it locks for an hour, and after 10, it wipes the phone (assuming that feature is turned on).  It’s those two features that they’re being asked to bypass (and to allow electronic passcode testing instead of tapping with fingers, but that’s less impactful).  A version of iOS that does that would to be digitally signed (validated as real) by Apple in order to be loaded on a device.  Once that code is created, it’s about 2 minutes work to enable it to be loaded on different devices, or to be loaded on any device at all.    This is not a universal back door –  it removes the barriers that protect the door against someone battering it down, which is still a significant reduction in security.

As an aside, it’s unfortunate that county that issued the phone failed to install basic MDM (mobile device management) software, which could have unlocked it remotely.  That’s a best practice.  It’s also unfortunate that this is an option – Apple allows loading of new iOS versions on locked devices without wiping memory.  I see reports today they’re working on closing that gap, so this whole thing may be a moot point going forward.

But let’s set that aside – this was always going to come to a head.

We can also set aside some wilder speculation:  ABC reports a rather esoteric means to extract the data directly from the chips.  I’ve seen some commentary that the chips could be removed intact, and the memory read out using the standard pinouts, loaded onto a separate machine, and brute forced external to iOS (I’m far removed from my soldering iron days, so I don’t know if that’s possible).  If that capability existed, it’d be something that would probably be a highly protected capability.  Conspiracy theories abound that the suit is a smokescreen to protect such a capability by unnamed three letter agencies.  Let’s leave that for the movie plots.

So the net is that Apple can do what’s being asked, though at a significant cost (they’d have to pull engineers off their commercial development activities), and at significant risk – both of precedent, and of the software leaking.   The question is should they do it?

I believe that such a question needs to be decided through the legislative process, with full public debate, by Congress.  Not by individual states, and especially not by the judiciary.  Apple is doing us all a service by forcing that debate to happen.