Skip to main content

How San Bernardino changes the FBI’s war on encryption

How San Bernardino changes the FBI’s war on encryption

/

Apple won its encryption fight. Now what?

Share this story

As of last night, Apple’s San Bernardino troubles are officially over. Yesterday, the FBI announced that it no longer needs Apple’s help in breaking into an iPhone linked to last year’s attacks, thanks to a new method for unlocking the phone submitted by an anonymous outside source. For the first time in weeks, Apple’s lawyers can breathe easy.

But San Bernardino was just one battle in a much larger fight. The FBI’s Going Dark Initiative has been pushing for encryption backdoors since 2014, and they have no intention of stopping now. As soon as last night's filing came in, the Department of Justice announced its intention to continue challenging devices with strong encryption. "It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety," the department said in a statement. In other words, the fight is still going. The question is just how and where it will play out.

For now, Apple's lawyers can breathe easy

If nothing else, the last two weeks will make prosecutors far more cautious before taking on new encryption challenges. After forcefully demanding Apple’s help for weeks, the FBI’s sudden retreat in San Bernardino was embarrassing, and the sub rosa nature of the exploit marketplace makes it hard to ensure that such a reversal won’t happen again.

At the same time, the recent New York ruling means any attorney considering an encryption-breaking order will be facing much more hostile terrain than they would have before the San Bernardino order was proposed. In February, Judge Orenstein handed down a vigorous rejection of the government’s proposal to compel Apple’s help through the All Writs Act, calling it "so expansive…as to cast doubt on the All Writs Act’s constitutionality if adopted." Now that the San Bernardino case has folded, that ruling is the closest companies have to legal precedent. The New York case differs from the San Bernardino case in a few ways. The target is a drug dealer, and the phone is running iOS 7, which doesn’t encrypt contacts or iMessages. But as the case heads to appeals court, it may settle any lingering legal questions about the power of the All Writs Act.

That doesn’t mean investigators are entirely out of options when faced with an encrypted phone. The last two weeks also showed that there’s at least one way into an iPhone that Apple hasn’t protected against yet, and the government seems likely to keep that method secret indefinitely. The method itself is reportedly already classified, and there’s no clear legal mechanism for forcing the government to disclose it. Some have pointed to the equities review process as a way the method might become public, but the government’s history suggests it’s not hard to keep methods like this secret. There are probably limitations to the method. Hardware-based methods may not work on phones with a Secure Enclave (5s and later), while software-based methods could be closed off by future iOS updates. In either case, the method is probably restricted to cases where the government is in physical possession of the phone. But for the time being, the FBI should have the new unlocking method entirely to itself.

But while that method was able to unlock Syed Farook’s iPhone, it’s a short term fix, and it’s hard to imagine any combination of vulnerabilities that will fully satisfy the FBI’s needs. The Manhattan district attorney has more than 100 iPhones waiting to be unlocked, and he’s not the only one. Exploits aren’t a reliable way to make sure all those phones can be accessed. The new attack may not work on all of them, and a patch might abruptly close off access partway through an investigation. As Apple deploys stronger and more advanced security protections, it’s not clear law enforcement groups can keep up. (The NSA probably can, but they’re not sharing.) If the FBI can successfully argue it has a legal right to that data, there’s no reason to settle for a string of vulnerabilities.

The FBI’s best path forward now runs through Congress

As a result, the FBI’s best path forward now runs through Congress. Senators Feinstein and Burr are already circulating a draft bill that would impose fines on companies that make devices inaccessible to warrants. The bill’s future is uncertain, but it’s likely to be only an opening salvo in a larger push that will take place after election day. Last year’s legislative effort on encryption lost momentum after President Obama withdrew his support, but that could well change in 2017. Both Hillary Clinton and Donald Trump have expressed support for the FBI’s position, and either one will likely be far more sympathetic to the FBI’s case than Obama.

That leaves Apple in a tricky place, along with encryption in general. By most measures, they’ve won. The government backed down and Apple won’t have to face any similar court orders for a while. But it’s still a precarious position, and there’s no guarantee that law enforcement’s future efforts will be any less messy than this one. Just nine days before the exploit was demonstrated, President Obama told a SXSW crowd that he worried putting the issue off would only lead to a hurried legislative fix after a future attack, like an encryption-focused version of the Patriot Act. "After something really bad happens," Obama said, "the politics of this will swing and it will become sloppy and rushed and it will go through Congress in ways that are dangerous and not thought through." That’s still a real threat for Apple and the rest of the industry. There’s very little principled opposition to encryption controls in Congress to stop such a push.

"After something really bad happens, the politics of this will swing"

The sad truth is that there will be more attacks, and some will inevitably involve encryption. In some ways, they’re already here. Five months after the Paris attacks, investigators now say the attackers communicated in part through file drops encrypted with TrueCrypt, a popular disk encryption utility. TrueCrypt is an open-source project, developed anonymously, so legal restrictions won’t stop anyone from using it. But for technologists, the Paris link is the political equivalent of a loaded gun. San Bernardino showed that US law enforcement has no problem using such events for political advantage, and half the country is happy to come along for the ride.

Apple was able to withstand that pressure, but the FBI might be more canny next time, choosing a smaller company like Lavabit without enough fame to push back against public opinion or enough money to withstand a sustained legal fight. Apple’s stand in San Bernardino would still matter in a case like that, offering an example of how to face down a government order and come away clean. Would it be enough? In the months to come, we’re likely to find out.