Apple vs. the FBI: all the news on the battle for encryption's future

The FBI partnered with an Australian security firm called Azimuth Security to gain access to an iPhone linked to the 2015 San Bernardino shooting, a new report from The Washington Post reveals. Before now, the methods the FBI used to get into the iPhone were kept secret. It was only clear that Apple wasn’t involved, as the company had refused to build a backdoor into the phone, kicking off a legal battle that only ended after the FBI successfully hacked the phone.

The phone at the center of the fight was seized after its owner, Syed Rizwan Farook, perpetrated an attack that killed 14 people. The FBI attempted to get into the phone but was unable to due to the iOS 9 feature that would erase the phone after a certain number of failed password attempts. Apple attempted to help the FBI in other ways but refused to build a passcode bypass system for the bureau, saying that such a backdoor would permanently decrease the security of its phones.

A federal court ruled yesterday that the FBI does not have to disclose either the name of the vendor used or price the government paid to hack into the iPhone 5C of mass shooter Syed Farook, according to ZDNet. The device became embroiled in a heated national controversy and legal standoff last year when Apple refused to help the FBI develop a backdoor into it for the purpose of obtaining sensitive information on Farook and his wife Tashfeen Malik, both of whom participated in the terrorist attack that left 14 dead in San Bernardino, California in December 2015.

The Justice Department originally filed a lawsuit against Apple to compel it to participate by creating a special version of its mobile operating system, something Apple was vehemently against because of the risk such a tool posed to users. But very soon after, the government withdrew from the case when a third-party vendor secretly demonstrated to the FBI a workable method to bypass the iPhone’s security system. Three news organizations — the Associated Press, Vice News, and USA Today — filed a Freedom of Information Act lawsuit in September 2016 to reveal details of the hacking method used. Because it was not clear how many phones the workaround could be used on, and whether the FBI could use it surreptitiously in the future, the lawsuit was seeking information that would be pertinent to the public and security researchers around the globe.

Three news organizations are jointly suing the FBI for information on how the agency broke into the iPhone of San Bernardino shooter Syed Farook.

On March 28th, the FBI bought a way to break into the iPhone at the center of the San Bernardino fight — and ever since, the tech world has been wondering what they'll do with the new bug. The White House maintains a process for disclosing any vulnerabilities that might post a threat to public safety, and you might think that a method for unlocking possibly stolen iPhones would qualify. But federal agencies are very good at circumventing that process (take this Firefox bug, for instance), and from the beginning the question wasn't whether the FBI would wriggle out of the process, but how.

Today, we got the explanation we've been waiting for: the bureau simply didn't pay for the right to do anything it might not want to do. "The FBI purchased the method from an outside party so that we could unlock the San Bernardino device," executive assistant director Amy Hess said in a statement obtained by The Daily Dot. "We did not, however, purchase the rights to technical details about how the method functions….As a result, currently we do not have enough technical detail about any vulnerability that would permit any meaningful review under the VEP [Vulnerabilities Equities Process]."

As 2015 drew to a close, you might be forgiven for thinking the encryption debate was all talk. There had been a lot of speeches and it was clear the FBI didn’t like Apple’s default encryption system — but what could they actually do about it? They had been leaning on Congress all year and getting nowhere.

Then, everything changed. On February 16th, the FBI took Apple to court over an iPhone used by one of the San Bernardino attackers, putting encryption at the center of the largest terrorism-linked shooting in the US in years. A similar phone-unlocking order was already being argued in New York, and the two cases plunged Apple into a legal crisis, as the company faced the possibility that a single ruling might undo years of security work.

The Justice Department has withdrawn from its legal dispute with Apple over a locked iPhone in New York, the government said in a court filing made late Friday. The department said the FBI no longer needs the company's help unlocking the phone, involved in a drug-trafficking case, as it has obtained the passcode from someone else.

The withdrawal is the second high-profile case the FBI has stepped away from in recent weeks after finding alternative means to unlocking a phone without Apple's help. Last month, the agency ended a similar case in San Bernardino after paying a third party for a way to hack into a phone. Recently, Director James Comey said the FBI paid more than $1 million for the help.

The FBI's new iPhone exploit may be more expensive than anyone suspected. Speaking at the Aspen Security Forum, Director Comey said the method that broke into the San Bernardino iPhone cost "more than I will make" in his remaining seven years at the FBI. Reuters calculates Comey's projected earnings over that period at $1.3 million.

Presented the day before FBI experts were due to testify in the San Bernardino case, the new method brought the San Bernardino trial to an abrupt close, ending months of legal efforts to compel Apple's help in unlocking the phone. Within a week, the method broke through the phone's lock screen protections. Earlier this week, government officials told CNN that no new leads had resulted from the information found on the phone.

Four tech coalitions representing major companies like Apple, Google, and Facebook have written an open letter to Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA), expressing their "deep concerns" over a bill that would require smartphone makers to decrypt data on demand for law enforcement agencies. The letter was signed by Reform Government Surveillance, the Computer and Communications Industry Association, the Internet Infrastructure Coalition, and the Entertainment Software Association, and was published online Tuesday. You can read it in full below.

Four coalitions representing Apple, Microsoft, Google, Amazon, and other major tech companies have published an open letter expressing their concerns over a controversial US bill that would require smartphone makers to decrypt data on demand. The letter, published this week, is addressed to the bill's sponsors, Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA), and signed by four industry groups: Reform Government Surveillance, the Computer and Communications Industry Association, the Internet Infrastructure Coalition, and the Entertainment Software Association. In addition to Apple, Microsoft, Google, and Amazon, the coalitions represent companies like Facebook, Netflix, eBay, and Dropbox.

For months, the FBI pressured Apple to break security measures on an iPhone used in the San Bernardino attacks, only to call off the case at the last minute when it was presented with a third-party method for breaking into the phone. But while the bureau's legal arguments have been detailed exhaustively, it's remained silent on exactly what it expected to find on the phone, which was issued to the San Bernardino attacker Syed Farook by his employer.

National security requests to Apple more than doubled over the course of 2015, according to a transparency report published today. The report lists between 1,000 and 1,249 accounts affected by national security requests in the second half of 2015, indicating that at least some private information was disclosed in each instance. That's a marked contrast from the first half of 2015, which saw between 250 and 499 accounts affected by requests. Total requests also rose from 750–999 to 1,250–1,499 over the same period.

It's unclear what might be behind the rise. Apple was restricted from reporting national security requests before 2015, a restriction that was lifted with the USA Freedom Act, so we have no earlier data to compare with today's report. As a result, it's possible that the first half of 2015 was abnormally low, or that the higher numbers have precedent in earlier years.

In a new filing entered today by Apple in its legal dispute with the FBI over a locked iPhone in New York, the company says the agency "has made no showing that it has exhausted alternative means for extracting data from the iPhone at issue here." The company points to the San Bernardino case, where "the government ultimately abandoned its request after claiming that a third party could bypass [security] features without Apple’s assistance."

The San Bernardino fight might be over, but the government hasn't given up on its battle against Apple's security measures. In a filing today, US Attorney Robert L. Capers announced the government's intention to continue its appeal of a New York case, in which the government sought to compel Apple's help in unlocking an iPhone linked to a methamphetamine smuggling case. "The government’s application is not moot," Capers writes in the filing, "and the government continues to require Apple’s assistance in accessing the data that it is authorized to search by warrant."

In February, magistrate Judge Orenstein rejected the government's attempts to compel Apple's help under the All Writs Act, calling the argument "so expansive... as to cast doubt on the All Writs Act's constitutionality if adopted." The government had previously announced its intention to appeal that ruling, although some had speculated the appeal would be dropped in the wake of the government's retreat in the San Bernardino case. Today's filing makes it clear that the government will continue that fight, pressing the appeals court to overturn Orenstein's ruling in the months to come.

Today, legislators from the House and Senate published the text of a new bill that would require smartphone manufacturers to decrypt data in response to law enforcement demands. Introduced by Senators Diane Feinstein (D-CA) and Richard Burr (R-NC), the bill does not establish any new civil or criminal penalties for companies unable to comply, simply stating companies "must provide in a timely manner responsive, intelligible information or data, or appropriate technical assistance to obtain such information."

While the bill doesn't name any company specifically, it comes on the heels of Apple's high-profile court fight with the FBI, which saw the company resisting demands to break lockscreen security measures on a phone linked to the San Bernardino attack. Apple CEO Tim Cook told employees the government's request would "undermine the very freedoms and liberty our government is meant to protect."

The FBI's new method for unlocking iPhones won't work on most models, FBI Director Comey said in a speech last night at Kenyon University. "It's a bit of a technological corner case, because the world has moved on to sixes," Comey said, describing the bug in response to a question. "This doesn't work on sixes, doesn't work on a 5s. So we have a tool that works on a narrow slice of phones." He continued, "I can never be completely confident, but I'm pretty confident about that." The exchange can be found at 52:30 in the video above.

The FBI isn't keeping its new iPhone attack secret from everyone. According to a new report in National Journal, the FBI has already briefed Senator Diane Feinstein (D-CA) on the methods used to break into the iPhone at the center of Apple's recent legal fight. Senator Richard Burr (R-NC) is also scheduled to be briefed on the topic in the days to come. Feinstein and Burr are both working on a new bill to limit the use of encryption in consumer technology, expected to be made public in the weeks to come.

The disclosures come amid widespread calls for the attack to be made public, particularly from privacy and technology groups. However the FBI's new method works, the ability to unlock an iPhone without knowing its passcode represents a significant break in Apple's security measures, one Apple would surely like to protect against if it hasn't already. At the same time, law enforcement has a clear incentive to keep the attack secret, so as to use the same method in future cases.

The FBI will assist in unlocking an iPhone and an iPod connected to a murder case in Arkansas, the Associated Press reports, just a few days after the Bureau announced it had accessed the iPhone used by one of the San Bernardino shooters without Apple's help. The FBI agreed to a request from prosecuting attorney Cody Hiland in the case against 18-year-old Hunter Drexler on Wednesday afternoon, a short time after the presiding judge agreed to delay the trial until June to accommodate the process.

Drexler and a 15-year-old boy called Justin Staton stand accused of murdering Robert and Patricia Cogdell last July. Both plead not guilty, and Drexler's attorney, Patrick Benca, said he and his client were "not concerned about anything on that phone," but but prosecutors say that recorded phone conversations indicate Staton used the iPod in question to plan the murders.

Apple's San Bernardino fight may be over, but the government is still seeking both Apple and Google's help in unlocking phones. New research from the American Civil Liberties Union shows 63 different cases in which the government compelled help from Apple or Google in unlocking a handset. It's unclear how many of the orders were filled, although companies often complied with such orders where possible before last year.

The bulk of the cases target Apple, but nine of the orders also look to compel Google's help, typically to reset the password on a given device. The devices include phones from Alcatel, Kyocera, and Samsung, many of which shipped without the default device encryption that blocked the use of traditional forensic tools in the San Bernardino case.

As of last night, Apple’s San Bernardino troubles are officially over. Yesterday, the FBI announced that it no longer needs Apple’s help in breaking into an iPhone linked to last year’s attacks, thanks to a new method for unlocking the phone submitted by an anonymous outside source. For the first time in weeks, Apple’s lawyers can breathe easy.

But San Bernardino was just one battle in a much larger fight. The FBI’s Going Dark Initiative has been pushing for encryption backdoors since 2014, and they have no intention of stopping now. As soon as last night's filing came in, the Department of Justice announced its intention to continue challenging devices with strong encryption. "It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety," the department said in a statement. In other words, the fight is still going. The question is just how and where it will play out.

The dispute between the FBI and Apple over an iPhone connected to the San Bernardino terrorist shootings came to an unexpected end earlier today, as the FBI revealed it had managed to break into the phone without Apple's assistance. Details of how exactly it achieved this remain unclear.

"It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety," said the Department of Justice in a statement, "either with cooperation from relevant parties or through the court system."

The Department of Justice first announced the existence of the new attack on March 21st, less than 24 hours before the first hearing on the order was scheduled to begin. According to prosecutors, the method was first demonstrated to law enforcement on the 20th and was sufficiently plausible that the bureau could no longer continue its case, which was premised on the claim that only Apple was capable of unlocking the San Bernardino iPhone. The government was scheduled to report on the effectiveness of the exploit on April 5th, but the FBI's researchers appear to have finished early.

The FBI abruptly halted its heated case against Apple on Monday, citing a new break-in method from an unnamed "outside source." In the days since, the security industry has been puzzling over the identity of that mysterious source. But now, the mask is being lifted. Cellebrite, an Israeli mobile forensic software company, is reportedly helping the FBI get into Syed Farook’s device, according to reports from Reuters and Ynet.

The FBI "has been reportedly using the services of the Israeli-based company Cellebrite in its effort to break the protection on a terrorist's locked iPhone, according to experts in the field familiar with the case," Ynet reports. The Verge reached out to Cellebrite yesterday afternoon for comment and hasn’t yet heard back.

Yesterday, the government made a surprising retreat in the San Bernardino encryption case, after an unnamed source revealed a new method of breaking iPhone lockscreen protections. After a hastily assembled conference call, the parties agreed to put the court order on hold until it could be determined whether Apple's help was still necessary.

But excerpts from a court transcript of that proceeding, published here for the first time, show the government was far less prepared for the new method than some have assumed. "We only learned about this possibility today, this morning," Assistant US Attorney Tracy Wilkison told the judge in the conference call. "We have a good faith basis at this point in order to bring it up." That timeline is consistent with recent court filings, which show the first successful demonstration of the method coming that Sunday.

Last night, Apple’s month-long struggle with the FBI was abruptly paused, with the FBI putting the order to compel Apple on hold until it can try out a new attack it believes will unlock the San Bernardino iPhone. If the attack works (and the FBI seems confident that it will), it would mean a sudden end to the fight that has consumed both sides since February. It’s still possible the new method will fail and the case will resume in April, but after months of high-stakes legal sparring, the fight looks very close to being finished.

But despite FBI claims to the contrary, this fight was always much bigger than a single iPhone, and it’s unclear what this last twist means for the larger privacy issues at stake. Can the FBI compel companies to break their own security? Is the iPhone a warrant-proof space? For all the legal and political maneuvering, the San Bernardino fight was shaping up to answer those questions, either through a new legal precedent or a new law. But while the case itself is all but settled, the bigger issues seem more confused than ever.