As 2015 drew to a close, you might be forgiven for thinking the encryption debate was all talk. There had been a lot of speeches and it was clear the FBI didn’t like Apple’s default encryption system — but what could they actually do about it? They had been leaning on Congress all year and getting nowhere.
Then, everything changed. On February 16th, the FBI took Apple to court over an iPhone used by one of the San Bernardino attackers, putting encryption at the center of the largest terrorism-linked shooting in the US in years. A similar phone-unlocking order was already being argued in New York, and the two cases plunged Apple into a legal crisis, as the company faced the possibility that a single ruling might undo years of security work.
The FBI's encryption cases are over
Now, two months later, that fight is effectively over. The government backed out of the San Bernardino case on March 28th, after paying for a new method to break into the phone, and on Friday, the government pulled a similar move in New York. Late Friday night, investigators said they had discovered the passcode to the iPhone at the center of the New York case. It was an embarrassing retreat, announced at a time that would generate as little press coverage as possible, and hastily close an appeal that prosecutors had sworn to continue just two weeks earlier.
But it’s also the end of something much larger. With the New York case closed, the government is no longer using the courts to try to force Apple to break its own security. There are plenty of other iPhones that prosecutors would like to unlock, but no active cases, and given the retreats in both New York and San Bernardino, it doesn’t seem likely prosecutors will start up a new case any time soon. Prosecutors will leave New York with a new ruling in place that strikes down the legal reasoning behind the government’s unlocking request, and there’s now no prospect that ruling will be overturned. After months of high-stakes legal maneuvering, the FBI’s encryption cases are over, and the bureau is leaving in a far worse spot than it started.
Each new piece of news has made the FBI’s hack look worse
The only win the FBI has from the past three months is a secret new method for unlocking iPhones, disclosed to the agency at the close of the San Bernardino case — but in the weeks since then, each new piece of news has made the FBI’s hack look worse. On April 7th, FBI Director James Comey told an audience the hack doesn’t work on any phones newer than a 5S, which cuts out three-quarters of active iPhones up front. Two weeks later, he told a different crowd that the price tag had been well over $1 million. Over the same period, a steady trickle of anonymous leaks made it clear that there were no new leads coming from the now-unlocked San Bernardino phone, just the expected confirmation that the two shooters hadn’t used that particular phone to coordinate with accomplices. One million dollars is a very high price tag for that information, and given the narrow benefits of the new hack, it seems fair to say the fight has cost the FBI more than it has cost Apple.
"Identifying these vulnerabilities... can take an unacceptable amount of time."
Buying hacks is even worse as a longterm strategy. The vulnerability market is a complex and expensive place, and there are a lot of well-heeled criminals, brokers, and other governments willing to pay top dollar for a way to unlock a seized phone. At the same time, trying to find the bugs first is a bigger task than the FBI can afford to take on. Amy Hess, the FBI’s executive assistant director for science and technology, said as much at a recent congressional hearing. "Identifying these vulnerabilities and developing lawful intercept or lawful access solutions can take an unacceptable amount of time, require significant skill and resources, and the results of these efforts can be ephemeral, at best," Hess told the committee. When Rep. Diana DeGette (D-CO) asked if the FBI could develop those capabilities on its own, Hess replied simply, "No, Ma’am." For the FBI’s top techie, it’s a bracing admission: the bureau cannot hack its way out of the encryption problem.
The FBI can still take companies to court, but that path is a lot harder than it was a few months ago. When the San Bernardino fight began in February, there was very little established case law interpreting the All Writs Act and US v. Telephone, the most relevant precedent — but that’s not true anymore. In New York, Magistrate Judge Orenstein rejected the government’s interpretation of US v. Telephone in a blistering 50-page ruling, Apple’s biggest legal victory so far. The FBI’s retreat on Friday means that decision stands, which is bad news for anyone hoping to compel tech companies to unlock their products. Orenstein’s decision doesn’t have the precedent-setting power of an appeals court ruling, but it’s still the only time a judge has come to a conclusion on whether the FBI should actually have the powers it’s pushing for. If Comey was hoping to set a precedent, he sure wasn’t hoping for this one.
Then there’s the practical fact that the government has now backed out of two cases in a row: once because a new method was discovered, and once because the passcode for the phone itself was discovered. Next time a locked iPhone comes up, prosecutors will have to make a very convincing case that there is no other way to find the subject’s passcode and no lingering vulnerabilities waiting to be discovered. In both cases, it will be very hard to say for sure. As any security expert will tell you, there are always more undiscovered vulnerabilities out there.
If Comey was hoping to set a precedent, he sure wasn’t hoping for this one
The result leaves the FBI back where it started, only with fewer options and less credibility. There’s still the chance of getting an anti-encryption law through Congress — one recent example was introduced earlier this month — but the odds are no better than they were last year. If anything, the FBI’s courtroom misadventures have made the issue seem less urgent. How serious can the problem be, when they keep finding ways to unlock phones at the last minute?
The FBI’s loss won't put the issue to rest entirely. The government has lost crypto battles before — most notably with the Clipper Chip fight in the ‘90s. Intelligence agencies responded by going underground, working behind the scenes to undermine standards and weaken systems. The FBI is unlikely to give up on its encryption-breaking "Going Dark" initiative. But for the last two months, the courts have not been on the bureau’s side, and the broader political landscape has never been less favorable. For anyone in the business of strong security, it’s the best news in years.