It’s Security, Stupid! Why Apple is right to resist unlocking shooter’s iPhone.

Share this page

This is not a subject that I usually write about on these pages. However, I chose to write about it, both because it is a subject of which I am very qualified to speak and because there is a lot of misinformation floating around about the situation involved.

First, you should know my qualifications to speak to this issue.

For a number of my many years in the IT industry, as a part of my job, I held a security clearance. I have worked in “need-to-know” environments, where I had to have an armed guard, watching my every move, even though I had a very high clearance. I have since moved on from the IT industry, but the last salaried position that I held in that industry was overseeing UNIX security for a major oil company. At that time, I was a member of InfraGard, which defines itself as follows. “InfraGard is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S.”

In short, I have been deeply involved in both protecting my employer’s data and in sharing necessary information about security threats with proper authorities. An added qualification that I have to speak on this subject, is that I am fluent in numerous programming languages and I have had access to proprietary code on several occasions, so I am very aware of how companies protect proprietary code.

Now, let’s get on to the facts surrounding this issue.

Reasonable Cause

In order to get a search warrant, any law enforcement must show “reasonable cause”. In this case, the FBI needs to show reasonable cause to believe that the iPhone in question contains evidence that is relevant to the case. But when the FBI went before the judge, they failed to point out one very critical piece of information. According to reports, the shooters had “smashed” all other phones, computers, and disk drives. They “smashed” them. They destroyed these devices with a hammer. But they didn’t destroy this iPhone. That alone, blows the “reasonable cause” argument completely out of the water.

If the shooters went to the trouble of physically destroying all of their other computing devices, it’s because they thought that law enforcement might be able to get something incriminating off of those devices. It follows then that if the perpetrators didn’t do the same thing to this iPhone, it’s because they knew that there was nothing useful to law enforcement on that device. So this means that the likelihood of there being anything on the shooter’s iPhone that would help the FBI, is diminishingly small and certainly doesn’t rise to a level that would justify a search warrant, which would weaken the rights of all Americans, for what is most likely, a fishing expedition.

Also keep in mind that no Apple representatives were present when the judge issued the order, so the FBI’s abridged version of “reasonable cause” was all the the judge had to go on. For this reason alone, Apple has more than enough justification to challenge the order.

Code Security

Large companies that have massive amounts of proprietary code, tend to segment that code. They do this for several reasons.

  1. There is no one person, who has enough information about the code to be able to compromise the code.
  2. There is no one person who has enough information about the code that they could re-implement that code, after taking new employment.
  3. There is no one person who has enough information about the code that they could sell that information to the highest bidder.
  4. Even if a hacker manages to get a job working on that code, that hacker won’t have enough information to crack all of the security within the code.

The idea is that as long as the various pieces of the security measures in the code are segmented among several people, no one person has the knowledge to compromise the code in any way.

International Segmentation

Most international companies (like Apple) probably go a step further, in that part of their development is intentionally done in another country… or two. Such international dispersion of responsibility protects the companies that employ such measures from lawsuits that might seek to expose such code. As it turns out, such measures also make it impossible for such companies to release all of their code.

The foreign companies that work with U.S. companies in such a way are usually not an “owned” subsidiary of the U.S. company, but are rather, a “friendly” company that is not responsible to the U.S. company. They may even have an agreement that would prevent them from producing the kind of code that would be required to unlock the shooter’s iPhone.

Does Apple employ such measures? Who knows? But considering all that they have done to insure the security of their customers’ computers and phones, I would be very surprised if I learned that they don’t have some sort international protective measures in place. If they do, then in order for Apple to comply, the FBI would have to get a court order in another country, forcing that “friendly” company to assist Apple in creating the backdoor. The chances of that happening are effectively zero.

Ultimate Security

When thinking about electronic security, think of a house. The more doors and windows the house has, the more vulnerable it is to break-in, because that’s where most break-ins occur. The fewer doors and windows a building has, the more secure it is. So now let’s think of a computer or iPhone.

With a properly secured computer, what you have is a vault for your data. It has a front door that is opened with a security code. It also has four walls that have no doors or windows to be exploited. There are no skylights in the ceiling and there is no basement entrance. Now let’s electrify the walls and put a security system on all of the walls. Then add a few more measures to prevent unauthorized entrance. Each measure is designed and implemented, independent of anyone other measures. I’ve just described security on the iPhone.

If you wanted to put in a back door into that building, you would have to talk to the people who electrify the walls and have them turn off the electricity. But that would expose that the walls were electrified. Oops! Then you would have to talk to the people who monitor the alarms. But that would expose the fact that there was an alarm and probably what kind of alarm. Oops! Maybe there is a K9 patrol and the dogs would have to be locked up, while the door is being installed. But again, you have just exposed that there is a K9 patrol. Oops! With each step, you are informing others of the various security measures that are in place. Just exposing that those measures are in place, weakens your security.

So the only way to avoid exposing all of these things to other parties, thus permanently weakening your security, is to not install that back door.

Sure, Apple could probably bring together the various people needed to create that back door. But in doing so, they would likely expose information to one or more of those people, that would enable that person to hack the software at a later date, without all of the other people. That person could hack the operating system himself, get a job with a competing company and use his unique knowledge to implement a similar system for his new company, or he could simply sell his newly acquired knowledge to the highest bidder. Regardless of how it happens, the hack would be, as they say in security circles, “in the wild”.

As it is, there is no backdoor. If there is no back door, then the device is secure. If Apple were to install a backdoor, even if only for the few hours it would take to extract the information from the iPhone, then they would risk revealing the various segments of security to a single person. Then ask yourself if the FBI would not be willing to hire that person, at an exorbitant salary, to get him to share his newly acquired proprietary knowledge with the FBI.

Full Circle

This brings us back to “Reasonable Cause”. If there were really reasonable cause to believe that this iPhone contained something critical, then such a court order might be justified. But since the shooters went to such lengths to physically destroy all of their other computing devices, including other cell phones, it’s clear that all this whole case is about, is what amounts to an FBI hissy fit, because iOS is the ONLY cell phone operating system that they have not been able to hack.

If you have an Android or Microsoft operating system on your smartphone, then the FBI already has a backdoor that they can use to access the information on your phone. Granted, they are supposed to get a court order, before using that backdoor. But the important point is that the key to that backdoor is not in the hands of the court. It’s in the hands of the FBI. This is like saying that the FBI needs a search warrant to search your house, but then giving them a key to your back door and the code to disable your alarm. If they decide to enter your home, will they go to the court and ask the court’s permission to use that key. If so, will they do it EVERY time they want to enter someone’s home. Will they request the Court’s permission EVERY time they want to access the data on your phone. The point is that, as long as they are in possession of the backdoor key, they can access that information, without you or the court ever knowing they did it.

This whole thing is really a red herring. It’s not just a fishing expedition. But the FBI is using this fishing expedition, as a red herring, to get Apple to create the backdoor that they have been unable to create on their own. Even if Apple were to take the phone, get all of the various people to do their part to create the backdoor, download the information, and then destroy all versions of the code that created that backdoor. There would still be people who would have been exposed to the theory involved and knowing that much, it shouldn’t take a good programmer long to re-create that backdoor and that’s the guy the FBI will hire.

Chain of Custody

There are the talking heads on TV, who keep repeating, ad nausium, that Apple could take the iPhone, put in the backdoor, extract the data to give to the FBI and then destroy the backdoor and the phone. But there is a serious legal problem with that scenario. It’s called “Chain of Custody”.  This means is that there must be an absolute and unbroken chain of possession of the evidence, if the evidence is to ever be used in a court of law. If a policeman takes a piece of evidence from a crime scene, back to the station and places that evidence on his desk and then goes for a cup of coffee, without specifically handing over authority of that evidence to another policeman (usually in the evidence room), then that evidence is considered to be compromised. An indeterminate chain of custody would make it easy for an attorney to get his client off, by simply discrediting the veracity of the evidence as having possibly been replaced at a time when it was not in proper custody. In some cases, this could even result in the evidence not being admissible in a court of law.

So what this all comes down to is that, in order to maintain a valid and substantial chain of custody of that iPhone, the FBI could not just allow Apple to take that phone and work their magic. An FBI agent would have to be in the room with the phone at all times. So ask yourself what happens, at the moment that Apple actually breaks into the iPhone. There is a better than 50/50 chance that the FBI agent will claim that the phone is FBI evidence and take the unlocked iPhone back to his superiors for examination and the FBI would then have the cherished backdoor to the iPhone that they have been unable to hack, on their own. Then, we would all be at risk.

It could be an agent, who is up for promotion and suspects, incorrectly, that you may hold the key to some case he is working on and decides to use that backdoor to get data off of your phone, that he can then pretend to find another way. Maybe it’s an agent who thinks, incorrectly, that you are having an affair with his wife and decides to use that backdoor to hack your phone data.

The point is that what the FBI is asking, is not just for Apple to produce a key, but they want the key in their possession. The legal system and the courts have not kept up with technology. It used to be that the FBI had to go to the court, to get a court order to tap a telephone. Then they had to present that order to the phone company and the phone company supervisor would order some technician to implement the tap. This process had to be followed for each and every tap. So the FBI did not hold the key. They had to involve several other people. But with smartphone hacks, the FBI holds the key and they can easily use that key at any time, with nobody outside of the FBI ever being the wiser.

Apple is not only doing the right thing, but they are on solid legal ground. The FBI is using this fishing expedition to try and force Apple to build them a backdoor into the iPhone and they are using the flimsiest of arguments. The chances that the iPhone in question has anything of importance on it is virtually nil. I’m not always a fan of Apple’s politics. But I’m a fan of their technology. They do keep customer security in mind, when they develop technology. They are keeping customer security in mind, as they fight this case. For this reason, I am proud that I carry an iPhone and I thank Apple for standing up for my rights, where many other companies, with less honorable leadership, would have bowed to the FBI’s realistically unwarranted demands.

As a final note, I would not be surprised, should the FBI actually win, that they find that Apple has no control over one or more of the pieces of code needed to create the backdoor and that the FBI would have to attempt to get a court order in some other country, if they have any hope of unlocking that iPhone. The whole thing is probably an exercise in futility, on the FBI’s part, as well as being blatantly unconstitutional. I want them to protect me. But I want them to do it within the limits of the Constitution, so I know that my own rights are being protected, at the same time.

Thank you, Tim Cook and Apple Inc.

Read Apple’s letter to customers, explaining why they feel it necessary to fight this unnecessary and probably illegal request, here.

Share this page
Follow us on social media

Comments are closed.