If you've been paying attention to the news in the past few weeks, you've probably heard about a battle between Apple and the FBI. There's currently a court case pending between the two that deals with the government's access to a given piece of technology. The FBI is invoking the All Writs Act of 1789, claiming that Apple must comply with investigation demands when it's for a compelling and legal reason. In this case, the FBI wants access to an iPhone that was owned by a terrorist in order to investigate any communication the terrorist had with outsiders. The FBI is asking Apple to comply because:
- The iPhone is locked with a passcode, and hence is encrypted. Reading the data is impossible unless the phone is unlocked, which decrypts the information.
- If the passcode is entered incorrectly eight times, the phone gets wiped.
- The FBI has already attempted to reset the password for the phone's cloud backup, thus eliminating all other ways of accessing this phone's data.
Since the FBI is stuck at a wall and can't make any moves for fear of data being wiped, they want Apple to engineer a solution that prevents the phone from getting erased for investigative purposes.

To put this in layman's terms, the FBI wants Apple to create a version of their operating system that removes the delay between incorrect passcode attempts, as well as the rule for erasing the data.

For people who do not understand how encryption, backdoors, and operating systems work, this seems like a simple stance to take. Support the FBI so we can figure out who the terrorist talked to, and catch the bad guy. Why is Apple holding their ground on just one iPhone?

Let's take a look at a few of these ideas and really understand the security implications that could impact not just this phone, but your own security and privacy in the cyber world.

Encryption - Protecting your data from the bad guys

What is encryption? To put it simply, it's a tool used to scramble your information so no one on the outside can understand it. Encryption requires a secret "key," and that key helps you decrypt and read the information.

Did you ever have secret notes you gave to your friends back in grade school? Maybe to someone you liked, but you didn't want someone else reading that note? A common way of keeping that communication safe was to jumble up the characters so that only the person who had a legend could understand it. Unintentionally, you may have used what's called a Caesar cipher, which is the act of shifting a set of letters by a certain amount to "encrypt" your information. For instance, if I had the following phrase and I wanted to encrypt it, I could use this cipher and shift the alphabet two spaces to make my phrase secret:

And the only person who would understand it is the person you told the secret to.
You'd say "take each letter and go up the alphabet by two so you can read it!"

This is the simplest and weakest of techniques, but succinctly demonstrates the concept of encryption. There are complex algorithms used so people who are on your Wi-Fi network (whether it's at home, work, or at some random coffee shop) can't read your information. Sites for your banking, social networks, and purchases use encryption so people can't pretend that they are you (known as identity theft).

In general, things that are encrypted can always be decrypted. However, time is the limiting factor here. If you were given a note to decipher that was time-sensitive, what good are the contents of that note if it took you twenty years to solve? By then, the information most likely does not matter. Or if attempted too many times, it may get destroyed.

By weakening encryption, you have a weaker guarantee that someone won't be able to decrypt information in a timely manner. If you've ever used a passcode on a smartphone, you know a delay gets added between attempts after several wrong entries. If you've tried accessing a phone about seven or eight times, it'll say you can't do it again for another minute. This value goes up exponentially on every subsequent attempt, which makes sense. Given that the weakest passcode setting limits your possibilities to 10000 values (from 0000 to 9999), a delay is necessary so that someone can't try all 10000 in a short amount of time.

This is what the FBI wants removed. There is hardware you can attach to phones that can input passcodes faster than humans can, and without this delay, they can access a device in just a few seconds (versus several days after many incorrect attempts). Without the fear of having the data get wiped, anyone could try multiple times, and an attacker could access this data within an acceptable amount of time.

Backdoor - An idealistic concept that's near impossible to implement securely

Backdoors are what you think they are.
They are doors that aren't channeled from the main entrance, but can still be used to get inside a place. If you own a house, you most likely own a backdoor from your patio or lawn. They're incredibly common.

So, what does a patio door have to do with an iPhone, or with technology for that matter? In software, a backdoor is a technique to gain access to a system's operations without having to deal with the security. Instead of dealing with a password or a passcode, someone could just find this hidden door and gain access to everything, decrypted and all.

Why does this pose a threat? Hopefully it's obvious to you. If a hacker were to exploit a backdoor technique on one phone, then it could be used on everyone else's phones (given that they are running the same operating system). If you still don't understand how scary this is, consider the following scenario:

A door company creates doors for houses. They ask a doorknob company to assist in coming up with knobs and locks on the doors. Each house should have a separate set of keys and locks, since well, that just makes sense. You don't want two houses to be accessible with the same key, right? This agreement is set forth between the door company and the doorknob/key company, that each group of doors should have a different set of keys in order to enforce privacy. But what if the doorknob company had a secret master key that could unlock any lock they've ever built? All of a sudden, this trust is completely violated. What if someone from the lock company had a bad day and decided to mess with someone's life? What if they came up to a door and opened it at free will? What if it was your house?

Even worse, what would happen if this key was duplicated? Now all of a sudden, every door is accessible, and potentially several people out there could open any door they wanted to.
People who want to spite you could now easily seek revenge on you at any time, given that they knew your address.

In a quasi-exaggerated sense, this is what the FBI wants. They want a master key that would grant them access to any smartphone. However, they wouldn't open the backdoor at their own whim; it would only be used for investigative purposes at appropriate times. The main question here though is, how can we trust our own government with those words? That sounds like a rather depressing thing to say, but consider the precedents that have been set in regards to backdoors. Do you feel at ease knowing that your entire Internet browsing history has been silently snooped on by the NSA? It's frightening to think about, considering that the NSA could very well have access to any American's data at the touch of a key. Imposing this backdoor on a mobile phone could further compromise every American's security and privacy. All of a sudden, a government official could inspect your call history, text messages, and recent activity for "investigative purposes." It's a chilling thought.

One-off Operating System updates - exclusive patching is never perfectly secure (or exclusive)

The FBI is asking Apple to create a one-off update for their operating system that removes the timing delay of passcode attempts. Apple has stated that it's possible to do, and that it would take a few weeks. However, imposing that weakening of security on consumers is incredible. So instead, the FBI would like Apple to deliver an update only to the FBI so they can update phones at their discretion. Regardless of what secure channels you use to deliver this update, there is always that chance that it could be leaked to the public. Consider all the instances where you've seen things that should have been kept secluded get leaked. A few examples, to spin up your mind:
- Starcraft II's Heart of the Swarm ending, leaked in 2010
- Quentin Tarantino's The Hateful Eight script, leaked last year
- Several popular Christmas-time movies leaked online on torrent sites, this past Christmas
- The NCAA March Madness bracket leaked while the show was ongoing, just a few weeks ago
Given the nature of these items, you must trust that people won't "accidentally" send things to other parties that could potentially spread them like wildfire. While I don't think anyone at Apple would necessarily leak their new OS like this, when it's in the hands of another group, anything can happen. Maybe another whistleblower could leak it to the public? Again, it seems unlikely, but distributing the data (no matter how secure the party is) always has a chance of being intercepted.

Now, what does the FBI want again?

The FBI here is asking Apple to weaken their encryption policies so they can access this device. However, by accessing one device, they'd be able to access every device with this technique. The result of Apple vs. FBI sets a precedent for the privacy values of Americans, and it also echoes the power of the government's access to privacy to the entire world.

It's hard to take a stance, because both sides are convincing. The FBI wants Apple to comply so they can solve a terrorist attack in California, making Apple look like the bad guy. Apple claims that weakening security will give the government access to anyone's device at a whim, making our government look like the bad guy.

The idea to take home is this: How much do we value our own privacy (and lives), and are we willing to trust our government to honor that privacy? Can Apple come up with a way to help the FBI without the security of 100+ million Americans being breached? Can we trust the government with weakened encryption standards, and to not snoop at everyone's data "for investigative purposes?" The past has shown otherwise, unfortunately.

To conclude, John Oliver puts it beautifully in this segment. If you scrolled down to the bottom to get the tl;dr, then just watch this:

https://www.youtube.com/watch?v=zsjZ2r9Ygzw

What are your thoughts? I'd love to hear them.

Until next time,
Corey
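
The passcode-delay argument from the encryption section, worked through as an added example (not part of the original post): it models how long it takes to exhaust the 10000-value keyspace with and without the lockout delay, and what the erase rule leaves a guesser. The free-attempt count, the one-hour cap on the doubling delay, and the per-guess time are assumptions chosen for illustration, not Apple's real values.

```python
from fractions import Fraction

KEYSPACE = 10_000      # 4-digit passcodes 0000-9999 (from the article)
WIPE_AFTER = 8         # wrong guesses before the erase rule fires (article's figure)
BASE_DELAY_S = 60      # first lockout: "another minute" (from the article)
FREE_ATTEMPTS = 7      # assumed: guesses allowed before the first lockout
MAX_DELAY_S = 3600     # assumed: cap on the doubling lockout
ATTEMPT_S = 0.0005     # assumed: time per guess for automated entry hardware


def lockout_before(attempt_no):
    """Seconds the device makes the guesser wait before attempt number attempt_no (1-based)."""
    if attempt_no <= FREE_ATTEMPTS:
        return 0
    # The lockout doubles with every further failure until it reaches the cap.
    return min(MAX_DELAY_S, BASE_DELAY_S * 2 ** (attempt_no - FREE_ATTEMPTS - 1))


def worst_case_seconds(throttled, keyspace=KEYSPACE):
    """Time to try every passcode, with or without the escalating lockout."""
    waiting = sum(lockout_before(n) for n in range(1, keyspace + 1)) if throttled else 0
    return waiting + keyspace * ATTEMPT_S


def success_chance_before_wipe(wipe_after=WIPE_AFTER, keyspace=KEYSPACE):
    """Chance of hitting a uniformly random passcode before the erase rule triggers."""
    return Fraction(min(wipe_after, keyspace), keyspace)


if __name__ == "__main__":
    print(f"no delay:   {worst_case_seconds(False):.1f} seconds")
    print(f"with delay: {worst_case_seconds(True) / 86400:.0f} days")
    print(f"erase rule on: success chance {float(success_chance_before_wipe()):.2%}")
```

Under these assumptions the delay alone turns seconds into more than a year, and the erase rule caps a guesser at a 0.08% chance, which is why removing both protections changes the picture so completely.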