Last week, the news that a magistrate ordered Apple to help the Federal Bureau of Investigation (FBI) hack an iPhone used by one of the San Bernardino shooter suspects has polarized the media. Despite the fact that this is happening outside our jurisdiction, the U.S. legal fight will be closely watched in Canada where the debate around encryption technology had been abnormally quiet despite its far-reaching consequences for anyone with a smartphone.
The tech issue, explained:
The principal suspect of the San Bernardino shooting created a password to lock his phone which has its data encrypted. The issue is that, a few years ago, Apple began making iPhones with additional encryption software that they could not unlock, all in the name of consumer privacy and cybersecurity. Apple's operating system uses two factors to secure and decrypt data on the phone: the password the user chooses and a unique 256-bit secret key that is embedded in the phone when manufactured. When the user enters the correct password, the phone performs a calculation which combines these two codes and if the result is the correct passcode, the device and data are unlocked. To prevent someone from brute-forcing the password, the device has a user-enabled function that limits the number of guesses someone can try before the passcode key gets erased. Once one of the two factors is missing, the data can no longer be decrypted and therefore becomes permanently inaccessible.
In addition to the auto-erase function, Apple has another protection against brute force attacks: time delays. Each time a password is entered on the phone, the system needs 80 milliseconds to process that password and determine if it's correct. The objective is to prevent someone from quickly entering a new password to try again, making it prohibitively longer to determine the password.
The order compelling Apple to assist agents in search
On February 16th, a U.S. federal magistrate in California ordered Apple to help the FBI unlock an iPhone used by one of the attackers in the assault in San Bernardino that killed 14 people in December. The order is accompanied by the Government's ex parte application which explains in more details the reasoning behind the order.
The judge ordered Apple to provide reasonable technical assistance to assist law enforcements agents in obtaining access to the data on the device. According to the judge, such reasonable technical assistance shall (1) allow to bypass or disable the auto-erase function whether or not it has been enabled, (2) enable the FBI to submit passcodes to the device for testing, (3) ensure that when the FBI submits passcodes to the device, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.
As a suggestion, the judge adds that reasonable technical assistance may include providing the FBI with a special version of its operating system that essentially eliminates the protections once installed on the phone, and allowing the FBI to enter password guesses electronically rather than through the touchscreen so that the FBI can run a password-cracking script that races through the password guesses automatically.
In short, this order is not simply about unlocking a phone; rather it's about ordering Apple to create a new software tool to eliminate specific security protections the company built into its phone software to protect customer data.
Apple Inc. chief executive Tim Cook responded by opposing the order, as it has implications far beyond the legal case at hand. It has published a letter explaining how the United States government has demanded that it takes an unprecedented step which threatens the security of customers. Its main argument is that once a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge. In other words, once created, the technique could be used over and over again, on any number of devices.
The Department of Justice's motion to compel Apple Inc. to comply with the February 16th order:
The Justice Department demanded on February 19th that a judge immediately order Apple to give it the technical tools to get inside the phone. They base themselves on American jurisprudence to say that the Court's order is lawful and binding and that the urgency of the investigation requires this motion now that Apple has made its intention not to comply patently clear.
The outcome of the legal battle could reverberate loudly in Canada
If Apple loses its appeal to have the order tossed out, this would set a precedent for future cases in which Apple or other tech companies could be compelled to write software that undermine the security of newer-model phones. The Apple case could encourage Canadian law enforcement to attempt similar orders for all kinds of third party companies operating in Canada, such as telecommunication or software companies.
Last month, in Canada, Sproat J. of the Superior Court of Justice issued a very important decision (R. v. Rogers Communications) for organizations that find themselves subject to a search warrant or production order seeking personal information in their records about third parties. The Court found that an organization in this situation has standing — and potentially a duty — to challenge the order if it constitutes an undue interference with the privacy interests of the third parties. This decision underscore the importance of obtaining legal advice before responding to such a request, to assist in determining whether the order should be challenged, especially if there are privacy or security concerns at stake such as in the Apple case.