The FBI’s Access to iPhone Data: Apple Fights Back

Episode Notes

Transcript

Digital Detectives

The FBI’s Access to iPhone Data: Apple Fights Back

05/30/2018

Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

[Music]

Sharon D. Nelson: Welcome to the 91st edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics cybersecurity and information technology firm in Fairfax, Virginia.

John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is, ‘The FBI’s Access to iPhone Data: Apple Fights Back’. What’s next?

Sharon D. Nelson: Before we get started I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at  HYPERLINK “http://www.sitelock.com/legal/digitaldetectives”sitelock.com/legal/digitaldetectives.

We would also like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit  HYPERLINK “http://www.pinow.com/”pinow.com to learn more.

John W. Simek: Our guest today is Nate Cardozo, a Senior Staff Attorney on EFF’s Civil Liberties Team where he focuses on cybersecurity policy and defending coders’ rights.

Nate has litigated cases involving electronic surveillance, freedom of information, digital anonymity, online free expression, and government hacking. As an expert in technology law and civil liberties, Nate works on EFF’s Who Has Your Back Report and regularly assists companies in crafting rights-preserving policies and advising on compliance with legal process.

Thanks for joining us today Nate.

Nate Cardozo: Thanks for having me John. Thanks Sharon.

Sharon D. Nelson: Sure. Well Nate, why don’t we start out by asking you exactly what it is you do for the Electronic Frontier Foundation and what your expertise is?

Nate Cardozo: Sure. So again, thanks for having me on. I am a lawyer on the Civil Liberties Team here at EFF as John mentioned in the introduction. What does that mean? The Civil Liberties Team at EFF is our oldest team. EFF was founded in 1990 to defend privacy and free expression in the digital world. And so we essentially defend for the lawyers out there the First and Fourth amendment as it applies to the online arena.

For non-lawyers what that means is we work on issues involving free expression on the Internet and on issues of digital search and seizure. Essentially when the government comes knocking to ask for your data, either from you or from the cloud providers that we have to store our data with in the modern era.

I have been with EFF since 2009. I am a senior lawyer here now and I work mainly on cybersecurity issues at this point, from encryption, to the Computer Fraud and Abuse Act, to anti-botnet provisions, to the application of international law, to US computer programmers and coders.

My work is less litigation today than it was a few years ago because I have branched more into the policy arena. So for instance, I organized and led a briefing on Capitol Hill last month for Senate side staffers on device encryption, where we brought a panel of computer science experts to tell Senate staff what they are not hearing from folks like the FBI.

John W. Simek: Well Nate, tell us a little bit about the FBI’s stance on encryption today and especially with regards to smartphones, and I know Sharon and I are pretty familiar with the term, but perhaps our listeners aren’t familiar with what it means when they use the term going dark?

Nate Cardozo: Well, so the FBI has been using the term going dark since at least 1996. Director Louis Freeh of the FBI at the time warned that encryption was making it so that criminals were going dark. Their communications were no longer accessible to the FBI. And that was in 1996. Obviously now, we are 22 years later and several FBI Directors later and Director Christopher Wray is using almost exactly the same language as his predecessors did going back over the last two decades.

The FBI wants a world where at the push of a button they can get access to any information that exists. In the abstract that’s not necessarily a bad idea, if the FBI gets a warrant from a neutral magistrate signed on probable cause that’s reasonably specific, I don’t necessarily have a problem with the FBI searching my digital data, especially if they have evidence that I committed a crime.

(00:04:51)

The issue is what do they need to do so that those searches are always 100% effective? Today they are not necessarily a 100% effective, just like searches in the physical world are not necessarily a 100% effective. And it’s the FBI’s position and it has been the FBI’s position for two decades now, going on two decades that device manufacturers and service providers both within the United States and outside the United States should manufacture their devices or engineer their services to give FBI a backdoor into our data.

Of course the FBI doesn’t like the term backdoor, so they have rephrased it in many different ways. They have called it exceptional access, they have called it lawful access, they have called it a side door, they have called it a trapdoor, they have called it a window, they have called it a workaround, you name it.

And so that’s the FBI’s stance on encryption, they want to get in, they don’t really care how, they just want the nerds down in Mountain View or Cupertino to give them a magic key into all of our data.

Sharon D. Nelson: Well, I am glad you gave us so many synonyms for going dark. I like that string. That was good.

Well, I know the three of us have been following the history of this for quite a while, but because of our subject matter today and because some of our listeners won’t really be as attuned to these issues as we are, could you please give us a brief description or synopsis of the FBI versus Apple confrontation over the San Bernardino cellphone?

Nate Cardozo: Sure. You will probably remember that in December 2015 a really tragic event happened in San Bernardino, California. Two San Bernardino County employees shot up their workplace and killed more than a dozen people. The two shooters died in a shootout with law enforcement later that day and they left behind three phones; their two personal phones and the male shooter left behind his work phone as well.

The shooters destroyed their personal phones. So of the three phones, two were completely nonfunctional. They had been beaten to death with a hammer essentially. The third phone, the work phone, the male shooter’s work phone was found on the floor of their car and it was not damaged.

The FBI took that phone and took it to court and got a federal magistrate judge in Southern California to sign an order ordering Apple to design a custom version of iOS to bypass the security features that kept the FBI from opening that phone.

Apple fought the order in court and a whole bunch of organizations, including the Electronic Frontier Foundation where I work, filed amicus briefs in support of Apple. And we won in a sort of weird way. On the literal eve of the hearing, my colleagues and I were on our way to the airport to fly to SoCal when we heard this. The government announced surprise, we have actually found a way into the phone, we hired an outside contractor and he unlocked it for us, so now we don’t need Apple’s help, despite the fact that they had testified under oath in front of the judge that there was no possible way to get into the phone except have Apple help. So that’s what happened.

And the court fight disappeared, because the FBI got what it wanted without Apple’s help. So the court battle never came to anything. The battle in Congress however continued and we saw Senator Feinstein from California, along with her colleague Richard Burr from North Carolina, introduce a bill that would have banned encryption altogether, sort of in response to the court battle in San Bernardino. And we saw the FBI’s Inspector General look into what had happened, look into why the FBI was so very wrong when it told the court that there was no possible way of getting into the phone.

The Inspector General released its report, I think last month, in 2018, and it essentially found that elements within the FBI were much more concerned with the legal precedent than they were with actually getting into the phone. So they didn’t even look in the right places for a way to hack the phone. The FBI didn’t contact its Operational Technology Division, which is where its hackers live to ask them for their help. They simply took it on faith that no way existed.

John W. Simek: Yeah, that was interesting, certainly the way that finally played out, but Nate, what do you think is the likelihood that the FBI is going to get a backdoor on indoor cellphones?

Nate Cardozo: Well, I am going to give you a lawyer answer, it depends.

Sharon D. Nelson: I know that answer. I know that answer.

John W. Simek: I do expert witnessing and I do the same answer, it depends.

Nate Cardozo: You probably charge a whole lot of money for saying it depends; my it depends are pro bono luckily, because I work at a nonprofit, so it depends.

(00:09:50)

So the surefire way that FBI will get a backdoor into all of our phones is if the companies capitulate and that’s my nightmare scenario. My nightmare scenario is that Google and Apple and Facebook, all silently, without telling us, without telling the public give the FBI what it has been asking for, without waiting for a court to order it or without waiting for Congress to mandate it.

I don’t think that’s very likely, but it’s certainly possible. And if they do that, then we will lose without even knowing that we have lost.

Will the FBI get an American Court to order backdoors in a way that will hold up on appeal? I doubt it. There are significant First Amendment problems there.

A case that EFF brought in the late 90s called Bernstein v. DOJ found that code is speech and First Amendment protected activity and that includes when folks like Apple write code. And so you can’t, just like the government can’t compel you to say something that you don’t believe in, the government can’t compel you to code something that you don’t believe in. So this is one of those weird areas where the fact that companies have First Amendment rights is actually good for us.

Could Congress mandate a backdoor? Yeah, probably. There are regulatory ways that Congress could use something like the FCC. It’s not that it would be illegal to create the iPhone; it’s just that it would be illegal to sell it with a radio that would connect to the cell network. So they could do it, they could mandate it.

What’s the likelihood? And here’s where the it depends comes in. Congress is very, very good right now at not doing anything. So is Congress actually going to pass a backdoor mandate? The safe money is on no, but that’s just because the safe money is on Congress not passing anything in particular.

John W. Simek: So in other words, business as usual.

Nate Cardozo: Business as usual, and again, this is a weird spot where Congress’ complete and utter incompetence is good for the American people.

Sharon D. Nelson: The more they do nothing, the more we are all better off for it, right?

John W. Simek: I love that spirit.

Nate Cardozo: Yeah, the status quo works. And I will give you an example of how the status quo works. The FBI has been testifying for about a year that it has 7,775 phones that it can’t break into. We know that number is simply not true for now two independent reasons.

The first is that the FBI has access to tools from a company called Cellebrite and a company called Grayshift. GrayKey is manufactured by Grayshift and Cellebrite’s tool I think is just called Cellebrite, I don’t know, it probably has a fancy name.

John W. Simek: It’s called UFED.

Nate Cardozo: UFED, all right. So Cellebrite’s UFED and Grayshift’s GrayKey have been reported to be able to break into anything that’s currently on the market. So they can actually do it, so 7,775 phones that they can’t break into, unless they try I guess is the actual number.

But then just yesterday The Washington Post reported that it’s not actually 7,000; that was a misstatement by the FBI, it’s actually about 1,200, so only about 15% of the number that the FBI has been claiming for the last year.

So the FBI actually can get into our phones if they try and there’s not even that big a backlog apparently.

Sharon D. Nelson: Well, one of the things that strikes me is that ignorance plays so much of a part here. Nobody in Congress knows what they are talking about, or very few know what they are talking about when they talk about this. When you hear the FBI talk, I think they are almost relying on the public’s ignorance because they make a credible argument insofar as it goes and then you find out that the underpinnings of the argument are completely worthless. People just don’t know how to vet it.

So would you say that ignorance about the technology is a huge part of the struggle between the FBI and privacy?

Nate Cardozo: Oh absolutely. And that’s where organizations like EFF come in. We held, as I mentioned earlier, we held a briefing for Senate staff last month on Capitol Hill and sitting in the front row were the staffers for McConnell and Schumer, sitting next to each other; they asked very good questions. So it’s our job to try and educate policymakers and the public about these issues.

I mean if you ask the question to the average person on the street, should the FBI be able to get into a terrorist’s iPhone? The answer is obviously yes. I would answer the same way. But if we reframe the question and say, should the government have the power to mandate that all of our devices be insecure to identity thieves, organized crime and abusive spouses, then the answer for the average person on the street would probably be no, and that is certainly what my answer would be.

So making sure that policymakers and the public are asking the right questions is key.

John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.

[Music]

(00:14:59)

John W. Simek: At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes website scanning, web application firewall, including Distributed Denial of Service mitigation, and 24×7, 365 US-based customer support. Give your firm and your clients’ peace of mind knowing their information is secure. Learn more at  HYPERLINK “http://www.sitelock.com/legal/digitaldetectives”sitelock.com/legal/digitaldetectives.

[Music]

Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit  HYPERLINK “http://www.pinow.com/”www.pinow.com.

[Music]

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is The FBI’s Access to iPhone Data: Apple Fights Back and what’s next? Our guest is Nate Cardozo, a Senior Staff Attorney on EFF’s Civil Liberties Team, where he focuses on cybersecurity policy and defending coders’ rights.

Nate has litigated cases involving electronic surveillance, freedom of information, digital anonymity, online free expression, and government hacking.

John W. Simek: Well Nate, you mentioned a little bit about Cellebrite and Grayshift. Can you talk some more and dig into a little more detail about those companies and their products and how they get into iPhones, even the newest model of the iPhones?

Nate Cardozo: Sure. So the public doesn’t actually know the answer to that last question you asked. But Cellebrite and Grayshift are forensic technology companies. They create tools to help law enforcement access and preserve digital evidence. You may have had personal experience with Cellebrite, if you have ever gone into an Apple Store and had them transfer your data from your old iPhone to a new one. That little box that they plug your phone into is manufactured by Cellebrite and it will pull the data and settings off of one device and plop it on another.

The version of the box that the Apple stores have require you to type in your passcode before that happens. So they don’t bypass the security features of the phone.

However, the version that Cellebrite sells to law enforcement has a way or several ways of bypassing the security features of the phone to be able to pull data off without the user’s passcode.

Grayshift is a slightly newer entrant into the marketplace but their product called GrayKey has gained a lot of traction in the past six to eight months maybe. Both of them advertise that their devices can break into even the newest model of Apple’s iPhone and almost certainly any Android device on the market.

We don’t know exactly how they do it. We think that they do it with some sort of vulnerability in the Lightning port but we don’t know. If Apple knew, they would almost certainly patch the vulnerabilities that GrayKey and Cellebrite use.

John W. Simek: Well also, the latest version of iOS is going to do that, disable the USB capability through the Lightning port after you have to what, unlock it after so many days or something like that?

Sharon D. Nelson: Seven days I believe it is.

Nate Cardozo: After seven days or something like that. It’s yet to be seen whether that’s going to make a real difference. Apple is talking about rolling this out in software. They are talking about being able to add this capability to existing devices. I don’t have to tell you guys, but if you can turn it off in software, that means you can turn it back on in software.

It’s not like there’s going to be a physical break in the circuit on the Lightning port. So I think it’s probably only a matter of time before Cellebrite and GrayKey figure out a way past Apple’s latest remediation.

John W. Simek: I guess what worries me is that this whole GrayKey product, if it works as advertised, somebody is going to break into a law enforcement facility somewhere and get their hands on the physical device, then the bad guys have it.

Nate Cardozo: Oh yeah, absolutely. And if Grayshift and Cellebrite can build these things, who else can build them? Cellebrite is an Israeli company, I would be shocked if the Russians, and the French, and the Turkish, and the Japanese, and the Chinese weren’t building equivalence. They are just not selling them on the open market.

(00:19:52)

Sharon D. Nelson: Yes, I would be very surprised if there were not devices and technologies that we simply don’t know about. I think you are right about that.

I have been happy to see Tim Cook and Apple kind of dig in their heels on privacy issues. Can you tell our listeners what steps Apple has taken to rebuff these technologies which assault our privacy?

Nate Cardozo: Well, they do a couple of things. They run a Bug Bounty Program, so they will pay researchers to disclose vulnerabilities to them instead of to companies like Cellebrite or Grayshift. They don’t pay as much as Cellebrite and Grayshift do; that’s partly by design and that’s partly just the way the economics work.

My friend Katie Moussouris, who runs Luta Security had done a study with MIT and Harvard about the economics of vulnerability disclosure and her conclusions were that the companies will never be able to pay as much as the Cellebrites of the world, so that’s one step that they have done.

Another is just the simple cat-and-mouse game. Every time the jailbreaking community releases a new tool, Apple reverse engineers it. I would be surprised if Apple isn’t trying to get its hands on a GrayKey device or a Cellebrite device or both to see how they work. If I were Apple I would certainly be trying to do that.

Apple has not been very public about the steps that its taken to fight back against these technologies, but Apple is not public about really very much of anything until it has been released.

John W. Simek: So Nate, is this a constant struggle between which side has the upper hand, because it seems to be flipping back and forth with where the balance of power is between the governments and privacy advocates and then it flips back over again?

Nate Cardozo: Sort of. I think the governments really have the upper hand and I am not sure privacy advocates have ever had the upper hand. So I would push back against that and say no, this is a constant struggle in which the government has the upper hand, full stop.

Sharon D. Nelson: Okay, full stop there, all right.

Well, just to kind of reinforce your point, I know when we lecture we talk about the UK, Australia, Russia and China, they all have some fairly draconian measures in place with respect to encryption. Can you tell our listeners a little bit about that?

Nate Cardozo: Sure. End-to-end encryption and device encryption are nominally illegal in Russia and China. It is technically against the law to sell an iPhone in either of those countries. That said, China is one of Apple’s biggest markets. So China has not been enforcing those regulations and neither has Russia.

Russia has started enforcing regulations with regard to end-to-end encrypted messaging like Telegram; they are trying hard to shut down Telegram, but they are not shutting down iMessage or WhatsApp.

China of course has taken a much more aggressive stance against end-to-end encrypted messaging and it’s very difficult to use an encrypted messenger in China.

Australia and the UK have passed laws that give the government the power to ban strong encryption, either device encryption or end-to-end encrypted messaging, they haven’t actually done it yet though. So they passed the law to give the government the power to make the iPhone illegal, but they haven’t actually flipped the switch yet.

So we are sort of in a waiting game to see what the UK and Australia do with regard to encryption. They have the legal authority to do it at any time, but they haven’t actually done it yet.

Sharon D. Nelson: That’s a nice summary and I don’t think most of the folks listening to this podcast will know that.

Nate Cardozo: Google the Investigatory Powers Act in the UK and look at what the Investigatory Powers Commission is doing and I apologize for giving you heartburn when you do that.

Sharon D. Nelson: In advance, thank you.

Nate Cardozo: Yeah.

John W. Simek: Well Nate, a lot of folks, especially lawyers are worried about the privacy of their data, especially given recent events and we have lately been seeing these overblown headline saying that, encryption is dead. I think the most recent one was about encrypted email is dead and PGP is broken and yada yada. What would you tell those folks?

Nate Cardozo: Well, no one should be using PGP, but that was true before the story about that. PGP is a disaster and it’s really easy to get wrong. We haven’t recommended PGP for the average user in a very long time.

That said, there are some encryption programs that are getting more and more widespread and easier and easier to use. Signal, which is put out by a nonprofit called the Signal Foundation is true end-to-end encrypted messaging. Its algorithm, the Signal Protocol, is included in WhatsApp and iMessage, which is Apple’s proprietary version has a similar, but not quite as good proprietary algorithm in its messaging protocol. Device encryption is now default on iOS devices and very easy to turn on on both Mac and Windows desktop and laptop machines.

(00:25:01)

So right now, at least in the United States, encryption is quite alive and in better health than it has been in a long time. It’s legal to sell. It’s legal to develop. It’s legal to use. And it’s legal to export. And it’s our job at EFF to make sure that it stays safe and legal for all of us to use.

So yeah, there are challenges, but it’s certainly not dead, just don’t use email; email is not secure.

Sharon D. Nelson: Yeah, I don’t think that’s the first time we have heard that. We sure want to thank you for joining us today Nate. We always enjoy our guests from the EFF and you might be the wittiest of the speakers to date. Thank you for telling this —

John W. Simek: Don’t tell Cindy to listen to this.

Sharon D. Nelson: Okay. All right, Cindy can’t listen. But it was a pleasure and very, very educational, along with being a very rousing good story told by an obvious master storyteller. Thanks for being with us.

Nate Cardozo: Thanks. And check out  HYPERLINK “http://www.eff.org” eff.org to keep up on all the encryption news.

John W. Simek: That does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at  HYPERLINK “http://www.legaltalknetwork.com/”legaltalknetwork.com or on Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and cybersecurity services at  HYPERLINK “http://www.senseient.com/”senseient.com.

We will see you next time on Digital Detectives.

[Music]

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on  HYPERLINK “http://www.legaltalknetwork.com/”legaltalknetwork.com and in iTunes.

[Music]

Continue Reading