Papers and Articles on Encryption and the FBI/Apple Dispute
Dr. John E. Savage
Dr. Kamlesh Bajaj
Outline of the Dispute
Apple has designed the iPhone so that if a user makes more than 10
incorrect password attempts, the phone will erase all the data stored
on it. The FBI has asked Apple to bypass this feature so that it can
read the encrypted contents of an iPhone that was owned by one of the
killers of 14 people in San Bernardino, CA last December. Apple has
refused to honor this request, although it has provided data that the
party in question has stored on its iCloud. The response of the FBI
has been to acquire a court order, invoking the All Writs Act of
1789, issued by a Federal court on February 16, 2016.
The following day, in a letter entitled "Message to Our Customers,"
Tim Cook, Apple's CEO, explained his
refusal to comply. He said that for Apple to satisfy the FBI's request
would require it to write a new version of its operating system,
which, once it was produced, could be used to unlock all of its
recently sold phones. Furthermore, governments all over the world could
demand access to it. This would have the effect of violating the
security of personal information stored on all of these
A New York Times summary of the case as of March 22, 2016 is
Commentary on the Apple vs FBI Issue
Apple Can Comply with the FBI Court Order, Trail of Bits Blog, by Dan Guido, February 18, 2016
In this article, Dan Guido provides a detailed technical
argument showing that Apple can comply with the court order but, to do
so, it must use its secret key (in a Public Key Encryption system) to "sign"
the new version of the iOS operating system so that it will be approved
by the iPhone hardware and downloaded when a transfer to the phone is attempted.
Preliminary thoughts on the Apple iPhone order in the San Bernardino case:
Part 2, the All Writs Act, by Orin Kerr, The Washington Post, February 19, 2016.
"This is the second post in the series. It focuses on the existing law on
whether a court has the power under All Writs Act to order Apple's assistance.
... This post explores what we know and don't know about whether the AWA
authorizes the Apple order. ... I don't know which side should win. Part of
the reason is that I'm waiting on development of the facts. But as this post
has showed, part of the problem is that the scope of authority under the AWA
is just very unclear as applied to the Apple case. This case is like a
crazy-hard law school exam hypothetical in which a professor gives students an
unanswerable problem just to see how they do."
Analyzing Apple's Argument that First Amendment Applies to Its Code,
by Steve Lohr, New York Times, February 25, 2016.
"Computer code is incomprehensible to anyone without programming skills, but
Apple argued in a court filing on Thursday that code is a form of speech. So,
the company contends, the government's order to crack a locked iPhone
used by one of the San Bernardino killers would violate Apple's First
Apple Goes to Court, and F.B.I. Presses Congress to Settle iPhone Privacy Fight,
by Katie Benner, Eric Lichtblau and Nick Wingfield, New York Times, February 25, 2016.
"The legal wrangling over a federal court order requiring Apple to help law
enforcement break into an iPhone intensified Thursday, with the company filing
its formal response and asking the court to drop its demand.
Other technology companies — Microsoft, Google, Twitter, Facebook and
also moved to throw their weight behind Apple in court. The companies said
they planned to file one or more briefs backing Apple next week in federal
court in California.
"The larger question isn't going to be answered in the courts, and shouldn't
be," James B. Comey Jr., the FBI director, said in a hearing of the House
Intelligence Committee earlier on Thursday. "It's really about who do we want
to be as a country and how do we want to govern ourselves."
One Issue Matters in the Clash Between Apple and the FBI by Christopher
Mims, Wall Street Journal, February 25, 2016
"At the heart of the contest between Apple and the FBI is the fact that if a
judge agrees, Apple can be forced to make the data on any iPhone available
to any law-enforcement agency that demands it. Since Apple has admitted it can
build software to do this, how it is accomplished is immaterial, save to a
handful of lawyers and judges.
A more sophisticated tracking and spying device than the smartphone you carry
in your pocket every day has never been invented. Do we want a legal precedent
that can transform the 'Internet of Things' into an 'Internet of Surveillance'?"
Feds Are Wrong to Warn of "Warrant-Proof" Phones by Woodrow Hartzog, MIT Technology Review, March 17, 2016
"Throughout history, communications have mainly been ephemeral. We need to be sure we can preserve that freedom."
Ready to Rumble, Apple vs. FBI: Privacy and security hang in the balance, says privacy expert Lisa Sotto,
SC Magazine, April, 2016
"'It should never have escalated to this, privacy should have
been addressed,' says Lisa Sotto, managing partner in the New York
office of Hunton & Williams, who focuses on privacy and cybersecurity
issues. The government, she says, should have 'worked with tech
companies to craft policies and processes.' But escalated it has into
what Justin Harvey, chief security officer for Fidelis Cybersecurity,
calls 'a landmark case,' noting that he is 'aware of people getting
compelled to unlock a phone, but I've never heard of a manufacturer
being ordered to decrypt something by court order.'"
security issues of the iPhone case, by Susan Landau, Science,
June 17, 2016
"This article is based on S. Landau, Testimony, House of
Representatives Committee on the Judiciary, 'The encryption tightrope:
Balancing Americans' security and privacy,' 1 March 2016."
Going Dark versus Encryption
Going Dark: Are Technology, Privacy, and Public Safety on a Collision
Course?, A Conversation with FBI Director James Comey,
Brookings Institution, Washington, DC, October 16, 2014. A transcript
of the talk can be found on the FBI website
"I wanted to meet with you to talk in a serious way about the impact of
emerging technology on public safety. And within that context, I think it's
important to talk about the work we do in the FBI, and what we need to do the
job you have entrusted us to do.
There are a lot of misconceptions in the public eye about what we in the
government collect and the capabilities we have for collecting information.
My job is to explain and clarify where I can with regard to the work of the
FBI. But at the same time, I want to get a better handle on your thoughts,
because those of us in law enforcement can't do what we need to do without
your trust and your support. We have no monopoly on wisdom."
Lawful Hacking: Using Existing Vulnerabilities for
Wiretapping on the Internet, by Steven M. Bellovin, Matt Blaze, Sandy Clark,
and Susan Landau, Northwestern Journal of Technology and Intellectual Property,
Volume 12, Issue 1, 2014.
"In this paper, we explore the viability and implications of an alternative method for
addressing law enforcement's need to access communications: legalized hacking of target
devices through existing vulnerabilities in end-user software and platforms. The FBI
already uses this approach on a small scale; we expect that its use will increase,
especially as centralized wiretapping capabilities become less viable."
Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All
Data and Communications by H. Abelson, R. Anderson, S. M. Bellovin,
J. Benaloh, M. Blaze, W. Diffie, J. Gilmore, M. Green, S. Landau,
P. G. Neumann, R. L. Rivest, J. I. Schiller, B. Schneier, M. Specter, and
D. J. Weitzner, Computer Science and Artificial Intelligence Laboratory,
MIT, Report MIT-CSAIL-TR-2015-026, July 6, 2015.
"We have found that the damage that could be caused by law enforcement
exceptional access requirements would be even greater today than it would
have been 20 years ago. In the wake of the growing economic and social cost
of the fundamental insecurity of today's Internet environment, any proposals
that alter the security dynamics online should be approached with
caution. Exceptional access would force Internet system developers to
reverse forward secrecy design practices that seek to minimize the impact on
user privacy when systems are breached. The complexity of today's Internet
environment, with millions of apps and globally connected services, means
that new law enforcement requirements are likely to introduce unanticipated,
hard to detect security flaws. Beyond these and other technical
vulnerabilities, the prospect of globally deployed exceptional access
systems raises difficult problems about how such an environment would be
governed and how to ensure that such systems would respect human rights and
the rule of law."
Need for Ubiquitous Data Encryption, by Mike McConnell, Michael
Chertoff and William Lynn, Washington Post, July 28, 2015
"We recognize the importance our officials attach to being able to decrypt a
coded communication under a warrant or similar legal authority. But the issue
that has not been addressed is the competing priorities that support the
companies' resistance to building in a back door or duplicated key for
decryption. We believe that the greater public good is a secure communications
infrastructure protected by ubiquitous encryption at the device, server and
enterprise level without building in means for government monitoring."
Hacker Chief Explains How to Keep Him Out of Your System, by Kim Zetter,
WIRED, January 28, 2016
Rob Joyce, head of NSA's Tailored Access Operations, explains on a
TAO rarely needs to break encryption to break into a computer system.
Don't Panic: Making Progress on the "Going Dark" Debate, The Berkman
Center for Internet & Society, Harvard University, February 1, 2016.
"We argue that communications in the future will neither be eclipsed
into darkness nor illuminated without shadow. Market forces and
commercial interests will likely limit the circumstances in which
companies will offer encryption that obscures user data from the
companies themselves, and the trajectory of technological development
points to a future abundant in unencrypted data, some of which can
fill gaps left by the very communication channels law enforcement
fears will "go dark" and beyond reach."
FBI director: Encryption 'the hardest question I've seen in
government', The Hill, February 25, 2016.
"I think the larger question is not going to be answered in the courts and
shouldn't be, because it's really about who do we want to be and how do
we want to govern ourselves," Comey said during a House Intelligence
Committee hearing on Thursday. Comey said Thursday that it is not his
intention to undermine online privacy for forcing policy changes.
"I've been very keen to keep the Bureau out of the policy-making business. I
think our role is to make folks understand what are the costs associated with
moving to a world of universal strong encryption," Comey said. "I love
encryption. I love privacy," he added.
The Encryption Wars and Privacy Shield, The Cybersecurity Podcast, New America.
At 50 minutes into this hour-long podcast General Hayden explains his position concerning end-to-end encryption.
Here are seven articles describing techniques that can be used to break
the security of the iPhone.
Who Needs Apple When the FBI Could Hack Terrorist iPhone Itself, by
Selina Wang, March 4, 2016, BloombergBusiness.
This article quotes a cybersecurity researcher who says that "the
FBI could learn something from back-alley techies in China who break
into iPhones all the time." They replace memory chips of low capacity
with chips of higher capacity. He believes this idea could be used to
facilitate cracking the iPhone.
The article also observes "All systems contain flaws and they continue to be
found every month in Apple's software, according to Jason Syversen, a former
manager at the Defense Advanced Research Projects Agency (DARPA) and now
chief executive officer of cyber security firm Siege Technologies."
Hacking Might Help FBI Unlock iPhones by Robert McMillan, March 3, 2016,
The Wall Street Journal
The author describes a "long shot" approach to breaking the
security of an iPhone. He proposes using an ion beam to strip away
layers of a chip on the phone so that the internal secret key can be
4 New Ways to Bypass Passcode Lock Screen on iPhones, iPads running
iOS 9 by Darlene Storm, COMPUTERWORLD, March 7, 2016
Some of these techniques may not be available on iOS versions later
The FBI Could Have Saved Money with this iPhone 5c Hack: A
Technique Known as NAND Mirroring Can Bypass the Phone's
Passcode Limit by Michael Kan, COMPUTERWORLD, September
iPhone Forensics Experts Demonstrate Basic Proof Of Concept
That The iPhone Hack The FBI Says 'Doesn't Work' Actually Does
Work, techdirt, March 28, 2016.
Jonathan Zdziarski has a video that shows that NAND mirroring works.
That's the way to do it: A Cambridge don shows the FBI how to
save money on phone hacking, The Economist, September 22, 2016.
Sergei Skorobogatov, a computer scientist at Cambridge
University, gives another proof that NAND mirroring works.
Securing Phones and Securing Us (Revisited), by Susan
Landau, Lawfare, September 15, 2016.
Susan Landau comments on Skorobogatov's technique and its legal implications.
Update: FBI says it may have found a way to crack shooter's iPhone, COMPUTERWORLD, by James Niccolai, March 21, 2016.
The article suggests that the FBI may have learned of a way to clone the memory of the iPhone.
5 Ways Cyber Experts Think the FBI Might Have Hacked the San Bernardino
iPhone, by Amy Nordrum, IEEE Spectrum, April 5, 2016.
The article suggests that the FBI may have learned of a way to clone the memory of the iPhone.
The FBI paid more than $1 million to crack the San Bernardino iPhone
by Mark Berman and Matt Zapotosky, The Washington Post, April 21, 2016.
"FBI Director James Comey suggested Thursday that the bureau paid more than $1
million to access an iPhone belonging to one of the San Bernardino attackers,
the first time the agency has offered a possible price tag in the high-profile case."
Dark, Going Forward: A Primer on the Encryption Debate, Report by the Majority Staff
of the Homeland Security Committee of the US House of Representatives,
June 2016. (Note: You may have trouble printing the first two pages of
"The Committee has produced this primer to briefly describe important themes
and considerations surrounding the widespread use of encryption technologies
including the practical and economic value encryption brings to certain
industries and the wider market; the impact ubiquitous encryption is having on
law enforcement; the ways in which various governments around the world are
responding to this challenge; and a discussion of some existing legislative
proposals. Finally, this document explains why future progress in addressing
these challenges will likely depend on a more formal national discussion
involving the necessary stakeholders in the form of a national commission on
US Policy Recommendations Concerning Encryption
and Security in a Changing World: Report and Recommendations of The
President's Review Group on Intelligence and Communications
Technologies, US White House December 12, 2013.
"On August 27, 2013, the President announced the creation of the Review Group
on Intelligence and Communications Technologies. The immediate backdrop for
our work was a series of disclosures of classified information involving
foreign intelligence collection by the National Security Agency. The
disclosures revealed intercepted collections that occurred inside and outside
of the United States and that included the communications of United States
persons and legal permanent residents, as well as non-United States persons
located outside the United States. Although these disclosures and the
responses and concerns of many people in the United States and abroad have
informed this Report, we have focused more broadly on the creation of sturdy
foundations for the future, safeguarding (as our title suggests) liberty and
security in a rapidly changing world."
The President's Review Group has made 46 recommendations. One of them,
Recommendation 29 shown below, speaks directly to encryption policy.
We recommend that, regarding encryption, the US Government should:
- support and not undermine efforts to create encryption standards;
- not in any way subvert, undermine, weaken, or make vulnerable generally available
commercial software; and
- increase the use of encryption and urge US
companies to do so, in order to better protect data in transit, at rest, in
the cloud, and in other storage.
A Worldwide Survey of Encryption Products, by Bruce Schneier, Schneier on
Security, February 11, 2016.
"Data security is a worldwide problem, and there is a wide world of encryption
solutions available to help solve this problem. Most of these products are
developed and sold by for-profit entities, although some are created as free
open-source projects. They are available, either for sale or free download,
all over the world.
In 1999, a group of researchers from George Washington University attempted to
survey the worldwide market for encryption products. The impetus for their
survey was the ongoing debate about US encryption export controls. By
collecting information about 805 hardware and software encryption products
from 35 countries outside the US, the researchers showed that restricting the
export of encryption products did nothing to reduce their availability around
the world, while at the same time putting US companies at a competitive
disadvantage in the information security market.
Seventeen years later, we have tried to replicate this survey."
Privacy and Encryption in the News
Lawmakers Introduce Compromise Encryption Bill, by Katie
Bo Williams, The Hill, February 29, 2016.
What Happens When the Surveillance State Becomes an Affordable
Gadget? by Robert Kolker, Bloomberg Businessweek, March 10, 2016.
Facebook, Google and WhatsApp plan to increase encryption of user data, by Danny
Yadron, The Guardian, March 14, 2016.
American Tech Giants Face Fight in Europe Over Encrypted Data, by Mark
Scott, New York Times, March 27, 2016.
Facebook's WhatsApp Launches 'End-to-End' Encryption by Robert McMillan,
The Wall Street Journal, April 5, 2016.
Encryption Bill Draft Mandates 'Technical Assistance'
by Cory Bennett, The Hill, April 7, 2016.
Letter in Support of Email Privacy Act (April 26), Center for Democracy and Technology Website, April 26, 2016.
FBI director floats international framework on encrypted data
access by Michael Kan, Computerworld, March 23, 2017
UK reportedly set to enforce anti-encryption proposals in wake of
Manchester attack, by Jason Murdock, International Business Times,
May 25, 2017
Millions of high-security crypto keys crippled by newly discovered flaw:
Factorization weakness lets attackers impersonate key holders and decrypt their data, by Dan Goodin, Ars Technica, October 16, 2017