Apple’s latest iPhone security update is polarizing an already heated debate over law enforcement’s access to smartphones.
The divisions were on full display when Apple announced this week it would block access to the Lightning port on the bottom of iPhones, which law enforcement sometimes uses to break into the devices during investigations. Privacy advocates cheered the move as an important safeguard against criminals and other bad actors who seek to steal people’s personal or financial information, while opponents of the change warned that it would take away another critical tool for investigators to solve cases.
Consider how far apart each side sounds:
Sen. Tom Cotton (R-Ark.), who is hawkish on national security issues, insisted Apple “should be more than willing to cooperate with valid warrants from U.S. law enforcement. Criminals and terrorists should never take precedence over the safety of the American people.”
If Apple is willing to store Chinese customers’ data on a state-owned firm’s servers, then it should be more than willing to cooperate with valid warrants from U.S. law enforcement. Criminals and terrorists should never take precedence over the safety of the American people. https://t.co/uWRYjFDhm7— Tom Cotton (@SenTomCotton) June 14, 2018
Privacy advocates said this distorts the issue.
“Framing this news as ‘Apple is taking steps to stop the cops from unlocking iPhones’ profoundly misses the point,” said Kevin Bankston, director of the Open Technology Institute at the nonpartisan think tank New America. “Apple is helping to ensure against a broad range of attacks by anyone and everyone who might attempt to leverage the same class of vulnerability that the police have been exploiting. Any hack that the cops can use can be used by bad guys, too, whether they be criminals or spies or repressive foreign regimes, and that’s who Apple is in an arms race with.”
The FBI has sparred for years with Apple over its struggles accessing data on locked iPhones, which are now protected by encryption so strong even the company does not have the key — and this latest development shows there’s no apparent movement toward a compromise.
If anything, the new development opens up another front in the larger battle over what access tech companies must grant investigators to consumer devices at the center of investigations.
Undercutting one of the FBI's most reliable workarounds is sure to stir up debate on Capitol Hill, where top law enforcement officials are urging lawmakers to pass legislation that would compel Apple and other tech companies to create a guaranteed way to access data on consumer devices.
It's part of a “cat-and-mouse” game that has gone on for years, said Jamil Jaffer, director of the National Security Law and Policy Program at George Mason University, who is supportive of government access.
“What Apple seems to be doing is that every time law enforcement finds a way to get in, they cut off access, all the while refusing to work with law enforcement to find a privacy-protective way of providing lawful access,” said Jaffer, who formerly served as a congressional staffer and associate counsel to President George W. Bush. “And to be frank, it’s not just chipping away; the privacy community, allied with key technology companies, has been taking a sledgehammer to law enforcement capabilities.”
But proponents of tough security on consumer devices, such as Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society, say there will always be ways for investigators to get the data they need.
“There will always be security flaws in every model of iPhone, every version of iOS, despite Apple's best efforts,” Pfefferkorn said. “Vendors like Cellebrite — as well as the FBI's own internal staff, jailbreakers, bug bounty hunters, and so on — will hammer on every new version to find the bugs and then develop or update their tools to exploit those bugs.”
“Apple is doing the responsible thing here,” she added. “If a company learns that its product's security has been undermined by a third-party tool, the only responsible thing to do is fix the security flaw.”
Apple's latest update would allow users to disable the Lightning port on the bottom of iPhones an hour after locking them, a change Apple said is designed to help “defend against hackers, identity thieves and intrusions into their personal data,” as my colleagues Craig Timberg and Tony Romm report. But investigators equipped with data extraction devices currently use the Lightning port to pull information from iPhones without having to break through the devices’ heavy encryption. In criminal cases, this sometimes happens only days after an iPhone has been seized. Apple’s update would ostensibly limit investigators’ window to just 60 minutes.
Apple hasn't even rolled out the update yet, but there are signs there may already be a way for law enforcement to get around it. Shortly after Apple's announcement, Vice’s Motherboard reported that the company Grayshift, which sells an iPhone-cracking tool called GrayKey for $15,000, appeared to have a solution in the works. Per Motherboard's Joseph Cox and Lorenzo Franceschi-Bicchierai:
"Naturally, this feature has sent waves throughout the mobile phone forensics and law enforcement communities, as accessing iPhones may now be substantially harder, with investigators having to rush a seized phone to an unlocking device as quickly as possible. That includes GrayKey, a relatively new and increasingly popular iPhone cracking tool. But forensics experts suggest that Grayshift, the company behind the tech, is not giving up yet.
'Grayshift has gone to great lengths to future proof their technology and stated that they have already defeated this security feature in the beta build. Additionally, the GrayKey has built in future capabilities that will begin to be leveraged as time goes on,' a June email from a forensic expert who planned to meet with Grayshift, and seen by Motherboard, reads, although it is unclear from the email itself how much of this may be marketing bluff.
'They seem very confident in their staying power for the future right now,' the email adds.
A second person, responding to the first email, said that Grayshift addressed USB Restricted Mode in a webinar several weeks ago."
Law enforcement has turned increasingly to GrayKey and other encryption-breaking tools as the encryption debate has heated up in recent years and officials search for ways to respond to the problem they call "going dark."
As the debate continues, Jaffer said he’s concerned about what will happen if each side keeps digging in.
“The real worry that we all ought to have is that we end up in a situation where neither side is willing to work together in good faith and a mass casualty terrorist attack or a compelling case comes along,” he said. “Then we’ll have lost on both privacy and security because we’ll have people who’ve been harmed and we’ll end up in a legislative situation where the law overcorrects. Ultimately the right time to address this issue is now, in the relative peace that we enjoy where fair debates can be had on the merits.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: The Justice Department inspector general blasted former FBI director James B. Comey for his handling of the investigation into Hillary Clinton's use of a private email server as secretary of state, The Washington Post's Devlin Barrett, Karoun Demirjian, John Wagner and Matt Zapotosky report. Among the findings in the inspector general's report, which was released on Thursday, was that Comey used a personal email account in “numerous instances” to carry out unclassified FBI work.
“We found that, given the absence of exigent circumstances and the frequency with which the use of personal email occurred, Comey’s use of a personal email account for unclassified FBI business to be inconsistent with Department policy,” the report says.
The report found that Comey's statement in July 2016 that it was “possible” that foreign actors hacked Clinton's personal email account -- but that evidence of such a breach would be hard to find -- wasn't grounded in facts.
“The statement thus insinuated that hostile foreign actors may have in fact gained access to former Secretary Clinton’s private email account, based almost entirely on speculation and without any evidence from the [Clinton email] investigation to support his claim,” the report says.
PATCHED: A Russian company accused of being part of Moscow's disinformation campaign in the presidential election had some choice words for special counsel Robert S. Mueller III in a court filing on Thursday. “Having produced not one iota of discovery in this criminal case, the unlawfully appointed Special Counsel requests a special and unprecedented blanket protective order covering tens of millions of pages of unclassified discovery,” Concord Management and Consulting's counsel wrote.
Mueller said in court documents on Tuesday that “uncharged individuals and entities” continue to try to influence U.S. politics and elections in a way similar to how Russia interfered in the 2016 election. Mueller was requesting that a judge protect evidence in the case. Here are other examples of Concord's counsel's comments about Mueller:
- “Having made this special request based on a secret submission to the Court ... and a hysterical dithyramb about the future of American elections, one would think that the Special Counsel would cite to case holdings that support this remarkable request.”
- Concord said Mueller's request is based on “fake law, which is much more dangerous than fake news.”
- “Moreover, if the Special Counsel has any lawful authority at all, which he does not, he certainly has no authority to conduct non-criminal alleged national security investigations related to future elections as he appears to admit he is unlawfully doing.”
PWNED: Chinese authorities have built a sprawling surveillance system in a western region of the country that runs on facial recognition technology, secret data collection and apps that harvest information from users' devices to the government, Charles Rollet reports in Foreign Policy. Authorities in the Xinjiang province surveil the Uighur people, who are predominantly Muslim, in the name of counterterrorism and imprison vast numbers of people in camps, according to Foreign Policy. “For those detainees and for millions of others, this Chinese experiment in technological control has transformed Xinjiang into an Orwellian prison state,” Rollet writes. “But for Chinese surveillance companies, it has turned the area into something else altogether: a lucrative market and a laboratory to test the latest gadgetry.”
Chinese authorities have tracked their citizens for years as part of various monitoring programs, but the sophistication of the surveillance mechanisms that the government created in Xinjiang surpasses previous projects, according to Rollet. Peter Irwin, project manager for the World Uyghur Congress, a group based in Germany, said surveillance and imprisonment go hand in hand in Xinjiang. “Information from facial recognition software and surveillance cameras feeds into a central database that may directly lead to Uyghurs being arrested and sent to what the government terms reeducation camps,” Irwin told Rollet.
— On Tuesday, Trump met with Kim Jong Un and said they developed “a very special bond.” On Thursday, the U.S. government issued a warning about North Korean malware. The Department of Homeland Security and the FBI said they have identified Trojan malware that North Korea uses to carry out cyberattacks. DHS and the FBI refer to those malware variants as “TYPEFRAME.” “These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim's firewall to allow incoming connections,” DHS and the FBI said in a report.
— The Senate defeated an amendment by Sen. Patrick J. Toomey (R-Pa.) to regulate the authority tasked with reviewing transactions between U.S. and foreign companies that may threaten national security, The Post's Erica Werner reports. The legislation was defeated in a 35-to-62 procedural vote. “The Toomey legislation Thursday involved the Committee on Foreign Investment in the United States, or CFIUS, an interagency committee chaired by the treasury secretary that conducts national security reviews of attempted takeovers of U.S. firms by foreign companies,” Werner writes. “Toomey wanted to give Congress a vote on major CFIUS decisions.” Toomey said his amendment, which the White House opposed, was “a simple question of whether we think that we ought to be accountable, that we ought to take responsibility for the legislative authority that we delegate.”
From Sen. Marco Rubio (R-Fla.), who voted against Toomey's amendment:
CFIUS is process used to potentially block attempts by foreign companies to do deals which pose a threat to our national security. Giving big corporations the chance to get congress to overturn these decisions so they can make their big $ is terrible idea https://t.co/qIVFCpKOQK— Marco Rubio (@marcorubio) June 14, 2018
— The CIA told Motherboard's Daniel Oberhaus that it “can neither confirm nor deny” that it has documents about Satoshi Nakamoto, the name associated with the launch of bitcoin 10 years ago. Oberhaus wrote that he also sent a similar Freedom of Information Act request to the FBI and asked for “all internal emails containing Satoshi Nakamoto’s name.” “So if the government actually knows who Nakamoto is, it isn’t too keen on sharing that information just yet,” he writes. “But hey, it was worth a shot — and if you’re reading this, you poor souls in the belly of the FBI’s freedom of information request department, I await your reply.”
— Facebook has its own — and sometimes idiosyncratic — ways of working with academic researchers, such as handing out $25,000 to a scholar who didn't even request the money in the first place, Bloomberg News's Karen Weise and Sarah Frier report. “The gifts are just one of the little-known and complicated ways Facebook works with academic researchers,” according to Weise and Frier. “For scholars, the scale of Facebook’s 2.2 billion users provides an irresistible way to investigate how human nature may play out on, and be shaped by, the social network. For Facebook, the motivations to work with outside academics are far thornier, and it’s Facebook that decides who gets access to its data to examine its impact on society.”
Facebook's published >180 papers on AI, but just ONE about elections (about the 2010 midterms). Its work w academics has largely related to product decisions, not probing broad societal issues 3/ https://t.co/h4eQcsstdM— Karen Weise (@KYWeise) June 14, 2018
— Elliot Schrage, a top Facebook executive in charge of public policy, said he will leave the social network as the company continues to respond to controversies ranging from data privacy to disinformation on its platform during the 2016 election, The Post's Elizabeth Dwoskin reports. “Schrage, who said that he would lead the search for his replacement, did not reference the recent controversies directly,” Dwoskin writes. “He referred to risks that Facebook has taken over the years that have landed the company in trouble. 'Our company’s history is filled with “real risks taken” — sometimes controversially but always thoughtfully and with care. Yes, there really were “risks” to better help people connect, share and build community,' he wrote.” Schrage, whose responsibilities also included marketing and communications, said he had been thinking about leaving Facebook “for a while,” Dwoskin reports.
— British police investigating an alleged plot to leak military secrets to China arrested a man in his 70s on Tuesday in Derbyshire, England, the Associated Press reports. “The man was taken to a police station before being released under investigation,” according to the AP. “The Sun newspaper reports that the man is a former employee of jet engine maker Rolls-Royce and the investigation concerns details of Britain’s new F-35 fighter jets.”
— After the European Parliament said on Wednesday that software from Russian anti-virus company Kaspersky Lab is “confirmed as malicious,” Robert M. Lee, the founder of the cybersecurity company Dragos, tweeted that authorities should provide evidence to back up the claim:
If Kaspersky software is “confirmed as malicious” (EU Parliament) I would hope there would be some public evidence presented. I’m not endorsing or detracting but only suggesting that if something is such a critical threat that it is in the public’s best interest to know why.— Robert M. Lee (@RobertMLee) June 14, 2018
There very well may be significant concerns. Surely it’s in the public’s best interest to know them. But the “Russian intel agents work there” and “they have relations with the Russian govt” puts literally every other large security vendor at risk of similar critique as well.— Robert M. Lee (@RobertMLee) June 14, 2018
I’ve seen some allegations about Kaspersky that concern me personally. But I’ve not seen evidence. And instead of falling back to people’s past lives maybe we as a community deserve public evidence so we can make our own choice - if the threat is that critical.— Robert M. Lee (@RobertMLee) June 14, 2018
Sources and methods went out the door in even approaching this publicly. Govts have no responsibility in revealing sources and methods to the public - until you’re asking or telling the public to make different choices; then the intel gain loss consideration changes drastically— Robert M. Lee (@RobertMLee) June 14, 2018
Absolutely. Any government or any company has the right to make choices based on any desire they want even secret evidence or hidden suspicion. To claim a public threat without public evidence is irresponsible.— Robert M. Lee (@RobertMLee) June 14, 2018
- Interface Phoenix conference.
- BSides San Antonio conference tomorrow.
- Senate Judiciary Committee hearing on the Justice Department inspector general’s first report on the department and FBI’s actions before the 2016 election on June 18.
- Annual ICIT Forum in Washington on June 18.
- House Judiciary Committee and House Oversight Committee joint hearing on the Justice Department and the FBI’s actions before the 2016 election on June 19.
- Senate Commerce Subcommittee hearing on Cambridge Analytica and data privacy on June 19.
- House Energy Subcommittee hearing titled "Examination of the GAO Audit Series of HHS Cybersecurity" on June 20.