Isn't the All Writs Act just a red herring in this whole debate? What's preventing the Federal Government from issuing Apple a National Security Letter and forcing them to comply in secrecy?
I don't understand how all of a sudden the government is publicly and calmly asking permission to do something digitally when they have been so forceful and demanding in the recent past.
A NSL is a subpoena, meaning an order to produce information. In these cases Apple does not have the information being sought because it is encrypted on the phones and they don't have the key.
The government is trying to use a dubious legal tactic to force Apple to create a hacking tool that does not exist. It's not an order to produce information, it's an order to do forced work.
But couldn't they write a modified iOS software themselves (obviously not easy as cake, but for the sake of the argument) and use a NSL to get Apple's key to sign the update?
It seems like having the update signed is the issue, not writing the update.
Edit: When looking at the scope of the NSL, it seems like only metadata can be requested, not arbitrary stuff. IANAL, but it seems like using an NSL makes no sense.
>it seems like only metadata can be requested, not arbitrary stuff
I think that Ladar Levison would disagree with that comment. According to wikipedia "US government ordered [Ladar] to turn over its Secure Sockets Layer (SSL) private keys" [0] which imho would be no different that forcing apple to turn over a software-signing key.
>In an interesting work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government, not unreasonably, called the printout “illegible.”
>“To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors wrote.
This never made much sense to me. Even the capital letter W at 12 point repeated 2,560 times fills up 1 page plus another 10 lines. Maybe 2,560 bytes printed out as ones and zeros? That still seems like it would only work out to 11 pages at 12 point.
They could try. Apple would no doubt challenge both the NSL and the associated nondisclosure order (if one were issued with the NSL) in the courts, though. NSLs aren't magic.
Who's to say they haven't already tried actually? From what I understand, an NSL could be presented and it's validity argued but it would never be presented in an open court.
> From what I understand, an NSL could be presented and it's validity argued but it would never be presented in an open court.
Both the validity of the NSL and the application of a nondisclosure ("gag") order to an NSL (not all NSLs are inherently gag-ordered) are reviewable by court, and gag orders have been struck down by courts.
So its not at all the case that an NSL would never be discussed in open court. Still, its impossible to say what NSLs have been issued with gag orders that haven't been struck down, since those particular orders would not be publicly disclosed.
However looking at Lavabit example they could do the same with Apple - ask them for the key (in digital form so Apple won't print it with font size 4) and then sign their trojan software themselves using it!
If there were true rule of the law and everyone would have been treated equally in US, then either both Lavabit and Apple should give out signing keys, or none at all.
Lavabit was forced and had no choice. As far as my reading and understanding goes, the Gov created some sort of loophole where Lavabit was denied a hearing and because of lack of hearing he was... found guilty (catch 22). I'm sure others can shed more light...
Lavabit did it to themselves. They initially subpoenaed just the account they were interested in. Lavabit claimed it was not possible to comply, so the next request was for master keys.
At this point, Lavabit could've complied by just handing over the original data, but instead decided to get cute. "Contempt of court" is an aptly named crime.
To be fair, Lavabit was out of compliance with legal government orders (they had access to accounts but was withholding on moral grounds). Forcing Apple to hand over "the keys to the kingdom" so as to forge software on their behalf might still lie outside of established governmental powers.
If Apple isn't allowed to publicize that their private key is compromised, then using their private key to sign something is effectively compelled speech.
I hope I'm not stretching an analogy too broadly, but forcing Apple to rewrite it's OS seems to me like it would equivalent of making a locksmith who had invented a theoretical pick-proof lock uninstall each of the locks, open it up and introduce a mechanism to allow for a skeleton key, then reinstall the lock.
More like making a locksmith create a tool that could alter a pick-proof lock and turn it into a pickable lock, and give that tool to the gov't. But as others here have said, there are some key differences between the physical and digital worlds, so there are complications afterwards.
This modification would require having iOS source to modify, which certainly the FBI does not have.
And even if they did, it would take them months from receiving the source code to be even remotely prepared to do a custom iOS build to present to Apple to be signed. Domain expertise, familiarity with a code base, and just "simple" stuff like build/release engineering and QA aren't things you put together overnight.
>You make this sound hard: there are tons of qualified people who could do this in less than a week, including myself. We already have all of these tools just sitting around from the iPhone 4, and some of us have emulators for more recent devices: the only thing we don't have is Apple's key.
If multiple people have the know-how to make this in a week, I can't see it costing more than $25,000, probably less. (Just taking $1 million a year and dividing by 50 and rounding up, trying to get an upper bound. Presumably at least of those people are willing to sell out for a million a year, or 25k a week.)
> A NSL is a subpoena, meaning an order to produce information.
Well, yes and no. They do not come from a court (I've heard), so they are not a subpoena in the court sense, nor a court order. But they are an order to produce information, so I assume calling one a "subpoena" is correct, and I'm not arguing with you there. Just want to make clear for those reading without a law background that NSLs do not involve a court, which "subpoena" might imply.
An NSL (I've heard, hypothetical, yadda yadda) basically amounts to the FBI citing statute authority to demand information about a suspect and does not rest on, nor require, a court case. Indeed, the whole point the government makes about the nondisclosure aspect of an NSL is to keep a matter discreet from the investigated party for reasons of national security or imminent death (which a court case, on which to issue court-ordered subpoenas, would make far more difficult).
U.S. law specifically discusses upgrading an NSL to a court order in district court, for reasons of noncompliance.
Because you have a right not to incriminate yourself.
Fingerprints can be used to unlock phones because your fingerprint is part of evidence.
Passcodes cannot be used to unlock phones because your passcode is information that's gained through testimony, and the 5th Amendment protects you from self-incrimination.
Haven't some courts been going back and forth on whether it's 5th amendment kosher to compel someone to enter a passphrase and decrypt data on disk? I seem to remember a case involving mortgage fraud or similar.
That's an incredibly interesting question. Why doesn't the USGov just spam Apple with NSLs?
I'm guessing that the USG has done this, and they want to move the "debate" into a more public arena so they can get political muscle into a crypto ban. Yadda yadda terrorism leading to fake compromises and "balance". In an election year.
Cynical me expects false flag operations to prop this up further. I hope I'm just being jaded and negative.
> Isn't the All Writs Act just a red herring in this whole debate?
No, since it is the actual legal authority that the government is actually seeking to use.
> What's preventing the Federal Government from issuing Apple a National Security Letter and forcing them to comply in secrecy?
There are legal bounds on NSLs, and NSLs are judicially reviewable and may be altered or voided by the courts if they are "unreasonable, oppressive, or otherwise unlawful".
Further, the nondisclosure orders that can be tied to NSLs (the "comply in secrecy" part) are limited (by Congressional action after the earlier broad use was struck down as unconstitutional) and are themselves judicially reviewable, so NSLs aren't a "get out of judicial review free" card, nor are they a "get secrecy without review free" card.
Perhaps the reason is that they cannot issue NS letters every time they need an access to someone's iPhone, so they are trying to make Apple create for them a tool that they can re-use in all other cases.
Has anyone ever successfully done so? I thought the sheer nature of an NSL (not even being allowed to tell your wife or lawyer about it) made that route impossible.
Yes people have, and they won [1]. The Patriot Act tried really hard to walk the line between disallowing counsel and making the retaining of counsel extremely difficult...
I don't understand how all of a sudden the government is publicly and calmly asking permission to do something digitally when they have been so forceful and demanding in the recent past.