Building a version of iOS that bypasses security . . . . would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.
Cook is right in that if Apple complies with the magistrate’s order, the security of all other users will be weakened. But he is wrong to imply that such compliance will give the US government a “back door.”
The FBI says that it is only asking for access to one iPhone, and on the face of it, that is true. In this instance, the FBI’s inability to break through the PIN protecting the iPhone arises from the fact that a 4-6 digit PIN is needed to unlock it, and the phone will wipe itself if an incorrect PIN is entered more than 10 times. The magistrate’s order directs Apple to develop a workaround to disable this security feature, so that the FBI can try all possible PINs without risking the erasure of the phone’s contents. So, strictly speaking, the FBI is not asking Apple to provide the PIN or to decrypt the phone; rather, it is asking Apple to allow it to find the PIN without endangering the phone’s contents.
At present, the requested workaround does not exist, and the magistrate’s order tells Apple to develop such a workaround. So Cook is obviously right, in that a world in which the workaround does exist is less secure from the user’s point of view than a world in which the workaround does not exist. He is correct in a second sense as well. If Apple complies with this magistrate’s order, a precedent will be set, and the next time Apple is presented with such an order, the legal justification for resisting this second order will be weaker.
On the other hand, Apple is not being asked to give the US government a “back door”, at least in any sense that we understand the term. First, a back door implies surreptitious access, which this order manifestly is not. (That’s not to say that in the future, vendors might not be asked to provide workarounds, but that’s a different point.)
Second, a back door implies that this workaround can be used repeatedly and easily on the phones of all users—that is, once developed, it goes on the shelf and can be pulled down for use in all subsequent cases. That may or may not be true in this case. One of two possibilities obtains—iOS updates carrying the workaround either require the PIN for installation or they do not. (I don’t know which is true – maybe someone can tell me…)
- If iOS updates do not require the PIN, then the workaround can be loaded into an iOS update. If this is true, the workaround is software that could be redeployed to comply with subsequent requests. But the solution to this is easy—throw away the software used for the workaround after the order has been complied with. As part of the build process for an iPhone, Apple already throws away certain information in its possession so that it is unable to comply with decryption requests, so there’s an internal precedent for such actions.
- If iOS updates require the PIN, then the workaround will require tinkering with the phone’s hardware (which does not require the PIN). If that is true, the workaround is clearly not scalable to large numbers of phones. Again, not a back door, at least not in the way I understand the term.
What I conclude is that Cook uses the term “back door” to mean anything that weakens the security that can be afforded to users, whether or not the “back door” is technological in nature. That’s not an unreasonable definition, but it is different from how the term is generally used.
My own concerns about this latest incident arise from the use of the All Writs statute. Of course, my understanding of this law is that of a lay person rather than that of a real lawyer. That said, I make two points. First, I’m not particularly concerned that this law dates back to the 18th Century – a point that has been emphasized by many Apple sympathizers. There’s no reason that an old law is, ipso facto, irrelevant or inapplicable. On the other hand, I do worry that the interpretation of the law apparently accepted by the magistrate is that the law can be used to compel any private party to expend resources—time, personnel, and money—to serve state interests. If that’s so, what are the limits on its scope of applicability? Can the government use the statute to demand that I build a jail for it?
In practice, the limits are apparently set by what magistrates find reasonable. I’m uncomfortable with that conclusion, and I’d prefer to have some legislative clarification.