The brouhaha with Apple and the FBI's investigation of an act of terrorism is tragic, comedic, scary and ridiculous. The only good "side" to take here is a side that few people, and none of the major actors, appear to be on.
Here are some of the major points.
Why the FBI needed help. The FBI should have submitted the phone to Apple for cracking immediately, using Apple's standard procedure for this. Instead, they bungled it. They changed the password and locked themselves out of the phone and its iCloud backup.
Whose phone? Apple got on it's higher-than-high horse refusing to help crack the phone because it protects the privacy of individuals. But the terrorists had already destroyed their personal phones. This was a terrorist's government-issued work phone. No privacy was involved.
The FBI's "unprecedented" request to Apple. Apple has a department that cracks phones. They crack thousands a year, and hundreds a year just for national security cases. Apple has a formalized process for it, which as of today remains on their website. The FBI's request should have been run-of-the-mill. Details here.
The slippery slope. Apple made claims about how responding to the FBI request would create a master key that would soon render all Apple phones insecure. This was bogus, as I detail here.
Privacy uber alles. Apple stood up as the firm defender of personal privacy -- including that of murderers and other criminals.
Lost opportunity. Apple could have come out of this a hero -- a strong protector of personal privacy and a strong ally of law enforcement against terrorists and criminals. Here is how.
Apple's insecure software. Apple's wants us to think their software is wonderful and their security flawless. No one mentions the scores of bugs that riddle their software. With each release, they introduce at least as many new bugs as they fix. Some of the bugs are security holes! White-hat hackers find some of them and tell Apple; Apple responds by eventually fixing the bugs and eventually releasing the fixes.
Finally cracking the phone. After all the sturm-und-drang, a "private company" approached the FBI and offered to crack the phone -- and cracked it, leading the FBI to withdraw their suit against Apple. The company is Cellebrite, which has a commercial service that cracks iPhones in a forensically sound way. Do you think someone at the FBI could have used Google to find this group before suing Apple? Do you think Apple could have referred the FBI to them quietly instead of making a stink?
No one comes out of this mess looking good, including the media, which did little research and simply took sides. For example, I have found no media outlet mention Apple's standard phone-cracking service, which I published here. After this and the recent events in Europe, who can feel good about either the FBI or Apple?
All well-said and documented.
I'd only add that if Apple were my client and needed the public to believe that their security was "flawless", the last thing I'd want would be publicity about a commercial service that effectively snapped open the phone. Good grief, wouldn't you think that they'd have built at least the 'idea' of a secure lab where only the Apple Wizards could crack the code?
David makes the bungling point from one of efficiency and ethics. I'm just saying that even from the point of Strategic Positioning (my corridor), this was a terrible decision.
dm
Posted by: Diane Meier | 03/31/2016 at 11:11 AM
Not to mention that Apple's intransigence – all of a sudden – is simply the incentive for new federal legislation requiring federal access pursuant to court order, which they would certainly like even less then simply setting up a secure law enforcement aid system to look like and be the good guys.
Posted by: Stephen Shapiro | 03/31/2016 at 12:23 PM
Prove that Cellebrite, or anyone else, actually cracked the phone, and that the FBI isn't lying, saying they did, just to save face.
Posted by: Zeb Quinn | 03/31/2016 at 11:33 PM