Cybersecurity & Tech Surveillance & Privacy

The Very Definition of Digital Age Chutzpah

Benjamin Wittes
Wednesday, March 23, 2016, 9:25 PM

Bloomberg Business is reporting that now that the FBI may have a way into the San Bernadino shooter’s iPhone, Apple wants it to disclose what it’s doing. “Apple lawyers on Monday said that if the case proceeds, the company would want the government to share the nature of the vulnerability it found in the iPhone,” the story reads.

Published by The Lawfare Institute
in Cooperation With

Bloomberg Business is reporting that now that the FBI may have a way into the San Bernadino shooter’s iPhone, Apple wants it to disclose what it’s doing. “Apple lawyers on Monday said that if the case proceeds, the company would want the government to share the nature of the vulnerability it found in the iPhone,” the story reads. Adds the New York Times: "Apple has said it will fight to know more about the flaw in the software or hardware that the third party has presented to law enforcement. A senior executive said in a conference call with reporters Tuesday that if the government found the method did not work and tried to force Apple to help break into the phone, Apple would have questions about what was tried, in order to keep its products as secure as possible."

This may be the digital age’s very definition of chutzpah.

The Bloomberg Business story further reports:

The bureau said it was approached on Sunday by an unidentified third party with a possible way to get into the phone without Apple’s help.The FBI’s new tactic may be subject to a relatively new and little-known rule that would require the government to tell Apple about any vulnerability potentially affecting millions of iPhones unless it can show a group of administration officials that there’s a substantial national security need to keep the flaw secret. This process, known as an equities review, was created by the Obama administration to determine if new security flaws should be kept secret or disclosed, and gives the government a specific time frame for alerting companies to the flaws.

“I do think it should be subjected to an equities review,” said Chris Inglis, former National Security Agency deputy director. “The government cannot choose sides in the tension between individual and collective security so the equities process should be run to put both on a level playing field.”

Such a disclosure would pose a conundrum for the U.S.: By finding a way to crack the iPhone at the center of this one legal battle without Apple’s help, the FBI may give the company the opportunity to close that security gap as well, making law enforcement’s job that much harder.

The FBI declined to comment on whether the review process will be used in the Apple dispute.

If the new method isn’t subject to review, then the government might be in possession of what amounts to a secret tool to hack into iPhones. Apple’s objections to helping the FBI -- mainly that doing so would put the private data of hundreds of millions of its customers at risk -- would be moot, and iPhones would be no safer than if the company had helped the FBI in the first place.

“The equities process is supposed to apply to anytime the government discovers, learns of, buys or uses vulnerabilities of any kind," said Nate Cardozo, staff attorney at the Electronic Frontier Foundation. “If it’s anything where they’re attacking the phone in software, it would be subject to the equities review."

So let me get this straight: Apple’s view is that, on the one hand, it has no obligation whatsoever to help the FBI break into its phones; that it is outrageous that the FBI might ask a federal court to force it do so; that it has a First Amendment right not to and thus that Congress can’t force it to either; and that the FBI is on its own--even when it has a warrant--free to hack devices but without help from the company, at least to the extent that help requires writing code or offending customers.

But, on the other hand, if the bureau happens to manage to succeed in hacking an iPhone--say, with the help of an Israeli company--then it should inform Apple of the nature of the vulnerability so that the company can better secure its devices from future law enforcement investigations. To put the matter simply, not only does Apple have no obligation to give engineering help to the FBI, the FBI has an obligation to give Apple engineering help so that even the company’s most criminal users can be maximally free from FBI surveillance.

Pardon me, but if I were working at the FBI, this wouldn’t sound like a reasonable position to me.

To be sure, the government may decide this is a matter properly subject to the vulnerabilities equities review process, which the White House has described as follows:

there are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.

Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.

We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed.

There is at least some reason, however, to doubt that this particular vulnerability is an appropriate candidate for this sort of interagency process, and there’s no reason whatsoever to think the process--if the government does use it--should conclude disclosure is appropriate here.

Here are some of the equities that, at least in my judgment, should counsel strongly against disclosure in this instance:

First, the FBI has no legal obligation to disclose the vulnerability.

Second, The government is currently taking the view in court that--at least absent this vulnerability--the All Writs Act should compel Apple to help hack the iPhone in question. The search for the vulnerability in fact took place only because Apple refused to play the role the government believes it obligated to play and decided to litigate instead. Turning over the vulnerability to the company now--assuming the vulnerability exists and works--would only cause a renewal of that litigation.

Third, Apple has specifically put itself in an adversarial posture vis a vis law enforcement in this matter. The company is specifically engineering its products to require the search for such vulnerabilities. Under such circumstances, why on earth should the FBI be giving the company aid of a sort that amounts to very in intensive research and penetration testing?

Fourth, Apple and its supporters specifically argued that it was the government’s job to go look for this sort of vulnerability. It did, and to everyone’s surprise, it may have found one. Assuming that solution now works--still a big assumption--it is cheeky in the extreme to demand that the government now stab itself in the back and give up the fruits of the search its critics demanded it conduct.

Fifth, there is a significant limiting principle to government secrecy here. While the FBI has no legal obligation to disclose in this instance, that won’t be true forever. This is an unusual criminal investigation because the perpetrators are deceased. Were they alive and arrested and being prosecuted, by contrast, a law just two years younger than the famously geriatric All Writs Act--The 6th amendment of the Bill of Rights--contains a Confrontation Clause that entitles a defendant to know and examine the methods used against him. So the FBI will be able to keep its tool secret only up until the point at which it wishes to introduce evidence derived from its use in court. Apple can wait.

Finally, Tim Cook has likened the FBI’s demands for his assistance in breaking the San Bernadino iPhone to cancer, and he has given dire--one might say hysterical--warnings as to the cybersecurity consequences of creating a vulnerability for exclusive law enforcement use. The tech world has jumped to attention and saluted, parroting some of the most absurd claims of the company as though it were holy scripture. If some third party has now created what Cook swore would be Armageddon for his company to create, and if the world doesn’t end as a result even as the FBI hacks one or more iPhones, the demonstration that Apple has been full of … hyperbole will be hugely clarifying to the public debate.

Benjamin Wittes is editor in chief of Lawfare and a Senior Fellow in Governance Studies at the Brookings Institution. He is the author of several books.

Subscribe to Lawfare