The Crypto Wars Redux
I was an engineering manager and engineer in the original PGP startup back in the days when the US government was still threatening to prosecute Phil Zimmermann, when the “Clipper Chip” for phones (backdoor), government key escrow, etc. were all real threats to liberty. Fortunately those early threats, which could have formed the basis of a surveillance state, were beaten back. Funny, my original PGP public key is still in a keyserver out there.
Today, post-Snowden, we now know that many of the suspected workings of the NSA were in fact true (back then hardly anyone had ever heard of the NSA). Today the NSA probably has a billion times the computing power (or more). I do wonder whether it is really impossible for the NSA to disassemble an iPhone and get at the unique UID that, together with the passcode, encrypts user data on the phone, whether it takes a scanning electron microscope or whatever. Maybe it really is not possible, or maybe it is.
Along comes the FBI wanting to force Apple to implement a technology that would make every iPhone out there breakable. I’ve read much of what is out there (positions and legal filings of both sides), and in my view, the FBI position is actively ignoring the troubling consequences of a security-neutered iOS (and what about OS X?). Once such an iOS exists, China and Russia and Iran and so on will simply make access to it a condition of doing business in those countries. Game over. Apple really does have a point about a security-broken iOS, but the troubling risk is not so much for citizens of the USA, it is to people (and anyone they communicate with) who may be persecuted or killed for what is on their phone in any country in which the rule of law is shaky or non-existent.
Read the Apple legal brief for dismissal in its entirety (I have). Reactions to it will likely depend on whether the constitution has real and deep meaning (for me it does), or is just some silly old diatribe meant to be twisted beyond recognition. But for me, Apple presents a strong and well-reasoned case based both on precedent and constitutional bases. The legal reasoning as I read it suggests a meta message by its very rebuttal: the government (FBI in this case) cannot be trusted to respect the letter or spirit of the constitution (why would constitutional arguments be made, otherwise?). Of course through the history of this country law enforcement has always been willing to push the limits of what might or might not be legal. But this time, the risks affect hundreds of millions. This country (and the world) deserves better than for some local judge to decide that.
No rationally objective person can simply reject Apple’s legal argument out of hand. For that reason it seems likely to end up in the Supreme Court. Finally, it doesn’t matter what Apple’s motivations are (the ad-hominem attacks on Apple’s motivations are disgusting at best). To me, the most compelling argument (at least if liberty is a supreme value), is that the government has no business conscripting companies or individuals to be extensions of law enforcement apparatus. George Orwell’s '1984' is a work of genius, and more relevant than ever.
The Cloud Sync security conundrum
These recent legal machinations are interesting and entertaining. But what really interests me is what happens next at Apple.
At present, Apple can be served with a subpoena to deliver user data stored in iCloud. Which begs the question: for the average citizen, what is the point of hyper security for the phone, when all the data is synced to the cloud (in cleartext, not encrypted), available within hours to any law enforcement agency? Of course not everyone syncs to the cloud, but the point is that probably 99.999% of users sync to the cloud. So there is actually zero privacy if law enforcement serves a warrant for that data; the phone is irrelevant in a practical sense. A criminal would be a moron (not uncommon of course) to use iCloud to sync the phone, the current case demonstrating that explicitly (the phone in question had not been synced for some time).
So here’s the key question: why is Apple making user data accessible in the cloud to anyone but its owner at all? Because the right way to store data in the cloud is to encrypt it with a key known only to the user. Forgetting law enforcement, it is a SECURITY WEAKNESS to back up anything to the Cloud in such a way that the service provider has any ability at all to get at the data (hackers sooner or later get in). Only the user should have the passphrase (and a UID-equivalent), just as only the user knows the passcode for the phone itself. Why isn’t this done? The answer may be simple: added complexity, particularly syncing across more than one device. But hackers want that data. And so it is The Right Thing To Do, so why doesn’t Apple offer it?
Which leads to the next chilling question: will the “compromise” now not be something as troubling as Clipper Chip or the key escrow of 15 years ago or so, but something far worse: forced escrow of all user data shoveled into the Cloud in the clear, so that it can be subpoenaed? This might in fact be a plus for all government employees’ official phones, if only the security risks were not there. But it’s not a plus for the private citizen. Congress must weigh in here; this should not be left to the courts, or to Apple. That is why we have a democracy.
Thus the “nuclear option” as far as the FBI would figure it: Apple offers an option for iCloud sync in which data sent to the cloud is encrypted by the user device before it ever gets to Apple, so that a subpoena could only produce encrypted gibberish. This would be the FBI’s (or other government’s) worst nightmare, because the end user would be the ONLY party with the ability to decrypt the data.
As always, MPG advises using The Cloud for sensitive data as little as practicable. That’s based on hacker and security risks for starters.
Update 15 March
See WSJ: In Beefing Up iCloud Security, Apple Weighs Privacy Against Convenience:
Apple is working to bolster its encryption so that it won’t be able to decode user information stored in iCloud, according to people familiar with the matter. But Apple executives are wrestling with how to strengthen iCloud encryption without inconveniencing users.
This is the right way to go for the Cloud, Apple or anything else. It’s essential for the future: hackers sooner or later get in, hence all Cloud data should be encrypted gibberish except to the owner of that data. Why Apple waited until 2016 to do the right thing is unclear.