Posts

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

WAG: The Government Made a Significant FISA Back Door Request Just Before December 9, 2015

/2 Comments/in , /by

As I’ve noted, we can be virtually certain that the government has started demanding back doors from tech companies via FISA requests, including Section 702 requests that don’t include any court oversight of assistance provided. Wyden said as much in his statement for the SSCI 702 reauthorization bill request.

It leaves in place current statutory authority to compel companies to provide assistance, potentially opening the door to government mandated de-encryption without FISA Court oversight.

We can point to a doubling of Apple national security requests in the second half of 2016 as one possible manifestation of such requests.

The number of national security orders issued to Apple by US law enforcement doubled to about 6,000 in the second half of 2016, compared with the first half of the year, Apple disclosed in its biannual transparency report. Those requests included orders received under the Foreign Intelligence Surveillance Act, as well as national security letters, the latter of which are issued by the FBI and don’t require a judge’s sign-off.

We might even be able to point to a 2015 request that involved an amicus (likely Amy Jeffress) and got appealed.

Given those breadcrumbs, I want to return to this post on the demand for a back door into the work phone of the San Bernardino killer, Syed Rezwan Farook. In it, I presented a number of other data points to suggest such a request may have come in late 2015. First, in a court filing, Apple claimed to object to a bunch of requests for All Writs Act assistance to break into its phones on the same day, December 9, 2015.

As I noted the other day, a document unsealed last week revealed that DOJ has been asking for similar such orders in other jurisdictions: two in Cincinnati, four in Chicago, two in Manhattan, one in Northern California (covering three phones), another one in Brooklyn (covering two phones), one in San Diego, and one in Boston.

According to Apple, it objected to at least five of these orders (covering eight phones) all on the same day: December 9 (note, FBI applied for two AWAs on October 8, the day in which Comey suggested the Administration didn’t need legislation, the other one being the Brooklyn docket in which this list was produced).

Screen Shot 2016-02-24 at 7.23.53 PM

The government disputes this timeline.

In its letter, Apple stated that it had “objected” to some of the orders. That is misleading. Apple did not file objections to any of the orders, seek an opportunity to be heard from the court, or otherwise seek judicial relief. The orders therefore remain in force and are not currently subject to litigation.

Whatever objection Apple made was — according to the government, anyway — made outside of the legal process.

But Apple maintains that it objected to everything already in the system on one day, December 9.

Why December 9? Why object — in whatever form they did object — all on the same day, effectively closing off cooperation under AWAs in all circumstances?

I suggested that one explanation might have been a FISA request for the same thing. Apple would know that FISC takes notice of magistrate decisions, and would want to avoid fighting that battle on two fronts.

There are two possibilities I can think of, though they are both just guesses. The first is that Apple got an order, probably in an unrelated case or circumstance, in a surveillance context that raised the stakes of any cooperation on individual phones in a criminal context. I’ll review this at more length in a later post, but for now, recall that on a number of occasions, the FISA Court has taken notice of something magistrates or other Title III courts have done. For location data, FISC has adopted the standard of the highest common denominator, meaning it has adopted the warrant standard for location even though not all states or federal districts have done so. So the decisions that James Orenstein in Brooklyn and Sheri Pym in Riverside make may limit what FISC can do. It’s possible that Apple got a FISA request that raised the stakes on the magistrate requests we know about. By objecting across the board — and thereby objecting to requests pertaining to iOS 8 phones — Apple raised the odds that a magistrate ruling might help them out at FISA. And if there’s one lawyer in the country who probably knows that, it’s Apple lawyer Marc Zwillinger.

At the time, Tim Cook suggested that “other parts of government,” aside from the FBI, were asking for more, suggesting the NSA might be doing so.

Aside the obvious reasons to wonder whether Apple got some kind of FISA request, in his interview with ABC the other day, Tim Cook described “other parts of government” asking for more and more cases (though that might refer to state and city governments asking, rather than FBI in a FISA context).

The software key — and of course, with other parts of the government asking for more and more cases and more and more cases, that software would stay living. And it would be turning the crank.

The other possibility is that by December 9, Apple had figured out that — a full day after Apple had started to help FBI access information related to the San Bernardino investigation, on December 6 — FBI took a step (changing Farook’s iCloud password) that would make it a lot harder to access the content on the phone without Apple’s help.

Obviously, there are other possible explanations for these intersecting breadcrumbs (including that the unidentified 2015 amicus appointment was for some other issue, and that it didn’t relate to appeals up to and including the Supreme Court). But if these issues were all related it’d make sense.

Why Did Apple “Object” to All Pending All Writs Orders on December 9?

/22 Comments/in /by

As I noted the other day, a document unsealed last week revealed that DOJ has been asking for similar such orders in other jurisdictions: two in Cincinnati, four in Chicago, two in Manhattan, one in Northern California (covering three phones), another one in Brooklyn (covering two phones), one in San Diego, and one in Boston.

According to Apple, it objected to at least five of these orders (covering eight phones) all on the same day: December 9 (note, FBI applied for two AWAs on October 8, the day in which Comey suggested the Administration didn’t need legislation, the other one being the Brooklyn docket in which this list was produced).

Screen Shot 2016-02-24 at 7.23.53 PM

The government disputes this timeline.

In its letter, Apple stated that it had “objected” to some of the orders. That is misleading. Apple did not file objections to any of the orders, seek an opportunity to be heard from the court, or otherwise seek judicial relief. The orders therefore remain in force and are not currently subject to litigation.

Whatever objection Apple made was — according to the government, anyway — made outside of the legal process.

But Apple maintains that it objected to everything already in the system on one day, December 9.

Why December 9? Why object — in whatever form they did object — all on the same day, effectively closing off cooperation under AWAs in all circumstances?

There are two possibilities I can think of, though they are both just guesses. The first is that Apple got an order, probably in an unrelated case or circumstance, in a surveillance context that raised the stakes of any cooperation on individual phones in a criminal context. I’ll review this at more length in a later post, but for now, recall that on a number of occasions, the FISA Court has taken notice of something magistrates or other Title III courts have done. For location data, FISC has adopted the standard of the highest common denominator, meaning it has adopted the warrant standard for location even though not all states or federal districts have done so. So the decisions that James Orenstein in Brooklyn and Sheri Pym in Riverside make may limit what FISC can do. It’s possible that Apple got a FISA request that raised the stakes on the magistrate requests we know about. By objecting across the board — and thereby objecting to requests pertaining to iOS 8 phones — Apple raised the odds that a magistrate ruling might help them out at FISA. And if there’s one lawyer in the country who probably knows that, it’s Apple lawyer Marc Zwillinger.

Aside the obvious reasons to wonder whether Apple got some kind of FISA request, in his interview with ABC the other day, Tim Cook described “other parts of government” asking for more and more cases (though that might refer to state and city governments asking, rather than FBI in a FISA context).

The software key — and of course, with other parts of the government asking for more and more cases and more and more cases, that software would stay living. And it would be turning the crank.

The other possibility is that by December 9, Apple had figured out that — a full day after Apple had started to help FBI access information related to the San Bernardino investigation, on December 6 — FBI took a step (changing Farook’s iCloud password) that would make it a lot harder to access the content on the phone without Apple’s help. Indeed, I’m particularly interested in what advice Apple gave the FBI in the November 16 case (involving two iOS 8 phones), given that it’s possible Apple was successfully recommending FBI pursue alternatives in that case which FBI then foreclosed in the San Bernardino case. In other words, it’s possible Apple recognized by December 9 that FBI was going to use the event of a terrorist attack to force Apple to back door its products, after which Apple started making a stronger legal stand than they might otherwise have done pursuant to secret discussions.

That action — FBI asking San Bernardino to change the password — is something Tim Cook mentioned several times in his interview with ABC the other night, at length here:

We gave significant advice to them, as a matter of fact one of the things that we suggested was “take the phone to a network that it would be familiar with, which is generally the home. Plug it in. Power it on. Leave it overnight–so that it would back-up, so that you’d have a current back-up. … You can think of it as making of making a picture of almost everything on the phone, not everything, but almost everything.

Did they do that?

Unfortunately, in the days, the early days of the investigation, an FBI–FBI directed the county to reset the iCloud password. When that is done, the phone will no longer back up to the Cloud. And so I wish they would have contacted us earlier so that that would not have been the case.

How crucial was that missed opportunity?

Assuming the cloud backup was still on — and there’s no reason to believe that it wasn’t — then it is very crucial.

And it’s something they harped on in their motion yesterday.

Unfortunately, the FBI, without consulting Apple or reviewing its public guidance regarding iOS, changed the iCloud password associated with one of the attacker’s accounts, foreclosing the possibility of the phone initiating an automatic iCloud back-up of its data to a known Wi-Fi network, see Hanna Decl. Ex. X [Apple Inc., iCloud: Back up your iOS device to iCloud], which could have obviated the need to unlock the phone and thus for the extraordinary order the government now seeks.21 Had the FBI consulted Apple first, this litigation may not have been necessary.

Plus, consider the oddness around this iCloud information. FBI would have gotten the most recent backup (dating to October 19) directly off Farook’s iCloud account on December 6.

But 47 days later, on January 22, they obtained a warrant for that same information. While they might get earlier backups, they would have received substantially the same information they had accessed directly back in December, all as they were prepping going after Apple to back door their product. It’s not clear why they would do this, especially since there’s little likelihood of this information being submitted at trial (and therefore requiring a parallel constructed certified Apple copy for evidentiary purposes).

There’s one last detail of note. Cook also suggested in that interview that things would have worked out differently — Apple might not have made the big principled stand they are making — if FBI had never gone public.

I can’t talk about the tactics of the FBI, they’ve chosen to do what they’ve done, they’ve chosen to do this out in public, for whatever reasons that they have.What we think at this point, given it is out in the public, is that we need to stand tall and stand tall on principle. Our job is to protect our customers.

Again, that suggests they might have taken a different tack with all the other AWA orders if they only could have done it quietly (which also suggests FBI is taking this approach to make it easier for other jurisdictions to get Apple content). But why would they have decided on December 9 that this thing was going to go public?

Update: This language, from the Motion to Compel, may explain why they both accessed the iCloud and obtained a warrant.

The FBI has been able to obtain several iCloud backups for the SUBJECT DEVICE, and executed a warrant to obtain all saved iCloud data associated with the SUBJECT DEVICE. Evidence in the iCloud account indicates that Farook was in communication with victims who were later killed during the shootings perpetrated by Farook on December 2, 2015, and toll records show that Farook communicated with Malik using the SUBJECT DEVICE. (17)

This passage suggests it obtained both “iCloud backups” and “all saved iCloud data,” which are actually the same thing (but would describe the two different ways the FBI obtained this information). Then, without noting a source, it says that “evidence in the iCloud account” shows Farook was communicating with his victims and “toll records” show he communicated with Malik. Remember too that the FBI got subscriber information from a bunch of accounts using (vaguely defined) “legal process,” which could include things like USA Freedom Act.

The “evidence in the iCloud account” would presumably be iMessages or Facetime. But the “toll records” could be too, given that Apple would have those (and could have turned them over in the earlier “legal process” step. That is, FBI may have done this to obscure what it can get at each stage (and, possibly, what kinds of other “legal process” it now serves on Apple).

October 8: Comey testifies that the government is not seeking legislation; FBI submits requests for two All Writs Act, one in Brooklyn, one in Manhattan; in former case, Magistrate Judge James Orenstein invites Apple response

October 30: FBI obtains another AWA in Manhattan

November 16: FBI obtains another AWA in Brooklyn pertaining to two phones, but running iOS 8.

November 18: FBI obtains AWA in Chicago

December 2: Syed Rezwan Farook and his wife killed 14 of Farook’s colleagues at holiday party

December 3: FBI seizes Farook’s iPhone from Lexus sitting in their garage

December 4: FBI obtains AWA in Northern California covering 3 phones, one running iOS 8 or higher

December 5, 2:46 AM: FBI first asks Apple for help, beginning period during which Apple provided 24/7 assistance to investigation from 3 staffers; FBI initially submits “legal process” for information regarding customer or subscriber name for three names and nine specific accounts; Apple responds same day

December 6: FBI works with San Bernardino county to reset iCloud password for Farook’s account; FBI submits warrant to Apple for account information, emails, and messages pertaining to three accounts; Apple responds same day

December 9: Apple “objects” to the pending AWA orders

December 10: Intelligence Community briefs Intelligence Committee members and does not affirmatively indicate any encryption is thwarting investigation

December 16: FBI submits “legal process” for customer or subscriber information regarding one name and seven specific accounts; Apple responds same day

January 22: FBI submits warrant for iCloud data pertaining to Farook’s work phone

January 29: FBI obtains extension on warrant for content for phone

February 14: US Attorney contacts Stephen Larson asking him to file brief representing victims in support of AWA request

February 16: After first alerting the press it will happen, FBI obtains AWA for Farook’s phone and only then informs Apple

On December 10, Intelligence Committees Not Told Any Encrypted Communications Used in San Bernardino

/1 Comment/in , /by

Here’s what Senate Intelligence Chair Richard Burr and House Intelligence Ranking Member Adam Schiff had to say about a briefing on the San Bernardino attack they attended on December 10.

Lawmakers on Thursday said there was no evidence yet that the two suspected shooters used encryption to hide from authorities in the lead-up to last week’s San Bernardino, Calif., terror attack that killed 14 people.

“We don’t know whether it played a part in this attack,” Senate Intelligence Committee Chairman Richard Burr (R-N.C.) told reporters following a closed-door briefing with federal officials on the shootings.

But that hasn’t ruled out the possibility, Burr and others cautioned.

“That’s obviously one issue were very interested in,” House Intelligence Committee ranking member Adam Schiff (D-Calif.) said. “To what degree were either encrypted devices or communications a part of the impediment of the investigation, either while the events were taking place or to our investigation now?”

The recent terror attacks in San Bernardino and Paris have shed an intense spotlight on encryption.

While no evidence has been uncovered that either plot was hatched via secure communications platforms, lawmakers and federal officials have used the incidents to resurface an argument that law enforcement should have guaranteed access to encrypted data.

On December 10, we should assume from these comments, the Congressmen privy to the country’s most secret intelligence and law enforcement information, were told nothing about a key source of evidence in the San Bernardino attack being encrypted. Schiff made it quite clear the members of Congress in the briefing were quite interested in that question, but nothing they heard in the briefing alerted them to a known trove of evidence being hidden by encryption.

That’s an important benchmark because of details the FBI provided in response to a questions from Ars Tecnica’s Cyrus Farivar. As had been made clear in the warrant, FBI seized the phone on December 3. But the statement also reveals that FBI asked the County to reset Farook’s Apple ID password on December 6. That means they were already working on that phone several days before the briefing to the Intelligence Committee members (it’s unclear whether that briefing was just for the Gang of Four or for both Intelligence Committees).

While, given what Tim Cook described last night, the FBI had not yet asked for Apple’s assistance by that point, the FBI had to have known what they were dealing with by December 6 — an iPhone 5C running iOS9. Therefore, they would have known the phone was encrypted by default (and couldn’t be open with a fingerprint).

Yet even four days later, they were not sufficiently interested in that phone they had to have known to be encrypted to tell Congress it held key data.

Update: Wow, this, from Apple’s motion to vacate the order, makes this all the more damning.

Screen Shot 2016-02-25 at 6.09.00 PM

To Clarify the Debate, Tim Cook Should Start Shopping for Land in Cork, Ireland

/15 Comments/in , /by

There’s so much blathering from National Security and plain old pundits about FBI’s demand that Apple’s programmers write it a custom operating system that I think, to facilitate reasonable debate, Tim Cook should travel to Cork, Ireland (where Apple already has a presence) and start shopping for land for a new headquarters.

I say this not because my spouse and I are Irish (though the Irish spouse insists that Cork is the Irish equivalent of Texas), and not because I want Apple to take all its Silicon Valley jobs and move them to Ireland, and not because Apple has already been using Ireland as a tax haven, but because it would be the best way to get people who otherwise seem to misunderstand the current state of the world on encryption to better think it through.

FBI’s problem with Apple is that the company tries to offer its users around the globe the strongest possible security as a default option. Plenty of other companies (like Android) offer less perfect security.  Plenty of other apps offer security. Some (like Signal) may even offer better security, but relying on devices (Android phones and desktops) that themselves may be insecure. But the problem with Apple is that all its more recent phones are going to be harder (though not impossible, unless law enforcement fucks up when they first seize the phone, as they did here) to access by default.

Thus far, however, Apple still serves as a valuable law enforcement partner — something lots of the pundits have ignored. Before the All Writs Act order on February 16, Apple had turned over metadata covering the entire period Farook used the phone (he apparently was using the phone into November), as well as the content that was backed up into iCloud until October 19. Presumably, Apple turned over all the same things on the victims Farook killed, up to 14 iPhones full of communications, including with Farook, set to auto-backup as Farook’s phone originally had been. Apple can and surely does turn over all the same things when an iPhone user in Paris or Beijing or Beirut sparks the interest of NSA.

If Apple were to move its headquarters and servers to Cork (perhaps with some redundant servers in Brazil, for example), that would be far less accessible to both US law enforcement and intelligence. And contrary to what you might think from those attacking Apple’s alleged non-compliance here, that would result in significantly less intelligence (or evidence) than both are getting now.

That’s because by offering the best encryption product in the world that relies on US-based servers, Apple ensures that at least the metadata — not to mention any content backed up to iCloud (which in Farook’s case, included content through October plus that from his colleagues) — is readily available. If Apple were to move to Cork, any backed up content would be far harder to get and NSA would have to steal Internet packets to get iMessage metadata (admittedly, that’s probably pretty easy to do from Ireland, given its proximity to GCHQ’s gaping maw, but it does require some work).

The counterexample is the way the terrorists behind the Paris attack used Telegram. Because that’s a non-US messaging system, data including metadata from it was not easily available (though as I understand it its encryption would be fairly trivial for NSA to overcome). Thus, terrorists were able to use an inferior product and obtain more obscurity (until Telegram, under pressure, shut down a bunch of ISIS channels) than they would have if they had used the superior iPhone because Apple’s servers are in the US. If US national security officials force multinational companies to choose between quality of product and US location, one or two may choose to offshore. Alternately, eventually the foreign products may come to rival what Apple is currently offering.

Right now, US officials are guaranteed that if intelligence and criminal targets use the best product in the world, they’ll have evidence readily available. Even ignoring all the economic reasons to want Apple to stay in the US (or better yet to actually pay its fair share of taxes in the US!) that could change if Apple were to decide it could not longer legally offer a secure product while remaining in the US.

On Same Day Cabinet Decided to Punt on Back Doors, Tim Cook Said NSA Would Stop Asking for Them

/1 Comment/in /by

The WaPo has an update on the Administration’s debate about whether to push for legislation for back doors. It reports that the Obama Administration decided to punt — and not ask for legislation right now while continuing efforts to cajole companies to back door their own products. WaPo even provided the date that decision was made: October 1.

“The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry,” FBI Director James Comey said at a Senate hearing Thursday of the Homeland Security and Governmental Affairs Committee.

The decision, which essentially maintains the status quo, underscores the bind the administration is in — between resolving competing pressures to help law enforcement and protecting consumer privacy.

[snip]

The decision was made at a Cabinet meeting Oct. 1.

“As the president has said, the United States will work to ensure that malicious actors can be held to account – without weakening our commitment to strong encryption,” National Security Council spokesman Mark Stroh said. “As part of those efforts, we are actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors’ use of their encrypted products and services.”

I’m particularly interested in the date given that’s when Tim Cook gave an interview (see NPR’s excerpts) where he stated fairly clearly the NSA would not ask for back doors, but FBI might.

Apple CEO Tim Cook said he doesn’t think we will hear the U.S. National Security Agency asking for a back door into our iPhones, at least not any more. In an interview on NPR’s All Things Consideredon Thursday, Mr. Cook implied that even the FBI is coming around on the need for end-user encryption.

The intelligence community has asked for a back door. They want access into the communications that are going through Apple’s devices. No?

Tim Cook: I don’t think you will hear the [National Security Agency] asking for a back door.

Robert Siegel: The FBI?

Tim Cook: There have been different conversations with the FBI, I think, over time. And I’ve read in the newspapers myself. But my own view is everyone’s coming around to some core tenets. And those core tenets are that encryption is a must in today’s world. And I think everyone is coming around also to recognizing that any back door means a back door for bad guys as well as good guys. And so a back door is a nonstarter. It means we’re all not safe.

When I first read this interview, I was struck by Cook’s certainty about the NSA, compared to his uncertainty about FBI. I wondered at the time whether that certainty meant that the rumored FISC request for a back door was ultimately rejected, which would close off the possibility for NSA for the moment(that would affect FBI, too, but only part of FBI’s requests).

Given the coincidence of these two events — Cook’s stated certainty and the cabinet decision not to pursue back doors right now — I’m all the more curious.

Has FISC secretly told the government it can’t force Apple to back door its products?

On the Apple Back Door Rumors … Remember Lavabit

/12 Comments/in /by

During the July 1 Senate Judiciary Committee hearing on back doors, Deputy Attorney General Sally Yates claimed that the government doesn’t want the government to have back doors into encrypted communications. Rather, they wanted corporations to retain the back doors to be able to access communications if the government had legal process to do so. (After 1:43.)

We’re not going to ask the companies for any keys to the data. Instead, what we’re going to ask is that the companies have an ability to access it and then with lawful process we be able to get the information. That’s very different from what some other countries — other repressive regimes — from the way that they’re trying to get access to the information.

The claim was bizarre enough, especially as she went on to talk about other countries not having the same lawful process we have (as if that makes a difference to software code).

More importantly, that’s not true.

Remember what happened with Lavabit, when the FBI was in search of what is presumed to be Edward Snowden’s email. Lavabit owner Ladar Levison had a discussion with FBI about whether it was technically feasible to put a pen register on the targeted account. After which the FBI got a court order to do it. Levison tried to get the government to let him write a script that would provide them access to just the targeted account or, barring that, provide for some kind of audit to ensure the government wasn’t obtaining other customer data.

The unsealed documents describe a meeting on June 28th between the F.B.I. and Levison at Levison’s home in Dallas. There, according to the documents, Levison told the F.B.I. that he would not comply with the pen-register order and wanted to speak to an attorney. As the U.S. Attorney for the Eastern District of Virginia, Neil MacBride, described it, “It was unclear whether Mr. Levison would not comply with the order because it was technically not feasible or difficult, or because it was not consistent with his business practice in providing secure, encrypted e-mail service for his customers.” The meeting must have gone poorly for the F.B.I. because McBride filed a motion to compel Lavabit to comply with the pen-register and trap-and-trace order that very same day.

Magistrate Judge Theresa Carroll Buchanan granted the motion, inserting in her own handwriting that Lavabit was subject to “the possibility of criminal contempt of Court” if it failed to comply. When Levison didn’t comply, the government issued a summons, “United States of America v. Ladar Levison,” ordering him to explain himself on July 16th. The newly unsealed documents reveal tense talks between Levison and the F.B.I. in July. Levison wanted additional assurances that any device installed in the Lavabit system would capture only narrowly targeted data, and no more. He refused to provide real-time access to Lavabit data; he refused to go to court unless the government paid for his travel; and he refused to work with the F.B.I.’s technology unless the government paid him for “developmental time and equipment.” He instead offered to write an intercept code for the account’s metadata—for thirty-five hundred dollars. He asked Judge Hilton whether there could be “some sort of external audit” to make sure that the government did not take additional data. (The government plan did not include any oversight to which Levison would have access, he said.)

Most important, he refused to turn over the S.S.L. encryption keys that scrambled the messages of Lavabit’s customers, and which prevent third parties from reading them even if they obtain the messages.

The discussions disintegrated because the FBI refused to let Levison do what Yates now says they want to do: ensure that providers can hand over the data tailored to meet a specific request. That’s when Levison tried to give FBI his key in what it claimed (even though it has done the same for FOIAs and/or criminal discovery) was in a type too small to read.

On August 1st, Lavabit’s counsel, Jesse Binnall, reiterated Levison’s proposal that the government engage Levison to extract the information from the account himself rather than force him to turn over the S.S.L. keys.

THE COURT: You want to do it in a way that the government has to trust you—
BINNALL: Yes, Your Honor.
THE COURT: —to come up with the right data.
BINNALL: That’s correct, Your Honor.
THE COURT: And you won’t trust the government. So why would the government trust you?
Ultimately, the court ordered Levison to turn over the encryption key within twenty-four hours. Had the government taken Levison up on his offer, he may have provided it with Snowden’s data. Instead, by demanding the keys that unlocked all of Lavabit, the government provoked Levison to make a last stand. According to the U.S. Attorney MacBride’s motion for sanctions,
At approximately 1:30 p.m. CDT on August 2, 2013, Mr. Levison gave the F.B.I. a printout of what he represented to be the encryption keys needed to operate the pen register. This printout, in what appears to be four-point type, consists of eleven pages of largely illegible characters. To make use of these keys, the F.B.I. would have to manually input all two thousand five hundred and sixty characters, and one incorrect keystroke in this laborious process would render the F.B.I. collection system incapable of collecting decrypted data.
The U.S. Attorneys’ office called Lavabit’s lawyer, who responded that Levison “thinks” he could have an electronic version of the keys produced by August 5th.

Levison came away from the debacle believing that the FBI didn’t understand what it was asking for when they asked for his keys.

One result of this newfound expertise, however, is that Levison believes there is a knowledge gap between the Department of Justice and law-enforcement agencies; the former did not grasp the implications of what the F.B.I. was asking for when it demanded his S.S.L. keys.

I raise all this because of the rumor — which Bruce Schneier inserted into his excerpt of this Nicholas Weaver post — that FBI is already fighting before FISC with Apple for a back door.

There’s a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly — and they’re losing. This might explain Apple CEO Tim Cook’s somewhat sudden vehemence about privacy. I have not found any confirmation of the rumor.

Weaver’s post describes how, because of the need to allow users to access their iMessage account from multiple devices (think desktop, laptop, iPad, and phone), Apple technically could give FBI a key.

In iMessage, each device has its own key, but its important that the sent messages also show up on all of Alice’s devices.  The process of Alice requesting her own keys also acts as a way for Alice’s phone to discover that there are new devices associated with Alice, effectively enabling Alice to check that her keys are correct and nobody has compromised her iCloud account to surreptitiously add another device.

But there remains a critical flaw: there is no user interface for Alice to discover (and therefore independently confirm) Bob’s keys.  Without this feature, there is no way for Alice to detect that an Apple keyserver gave her a different set of keys for Bob.  Without such an interface, iMessage is “backdoor enabled” by design: the keyserver itself provides the backdoor.

So to tap Alice, it is straightforward to modify the keyserver to present an additional FBI key for Alice to everyone but Alice.  Now the FBI (but not Apple) can decrypt all iMessages sent to Alice in the future.

Admittedly, as heroic as Levison’s decision to shut down Lavabit rather than renege on a promise he made to his customers, Apple has a lot more to lose here strictly because of the scale involved. And in spite of the heated rhetoric, FBI likely still trusts Apple more than they trusted Levison.

Still, it’s worth noting that Yates’ claim that FBI doesn’t want keys to communications isn’t true — or at least wasn’t before her tenure at DAG. Because a provider, Levison, insisted on providing his customers what he had promised, the FBI grew so distrustful of him they did demand a key.

The ameriMac

/19 Comments/in , /by

Presumably because of Apple’s rocky PR and financial results of late, Tim Cook gave two purportedly “Exclusive!” interviews, to NBC News and Businessweek. The big takeaway from both “Exclusives!” was the same, however: that Apple will move some production of the Mac back to the US next year.

You were instrumental in getting Apple out of the manufacturing business. What would it take to get Apple back to building things and, specifically, back to building things in the U.S.?
It’s not known well that the engine for the iPhone and iPad is made in the U.S., and many of these are also exported—the engine, the processor. The glass is made in Kentucky. And next year we are going to bring some production to the U.S. on the Mac. We’ve been working on this for a long time, and we were getting closer to it. It will happen in 2013. We’re really proud of it. We could have quickly maybe done just assembly, but it’s broader because we wanted to do something more substantial. So we’ll literally invest over $100 million. This doesn’t mean that Apple will do it ourselves, but we’ll be working with people, and we’ll be investing our money.

Thus far, I have not seen any acknowledgment that this move comes just two months after Lenovo made a similar announcement, that it was going to bring production of formerly IBM products back to Tim Cook’s old stomping grounds in IBM’s former production hub of North Carolina.

And so, perhaps predictably, the analysis of the move has been rather shallow. NBC first focuses on the jobs crisis here, and only later quotes Cook’s comments about skills (which echoes Steve Jobs’ old explanation for why Apple produced in China).

Given that, why doesn’t Apple leave China entirely and manufacture everything in the U.S.? “It’s not so much about price, it’s about the skills,” Cook told Williams.

Echoing a theme stated by many other companies, Cook said he believes the U.S. education system is failing to produce enough people with the skills needed for modern manufacturing processes. He added, however, that he hopes the new Mac project will help spur others to bring manufacturing back to the U.S.

“The consumer electronics world was really never here,” Cook said. “It’s a matter of starting it here.”

Businessweek also focuses on job creation (though Cook makes it clear that he doesn’t think Apple has to create manufacturing jobs, just jobs, which is consistent with his suggestion that someone else will be assembling the Mac in the US).

On that subject, it’s 2012. You’re a multinational. What are the obligations of an American company to be patriotic, and what do you think that means in a globalized era?
(Pause.) That’s a really good question. I do feel we have a responsibility to create jobs. I don’t think we have a responsibility to create a certain kind of job, but I think we do have a responsibility to create jobs.

Matt Yglesias purports to look for an explanation of Apple’s onshoring in this excellent Charles Fishman article on the trend. But with utterly typical cherry-picking from him, he finds the explanation in the 125 words that Fishman devotes to lower US wages rather than the remaining 5,375 words in the article, which describe how teamwork–teamwork including line workers–leads to innovation and higher quality.

Which is too bad, because Fishman’s article and Cook’s comments to Businessweek set up a pretty interesting dialogue about innovation.

Before I look at that, though, let me point to this other comment from Cook, which may provide a simpler explanation for the insourcing.

The PC space [market] is also large, but the market itself isn’t growing. However, our share of it is relatively low, so there’s a lot of headroom for us.

We know Lenovo is insourcing to better provide customized ThinkPads quickly. Here, Cook suggests he sees a way to pick up market share in the PC space. I would suggest it likely the Mac insourcing relates to this perceived market opportunity, and would further suggest that Apple’s reasons might mirror Lenovo’s own: to deliver better responsiveness to US-based customers, if not actual customization (though that would be news).

But that’s not what I find so interesting about the way the Fishman article and Cook interview dialogue.

Fishman’s article largely focuses on why GE has brought production back to its Appliance City in Louisville, KY. And while more docile unions and energy costs are two reasosn GE has made the move, the biggest benefit is that when entire teams–including line workers–focused on products, they could build better quality move innovative products more cheaply. Read more

Computer Returns

/15 Comments/in /by

The Chinese computer company, Lenovo, which bought IBM’s PC division in 2004, has announced it will be opening a small production facility in North Carolina next year.

The world’s No. 2 personal-computer maker says the PC production line now being built at a facility in Whitsett, N.C., will allow the company to become more responsive to U.S. corporate clients’ demand for flexible supplies and product customization. Although the cost of U.S. production will be higher compared with overseas production, an added benefit will be to raise Lenovo’s profile in the U.S., where it ranks fourth in market share by shipment.

[snip]

Lenovo executives said the new production line isn’t a temporary publicity stunt. “I believe this is the first of many steps to increase our production capability,” Mr. Schmoock said. “I’m very, very bullish about what I can get out of this facility.”

Gerry Smith, Lenovo’s head of global supply chain, said the decision to set up a production site in the U.S. is in line with the company’s broader strategy of localizing its production in major markets as much as possible.

The move is interesting simply as a reflection of the way that more customized manufacturing–as Lenovo’s higher-end computers can be–is localizing.

But there’s also an irony here, given all the attention on Apple’s production in China, most recently with the Foxconn riots coinciding with the release of the iPhone 5.

But what it does is present an alternative strategy, with products Cook knows well, as a way to compete better against (among others) Cook’s current company.

If Cook can only get those Apple maps to work he might even return to the Southeast to see how this works!

Before Tim Cook became VP and ultimately CEO of Apple, he worked at IBM–what would become Lenovo’s US headquarters–in North Carolina on manufacturing logistics. And this move is effectively a return of ThinkPad production to IBM’s former stomping grounds.

Apple’s still not going to bring device assembly to the US anytime soon. They sell generic widgets, not customized machines as this plant will produce. And even as expensive as their products are within segments, most of what they sell is still much cheaper than a loaded laptop.