DOJ’s Pre-Ass-Handing Capitulation

In its February 16 application for an All Writs Act order to force Apple to help crack Syed Rizwan Farook’s phone, DOJ asserted,

Apple has the exclusive technical means which would assist the government in completing its search, but has declined to provide that assistance voluntarily.


2. The government requires Apple’s assistance to access the SUBJECT DEVICE to determine, among other things, who Farook and Malik may have communicated with to plan and carry out the IRC shootings, where Farook and Malik may have traveled to and from before and after the incident, and other pertinent information that would provide more information about their and others’ involvement in the deadly shooting.


3. As an initial matter, the assistance sought can only be provided by Apple.


4. Because iOS software must be cryptographically signed by Apple, only Apple is able to modify the iOS software to change the setting or prevent execution of the function.


5. Apple’s assistance is necessary to effectuate the warrant.


6. This indicates to the FBI that Farook may have disabled the automatic iCloud backup function to hide evidence, and demonstrates that there may be relevant, critical communications and data around the time of the shooting that has thus far not been accessed, may reside solely on the SUBJECT DEVICE, and cannot be accessed by any other means known to either the government or Apple.

FBI’s forensics guy Christopher Pluhar claimed,

7. I have explored other means of obtaining this information with employees of Apple and with technical experts at the FBI, and we have been unable to identify any other methods feasible for gaining access to the currently inaccessible data stored within the SUBJECT DEVICE.

On February 19, DOJ claimed,

8. The phone may contain critical communications and data prior to and around the time of the shooting that, thus far: (1) has not been accessed; (2) may reside solely on the phone; and (3) cannot be accessed by any other means known to either the government or Apple.


9. Apple left the government with no option other than to apply to this Court for the Order issued on February 16, 2016.


10. Accordingly, there may be critical communications and data prior to and around the time of the shooting that thus far has not been accessed, may reside solely on the SUBJECT DEVICE; and cannot be accessed by any other means known to either the government or Apple.


11. Especially but not only because iPhones will only run software cryptographically signed by Apple, and because Apple restricts access to the source code of the software that creates these obstacles, no other party has the ability to assist the government in preventing these features from obstructing the search ordered by the Court pursuant to the warrant.


12. Apple’s close relationship to the iPhone and its software, both legally and technically – which are the product of Apple’s own design – makes compelling assistance from Apple a permissible and indispensable means of executing the warrant.


13. Apple’s assistance is also necessary to effectuate the warrant.


14. Moreover, as discussed above, Apple’s assistance is necessary because without the access to Apple’s software code and ability to cryptographically sign code for the SUBJECT DEVICE that only Apple has, the FBI cannot attempt to determine the passcode without fear of permanent loss of access to the data or excessive time delay. Indeed, after reviewing a number of other suggestions to obtain the data from the SUBJECT DEVICE with Apple, technicians from both Apple and the FBI agreed that they were unable to identify any other methods – besides that which is now ordered by this Court – that are feasible for gaining access to the currently inaccessible data on the SUBJECT DEVICE. There can thus be no question that Apple’s assistance is necessary, and that the Order was therefore properly issued.

Almost immediately after the government made these claims, a number of security researchers I follow not only described ways FBI might be able to get into the phone, but revealed that FBI had not returned calls with suggestions.

On February 25, Apple pointed out the government hadn’t exhausted possible means of getting into the phone.

Moreover, the government has not made any showing that it sought or received technical assistance from other federal agencies with expertise in digital forensics, which assistance might obviate the need to conscript Apple to create the back door it now seeks. See Hanna Decl. Ex. DD at 34–36 [October 26, 2015 Transcript] (Judge Orenstein asking the government “to make a representation for purposes of the All Writs Act” as to whether the “entire Government,” including the “intelligence community,” did or did not have the capability to decrypt an iPhone, and the government responding that “federal prosecutors don’t have an obligation to consult the intelligence community in order to investigate crime”). As such, the government has not demonstrated that “there is no conceivable way” to extract data from the phone.

On March 1, members of Congress and House Judiciary Committee witness Susan Landau suggested there were other ways to get into the phone (indeed, Darrell Issa, who was one of those who made that point, is doing a bit of a victory lap). During the hearing, as Jim Comey insisted that if people had ways to get into the phone, they should call FBI, researchers noted they had done so and gotten no response.

Issa: Is the burden so high on you that you could not defeat this product, either through getting the source code and changing it or some other means? Are you testifying to that?

Comey: I see. We wouldn’t be litigating if we could. We have engaged all parts of the U.S. Government to see does anybody that has a way, short of asking Apple to do it, with a 5C running iOS 9 to do this, and we do not.


a) Comey: I have reasonable confidence, in fact, I have high confidence that all elements of the US government have focused on this problem and have had great conversations with Apple. Apple has never suggested to us that there’s another way to do it other than what they’ve been asked to do in the All Writs Act.


b) Comey [in response to Chu]: We’ve talked to anybody who will talk to us about it, and I welcome additional suggestions. Again, you have to be very specific: 5C running iOS 9, what are the capabilities against that phone. There are versions of different phone manufacturers and combinations of models and operating system that it is possible to break a phone without having to ask the manufacturer to do it. We have not found a way to break the 5C running iOS 9.


c) Comey [in response to Bass]: There are actually 16 other members of the US intelligence community. It pains me to say this, because I — in a way, we benefit from the myth that is the product of maybe too much television. The only thing that’s true on television is we remain very attractive people, but we don’t have the capabilities that people sometimes on TV imagine us to have. If we could have done this quietly and privately we would have done it.


Cicilline: I think this is a very important question for me. If, in fact — is it in fact the case that the government doesn’t have the ability, including the Department of Homeland Security Investigations, and all of the other intelligence agencies to do what it is that you claim is necessary to access this information?

d) Comey: Yes.

While Comey’s statements were not so absolutist as to suggest that only Apple could break into this phone, Comey repeatedly said the government could not do it.

On March 10, DOJ claimed,

15. The government and the community need to know what is on the terrorist’s phone, and the government needs Apple’s assistance to find out.


16. Apple alone can remove those barriers so that the FBI can search the phone, and it can do so without undue burden.


17. Without Apple’s assistance, the government cannot carry out the search of Farook’s iPhone authorized by the search warrant. Apple has ensured that its assistance is necessary by requiring its electronic signature to run any program on the iPhone. Even if the Court ordered Apple to provide the government with Apple’s cryptographic keys and source code, Apple itself has implied that the government could not disable the requisite features because it “would have insufficient knowledge of Apple’s software and design protocols to be effective.”


18. Regardless, even if absolute necessity were required, the undisputed evidence is that the FBI cannot unlock Farook’s phone without Apple’s assistance.


19. Apple deliberately established a security paradigm that keeps Apple intimately connected to its iPhones. This same paradigm makes Apple’s assistance necessary for executing the lawful warrant to search Farook’s iPhone.

On March 15, SSCI Member Ron Wyden thrice suggested someone should ask NSA if they could hack into this phone.

On March 21, DOJ wrote this:

Specifically, since recovering Farook’s iPhone on December 3, 2015, the FBI has continued to research methods to gain access to the data stored on it. The FBI did not cease its efforts after this litigation began. As the FBI continued to conduct its own research, and as a result of the worldwide publicity and attention on this case, others outside the U.S. government have continued to contact the U.S. government offering avenues of possible research.

On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone.

You might think that FBI really did suddenly find a way to hack the phone, after insisting over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over they could only get into it with Apple’s help. Indeed, the described timing coincides remarkably well with the announcement that some Johns Hopkins researchers had found a flaw in iMessage’s encryption (which shouldn’t relate at all to breaking into such phones, though it is possible FBI is really after iMessages they think will be on the phone). Indeed, in describing the iMessage vulnerability, Johns Hopkins prof Matthew Green ties the discovery to the Apple fight.

Now before I go further, it’s worth noting that the security of a text messaging protocol may not seem like the most important problem in computer security. And under normal circumstances I might agree with you. But today the circumstances are anything but normal: encryption systems like iMessage are at the center of a critical national debate over the role of technology companies in assisting law enforcement.

A particularly unfortunate aspect of this controversy has been the repeated call for U.S. technology companies to add “backdoors” to end-to-end encryption systems such as iMessage. I’ve always felt that one of the most compelling arguments against this approach — an argument I’ve made along with other colleagues — is that we just don’t know how to construct such backdoors securely. But lately I’ve come to believe that this position doesn’t go far enough — in the sense that it is woefully optimistic. The fact of the matter is that forget backdoors: we barely know how to make encryption work at all. If anything, this work makes me much gloomier about the subject.

Plus, as Rayne noted to me earlier, Ellen Nakashima’s first report on this went up just after midnight on what would be the morning of March 21, suggesting she had an embargo (though that may be tied to Apple’s fix for the vulnerability). [Update: Correction — her story accidentally got posted then unposted earlier than that.]

But that would require ignoring the 19 plus times (ignoring Jim Comey’s March 1 testimony) that DOJ insisted the only way they could get into the phone was by having Apple’s help hacking it (though note most of those claims only considered the ways that Apple might crack the phone, not ways that, say, NSA might). You’d have to ignore the problems even within these statements. You’d have to ignore the conflicting sworn testimony from FBI’s witnesses (including Jim Comey).

It turns out FBI’s public argument went to shit fast. Considering the likelihood they screwed up with the forensics on this phone and that there’s absolutely nothing of interest on the phone, I take this as an easy retreat for them.

But that doesn’t mean this is over. Remember, FBI has already moved to unlock this iPhone, of similar vintage to Farook’s, which seems more central to an actual investigation (even if FBI won’t be able to scream terrorterrorterror). There are two more encrypted phones FBI has asked Apple to break open.

But for now, I take this as FBI’s attempt to take its claims back into the shadows, where it’s not so easy to expose the giant holes in their claims.

Updated with Comey testimony.

6 replies
  1. SpaceLifeForm says:

    The iMessage problem is a convenient excuse. The iMessage protocol cannot work with the phone powered off, as there are no comms to MITM at this point in time.

    Most likely the NSA has gotten involved. They already have the comms. They likely want to minimize discussion of possible/probable attack vectors in public (court).

    Note this is not to imply that NSA was not already using the iMessage weakness. Just that they want to minimize discussion.

  2. Evangelista says:

    An aspect of the FBI v Apple battle over potential information on the SBCPH iphone issued to Farouk that has interested me throughout the business has been that the fundamentally logical, and simple, means by which the FBI could have (would have and should have if it was an honest agency) obtained Apple help to obtain information the iphone might have contained, would have been to give the iphone to Apple asking Apple to do whatever might be necessary to extract whatever it might contain, in house, at Apple, and then provide the information to the FBI.

    Why did the FBI not do this?

    Or maybe: Why would the FBI not do this?

    The only plausible possible reason is, or would be, that the information the FBI was, and maybe still is, after is information that the FBI does not want, and can not afford to have, escape its agency.

    The question this raises is, what kind of information that the Farouk iphone might have contained could be so potentially damaging and so dangerous to the FBI that the FBI would instigate a national debate to prevent any outside direct agency control to learn (and possibly blow a whistle on)?

    The kind of sleaze the FBI is known to engage in, the known range that known sleaze ranges over, from assassinating witnesses to facilitating pseudo-crimes to facilitating real crimes, to reciprocal back-scratching with known gangsters, looking the other way to allow gang activities, including ‘rub-out’, protecting ‘helpful’ and ‘goodguy’ gangs and gangsters (including judiciary and prosecutor gangs and gangsters), helping them, facilitating for them and so on, including in massive and orchestrated violations of any and all laws and intended constraints, and including crimes right down to the ‘essentially insignificant’ level, like lying to the public, constitutes such a haystack of potential FBI wrong-doings to guess which one among that I am at a dead stump loss to imagine even a wild possibility for a beginning.

    • martin says:

      quote”The only plausible possible reason is, or would be, that the information the FBI was, and maybe still is, after is information that the FBI does not want, and can not afford to have, escape its agency. ” unquote

      Ding! Ding! Ding! Give this person a prize. Meanwhile, Sherlock Holmes has approved your application for his next class in “look for the blindingly obvious first” course in Private Investigator 101. :)

      quote”The kind of sleaze the FBI is known to engage in, the known range that known sleaze ranges over,.. (snip)..constitutes such a haystack of potential FBI wrong-doings to guess which one among that I am at a dead stump loss to imagine even a wild possibility for a beginning.”unquote
      Says Dr. Watson.

      SH axiom #1. “What is the most dangerous reason for this act.”

      Dr. Watson.. “The deceased terrorists were actually patsies set up by the FBI to commit an act of terrorism, but went rogue?”

      S.H…”Elementary my dear Watson.”

  3. jerryy says:

    Jim Comey was not able to completely walk away leaving the suggestion out there that the phones are indeed now crackable — they just needed more time — perhaps to score a few sore-loser points against the folks in Cupertino, the presiding judge has said they (the FBI / DOJ) must show up in April and inform the court about any progress. I guess the court did not fancy itself to be a patsy in the pr stuff going on now.
    While no ruling precedent has yet been set in this case, the motions filed thus far are public records, so in the future a smaller firm facing this kind of pressure would have the ground work ready to go so to speak.

  4. JJ says:

    Given the way Judge Orenstein ruled in New York, and the additional legal arguments levied against it in CA, it was wise of the FBI to back out. However, merely bringing this case has allowed the FBI to shout “Back-doors are needed to stop terrorism!” “Secure phones threaten our security!” These are lines congressional members will fight to deliver themselves and hyperbolize upon. And these bromides will show a congress member’s patriotism as they pass legislation that brings about the surveillance state.

  5. Denis says:

    Very well done. An awful lot of effort here rooting out these now very questionable statements of facts by DoJ and FBI.

    It will be interesting to see how pushy Apple gets at this point. Not to put words in her mouth, least of all the types of words I frequently rely on, but Marcy seems to be saying that DoJ’s case that only Apple could crack the phone was bullshit from the git-go. If Apple can now demonstrate that, they could demand sanctions and attorney fees for having been dragged through all of this and dragged right up to the penultimate hour of the hearing before DoJ saying: “Oh, golly, our bad. We don’t need Apple to dedicate 10 employees for 4 months after all. We’re good. . .so never mind.”

    The biggest problem for DoJ will be the sworn affidavits they filed. Marcy quotes one dubious, sworn line from FBI guy Pluhar. Of course, those affidavits are written by the DoJ suits, not the people signing them, and so the statements are awfully slippery. The assertions taken as a whole imply that only Apple can crack the phone, but if you look at each statement individually, that’s not what they actually say. Here’s another such statement from the Pluhar affidavit:

    “Because iOS software must be cryptographically signed by Apple, only Apple is able to modify the iOS software to change the setting or prevent execution of the function.”

    OK, maybe true as far as it goes. But it ignores any possibility of cracking the phone w/out modifying the iOS while making Apple appear to be essential.

    Anyway, much thanks for linking to DoJ’s Feb16 ex parte application. It is not available from the court’s Pacer system and I have had a bit of confusion in my brain over these early filings and their sequence.

    DoJ’s Feb16 ex parte application was the first document filed in this AWA part of the Farook proceeding; it was, apparently, sealed. It is stamped with the date “02/16/16” but it is given the document number “18,” at least on the pdf document itself. But the court’s docket doesn’t show any filings before Feb17. And Document #18 listed in the docket is a Feb25 order allowing the appearance of an Apple lawyer.

    Pym’s order telling Apple to help out was dated the same day as the ex parte application was filed – Feb16 – meaning Pym couldn’t have given her order a lot of consideration. It was almost certainly typed by the DoJ suits and Pym just signed it.

    But what confuses me most is that Document #1 in the court’s list of filed documents is the motion DoJ filed on Feb19 — three days after the ex parte application — asking Pym to compel Apple to comply with her order granting the ex parte application, which is Doc #18. How does a document filed 3 days after Doc #18 get numbered “Doc #1,” and how can Doc #1 refer to Doc #18, which is dated three days after Doc #1? This is harder than sorting out my sock-drawer.

    I guess some of the document numbering confusion can be attributed to the case being re-assigned and re-numbered at least once, but, still, something is not smelling just right in the way this thing has gone down. I’m probably biased by the ugly rep Riverside County (and neighboring Kern County) have for creepy prosecutors and creepier judges.

    “Nearly all of that surveillance was authorized by a single state court judge in Riverside County, who last year signed off on almost five times as many wiretaps as any other judge in the United States. The judge’s orders allowed investigators — usually from the U.S. Drug Enforcement Administration — to intercept more than 2 million conversations involving 44,000 people, federal court records show.”

    The Desert Sun: “Justice officials fear nation’s biggest wiretap operation may not be legal”
