Posts

About Apple’s Dead Warrant Canary

There were two significant pieces of Apple security news yesterday.

In laudable news, Apple’s new privacy policy makes clear that it cannot unlock data stored locally on an iOS 8 device for law enforcement.

On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

I find the comment as interesting for the list of things Apple envisions potentially having to hand over as I do for the security claim (though the security claim is admirable).

  • Photos
  • Messages, including attachments
  • Email
  • Contacts
  • Call history
  • iTunes content
  • Notes
  • Reminders

Apple’s promise to protect this kind of data only goes so far, though; as the NYT makes clear, it doesn’t extend to data stored in Apple’s cloud.

The new security in iOS 8 protects information stored on the device itself, but not data stored on Apple’s cloud service. So Apple will still be able to hand over some customer information stored on iCloud in response to government requests.

Which brings us to the second piece of news. As GigaOm notes, Apple’s warrant canary indicating that it has never received a Section 215 order has disappeared.

When Apple published its first Transparency Report on government activity in late 2013, the document contained an important footnote that stated:

“Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.”

Writer and cyber-activist Cory Doctorow at the time recognized that language as a so-called “warrant canary,” which Apple was using to thwart the secrecy imposed by the Patriot Act.

Warrant canaries are a tool used by companies and publishers to signify to their users that, so far, they have not been subject to a given type of law enforcement request such as a secret subpoena. If the canary disappears, then it is likely the situation has changed — and the company has been subject to such request.

Now, Apple’s warrant canary has disappeared. A review of the company’s last two Transparency Reports, covering the second half of 2013 and the first six months of 2014, shows that the “canary” language is no longer there.

Note that GigaOm goes on to mistakenly state that Section 215 is the basis for PRISM (PRISM operates under Section 702 of FISA), which doesn’t detract from the importance of noting the dead warrant canary. The original PRISM slides indicate that Apple started complying with Section 702 (PRISM) in October 2012, and the ranges in Apple’s government request data probably reflect at least some of its Section 702 compliance to provide content.

So Apple receiving its first Section 215 order sometime last year would reflect either a different kind of request (one not available by targeting someone overseas, as Section 702 requires) or a request, under the new authority of Section 215, for the kind of information it was already providing under Section 702.

Many of the things listed above — at a minimum, call history, but potentially things like contacts and the titles of iTunes content (remember, James Cole has confirmed the government could use Section 215 to get URL searches, and we know they get purchase records) — can be obtained under Section 215.

I find Apple’s dead warrant canary of particular interest given the revelation in the recent DOJ IG Report on National Security Letters that some “Internet companies” started refusing NSLs for certain kinds of content starting in 2009; that collection has moved to Section 215 authority, and it now constitutes a majority of the 200-some Section 215 orders a year.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

[snip]

We asked whether the disagreement and uncertainty over electronic communication transactional records has negatively affected national security investigations. An Assistant General Counsel in NSLB told us that the additional time it takes to obtain transactional records through a Section 215 application slows down national security investigations, all of which he said are time-sensitive. He said that an investigative subject can cease activities or move out of the country within the time-frame now necessary to obtain a FISA order. [my emphasis]

These Internet company refusals must pertain to somewhat exotic requests, otherwise the government would simply take the companies to court one time apiece and win that authority. So we should assume the government was making somewhat audacious requests using NSLs, some companies refused, and it now uses Section 215 to do the collection. Another signal that these requests are fairly audacious is that the FISA Court appears to have imposed minimization procedures, which for individualized content must reflect a good deal of irrelevant content that would be suppressed.

While my wildarse guess is that this production pertains to URL searches, everything cloud providers like Apple store arguably falls under the Third Party doctrine and may be obtained using Section 215.

That’s not to say Apple’s dead canary pertains to this kind of refusal. But it ought to raise new questions about how the government has been using Section 215.

If the bill passes, this production will likely be increasingly obtained under the USA Freedom Act’s emergency provisions, which permit the government to retain data even if the collection turns out not to be legal. And the bill’s “transparency” provisions hide how many Americans would be affected.

Sadness in the NSA-Telecom Bromance

In his report on an interview with the new Director of NSA, Admiral Mike Rogers, David Sanger gets some operational details wrong, starting with his claim that the new phone dragnet would require an “individual warrant.”

The new phone dragnet neither requires “warrants” (the standard for an order is reasonable suspicion, not probable cause), nor does it require its orders to be tied to “individuals”; instead it requires “specific selection terms,” which may target facilities or devices and which in the past have been interpreted very broadly.

All that said, I am interested in Rogers’ claims Sanger repeats about NSA’s changing relationship with telecoms.

He also acknowledged that the quiet working relationships between the security agency and the nation’s telecommunications and high technology firms had been sharply changed by the Snowden disclosures — and might never return to what they once were in an era when the relationships were enveloped in secrecy.

Oh darn!

Sadly, here’s where Sanger’s unfamiliarity with the details makes the story less useful. Publicly, at least, AT&T and Verizon have had significantly different responses to the exposure of the dragnet (though that may only be because Verizon’s name has twice been made public in conjunction with NSA’s dragnet, whereas AT&T’s has not been), and it’d be nice if this passage probed some of those details.

Telecommunications businesses like AT&T and Verizon, and social media companies, now insist that “you are going to have to compel us,” Admiral Rogers said, to turn over data so that they can demonstrate to foreign customers that they do not voluntarily cooperate. And some are far more reluctant to help when asked to provide information about foreigners who are communicating on their networks abroad. It is a gray area in the law in which American courts have no jurisdiction; instead, the agency relied on the cooperation of American-based companies.

Last week, Verizon lost a longstanding contract to run many of the telecommunications services for the German government. Germany declared that the revelations of “ties revealed between foreign intelligence agencies and firms” showed that it needed to rely on domestic providers.

After all, under Hemisphere, AT&T wasn’t requiring legal process even for domestic call records. I think it possible they’ve demanded the government move Hemisphere under the new phone dragnet, though if they have, we haven’t heard about it (it would only work if they defined domestic drug dealer suspects as associated with foreign powers who have some tie to terrorism). Otherwise, though, AT&T has not made a peep to suggest they’ll alter their decades-long overenthusiastic cooperation with the government.

Whereas Verizon has been making more audible complaints about its plight, long before the Germans started ending their contracts. And Sprint, unmentioned by Sanger, even demanded to see legal support for turning over phone data, including, apparently, for turning over foreign phone data under ECPA’s exception in 18 U.S.C. § 2511(2)(f), which permits telecoms to voluntarily provide foreign intelligence data.

Given that background, and the fact that ODNI released the opinions revealing Sprint’s effort, if not its name, I am curious whether the telecoms are really demanding process. If courts really had no jurisdiction, then it is unclear how the government could obligate production.

Though that may be what Microsoft’s challenge to a government request for email held in Ireland is about, and that may explain why AT&T and Verizon, along with Cisco and Apple (for the most part, companies that have been more reticent about the government obtaining records in the US), joined that suit. (In related news, EU Vice President Viviane Reding says the US request for the data may be a violation of international law.)

Well, if the Microsoft challenge, and the telecoms’ participation in it, is actually an effort to convince the Europeans that these corporations demand legal process, Admiral Rogers just blew their cover.

Admiral Rogers said the majority of corporations that had long given the agency its technological edge and global reach were still working with it, though they had no interest in advertising the fact.

Dear Ireland and the rest of Europe: Microsoft — which has long been rather cooperative with NSA, up to and including finding a way to obtain Skype data — may be fighting this data request just for show. Love, Microsoft’s BFF, Mike Rogers.

Magistrate Judge Targets DOJ’s Search ≠ Seizure Theory

The second- and third-to-last sentences of Magistrate Judge John Facciola’s opinion responding to a warrant application for information from Apple read,

To be clear: the government must stop blindly relying on the language provided by the Department of Justice’s Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations manual. By doing so, it is only submitting unconstitutional warrant applications. [link added, h/t Mike Scarcella]

Over the course of the opinion, which denies a warrant for three entire months of emails, plus account information and correspondence with Apple, for a criminal investigation into defense contractor kickbacks, Facciola lays out what he has found, over the last six months, to be a problem with DOJ’s search and seizure guidelines.

  • In the Matter of the Search of Information Associated with [redacted] Stored at Premises Controlled by Yahoo! (13-MJ-728; September 25, 2013), in which Facciola ordered the government to return data not within the scope of the request to Yahoo
  • In the Matter of an Order Authorizing Disclosure of Historical Cell Site Location (13-MC-199, 13-MC-1005, and 13-MC-1006; October 31, 2013), in which Facciola warned the government he would reject future warrant applications because of “generic and inaccurate boilerplate language”
  • In the Matter of the Search of Information Associated with the Facebook Account Identified by the Username Aaron Alexis (13-MJ-742; November 26, 2013), in which Facciola objected to the government’s two-step procedure to search the Navy Yard shooter’s account to get all of Alexis’ email
  • In [redacted]@Mac.com (14-MC-228; this case), in which the government listed a bunch of email data to be “disclosed by Apple” but then laid out the authority to “seize” (implicitly all) the underlying emails

Here’s how Facciola describes what is common to all these warrant applications.

In essence, the applications ask for the entire universe of information tied to a particular account, even if it has established probable cause only for certain information.

He goes on to describe how the government uses essentially the same argument it uses for its NSA dragnets: that taking all of a company’s phone records doesn’t count as seizing them.

Any search of an electronic source has the potential to unearth tens or hundreds of thousands of individual documents, pictures, movies, or other constitutionally protected content. It is thus imperative that the government “describe the items to be seized with as much specificity as the government’s knowledge and circumstances allow.” United States v. Leary, 846 F.2d 592, 600 (10th Cir. 1988).

Here, the government has adequately described the “items to be seized”—but it has done so in the wrong part of the warrant and in a manner that will cause an unconstitutional seizure. By abusing the two-step procedure under Rule 41, the government is asking Apple to disclose the entirety of three months’ worth of e-mails and other e-mail account information. See Application at 14-15. Yet, on the very next page, it explains that it will only “seize” specific items related to its criminal investigation; it goes so far as to name specific individuals and companies that, if mentioned in an e-mail, would make that e-mail eligible to be seized. Id. at 15. Thus, the government has shown that it can “describe the items to be seized with [] much specificity”; it has simply chosen not to by pretending that it is not actually “seizing” the information when Apple discloses it. See Facebook Opinion [#5] at 9-10 (“By distinguishing between the two categories, the government is admitting that it does not have probable cause for all of the data that Facebook would disclose; otherwise, it would be able to ‘seize’ everything that is given to it.”).

As this Court has previously noted, any material that is turned over to the government is unquestionably “seized” within the meaning of the Fourth Amendment. See Brower v. Cnty. of Inyo, 489 U.S. 593, 596 (1989) (noting that a “seizure” occurs when an object is intentionally detained or taken). The two-step procedure of Rule 41 cannot be used in situations like the current matter to bypass this constitutional reality because the data is seized by the government as soon as it is turned over by Apple.

[snip]

What the government proposes is that this Court issue a general warrant that would allow a “general, exploratory rummaging in a person’s belongings”—in this case an individual’s e-mail account. Coolidge, 403 U.S. at 467. This Court declines to do so.

This opinion will likely result only in DOJ submitting a new application. It’ll clean up its ways or submit applications in other districts to avoid Facciola. This opinion, by a Magistrate, certainly won’t establish the principle that as soon as DOJ obtains data, it has seized it under the Fourth Amendment.

Still, given how central this claim that seizures don’t equal seizures has become to the government’s arguments, perhaps the obvious logic of Facciola’s stance will encourage other judges to stop twisting the normal meaning of “seize” to be solicitous of government demands.

Apple’s Go to Fail Response

If you haven’t already heard, on Friday Apple admitted to what has turned out to be a serious security flaw.

Essentially, the flaw sits in the code Apple’s operating systems use to validate SSL/TLS connections, and it affects the connections negotiated with the cipher suites that provide forward secrecy. An attacker on the network path could conduct a man-in-the-middle attack against connections that were supposed to be protected while you were sending or receiving data via an Apple operating system. Apple’s announcement Friday pertained to just iOS. But security researchers quickly discovered that the bug affects recent releases of OS X as well. And even if you browse with Chrome or Firefox, which carry their own TLS code, the bug still affects other applications on the system that rely on Apple’s library.
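What “goto fail” actually was, as an added example that is not code from the original post or from Apple: the flaw (CVE-2014-1266) was a duplicated `goto fail;` line in SecureTransport’s SSLVerifySignedServerKeyExchange, which skipped verification of the server’s signature on the ServerKeyExchange message and so let anyone in the middle substitute their own key exchange parameters. The C below reproduces that control flow with constructed stand-ins for the hash and verification calls (hash_update, hash_final, verify_signature, toy_digest and the sample bytes are this example’s own, and the toy digest is not a real hash); it shows the vulnerable version accepting a forged signature while the corrected version rejects it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reproduction of the control-flow defect behind CVE-2014-1266 ("goto fail").
 * Added example, not Apple's code: the hash and verify steps are constructed
 * stand-ins for the SecureTransport calls, which followed the same pattern
 * (each step returns 0 on success, nonzero on error; errors jump to a
 * cleanup label that returns err). */

/* GCC 6+ flags the duplicated line below under -Wmisleading-indentation
 * (part of -Wall), and recent clang has the same warning. It is silenced
 * here only so the vulnerable copy compiles under -Werror. */
#if defined(__GNUC__)
#pragma GCC diagnostic ignored "-Wmisleading-indentation"
#endif

typedef struct { uint32_t acc; } hash_ctx;   /* toy digest, NOT cryptographic */

static int hash_update(hash_ctx *c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        c->acc = c->acc * 31u + p[i];
    return 0;
}

static int hash_final(hash_ctx *c, uint32_t *out) {
    *out = c->acc;
    return 0;
}

/* Stand-in for checking the ServerKeyExchange signature against the digest:
 * 0 = signature matches, -1 = mismatch (plays the role of errSSLCrypto). */
static int verify_signature(uint32_t computed, uint32_t claimed) {
    return computed == claimed ? 0 : -1;
}

/* Digest the parameters the way an honest server's signature would cover them. */
uint32_t toy_digest(const uint8_t *params, size_t n) {
    hash_ctx ctx = { 0 };
    uint32_t d = 0;
    hash_update(&ctx, params, n);
    hash_final(&ctx, &d);
    return d;
}

/* VULNERABLE: the second "goto fail;" is not guarded by the if, so it always
 * executes. hash_final and verify_signature are skipped, err is still 0 from
 * the successful hash_update, and the function reports success for any
 * signature at all. That is what let a man-in-the-middle present a forged
 * ServerKeyExchange (DHE/ECDHE suites) and have it accepted. */
int verify_vulnerable(const uint8_t *params, size_t n, uint32_t sig_digest) {
    hash_ctx ctx = { 0 };
    uint32_t digest = 0;
    int err;

    if ((err = hash_update(&ctx, params, n)) != 0)
        goto fail;
        goto fail;                       /* duplicated line: unconditional */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = verify_signature(digest, sig_digest);

fail:
    return err;
}

/* CORRECTED: the stray line is removed, so every step runs. Braces on every
 * if would have made the bug impossible to write in the first place. */
int verify_fixed(const uint8_t *params, size_t n, uint32_t sig_digest) {
    hash_ctx ctx = { 0 };
    uint32_t digest = 0;
    int err;

    if ((err = hash_update(&ctx, params, n)) != 0) {
        goto fail;
    }
    if ((err = hash_final(&ctx, &digest)) != 0) {
        goto fail;
    }
    err = verify_signature(digest, sig_digest);

fail:
    return err;
}

/* Constructed sample: bytes standing in for the signed key exchange parameters. */
static const uint8_t kParams[] = { 0x03, 0x00, 0x17, 0x41, 0x04, 0xde, 0xad, 0xbe, 0xef };

int main(void) {
    uint32_t good = toy_digest(kParams, sizeof kParams);
    uint32_t forged = good ^ 0xFFFFFFFFu;   /* attacker's bogus signature */
    printf("vulnerable, forged sig: %d (0 = accepted)\n",
           verify_vulnerable(kParams, sizeof kParams, forged));
    printf("fixed,      forged sig: %d\n", verify_fixed(kParams, sizeof kParams, forged));
    printf("fixed,      good sig:   %d\n", verify_fixed(kParams, sizeof kParams, good));
    return 0;
}
```

Build with cc -Wall and run: the vulnerable function returns 0 for the forged signature, the corrected one returns -1. The practitioner point is that this is a pure control-flow bug that no test exercising only valid signatures can see; a negative test (a deliberately bad signature that must be rejected) or the compiler’s indentation warning would have caught it long before a researcher did.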

This post, from Google engineer Adam Langley, is one of the best posts on the bug itself. Here’s Wired’s take. Here’s a really accessible take from Gizmodo.

In the wake of the Snowden revelations, the discovery of the bug raises questions about how it got there. Langley thinks it was a mistake. Steve Bellovin does too, though he notes that Perfect Forward Secrecy, the very protection this bug undercuts, is precisely what a determined attacker, including a nation-state’s SIGINT agency, would need to compromise. Others are raising more questions.

But whether or not this is an intentional backdoor into the security protecting users of most of Apple’s most recent devices, I’m just as interested in Apple’s response … both to the public report, almost six months ago, that,

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

And to its discovery — reportedly perhaps as long as a few weeks ago — that it had this serious bug.

Now, if I were a leading device/consumer products company with an incentive to get consumers deeper into the cloud and living further and further online, particularly if I were a leading device/consumer products company sitting on mountains and mountains of cash, upon reading the report last September, I would throw bodies at my code to make sure I really was providing the security my customers needed to sustain trust. And given that this is a key part of the security on which that trust relies, I would think the mountains of cash device/consumer products company might have found this bug.

According to rumors, at least, this bug was not found by Apple with all its mountains and mountains of cash; it was found by a researcher.

Then there’s the radio silence Apple has maintained since issuing its alert about iOS on Friday. It told Reuters over the weekend that it would have a fix for the OS X bug “soon,” so it has effectively acknowledged that it’s there. But it has not issued an official statement.

It just seems to me there is little that can explain issuing Friday’s security alert — alerting everyone, including potential attackers, that the problem is there, which quickly led to the independent identification of the OS X problem — without at the same time rolling out an OS X announcement and alert. Admitting to the iOS error effectively left OS X users exposed to people acting on the announcement. Millions of Apple customers remain exposed until Apple rolls out a fix (though you might consider doing your banking in a browser other than Safari until then; Chrome and Firefox use their own TLS code, which protects the browser session a little, even though Mail and other applications built on Apple’s library remain exposed).

The only thing I can think of that would explain Apple’s actions is if the security researcher who found this bug gave them limited warning before he or she would have published it.

Otherwise, though, I’m as interested in the explanation for Apple’s two-step rollout of this bug fix as I am in how it got there in the first place.

The Shell Game: What is Microsoft Doing?

[graphic: Google Finance]

What is this so-called tech company doing?

Microsoft sees itself as going head-to-head with Apple and Google. The 10-year chart above comparing Microsoft, Apple, and Google stock tells us this has been a delusional perception.

It also sees itself in competition with IBM. Yet IBM surpassed it in market value two years ago, even after nearly a decade of ubiquity across personal computers in the U.S. and in much of the world. (IBM is included in that chart above, too.)

One might expect a sea change to improve performance, but is the shell game shuffling of Microsoft executives really designed to deliver results to the bottom line?

Tech and business sector folks are asking as well what is going on in Redmond; even the executive assignments seemed off-kilter. One keen analysis by former Microsoft employee Ben Thompson picked apart the company’s reorganization announcement last Thursday — coincidentally the same day the Guardian published a report that Microsoft had “collaborated closely” with the National Security Agency — noting that the restructuring doesn’t make sense.

The new organization pulls everything related to Windows 8 under a single leader, from desktop to mobile devices using the same operating system, migrating to a functional structure from a divisional structure. There are several flaws in this strategy Thompson notes, but a key problem is accountability.

To tech industry analysts, the new functional structure makes it difficult to follow a trail of failure in design and implementation for any single product under this functional umbrella.

To business analysts, the lack of accountability means outcomes of successful products hide failed products under the functional umbrella, diluting overall traceability of financial performance.

But something altogether different might be happening beneath the umbrella of Windows 8.

There’s only one product now, regardless of device — one ring to rule them all. It’s reasonable to expect that every single desktop, netbook, tablet, cellphone running on Windows 8 will now substantially be the same software.

Which means that going forward there is only one codebase they need to allow the NSA to access in order to reach a multitude of devices.

We’ve already learned from a Microsoft spokesman that the company informs the NSA about bugs or holes in its applications BEFORE it notifies the public.

For years there have been reports of numerous backdoors and holes, built intentionally and unintentionally into Microsoft’s operating systems from Windows 98 forward, used by the NSA and other law enforcement entities.

Now Skype, too, has been compromised: after Microsoft’s acquisition of the communications application and its infrastructure, it was included in the PRISM program for the purposes of content gathering and eavesdropping by the NSA.

Given these backdoors, holes, and bugs, Microsoft’s Patch Tuesday, along with its product registration methodology requiring online validation of equipment, certainly looks very different when one considers each opportunity Microsoft uses to reach out and touch business and private computers for security enhancements and product key validations.

Why shouldn’t anyone believe that the true purpose of Microsoft’s reorganization is to serve the NSA’s needs?

Tech magazine The Verge noted with the promotion of Terry Myerson to lead Windows — it’s said Myerson “crumples under the spotlight and is ungenerous with the press” — Microsoft doesn’t appear eager to answer questions about Windows.

As ComputerworldUK’s Glyn Moody asked with regard to collaboration with the NSA, “How can any company ever trust Microsoft again?”

If a company can’t trust them, why should the public?

The capper, existing outside Microsoft’s Windows 8 product: Xbox One’s Kinect feature is always on, in order to sense possible commands in the area where Kinect is installed.

ACLU’s senior policy analyst Chris Soghoian tweeted last Thursday, “… who in their right mind would trust an always-on Microsoft-controlled Xbox camera in their living room?”

One might wonder how often the question of trust will be raised before serious change is made with regard to Microsoft’s relationship with the NSA. With political strategist Mark Penn handling marketing for the corporation and Steve Ballmer still at the helm as CEO, don’t hold your breath.

Truck-sized Holes: Journalists Challenged by Technology Blindness

[photo: liebeslakritze via Flickr]

Note: The following piece was written just before news broke about Booz Allen Hamilton employee Edward Snowden. With this in mind, let’s look at the reporting we’ve seen up to this point; problems with reporting to date may remain even with the new disclosures.

ZDNet bemoaned the failure of journalism in the wake of disclosures this past week regarding the National Security Agency’s surveillance program; it took issue in particular with the Washington Post’s June 7 report. The challenge to journalists at WaPo and other outlets, particularly those who do not have a strong grasp of information technology, can be seen in the reporting around access to social media systems.

Some outlets focused on “direct access.” Others reported on “access,” but were not clear about direct or indirect access.

Yet more reporting focused on awareness of the program and authorization or lack thereof on the part of the largest social media firms cited on the leaked NSA slides.

Journalists are not asking what “access” means in order to clarify what each corporation understands direct and indirect access to mean with regard to their systems.

Does “direct access” mean someone physically camped out on site within reach of the data center?

Does “direct access” mean someone with global administrative rights and capability offsite of the data center? Some might call this remote access, but without clarification, what is the truth?

I don’t know about you but I can drive a Mack truck through the gap between these two questions.

So which “direct access” have the social media firms not permitted? Which “direct access” has been taken without authorization of corporate management? ZDNet focuses carefully on authorization, noting the changes in the Washington Post’s story with regard to “knowingly participated,” changed later to read “whose cooperation is essential to PRISM operations.”

This raises the same questions with regard to any other form of access which is not direct. Note carefully that a key NSA slide is entitled, “Dates when PRISM Collection Began For Each Provider.” It doesn’t actually say “gained access,” direct or otherwise.

Side by Side: Timeline of NSA’s Communications Collection and Cyber Attacks

In all the reporting and subsequent hubbub about the National Security Agency’s ongoing collection of communications, two things stood out as worthy of additional attention:

— Collection may have been focused on corporate metadata;

— Timing of NSA’s access to communications/software/social media firms occurred alongside major cyber assault events, particularly the release of Stuxnet, Flame, and Duqu.

Let’s compare timelines; keep in mind these are not complete.

Date                 | NSA/Business                                  | Cyber Attacks
---------------------|-----------------------------------------------|------------------------------------------------------------------
11-SEP-2007          | Access to MSFT servers acquired               |
15-NOV-2007          |                                               | Stuxnet 0.5 discovered in wild
XX-DEC-2007          |                                               | File name of Flame’s main component observed
12-MAR-2008          | Access to Yahoo servers acquired              |
All 2008 (into 2009) |                                               | Adobe applications suffer from 6+ challenges throughout the year, including attacks on Tibetan Government in Exile via Adobe products
11-JAN-2009          |                                               | Stuxnet 0.5 “ends” calls home
14-JAN-2009          | Access to Google servers acquired             |
Mid-2009             |                                               | Operation Aurora attacks begin; dozens of large corporations confirm they were targets
03-JUN-2009          | Access to Facebook servers acquired           |
22-JUN-2009          |                                               | Date Stuxnet version 1.001 compiled
04-JUL-2009          |                                               | Stuxnet 0.5 terminates infection process
07-DEC-2009          | Access to PalTalk servers acquired            |
XX-DEC-2009          |                                               | Operation Aurora attacks continue through Dec 2009
12-JAN-2010          |                                               | Google discloses existence of Operation Aurora, says attacks began in mid-December 2009
13-JAN-2010          |                                               | Iranian physicist killed by motorcycle bomb
XX-FEB-2010          |                                               | Flame operating in wild
10-MAR-2010          |                                               | Date Stuxnet version 1.100 compiled
14-APR-2010          |                                               | Date Stuxnet version 1.101 compiled
15-JUL-2010          |                                               | Langner first heard about Stuxnet
19-SEP-2010          |                                               | DHS, INL, US congressperson informed about threat posed by “Stuxnet-inspired malware”
24-SEP-2010          | Access to YouTube servers acquired            |
29-NOV-2010          |                                               | Iranian scientist killed by car bomb
06-FEB-2011          | Access to Skype servers acquired              |
07-FEB-2011          | AOL announces agreement to buy HuffingtonPost |
31-MAR-2011          | Access to AOL servers acquired                |
01-SEP-2011          |                                               | Duqu worm discovered
XX-MAY-2012          |                                               | Flame identified
08-JUN-2012          |                                               | Date on/about “suicide” command issued to Flame-infected machines
24-JUN-2012          |                                               | Stuxnet versions 1.X terminate infection processes
XX-OCT-2012          | Access to Apple servers acquired (date NA)    |

Again, this is not everything that could be added about Stuxnet, Flame, and Duqu, nor is it everything related to the NSA’s communications collection processes. Feel free to share in comments any observations or additional data points that might be of interest.

Please also note the two deaths in 2010; Stuxnet and its sibling applications were not the only efforts made to halt nuclear proliferation in Iran. These two events cast a different light on the surrounding cyber attacks.

Lastly, file this under “dog not barking”:

Why aren’t any large corporations making a substantive case to their customers that they are offended by the NSA’s breach of their private communications through their communications providers?

Future Forecast: Roundup of Scattered Probabilities

[The Crystal Ball by John William Waterhouse, c. 1902]

While thinking about forecasting the future, I collected a few short-term predictions for the year ahead worth kicking around a bit. After gazing deeply into my crystal ball, I added a few predictions of my own.

The National Weather Service’s Climate Prediction Center at NOAA forecasts below-average precipitation in the Pacific Northwest along with higher than average temperatures in the Southwest through Summer 2013. Looks like rainfall across areas stricken by drought in 2012 might be normal, but this will not overcome the soil moisture deficit.

My prediction: Beef, pork, and milk prices will remain high or increase — and that’s before any weirdness in pricing due to changes in federal regulations after the so-called “fiscal cliff.” And the U.S. government, both White House and Congress, will continue to do even less than the public expects when it comes to climate change.

The European Commission predicted the UK will lead economic recovery in the EU with a meager 0.9% growth rate anticipated in 2013. The southern portion of the EU is expected to continue to struggle while the rest of the EU stagnates.

My prediction: More mumbling about breaking up the EU, with just enough growth to keep at bay any action to that effect. Silvio Berlusconi will continue to provide both embarrassment and comedic relief to Italy and the EU. (What are they putting in that old freak’s pasta? Or are they doping his hair color?)

In September, the Federal Reserve Bank forecast slowish growth in the U.S. through 2013. Did they take into account the lame duck status of an already lethargic and incompetent Congress in this prediction? Did the Fed base this forecast on a Romney or an Obama win? This forecast seems oddly optimistic for one made before November’s election.

My prediction: All bets are off now, since the over-long backbiting and quibbling over the so-called fiscal cliff has eroded public sentiment. Given the likelihood of increased food prices due to the 2012 global drought, the public will feel more pain in their wallet no matter the outcome of fiscal cliff negotiations, negatively affecting consumer sentiment. The only saving grace has been stable to lower gasoline prices due to lower heating oil demand–the only positive outcome of a rather warm winter to date.

An analyst forecast Apple sales of iPads will equate nearly 60 percent of the total tablet market in 2013. As an owner of AAPL stock, I rather liked this. Unfortunately, that prediction was made in October, before the release of the iPad Mini. The stock market had something entirely different to say about the forecast–more like a bitchslap to the tune of nearly $200 decline per share between October and year-end. *Ouch!* Not all of that was based on the market’s rejection of the forecast on iPad Mini sales, though; much of that fall was related to the gross failure of Apple’s map application launched alongside the iPhone 5.

My prediction: I will continue to bemoan the failure to sell some AAPL stock in September 2012, while many of you will continue to buy Apple products. I thank you buyers in advance for trying so hard to boost my spirits and bolster my kids’ college fund in the coming year. Oh, and Google Maps will continue to eat at market share; it’s going to be a while before Apple recovers from its epic map failures. Conveniently, there’s GOOG stock in the kids’ college fund, too.

What about you? Are any of these predictions worth the pixels with which they’re presented? What do you predict for the year ahead? Do tell.

The ameriMac

Presumably because of Apple’s rocky PR and financial results of late, Tim Cook gave two purportedly “Exclusive!” interviews, to NBC News and Businessweek. The big takeaway from both “Exclusives!” was the same, however: that Apple will move some production of the Mac back to the US next year.

You were instrumental in getting Apple out of the manufacturing business. What would it take to get Apple back to building things and, specifically, back to building things in the U.S.?
It’s not known well that the engine for the iPhone and iPad is made in the U.S., and many of these are also exported—the engine, the processor. The glass is made in Kentucky. And next year we are going to bring some production to the U.S. on the Mac. We’ve been working on this for a long time, and we were getting closer to it. It will happen in 2013. We’re really proud of it. We could have quickly maybe done just assembly, but it’s broader because we wanted to do something more substantial. So we’ll literally invest over $100 million. This doesn’t mean that Apple will do it ourselves, but we’ll be working with people, and we’ll be investing our money.

Thus far, I have not seen any acknowledgment that this move comes just two months after Lenovo made a similar announcement, that it was going to bring production of formerly IBM products back to Tim Cook’s old stomping grounds in IBM’s former production hub of North Carolina.

And so, perhaps predictably, the analysis of the move has been rather shallow. NBC first focuses on the jobs crisis here, and only later quotes Cook’s comments about skills (which echoes Steve Jobs’ old explanation for why Apple produced in China).

Given that, why doesn’t Apple leave China entirely and manufacture everything in the U.S.? “It’s not so much about price, it’s about the skills,” Cook told Williams.

Echoing a theme stated by many other companies, Cook said he believes the U.S. education system is failing to produce enough people with the skills needed for modern manufacturing processes. He added, however, that he hopes the new Mac project will help spur others to bring manufacturing back to the U.S.

“The consumer electronics world was really never here,” Cook said. “It’s a matter of starting it here.”

Businessweek also focuses on job creation (though Cook makes it clear that he doesn’t think Apple has to create manufacturing jobs, just jobs, which is consistent with his suggestion that someone else will be assembling the Mac in the US).

On that subject, it’s 2012. You’re a multinational. What are the obligations of an American company to be patriotic, and what do you think that means in a globalized era?
(Pause.) That’s a really good question. I do feel we have a responsibility to create jobs. I don’t think we have a responsibility to create a certain kind of job, but I think we do have a responsibility to create jobs.

Matt Yglesias purports to look for an explanation of Apple’s onshoring in this excellent Charles Fishman article on the trend. But with utterly typical cherry-picking from him, he finds the explanation in the 125 words that Fishman devotes to lower US wages rather than the remaining 5,375 words in the article, which describe how teamwork–teamwork including line workers–leads to innovation and higher quality.

Which is too bad, because Fishman’s article and Cook’s comments to Businessweek set up a pretty interesting dialogue about innovation.

Before I look at that, though, let me point to this other comment from Cook, which may provide a simpler explanation for the insourcing.

The PC space [market] is also large, but the market itself isn’t growing. However, our share of it is relatively low, so there’s a lot of headroom for us.

We know Lenovo is insourcing to better provide customized ThinkPads quickly. Here, Cook suggests he sees a way to pick up market share in the PC space. I would suggest it likely the Mac insourcing relates to this perceived market opportunity, and would further suggest that Apple’s reasons might mirror Lenovo’s own: to deliver better responsiveness to US-based customers, if not actual customization (though that would be news).

But that’s not what I find so interesting about the way the Fishman article and the Cook interview speak to each other.

Fishman’s article largely focuses on why GE has brought production back to its Appliance City in Louisville, KY. And while more docile unions and energy costs are two reasons GE has made the move, the biggest benefit is that when entire teams–including line workers–focused on products, they could build better quality, more innovative products more cheaply.

Computer Returns

The Chinese computer company, Lenovo, which bought IBM’s PC division in 2004, has announced it will be opening a small production facility in North Carolina next year.

The world’s No. 2 personal-computer maker says the PC production line now being built at a facility in Whitsett, N.C., will allow the company to become more responsive to U.S. corporate clients’ demand for flexible supplies and product customization. Although the cost of U.S. production will be higher compared with overseas production, an added benefit will be to raise Lenovo’s profile in the U.S., where it ranks fourth in market share by shipment.

[snip]

Lenovo executives said the new production line isn’t a temporary publicity stunt. “I believe this is the first of many steps to increase our production capability,” Mr. Schmoock said. “I’m very, very bullish about what I can get out of this facility.”

Gerry Smith, Lenovo’s head of global supply chain, said the decision to set up a production site in the U.S. is in line with the company’s broader strategy of localizing its production in major markets as much as possible.

The move is interesting simply as a reflection of the way that more customized manufacturing–as Lenovo’s higher-end computers can be–is localizing.

But there’s also an irony here, given all the attention on Apple’s production in China, most recently with the Foxconn riots coinciding with the release of the iPhone 5.

Before Tim Cook became VP and ultimately CEO of Apple, he worked at IBM–what would become Lenovo’s US headquarters–in North Carolina on manufacturing logistics. And this move is effectively a return of ThinkPad production to IBM’s former stomping grounds.

But what it does is present an alternative strategy, with products Cook knows well, as a way to compete better against (among others) Cook’s current company.

If Cook can only get those Apple maps to work he might even return to the Southeast to see how this works!

Apple’s still not going to bring device assembly to the US anytime soon. They sell generic widgets, not customized machines as this plant will produce. And even as expensive as their products are within segments, most of what they sell is still much cheaper than a loaded laptop.