
Coming Soon to Apple vs FBI: Live Witnesses and Dead Terrorists

Apple today revealed that the FBI intends to call two witnesses in the March 22 hearing regarding the All Writs Act order to help crack Syed Rizwan Farook’s phone: what I understand to be Privacy Manager Erik Neuenschwander and its Law Enforcement Compliance lawyer Lisa Olle. The tech company declined to say whether it will call the FBI personnel who made sworn statements in the case.

Things could get interesting fast, especially if Apple calls FBI’s forensics guy, Christopher Pluhar — or even better, FBI Director Jim Comey — as there’s an apparent discrepancy between their sworn testimony.

Here’s what Jim Comey had to say in response to a Jerry Nadler question in the March 1 House Judiciary Committee hearing.

As I understand from the experts, there was a mistake made in the, that 24 hours after the attack where the County at the FBI’s request took steps that made it hard later — impossible later to cause the phone to back up again to the iCloud. The experts have told me I’d still be sitting here, I was going to say unfortunately[?], I’m glad I’m here, but we would still be in litigation because — the experts tell me — there’s no way we would have gotten everything off the phone from a backup, I have to take them at their word.

Comey’s comments appear to conflict with this sworn declaration of FBI’s Christopher Pluhar.

To add further detail, on December 3, 2015, the same day the Subject Device was seized from the Lexus IS300, I supervised my Orange County Regional Computer Forensics Laboratory (“OCRCFL”) team who performed the initial triage of the Subject Device, and observed that the device was powered off, and had to be powered up, or booted, to conduct the triage.

[snip]

I learned from SBCDPH IT personnel that SBCDPH also owned the iCloud account associated with the Subject Device, that SBCDPH did not have the current user password associated with the iCloud account, but that SBCDPH did have the ability to reset the iCloud account password.

Without the Subject Device’s passcode to gain access to the data on the Subject Device, accessing the information stored in the iCloud account associated with the Subject Device was the best and most expedient option to obtain at least some data associated with the Subject Device. With control of the iCloud account, the iCloud back-ups of the Subject Device could be restored onto different, exemplar iPhones, which could then be processed and analyzed.

[snip]

After that conversation with Ms. Olle, and after discussions with my colleagues, on December 6, 2015, SBCDPH IT personnel, under my direction, changed the password to the iCloud account that had been linked to the Subject Device. Once that was complete, SBCDPH provided exemplar iPhones that were used as restore targets for two iCloud back-ups in the Subject Device’s iCloud account. Changing the iCloud password allowed the FBI and SBCDPH IT to restore the contents of the oldest and most recent back-ups of the Subject Device to the exemplar iPhones on December 6, 2015. Once back-ups were restored, OCRCFL examiners processed the exemplar iPhones and provided the extracted data to the investigative team. Because not all of the data on an iPhone is captured in an iCloud back-up (as discussed further below), the exemplar iPhones contained only that subset of data as previously backed-up from the Subject Device to the iCloud account, not all data that would be available by extracting data directly from the Subject Device (a “physical device extraction”).

That’s true for several reasons. First, as I understand it, once the phone was turned off, such a backup would no longer be possible, so it would not have been a mistake to change the password. And while Pluhar’s assertion that you can’t get everything from an iCloud backup is consistent with Comey’s claim (presumably Pluhar is one of the experts Comey relied on), Neuenschwander explained that that was false in his own supplemental declaration.

Note, this passage is also the first confirmation that the FBI had already told Apple this phone was part of the investigation by December 6, meaning it must have been one of the ones Apple provided metadata for on December 5.

There is just one way that Pluhar’s declaration and Comey’s statement (again, both were sworn) can be true: if the FBI turned off the phone themselves [update: or let it drain, h/t Some Guy]. That would also mean Comey’s claim that “a mistake was made in that 24 hours after the attack” would make more sense, as it would refer to the decision to turn off the phone, rather than FBI’s direction to San Bernardino County to change the password.

That said, I wonder whether FBI isn’t trying something else by calling Olle and Neuenschwander to testify.

As part of its reply, Apple had Senior Vice President for Software Engineering Craig Federighi submit a declaration to rebut government claims Apple has made special concessions to China. After making some absolute statements — such as that “Apple has also not provided any government with its proprietary iOS source code,” Federighi stated, “It is my understanding that Apple has never worked with any government agency from any country to create a “backdoor” in any of our products or services.”

I was struck at the time that the statement was not as absolute as the others. Federighi relies on what he knows, without, as elsewhere, making absolute assurances.

Which got me wondering. If any country had demanded a back door (or, for that matter, Apple’s source code) would Federighi really need to know? From Neuenschwander’s declaration, it sounded like a smallish team could make the back door the FBI is currently demanding, meaning he might be as high as such knowledge would rise.

So I wonder whether, in an attempt to be dickish, the government intends to ask Neuenschwander and Olle, who would be involved in such compliance issues, if they also back Federighi’s statement.

We shall see. For now, I just bet myself a quarter that Apple will call Comey.

“Noteworthy” Ron Wyden Interview on Apple vs FBI: Ask NSA, Ask NSA, Ask NSA

This interview Ron Wyden did with Oregon Public Radio includes a lot of what you might expect from him, including an argument that weakening encryption makes us less safe, including possibly exposing kids (because their location gets identified) to pedophiles.

But the most interesting part of this interview is the three times Ron Wyden made it clear, in his inimitable fashion, that someone better ask NSA whether they can decrypt this phone. To me, the interview sounds like this:

Let me tell you what I think is noteworthy here. This is a fight between FBI and Apple. I think it’s noteworthy that nobody has heard from the NSA on this. [around 2:00]

And I want to come back to the fact that the NSA has not been heard from on this and I think that that is noteworthy. [before 7:25]

[After finally being asked what he had heard from NSA] I’m on the intelligence committee, so I’m bound, I take an oath, to not get into classified matters so I’m just going to, uh, leave that there with respect to the NSA. [at 8:30]

We’ve had experts like Susan Landau and Richard Clarke insist that NSA can get into this phone. Jim Comey, in testimony before HJC, sort of dodged by claiming that NSA doesn’t have the ability to get into a phone with this particular configuration.

But Ron Wyden sure seems to think the NSA might have more to say about that.

Golly, I can’t imagine what he thinks the NSA might have to offer about this phone.

In Exchange about Clinton Email Investigation, Lynch Forcefully Reminds She Is FBI’s Boss

There’s one last exchange in Wednesday’s Senate Judiciary Committee hearing with Attorney General Loretta Lynch that deserves closer focus. It came during John Cornyn’s round of questioning.

He structured his questions quite interestingly. He started by using the example of the Apple All Writs Act order to emphasize that FBI can’t do anything without DOJ’s approval and involvement. “I just want to make sure people understand the respective roles of different agencies within the law enforcement community — the FBI and the DOJ.”

He then turned to an unrelated subject — mental health, particularly as it relates to gun crime — ending that topic with a hope he and Lynch could work together.

Then he came back to the respective roles of the FBI and DOJ. “So let me get back to the role of the FBI and the Department of Justice.”

He did so in the context of Hillary’s email scandal. He started by reminding that Hillary had deleted 30,000 emails rather than turning them over to State for FOIA review. Cornyn then raised reports that the government had offered Bryan Pagliano immunity (Chuck Grassley argued elsewhere in the hearing that that should make it easy for Congress to demand his testimony, as the WSJ has also argued). “It’s true, isn’t it, that immunity can’t be granted by the FBI alone, it requires the Department of Justice to approve that immunity.”

Lynch filibustered, talking about different types of immunities, ultimately ceding that lawyers must be involved. She refused to answer a question directly about whether they had approved that grant of immunity. Which is when Cornyn moved onto trying to get the Attorney General to admit that she would have the final decision on whether to charge anyone in the email scandal.

Cornyn: Let me give you a hypothetical. If the FBI were to make a referral to the Department of Justice to pursue a case by way of an indictment and to convene a grand jury for that purpose, the Department of Justice is not required to do so by law, are they?

Lynch: It would not be an operation of law, it would be an operation of our procedures, which is we work closely with our law enforcement partners–

Cornyn: Prosecutorial discretion–

Lynch: –it would also be consulting with the Agents on all relevant factors of the investigation, and coming to a conclusion.

Cornyn: But you would have to make the decision, or someone else working under you in the Department of Justice?

Lynch: It’s done in conjunction with the Agents. It’s not something that we would want to cut them out of the process. That has not been an effective way of prosecuting in my experience.

Cornyn: Yeah, I’m not suggesting that you would cut them out. I’m just saying, as you said earlier, you and the FBI would do that together, correct? Just like the Apple case?

Lynch: We handle matters together of all types.

Cornyn: If the FBI were to make a referral to the Department of Justice to pursue criminal charges against Mr. Pagliano or anyone else who may have been involved in this affair, does the ultimate decision whether to proceed to court, to ask for the convening of a grand jury, and to seek an indictment, does that rest with you, or someone who works for you at the Department of Justice?

Lynch: So Senator with respect to Mr. Pagliani [sic] or anyone who has been identified as a potential witness in any case, I’m not able to comment on the specifics of that matter and so I’m not able to provide you–

Cornyn: I’m not asking you to comment on the specifics of the matter, I’m asking about what the standard operating procedure is, and it seems pretty straightforward. The FBI does a criminal investigation, but then refers the charges to the Department of Justice, including US Attorneys, perhaps in more celebrated cases goes higher up the food chain. But my simple question is doesn’t the buck stop with you, in terms of whether to proceed, to seek an indictment, to convene a grand jury, and to prosecute a case referred to you by the FBI?

Lynch: There’s many levels of review, at many stages of the case, and so I would not necessarily be involved in every decision as to every prosecutorial step to make.

Cornyn: It would be you or somebody who works for you, correct?

Lynch: Everyone in the Department of Justice works for me, including the FBI, sir.

Cornyn: I’m confident of that.

Grassley: Senator Schumer.

Schumer: Well done, Attorney General, well done.

I’m not entirely sure what to make of this: whether Cornyn was setting this up for the future, or whether he was trying to lay out Lynch’s responsibility for a decision already made. But given the reports that FBI Agents think someone should be charged (whether because of the evidence or because Hillary is Hillary), it sure felt like Cornyn was trying to pressure Lynch for her role in decisions already discussed. Indeed, I wonder whether Cornyn was responding to direct entreaties from someone at the FBI, possibly quite high up at the FBI, about Lynch’s role in this case.

Whatever he was trying to do, it may lead to some folks in the FBI getting a stern talking to from their boss, Loretta Lynch.

FBI Can’t Have Whistleblower Protection Because It Would Encourage Too Many Complaints

The Department of Justice is undercutting Chuck Grassley’s efforts to provide FBI employees whistleblower protection. That became clear in an exchange (2:42) on Wednesday.

The exchange disclosed two objections DOJ has raised to Grassley’s FBI Whistleblower Protect Act. First, as Attorney General Loretta Lynch revealed, DOJ is worried that permitting FBI Agents to report crimes or waste through their chain of command would risk exposing intelligence programs.

What I would say is that as we work through this issue, please know that, again, any concerns that the Department raises are not out of a disagreement with the point of view of the protection of whistleblowers but again, just making sure that the FBI’s intelligence are also protected at the same time.

I suspect (though am looking for guidance) that the problem may be that the bill permits whistleblowers to go to any member of Congress, rather than just ones on the Intelligence Committees. It’s also possible that DOJ worries whistleblowers will be able to go to someone senior to them, but not read into a given program.

Still, coming from an agency that doesn’t adequately report things like its National Security Letter usage to Congress, which has changed its reporting to the Intelligence Oversight Board so as to exempt more activities, and can’t even count its usage of other intelligence programs, it seems like a tremendous problem that DOJ doesn’t want FBI whistleblowers to have protection because it might expose what FBI is doing on intelligence.

That’s sort of the point!

Especially given Grassley’s other point: apparently, DOJ is opposed to the bill because it will elicit too many complaints.

One of the issues that your department has raised is that allowing FBI employees to report wrong-doing to their chain of command could lead to too many complaints. You know? What’s wrong with too many complaints? … Seems to me you’d invite every wrong doing to get reported to somebody so it could get corrected.

Apparently, DOJ knows there are so many problems FBI employees would like to complain about that things would grind to a halt if they were actually permitted to complain.

This is the FBI! Not only a bureau that has tremendous power over people, but also one with a well-documented history of abuse. It should be the first entity that has whistleblower protection, not the last!

Grassley raised two more points. First, in April 2014, DOJ promised to issue new guidelines on whistleblowing for FBI, clarifying who employees could go to. That hasn’t been done yet.

FBI has, however, created a video about whistleblowing which is, according to what Grassley said, pretty crappy. He’s asking for both those things as well.

On Jim Comey’s Attempts to Force Apple to Change Its Business Model

As he has said repeatedly in Congressional testimony, FBI Director Jim Comey wants to change Apple’s business model.

The former General Counsel for defense contractor Lockheed and hedge fund Bridgewater Associates has never, that I’ve seen, explained what he thought Apple’s business model should be, or how much he wants to change it, or how the FBI Director put himself in charge of dictating what business models were good for America and what weren’t and why we’re even asking that in an age of multinational corporate structures.

It seems there are three possible business models Comey might have in mind for Apple:

  • The AT&T (or Lockheed) model, in which a provider treats federal business as a significant (in Lockheed’s case, the only meaningful) market, and therefore treats federal requests, even national security ones, as a primary market driver; in this case, the Feds are your customer
  • The Google model, in which a provider sees the user’s data as the product, rather than the user herself, and therefore builds all systems so as to capture and use the maximal amount of data
  • A different model, in which Apple can continue to sell what I call a walled garden to customers, still treating customers as the primary market, but with limits on how much of a walled garden it can offer

I raise these models, in part, because I got into a conversation on Twitter about what the value of encryption on handsets really is. The conversation suffered, I think, from presuming that iPhones and Android phones have the same business model, and therefore one could calculate the value of the encryption offered on an iPhone the same way one would calculate the value of encryption on an Android phone. They’re not.

Even aside from the current difference between Google’s business model (the data model at the software level, the licensing model at the handset level) versus Apple’s model, in Apple’s model, the customer is the customer, and she pays a premium for an idyllic walled garden that includes many features she may not use.

I learned this visiting recently with a blind friend of mine, whom I used to read for on research in college, who therefore introduced me to adaptive technologies circa 1990 (which were pretty cutting edge at the time). I asked her what adaptive technologies she currently uses, thinking that as happened with the 90s stuff the same technology might then be rolled out for a wider audience in a slightly different application. She said, the iPhone, the iPhone, and the iPhone. Not only are there a slew of apps available for iPhone that provide adaptive technologies. Not only does the iPhone offer the ability to access recorded versions of the news and the like. But all this comes standard in every iPhone (along with other adaptive technologies that wouldn’t be used by a blind person any more than most sighted ones). All iPhone users pay for those adaptive technologies as part of their walled garden, even though even fewer realize they’re there than they realize their phone has great encryption. But because they pay more for their phone, they’re effectively ensuring those who need adaptive technologies can have them, and on the market leader in handsets. Adaptive technologies, like online security, are part of the idyllic culture offered within Apple’s walled garden.

The notion that you can assign a value to Apple’s encryption, independent of the larger walled garden model, seems mistaken. Encryption is a part of having a walled garden, especially when the whole point of a walled garden is creating a space where it is safe and easy to live online.

Plus, it seems law enforcement in this country is absolutely obtuse that the walled garden does provide law enforcement access in the Cloud, and they ought to be thrilled that the best encryption product in the world entails making metadata — and for users using default settings, as even Syed Rizwan Farook seems to have been — content readily available to both PRISM and (Admiral Rogers made clear) USA Freedom Act. That is, Apple’s walled garden does not preclude law enforcement from patrolling parts of the garden. On the contrary, it happens to ensure that American officials have the easiest ability to do so, within limits that otherwise ensure the security of the walled garden in ways our national security elite have been both unwilling and even less able to do.

But there’s one more big problem with the fanciful notion you can build a business model that doesn’t allow for encryption: Signal is free. The best app for encrypted calls and texts, Signal, is available free of charge, and via open source software (so it could be made available overseas if Jim Comey decided it, too, needed to adopt a different business model). Any attempt to measure the value encryption adds to a handset is limited, because someone can always add their own product on top of it; the marginal value of encryption on a handset would therefore have to be the additional value of default encrypted device storage over what is available for free (note, there is a clear distinction between encrypting data at rest and in motion, but the latter would be more important for anyone conducting nefarious actions with a phone).

Finally, there’s one other huge problem with Comey’s presumption that he should be able to dictate business models.

Even according to this year’s threat assessment, the threat from hacking is still a greater threat to the country than terrorism. Apple’s business model, both by collecting less unnecessary data on users and by aspiring to create a safe walled garden, offers a far safer model to disincentivize attacks (indeed, by making encryption the default, Apple also made iPhone theft and identity theft via device theft far harder). Comey is, effectively, trying to squelch one of the market efforts doing the most to make end users more resilient to hackers.

The only model left that could offer a safer default environment would effectively be an AT&T model pushed to its limits: government ownership of telecoms, what much of the world had before Reagan pushed privatization (and in doing so, presumably made the rest of the world a lot easier for America to spy on). Not only would that devastate one of the brightest spots in America’s economy, but it would represent a pretty alarming move toward explicit total control (from what is tacit control now).

Is that what former Hedgie Jim Comey is really looking to do?

One final point. While I think it is hard to measure marginal value of encryption, the recent kerfuffle over Kindle makes clear that the market does assign value to it. Amazon dropped support for encryption on some of its devices last fall, which became clear as people were no longer able to upgrade. When they complained in response, it became clear they were using Kindles beyond what use Amazon envisioned for them. But by taking away encryption users had already had, Amazon not only made existing devices less usable, but raised real questions about the CIA contractor’s intent. Pretty quickly after the move got widespread attention, Amazon reversed course.

Even with a company as untrustworthy and data hungry as Amazon, removing encryption will elicit immediate distrust. Which apparently is not sustainable from a business perspective.

Husband of San Bernardino Victim Agrees: Farook’s Phone Unlikely to Yield Useful Information

Even before the government obtained an All Writs Act order directing Apple to help back door Syed Rizwan Farook’s phone, it had arranged with a former judge to submit a brief on behalf of the victims of the attack, supporting the government’s demand. Yet not all victims agree. The husband of a woman shot three times in the attack, Salihin Kondoker, has submitted his own letter to the court in support of Apple’s stance. In it, he provides support for a point I was among the first to make: that the phone isn’t going to provide much information about the attack, in large part because it was a work phone Farook would have known was being surveilled.

In my opinion it is unlikely there is any valuable information on this phone. This was a work phone. My wife also had an iPhone issued by the County and she did not use it for any personal communication. San Bernardino is one of the largest Counties in the country. They can track the phone on GPS in case they needed to determine where people were. Second, both the iCloud account and carrier account were controlled by the county so they could track any communications. This was common knowledge among my wife and other employees. Why then would someone store vital contacts related to an attack on a phone they knew the county had access to? They destroyed their personal phones after the attack. And I believe they did that for a reason.

It’s a question no one asked Jim Comey earlier this week when he testified before the House Judiciary Committee.

Curiously, Kondoker (who explains he has attended briefings the FBI has held for victims) alludes to information the FBI is currently ignoring.

In the weeks and months since the attack I have been to the FBI briefings that were held for victims and their families. I have joined others in asking many questions about how this happened and why we don’t have more answers. I too have been frustrated there isn’t more information. But I don’t believe that a company is the reason for this.

[snip]

In the wake of this terrible attack, I believe strongly we need stronger gun laws. It was guns that killed innocent people, not technology. I also believe the FBI had and still has access to a lot of information which they have ignored and I’m very disappointed in the way they’ve handled this investigation.

I’m really curious what that is — and why Jim Comey, who promises he would never ignore a lead, isn’t ensuring it gets chased down?

James Orenstein’s Order Sets Up Congressional Hearing

As Rayne noted this morning, yesterday James Orenstein released his order stating that the government can’t use the All Writs Act to force Apple to unlock the phone of a meth dealer, Jun Feng, who has already pled guilty. My favorite part of the order comes in the middle where he argues that those who passed the All Writs Act in 1789 were substantially the same people who wrote the Constitution guaranteeing Congress the right to legislate. He argued it would be unlikely that those same men would so quickly hand off that authority to the courts.

It is wholly implausible to suppose that with so many of the newly-adopted Constitution’s drafters and ratifiers in the legislature, the First Congress would so thoroughly trample on that document’s very first substantive mandate: “All legislative Powers herein granted shall be vested in a Congress of the United States[.]” U.S. Const. Art. I, § 1. And yet that is precisely the reading the government proposes when it insists that a court may empower the executive to exercise power that the legislature has considered yet declined to allow.

I’m sad that that argument, which is probably the first in a series of court rulings that will end up at SCOTUS, won’t have Scalia there to enjoy it.

Ultimately, though, Orenstein makes the very same argument he made back in October when he asked Apple to weigh in on this issue, updated with the point that I made — the same day the government asked for this order Jim Comey told Congress they don’t need legislation to get the same result.

It is also clear that the government has made the considered decision that it is better off securing such crypto-legislative authority from the courts (in proceedings that had always been, at the time it filed the instant Application, shielded from public scrutiny) rather than taking the chance that open legislative debate might produce a result less to its liking. Indeed, on the very same day that the government filed the ex parte Application in this case (as well as a similar application in the Southern District of New York, see DE 27 at 2), it made a public announcement that after months of discussion about the need to update CALEA to provide the kind of authority it seeks here, it would not seek such legislation. See James B. Comey, “Statement Before the Senate Committee on Homeland Security and Governmental Affairs,” (Oct. 8, 2015), https://www.fbi.gov/news/testimony/threats-to-the-homeland (“The United States government is actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors’ use of their encrypted products and services. However, the administration is not seeking legislation at this time.”).

Whether because it knew it would lose (and had lost), or because it wanted to pretend it respected encryption when in fact it did not, the Obama Administration adopted a strategy by which it told Congress it didn’t need new legislation, all while asking the courts to rewrite CALEA in secret.

Whether accidentally or not (I suspect it is no accident), Orenstein’s order comes at a particularly useful time, hours before the House Judiciary Committee will have what will be one of the more important hearings on this debate, featuring Jim Comey first, and then NY District Attorney Cy Vance, Apple’s General Counsel Bruce Sewell, and rock star academic Susan Landau. It is likely to be the one hearing to which Apple will willingly provide a witness, and the committee is made up of a mix of former US Attorneys, shills for law enforcement, but also defenders of privacy and online security.

In his testimony for the hearing, Sewell said much the same thing Orenstein did:

The American people deserve an honest conversation around the important questions stemming from the FBI’s current demand:

Do we want to put a limit on the technology that protects our data, and therefore our privacy and our safety, in the face of increasingly sophisticated cyber attacks? Should the FBI be allowed to stop Apple, or any company, from offering the American people the safest and most secure product it can make?

Should the FBI have the right to compel a company to produce a product it doesn’t already make, to the FBI’s exact specifications and for the FBI’s use?

We believe that each of these questions deserves a healthy discussion, and any decision should be made after a thoughtful and honest consideration of the facts.

Most importantly, the decisions should be made by you and your colleagues as representatives of the people, rather than through a warrant request based on a 220-year-old statute.

For years, the government has stopped short of demanding legislation, presumably because they knew they wouldn’t get what they wanted. They’re finally being called on it.

Why Did Apple “Object” to All Pending All Writs Orders on December 9?

As I noted the other day, a document unsealed last week revealed that DOJ has been asking for similar such orders in other jurisdictions: two in Cincinnati, four in Chicago, two in Manhattan, one in Northern California (covering three phones), another one in Brooklyn (covering two phones), one in San Diego, and one in Boston.

According to Apple, it objected to at least five of these orders (covering eight phones) all on the same day: December 9 (note, FBI applied for two AWAs on October 8, the day in which Comey suggested the Administration didn’t need legislation, the other one being the Brooklyn docket in which this list was produced).


The government disputes this timeline.

In its letter, Apple stated that it had “objected” to some of the orders. That is misleading. Apple did not file objections to any of the orders, seek an opportunity to be heard from the court, or otherwise seek judicial relief. The orders therefore remain in force and are not currently subject to litigation.

Whatever objection Apple made was — according to the government, anyway — made outside of the legal process.

But Apple maintains that it objected to everything already in the system on one day, December 9.

Why December 9? Why object — in whatever form they did object — all on the same day, effectively closing off cooperation under AWAs in all circumstances?

There are two possibilities I can think of, though they are both just guesses. The first is that Apple got an order, probably in an unrelated case or circumstance, in a surveillance context that raised the stakes of any cooperation on individual phones in a criminal context. I’ll review this at more length in a later post, but for now, recall that on a number of occasions, the FISA Court has taken notice of something magistrates or other Title III courts have done. For location data, FISC has adopted the standard of the highest common denominator, meaning it has adopted the warrant standard for location even though not all states or federal districts have done so. So the decisions that James Orenstein in Brooklyn and Sheri Pym in Riverside make may limit what FISC can do. It’s possible that Apple got a FISA request that raised the stakes on the magistrate requests we know about. By objecting across the board — and thereby objecting to requests pertaining to iOS 8 phones — Apple raised the odds that a magistrate ruling might help them out at FISA. And if there’s one lawyer in the country who probably knows that, it’s Apple lawyer Marc Zwillinger.

Aside from the obvious reasons to wonder whether Apple got some kind of FISA request, in his interview with ABC the other day, Tim Cook described “other parts of government” asking for more and more cases (though that might refer to state and city governments asking, rather than FBI in a FISA context).

The software key — and of course, with other parts of the government asking for more and more cases and more and more cases, that software would stay living. And it would be turning the crank.

The other possibility is that by December 9, Apple had figured out that — a full day after Apple had started to help FBI access information related to the San Bernardino investigation, on December 6 — FBI took a step (changing Farook’s iCloud password) that would make it a lot harder to access the content on the phone without Apple’s help. Indeed, I’m particularly interested in what advice Apple gave the FBI in the November 16 case (involving two iOS 8 phones), given that it’s possible Apple was successfully recommending FBI pursue alternatives in that case which FBI then foreclosed in the San Bernardino case. In other words, it’s possible Apple recognized by December 9 that FBI was going to use the event of a terrorist attack to force Apple to back door its products, after which Apple started making a stronger legal stand than they might otherwise have done pursuant to secret discussions.

That action — FBI asking San Bernardino to change the password — is something Tim Cook mentioned several times in his interview with ABC the other night, at length here:

We gave significant advice to them, as a matter of fact one of the things that we suggested was “take the phone to a network that it would be familiar with, which is generally the home. Plug it in. Power it on. Leave it overnight–so that it would back-up, so that you’d have a current back-up. … You can think of it as making of making a picture of almost everything on the phone, not everything, but almost everything.

Did they do that?

Unfortunately, in the days, the early days of the investigation, an FBI–FBI directed the county to reset the iCloud password. When that is done, the phone will no longer back up to the Cloud. And so I wish they would have contacted us earlier so that that would not have been the case.

How crucial was that missed opportunity?

Assuming the cloud backup was still on — and there’s no reason to believe that it wasn’t — then it is very crucial.

And it’s something they harped on in their motion yesterday.

Unfortunately, the FBI, without consulting Apple or reviewing its public guidance regarding iOS, changed the iCloud password associated with one of the attacker’s accounts, foreclosing the possibility of the phone initiating an automatic iCloud back-up of its data to a known Wi-Fi network, see Hanna Decl. Ex. X [Apple Inc., iCloud: Back up your iOS device to iCloud], which could have obviated the need to unlock the phone and thus for the extraordinary order the government now seeks.21 Had the FBI consulted Apple first, this litigation may not have been necessary.

Plus, consider the oddness around this iCloud information. FBI would have gotten the most recent backup (dating to October 19) directly off Farook’s iCloud account on December 6.

But 47 days later, on January 22, they obtained a warrant for that same information. While they might get earlier backups, they would have received substantially the same information they had accessed directly back in December, all as they were preparing to go after Apple to back door their product. It’s not clear why they would do this, especially since there’s little likelihood of this information being submitted at trial (and therefore requiring a parallel constructed certified Apple copy for evidentiary purposes).

There’s one last detail of note. Cook also suggested in that interview that things would have worked out differently — Apple might not have made the big principled stand they are making — if FBI had never gone public.

I can’t talk about the tactics of the FBI, they’ve chosen to do what they’ve done, they’ve chosen to do this out in public, for whatever reasons that they have. What we think at this point, given it is out in the public, is that we need to stand tall and stand tall on principle. Our job is to protect our customers.

Again, that suggests they might have taken a different tack with all the other AWA orders if they only could have done it quietly (which also suggests FBI is taking this approach to make it easier for other jurisdictions to get Apple content). But why would they have decided on December 9 that this thing was going to go public?

Update: This language, from the Motion to Compel, may explain why they both accessed the iCloud and obtained a warrant.

The FBI has been able to obtain several iCloud backups for the SUBJECT DEVICE, and executed a warrant to obtain all saved iCloud data associated with the SUBJECT DEVICE. Evidence in the iCloud account indicates that Farook was in communication with victims who were later killed during the shootings perpetrated by Farook on December 2, 2015, and toll records show that Farook communicated with Malik using the SUBJECT DEVICE. (17)

This passage suggests it obtained both “iCloud backups” and “all saved iCloud data,” which are actually the same thing (but would describe the two different ways the FBI obtained this information). Then, without noting a source, it says that “evidence in the iCloud account” shows Farook was communicating with his victims and “toll records” show he communicated with Malik. Remember too that the FBI got subscriber information from a bunch of accounts using (vaguely defined) “legal process,” which could include things like USA Freedom Act.

The “evidence in the iCloud account” would presumably be iMessages or FaceTime. But the “toll records” could be too, given that Apple would have those (and could have turned them over in the earlier “legal process” step). That is, FBI may have done this to obscure what it can get at each stage (and, possibly, what kinds of other “legal process” it now serves on Apple).


October 8: Comey testifies that the government is not seeking legislation; FBI submits requests for two All Writs Act orders, one in Brooklyn, one in Manhattan; in the former case, Magistrate Judge James Orenstein invites Apple response

October 30: FBI obtains another AWA in Manhattan

November 16: FBI obtains another AWA in Brooklyn pertaining to two phones, both running iOS 8

November 18: FBI obtains AWA in Chicago

December 2: Syed Rizwan Farook and his wife kill 14 of Farook’s colleagues at a holiday party

December 3: FBI seizes Farook’s iPhone from Lexus sitting in their garage

December 4: FBI obtains AWA in Northern California covering 3 phones, one running iOS 8 or higher

December 5, 2:46 AM: FBI first asks Apple for help, beginning period during which Apple provided 24/7 assistance to investigation from 3 staffers; FBI initially submits “legal process” for information regarding customer or subscriber name for three names and nine specific accounts; Apple responds same day

December 6: FBI works with San Bernardino county to reset iCloud password for Farook’s account; FBI submits warrant to Apple for account information, emails, and messages pertaining to three accounts; Apple responds same day

December 9: Apple “objects” to the pending AWA orders

December 10: Intelligence Community briefs Intelligence Committee members and does not affirmatively indicate any encryption is thwarting investigation

December 16: FBI submits “legal process” for customer or subscriber information regarding one name and seven specific accounts; Apple responds same day

January 22: FBI submits warrant for iCloud data pertaining to Farook’s work phone

January 29: FBI obtains extension on warrant for content for phone

February 14: US Attorney contacts Stephen Larson asking him to file brief representing victims in support of AWA request

February 16: After first alerting the press it will happen, FBI obtains AWA for Farook’s phone and only then informs Apple

Why Isn’t Jim Comey Crusading against This Tool Used to Hide Terrorist Secrets?

Several times over the course of Jim Comey’s crusade against strong encryption, I have noted that, if Comey wants to eliminate the tools “bad guys” use to commit crimes, you might as well eliminate the corporation. After all, the corporate structure helped a bunch of banksters do trillions of dollars of damage to the US economy and effectively steal the homes from millions with near-impunity.

It’d be crazy to eliminate the corporation because it’s a tool “bad guys” sometimes use, but that’s the kind of crazy we see in the encryption debate.

Yesterday, Ron Wyden pointed to a more narrow example of the way “bad guys” abuse corporate structures to — among other things — commit terrorism: the shell corporation.

In a letter to Treasury Secretary Jack Lew, he laid out several cases where American shell companies had been used to launder money for crime — including terrorism, broadly defined.


He then asked for answers about several issues. Summarizing:

  • The White House IRS-registration for beneficial information on corporations probably won’t work. Does Treasury have a better plan? Would the Senate and House proposals to have states or Treasury create such a registry provide the ability to track who really owns a corporation?
  • FinCEN has proposed a rule that would not only be easily evaded, but might weaken the existing FATCA standard. Has anyone reviewed this?
  • Does FinCEN actually think its rule would identify the natural person behind shell companies?
  • Would requiring financial institutions to report balances held by foreigners help information sharing?

They’re good questions but point, generally, to something more telling. We’re not doing what we need to do to prevent our own financial system from being used as a tool for terrorism. Unlike encryption, shell companies don’t have many real benefits to society. And it sounds like Treasury is making the problem worse, not better.

Of course, the really powerful crooks have reasons to want to retain the status quo. And so FBI Director Jim Comey has launched no crusade about this much more obvious tool of crime.

FBI Waited 50 Days before Asking for Syed Rizwan Farook’s iCloud Data

Apple’s motion to vacate the All Writs Act order requiring it to help FBI brute force Syed Rizwan Farook’s iPhone is a stupendous document worthy of the legal superstars who wrote it. To my mind, however, the most damning piece comes not from the lawyers who wrote the brief, but in a declaration from another lawyer: Lisa Olle, Apple’s Manager of Global Privacy and Law, which makes up the last 3 pages of the filing.

Olle provides an interesting timeline of FBI’s requests from Apple, some of which I’ll return to. The most damning details, however, are these.

First, FBI initially contacted Apple in the middle of the night on December 5.

That means FBI first contacted Apple the day before FBI (according to their own statement) asked San Bernardino County to reset Farook’s Apple password — a move that, FBI stated in the filing, would have made the AWA demand on Apple unnecessary.

Unfortunately, the FBI, without consulting Apple or reviewing its public guidance regarding iOS, changed the iCloud password associated with one of the attacker’s accounts, foreclosing the possibility of the phone initiating an automatic iCloud back-up of its data to a known Wi-Fi network, see Hanna Decl. Ex. X [Apple Inc., iCloud: Back up your iOS device to iCloud], which could have obviated the need to unlock the phone and thus for the extraordinary order the government now seeks.21 Had the FBI consulted Apple first, this litigation may not have been necessary.

In other words, Apple was fully engaged in this case, and yet FBI still didn’t ask their advice before taking action that eliminated the easiest solution to get this information.

And then they waited, and waited, and waited.


FBI waited 50 days from the time they seized the phone on December 3 until they asked Apple for the iCloud information on January 22 (they had to renew the warrant on the phone itself on January 29).

50 days.

And yet the FBI wants us to believe they think this phone will have important information about the attack.