(Originally published on Information Week's Dark Reading)
The startling events over the last few weeks in the San Bernardino shooting case, which has come to be known as "the FBiOS case" in some circles, have left me incredibly conflicted. On the one hand, the surprise filing and discovery of a "capable third party" to unlock the iPhone used by one of the attackers in the San Bernardino shootings can be considered to be a rather ingenious tactic. It allows the FBI to back down from the controversial proceedings without derogation from its main arguments – a move that would maintain the current status quo and prevent the government from further encroaching on digital rights. This would be a
de facto win for privacy advocates and for Apple (at least for now), which, at least instinctively, is a good thing.
Who is the third party?
The fact that the FBI is using the services of an undisclosed third party to assist its efforts in overpowering the encryption ciphers of the San Bernardino shooting suspect's phone should be a troubling concept in its own right. At the very least, this issue raises a lot of questions regarding the compatibility of such assistance with the due process of law and the validity of any evidence obtained during the search. Recent publications in Israel seem to indicate that the FBI is aware of these questions, and is attempting to assuage concerns by enlisting the aid of Israeli digital forensics firm Cellebrite – a firm with a history of working together with law enforcement agencies worldwide. As of this writing, neither party has issued official confirmation of Cellebrite's involvement (nor have they denied it).
As little as we know about who the FBI will be contacting for assistance, we know even less about
how this assistance will be provided. A number of possibilities spring to mind. Computer forensics researcher
Jonathan Zdziarski has suggested, for example, that the phone may be unlocked using a chip cloning technique that would allow investigators to copy all of the information from the phone's memory chip and replicate it as needed. This would allow them to safely attempt to guess the suspect's password without fear of accidentally triggering the defensive mechanisms encoded in the chip and permanently wiping its information.
But another possibility is that some unknown party has approached the FBI with information regarding a previously unknown iOS weakness or exploit.
The disclosure dilemma
Issues of legal forensics and concerns about the validity of the evidence recovered through this potential avenue aside, if this is indeed the case, then law enforcement agencies will be faced with a new and equally difficult dilemma: Do they keep the knowledge about this new weakness or exploit to themselves, or do they relay the information to the manufacturer?
Failing to relay the information may afford these government agencies a continuing route to access this and other iPhones, and moot the entire court proceedings at the expense of the privacy of all users subject to the exploitation of this weakness. The FBI's decision to drop this case altogetherseem to indicate that this is indeed the case. But relaying the information may prompt Apple to fix the weakness, which would prevent future access by the government. This dilemma is difficult enough for technology companies and private individuals to answer; one can only imagine the difficulties a governmental agency, which is subject to more stringent oversight and obligations to operate in good faith, would face in defending its position in open court.
The filing also avoids stating why the pursuit of a capable third party was not attempted before trying to force Apple to open the iOS version through the use of a court order issued under the All Writs Act. On the other hand, we should be more than willing to give the US government credit that they were fully aware of the landmark nature of this case and not fault them for attempting to delineate the limits of the law in their favor.
Regardless of how this case develops, the current developments in these proceedings are apparently only a tactical withdrawal and do not seem to be a strategic shift. In my mind, an eventual challenge to the All Writs Act and its applicability to technology cases is inevitable. The decision to vacate this specific request will cause a delay on a much-needed ruling on the scope of power afforded to American law enforcement agencies. I am of the opinion that the question "Can the government force me to develop software against my will?" needs to be answered sooner rather than later.
Law students are often taught the legal maxim "hard cases make for bad law" in order to explain why the drafting of a new legal norm should be aimed at the most likely scenario instead of the most unusual one. Some judges take this maxim into consideration when applying a novel interpretation of an existing piece of legislation – not unlike the FBI's original request in this specific case. My overall impression of this delay is that the FBI is waiting until a very difficult case presents itself to establish a rule regarding the encryption of cellphones and other personal electronic appliances. You can infer from that what my gut tells me about the potential of the ruling that may emerge. It remains to be seen if the world will be better off for it.