How the FBI's Shadowy iPhone Hack is Putting Privacy (and Lives) at Risk
'We have a new danger,' warn digital rights experts, 'a classified bomb held by the FBI and unknown third-party hackers—but not by Apple, the one party capable of defusing it.'
Privacy advocates are warning that if the FBI does not let Apple know how it hacked into the San Bernardino shooter's iPhone, not only would the government be going against its own policy on such matters, it would be putting people's "lives at risk."
On Monday, the FBI backed down from its controversial legal battle to force Apple to develop a backdoor entry into the locked device of Syed Rizwan Farook—instead, breaking into the phone on its own, with the help of Israeli firm Cellebrite.
That box is now breached.
Citing forensics expert Jonathan Zdziarski, two digital rights specialists wrote Tuesday that the creation of an iPhone backdoor is akin to "'a bomb on a leash'; a leash that can be undone, legally or otherwise."
With the emergence of the third-party hack, Julia Powles and Enrique Chaparro say, we now "have a new danger: a classified bomb held by the FBI and unknown third-party hackers—but not by Apple, the one party capable of defusing it."
Federal officials "have declined to specify the procedure used to open the iPhone," the New York Times reports, while at the same time Apple "cannot obtain the device to reverse-engineer the problem, the way it would in other hacking situations."
Fight for the Future, a digital and privacy rights group which helped lead opposition to the FBI case, issued a statement Wednesday arguing that if U.S. officials "really care about public safety, they must disclose the vulnerability they used to Apple to prevent criminals, hackers, and terrorists from exploiting the same security flaw and using it to do harm."
The statement continues:
Encryption protects our hospitals, airports, power plants, and water treatment facilities. Sensitive information about critical infrastructure is stored on phones, computers, and in the cloud. The only thing preventing it from falling into the wrong hands is strong security technology.
...And it goes without saying that hackers, other governments, and those wishing to exploit this security flaw to do harm to the public are already hard at work trying to figure it out. Worse, the FBI has a terrible track record of protecting its own data. Just recently they leaked personal information about more than 20,000 FBI agents. They’re clearly not capable of keeping this exploit from falling into the wrong hands.
At the same time, as Guardian columnist and Freedom of the Press Foundation co-founder Trevor Timm pointed out on Tuesday, the government is continuing to pursue similar, albeit lower-profile, legal fights. According to the American Civil Liberties Union, there are at least 63 similar cases pending across the country.
As Common Dreams previously reported, this case has never been about "one phone," but rather about setting a judicial precedent.
Timm references a Justice Department statement issued Monday, in which the agency stated it will continue to "pursue all available options [to ensure that law enforcement can obtain crucial digital information] including seeking the cooperation of manufacturers and relying upon the creativity of both the public and private sectors."
"'Pursue all available options' they will," Timm writes:
And their efforts will likely make the entire process even less democratic than it already is. Instead of attempting to ask Congress for a bill to ban the implementation of end-to-end encryption, which they probably know is a non-starter given public resistance, they may now be incentivized to take their fight even further into the shadows, using government secrecy to obscure their actions from the public...
Don’t be surprised if the justice department instead attempts to keep future cases sealed from all but Apple’s lawyers, denying the public the right to even know that court battles are going on for as long as possible. Or perhaps they’ll go to the ultra-secret Foreign Intelligence Surveillance court and demand the same thing, where they’re even more likely to be able to argue with no opposing side present and will all but ensure the public won’t find out what happened for years.
Advocates, including the Electronic Frontier Foundation, are pointing to the U.S. government's official policy, known as the Vulnerabilities Equities Process (VEP), for determining when to disclose a security vulnerability—such as the one Cellebrite supposedly just cracked.
"As a panel of experts hand-picked by the White House recognized, any decision to withhold a security vulnerability for intelligence or law enforcement purposes leaves ordinary users at risk from malicious third parties who also may use the vulnerability," the digital rights group stated on Tuesday.
"If the FBI used a vulnerability to get into the iPhone in the San Bernardino case, the VEP must apply," EFF continues, "meaning that there should be a very strong bias in favor of informing Apple of the vulnerability. That would allow Apple to fix the flaw and protect the security of all its users."