By Brian Taylor
It seems like every time there is a major tragedy in American history, several prevailing thoughts permeate the public psyche. There is a visceral need for vengeance, a desire to determine what brought about the tragedy, and ultimately the resolution that we should never let events like this happen again.
It happened after Pearl Harbor, after the Kennedy assassination, after the Apollo 1 disaster, and again in the aftermath of the September 11 terrorist attacks in New York and Washington. The discussion around how far we’re willing to go to find out why, and to prevent another incident, has brought our rights to the forefront many times. Sometimes we as a public are willing to sacrifice those rights in the name of safety; sometimes we allow things to go too far.
During the investigation of the San Bernardino attack, a new challenge to our constitutional rights was launched by the FBI, which is trying to convince Apple to create a mechanism to unlock or decrypt data stored on an encrypted iPhone. In doing so they are attempting to open a Pandora’s Box that could never ever be closed again. Apple, to this point, has declined to comply with the government request, and I would like to explain why I, for the first time in a long time, can say that I stand with Apple.
First I’d like to explain a bit about what encryption is, how it works and why this is important to you. At a very general level you can think of encryption as a way of securing your files by scrambling them and making it extremely difficult to figure out how to unscramble them. This works by generating a set of “keys” with which to lock and unlock your data. These keys are extremely large semiprime numbers (the product of two large prime numbers) that cannot be derived from the data that is encrypted. The strength of the encryption is related to just how long the resulting number is.
According to the iOS security guide, the keys are 256 bits in length and the master keys are generated based on the unique identifier (UID) and group identifier (GID). These keys are used for different purposes; for encryption, the UID is the primary key responsible, and it is physically burned into the encryption engine of the processor on your Apple device. This device-specific and unique code is used along with a hardware random number generator to generate the keys needed to decrypt data as it is stored on the device.
To enhance this security even further, every individual file is encrypted with its own unique key, and this unique key is stored in a separately encrypted section of the iPhone which cannot be unlocked without both the hardware key and a key generated from the same encryption process but also using the user’s password as part of the scrambling process.
Without encryption, it is beyond trivial to retrieve data from a device. You do not require a password, or any major hardware investment, to retrieve unencrypted data from a computer device. Even if the device has a password, you can remove the storage from it, place that storage into another device and then read the unencrypted data. Think of it as the difference between keeping your data in a locked filing cabinet versus keeping your data in a blast-proof safe. The locked filing cabinet can be bypassed much more easily than the safe.
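A simplified model of the key hierarchy described above, added here as an illustration (it is not Apple's code and not taken from the iOS security guide): a per-file key is sealed under a key derived from both a device UID and the passcode, so moving the storage to another device or guessing the wrong passcode fails to unlock it. The function names, the PBKDF2 derivation and the HMAC-based sealing are assumptions standing in for the hardware key derivation and key wrapping a real device performs.

```python
import hashlib
import hmac
import secrets

def derive_wrapping_key(device_uid: bytes, passcode: str) -> bytes:
    """Tangle the passcode with the device-unique UID (used here as the salt)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid, 10_000)

def _mac(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 with a domain-separation label."""
    return hmac.new(key, label + data, hashlib.sha256).digest()

def wrap_file_key(wrapping_key: bytes, file_key: bytes) -> bytes:
    """Seal a 32-byte per-file key and append an integrity tag."""
    nonce = secrets.token_bytes(16)
    pad = _mac(wrapping_key, b"enc", nonce)  # one-block keystream for 32 bytes
    sealed = bytes(a ^ b for a, b in zip(file_key, pad))
    return nonce + sealed + _mac(wrapping_key, b"mac", nonce + sealed)

def unwrap_file_key(wrapping_key: bytes, blob: bytes):
    """Return the per-file key, or None if the wrapping key is wrong."""
    nonce, sealed, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _mac(wrapping_key, b"mac", nonce + sealed)):
        return None
    pad = _mac(wrapping_key, b"enc", nonce)
    return bytes(a ^ b for a, b in zip(sealed, pad))

def demo() -> dict:
    """Report, for three scenarios, whether the per-file key was recovered."""
    # Constructed sample values: two devices with different burned-in UIDs.
    uid_phone, uid_other = secrets.token_bytes(32), secrets.token_bytes(32)
    file_key = secrets.token_bytes(32)
    blob = wrap_file_key(derive_wrapping_key(uid_phone, "4821"), file_key)

    def unlocked(uid: bytes, passcode: str) -> bool:
        return unwrap_file_key(derive_wrapping_key(uid, passcode), blob) == file_key

    return {
        "same device, right passcode": unlocked(uid_phone, "4821"),
        "same device, wrong passcode": unlocked(uid_phone, "0000"),
        "storage moved to other device": unlocked(uid_other, "4821"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: unlocked={ok}")
```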
Encryption allows you to protect your data from loss, theft or, in this case, interception by a third party by making it extremely difficult to access the underlying data. According to the EE Times, a trade publication for electrical engineers and computer scientists, there are trillions of trillions (1.1 * 10^77 to be precise) of possible combinations for this lock, and it would take billions and billions (3.31 * 10^56) of years to try every single possible combination in order to brute force the data protected by a single key. This estimate is actually extremely generous when you take into account the assumptions they are making about how many keys you can test in a single second.
The problem the FBI is running into in this case is that they are not able to decrypt the area of the phone that contains the list of keys used to decrypt the files. There are additional measures in place on the CPU that lock out decryption if too many attempts to brute force the key are made. They are asking that Apple create a specialized version of its operating system that will bypass the encryption on this store and allow them to access the decryption keys for all of the underlying data on this particular device.
While it may seem cut and dried in the case of the San Bernardino shooting that we should clearly force Apple to decrypt the data, the issue is that this is not a one-off process. In an open letter to the community Apple CEO Tim Cook stated, “The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”
In other words, once Apple creates a way to bypass the encryption in place here, there would be no way to undo the knowledge that such a bypass is possible. Even if Apple does not (and they would not) release the modified iOS to the general public, and even if the FBI keeps to its word and only uses this modified software in this one-off case, the fact that it is even possible to bypass these features would lead to a concentrated effort to replicate the flaw in the security.
There is also legal precedent that states that the 5th Amendment protects you from being compelled to decrypt your data, but that this protection does not extend to unencrypted data being stored on a password-protected device. This precedent came out of the United States Court of Appeals for the Eleventh Circuit in Northern Florida in the ruling of United States of America vs John Doe, where the court ruled that an unnamed Florida man had his 5th Amendment rights violated when he was imprisoned for refusing to decrypt data that was stored on several electronic devices.
In a press release, the Electronic Frontier Foundation (EFF), a legal aid group focused on civil rights in the digital age that helped represent the unnamed man, discussed the implications of the ruling. “The government’s attempt to force this man to decrypt his data put him in the Catch-22 the 5th Amendment was designed to prevent – having to choose between self-incrimination or risking contempt of court,” noted EFF Senior Staff Attorney Marcia Hofmann in the press release.
This may all be moot: the data on the phone may never be recoverable, since it’s an extremely difficult process to decrypt data by brute force, and all the documentation that Apple has provided on its phone security says that it is not possible. Unless there is already an undisclosed backdoor into this encryption method, there is no realistic way to just disable the encryption and magically decrypt the underlying data.
We live in a time where there is unprecedented oversight over our digital lives, a time when our rights to privacy and to not self-incriminate are constantly weighed against the desire of society to prevent tragedy and suffering. While I believe that it is important to protect society, I do not believe that it is important enough that we should turn over the keys to our digital castle and open a door that can never be closed again. This is why I applaud Tim Cook, Apple and the Electronic Frontier Foundation for their efforts to ensure that our freedoms and rights are preserved as we move forward into the digital age.