The Justice Department has dropped its legal effort to force Apple to unlock the iPhone used by one of the shooters in the San Bernardino terrorist attack after the government found another way to crack the phone — without the tech giant’s help.
With no legal precedent set in the case, the question of whether law enforcement can indeed compel tech companies to assist in unlocking such devices — and therefore potentially undermine their own security — remains up in the air. And although this particular battle has ended, the encryption debate and the overarching question of privacy vs. security is also far from resolved, experts and Cipher Brief network contributors say.
“Ultimately, it’s the overall idea of how much access government should have to data,” Elaine Lammert, a former Deputy General Counsel with the FBI and a Cipher Brief network contributor said. “And maybe it’s not just how much access, but how can they access it and under what kinds of protection and safeguards?”
Apple had refused to assist with unlocking the iPhone, saying that the FBI’s demand for a code would have created a “backdoor” that could potentially compromise security. But prosecutors on Monday wrote in a brief court filing that “the government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple.”
The device belonged to Syed Rizwan Farook, who along with his wife Tashfeen Malik, carried out the terrorist attack in San Bernardino, California that killed 14 people in December.
Brookings scholar Susan Hennessey told The Cipher Brief that while the government’s filing means the issue has been resolved for this specific phone, “it’s almost certainly not a resolution of the debate over the long-term.”
“Apple has already indicated that it intends to develop systems that make it impossible for Apple itself to provide any kind of technical assistance to the government. And the notion that Apple wouldn’t inadvertently or eventually design a system that the FBI couldn’t breach is relatively unlikely,” she said.
Add to that that the government has not revealed any information about the tool or method used to crack the phone, and there’s little resolution to be found in Monday’s filing. Scott Kessler, co-founder and partner at human intelligence-based cybersecurity services firm Secure Senses Inc, said it would appear this is only a hack for one phone. Encryption resides in the software on the particular phone in question, the iPhone 5c, but in later phones it’s a hardware encryption — which means it’s unlikely that whatever method was used would work for other devices.
“The issue obviously will come up again, with the iPhone 6 and whatever else they come out with,” Kessler, a Cipher Brief network contributor, said. “So I don’t think it really changes the terms of the debate. It’ll happen again.”
Last week, prosecutors announced that an “outside party” had offered a potential way to unlock the iPhone without Apple. No additional information about the identity of the group or the technique user has yet been released, and officials have not said whether they will disclose to Apple how it was done or what vulnerability was exploited. It has been reported that Cellebrite, a third-party, Israel-based cyber security firm, was involved, but this has not been confirmed.
The FBI is “currently reviewing the information on the phone, consistent with standard investigatory procedures,” Department of Justice spokesperson Melanie Newman said in a statement.
One thing this case has done is help break down the “myth of security,” according to Hennessey. “There’s no such thing as a perfectly secure system.”
“Apple has said, you know, a backdoor for the good guys is a backdoor for the bad guys; it would be backdoor for nation states to get into,” Hennessey added. “This I think proves a little bit of the government’s case as well, which is that they’re saying, well, there’s no reason to believe that other governments already don’t have access.”
But the tech community will also offer this situation up as proof that backdoors are unnecessary. The thinking among many in the tech world is that “law enforcement can get the job done through this sort of lawful hacking,” Hennessey said.
Apple, meanwhile, reiterated its stance that the FBI’s demand to build a backdoor into the iPhone was “wrong and would set a dangerous precedent.”
“As a result of the government's dismissal, neither of these occurred. This case should never have been brought,” Apple said in a statement on Monday, adding that “this case raised issues which deserve a national conversation about our civil liberties, and our collective security and privacy. Apple remains committed to participating in that discussion.”
For those in the national security and law enforcement spheres, this case highlights the tension between terrorism and privacy, and what the United States’ response to terrorism should be beyond the realm of cybersecurity.
“That’s also a very worthwhile debate for us to have, about how we respond and how much we roll privacy back and how much of what we did after 9/11 should be a permanent part of our culture and our law — and how much of it shouldn’t be,” Kessler, a former senior operations officer in the CIA’s National Clandestine Service, said.
Mackenzie Weinger is a National Security Reporter at The Cipher Brief.