Craig Federighi argues against renewed push for law enforcement backdoor to iPhone
Apple's senior VP of software engineering maintained the company's hard line on encryption in response to a story saying the FBI and U.S. Department of Justice are renewing their pursuit of backdoors for searches by law enforcement.

"Proposals that involve giving the keys to customers' device data to anyone but the customer inject new and dangerous weaknesses into product security," Craig Federighi told the New York Times via a statement. "Weakening security makes no sense when you consider that customers rely on our products to keep their personal information safe, run their businesses or even manage vital infrastructure like power grids and transportation systems."
As part of the backdoor push, the FBI and Justice Department have been meeting with security researchers on ways of enabling "extraordinary access" to encrypted devices, Times sources said. As a result, Justice Department officials are reportedly convinced it's possible to enable a backdoor without fatally weakening device security -- the worry of companies like Apple.
The focus of at least some of the meetings has allegedly been on unlocking data on hardware, rather than intercepting encrypted cloud traffic. Specifically, one proposed concept is a special access key that would be generated whenever a device encrypts itself. This key would detour around passcodes, but only be stored locally in a separately encrypted space, much like the Secure Enclave on iPhones and iPads.
The demands of such a system could require a number of people at companies like Apple to have key access, however, which might pose the risk of leaks.
Law enforcement officials have reportedly revived talks in the U.S. executive branch about asking Congress to pass backdoor legislation. In February, the Trump administration is said to have circulated a memo among economic and security agencies, suggesting ways to think about solving the issue.
While Apple regularly provides access to iCloud data when served with legal orders, it has resisted efforts within the U.S. government to gain a backdoor into on-device encryption -- most famously battling the FBI and Justice Department over the iPhone of San Bernardino shooter Syed Rizwan Farook. The government relented, but only when it paid for a third-party workaround.
Apple CEO Tim Cook was recently spotted with Democrat Senator Mark Warner, the vice chairman of the Senate Intelligence Committee. He may have been discussing the possibility of a bipartisan commission that would address digital privacy.

Comments
however, which WILL leak.
That's more like it IMHO. Once one government gets access then the rest of the world will be demanding the same. If it isn't provided then Apple can say goodbye to selling any kit or services in that country from then on.
This isn't a political party decision, it’s the protection of people against a tyrannical government no matter which party is in control. As soon as we the people lose this fight, we no longer have a democracy, we have a dictatorship.
It's becoming pretty darn clear that denying access to those tasked with protecting the citizens of a country isn't going to last. China already demands the encryption keys as does Russia. Apple still finds a way to do business in both despite having to "share". I believe there are calls in the EU too besides in the US which is the topic here. Somehow and fairly soon there's going to be a mandated solution that not everyone will be happy with. The consumer-facing companies using encryption can either partner with lawmakers to arrive at the least damaging solution or risk having one chosen for them. IMO it's going to happen anyway.
The most effective means of protecting private data is to design the system to be impenetrable to the best of your ability. Any deliberate weakness will be discovered and exploited.
Er … that’s a backdoor.
🤦🏾‍♂️
But basically, the China law does NOT require companies hand over encryption keys though it does require technical assistance. More disinformation?
Anyway, no encryption service is allowed within China that cannot be decrypted at the behest of Chinese authorities in order to protect their citizenry. Fact. Apple themselves makes it clear in their legal disclosure to affected Chinese customers that both they AND GCBD (yes specifically called out) have the same access to Chinese users' iCloud data. Fact. I'm sure you read the statement. Wordplay doesn't make it less true.
Same holds true in Russia as Telegram now understands after losing their last-ditch legal effort to avoid it, and they were one of the last, if not the last holdouts. AFAIK Apple still operates secure "encrypted" services there. How can that be?
https://www.dailydot.com/layer8/encryption-backdoor-russia-fsb-bill-passes/
- Foreign intelligence agencies
- Sophisticated criminals
- Run-of-the-mill criminals
If there was a backdoor, targets 1 and 2 would simply adopt 3rd party encryption, if they don't already. That leaves group 3, which would need to be brought down by old-fashioned police work. That takes time, effort and the will to do so.
But the realist in us should understand there's a distinct possibility it's going to happen anyway. I have no doubt at all that even while fighting the good public fight Apple is working behind the scenes with the pertinent law enforcement and legislative folks to come to the best agreement they can on how to accomplish what the legislative folks in dozens of countries are going to mandate anyway.
Apple has given no indication of a willingness to walk away from a profitable market to avoid it, and they are not the only big tech that wouldn't. It's business.
https://www.wsj.com/articles/china-antiterror-law-doesnt-require-encryption-code-handovers-1451270383
https://www.theverge.com/2015/12/27/10670346/china-passes-law-to-access-encrypted-communications
Reading and critical thinking are not your strong suit, are they? Offering technical assistance does not mandate success.
The China security laws you should be looking at are from this past year and details of how it is to be put in place are left to the discretion of the Chinese Government. The specific rules are being made on the fly so to speak rather than being clearly defined in that old 2015 draft you're relying on. What was passed in 2017 is quite vague, and very open-ended with a lot of leeway on how China's leadership uses it.
http://www.cac.gov.cn/2017-05/02/c_1120904567.htm