Craig Federighi argues against renewed push for law enforcement backdoor to iPhone

Posted:
in General Discussion
Apple's senior VP of software engineering maintained the company's hard line on encryption in response to a story saying the FBI and U.S. Department of Justice are renewing their pursuit of backdoors for searches by law enforcement.




"Proposals that involve giving the keys to customers' device data to anyone but the customer inject new and dangerous weaknesses into product security," Craig Federighi told the New York Times via a statement. "Weakening security makes no sense when you consider that customers rely on our products to keep their personal information safe, run their businesses or even manage vital infrastructure like power grids and transportation systems."

As part of the backdoor push, the FBI and Justice Department have been meeting with security researchers on ways of enabling "extraordinary access" to encrypted devices, Times sources said. As a result, Justice Department officials are claimed to be convinced it's possible to enable a backdoor without fatally weakening device security -- the worry of companies like Apple.

The focus of at least some of the meetings has allegedly been on unlocking data on hardware, rather than intercepting encrypted cloud traffic. Specifically, one proposed concept is a special access key that would be generated whenever a device encrypts itself. This key would detour around passcodes, but only be stored locally in a separately encrypted space, much like the Secure Enclave on iPhones and iPads.

The demands of such a system could require a number of people at companies like Apple to have key access, however, which might pose the risk of leaks.

Law enforcement officials have reportedly revived talks in the U.S. executive branch about asking Congress to pass backdoor legislation. In February, the Trump administration is said to have circulated a memo among economic and security agencies, suggesting ways to think about solving the issue.

While Apple regularly provides access to iCloud data when served with legal orders, it has resisted efforts within the U.S. government to gain a backdoor into on-device encryption -- most famously battling the FBI and Justice Department over the iPhone of San Bernardino shooter Syed Rizwan Farook. The government relented, but only when it paid for a third-party workaround.

Apple CEO Tim Cook was recently spotted with Democrat Senator Mark Warner, the vice chairman of the Senate Intelligence Committee. He may have been discussing the possibility of a bipartisan commission that would address digital privacy.
«13

Comments

  • Reply 1 of 42
    SpamSandwichSpamSandwich Posts: 31,486member
    It’s clear Apple must drastically increase its financial influence (aka: lobbying) of the Congresscritters. Both parties are influenced with money. That’s the game and Apple has to pay to play.
    brian green
  • Reply 2 of 42
    however, which might pose the risk of leaks.


    however, which WILL leak.

    That's more like it IMHO. Once one government gets access then the rest of the world will be demanding the same. If it isn't provided then Apple can say goodbye to selling any kit or services in that country from then on.
    bshankjbdragonbrian greengeorgie01watto_cobra
  • Reply 3 of 42
    rob53rob53 Posts: 2,099member
    I think these idiot officials need to go back to school to actually understand what encryption means as well as understanding how easy a backdoor becomes a front door for all systems, including government ones. It’s all or nothing, there’s no middle ground on the implementation of encryption. 

    This isn't a political party decision, it’s the protection of people against a tyrannical government no matter which party is in control. As soon as we the people lose this fight, we no longer have a democracy, we have a dictatorship. 
    propodbshankhorvaticmacxpresstzm41jbdragonStrangeDaysgeorgie01watto_cobrabakedbananas
  • Reply 4 of 42
    gatorguygatorguy Posts: 21,225member
    Perhaps that's the best solution to a bad situation. No backdoors per-se but a dedicated part of the secure enclave that can still be used to access a customer's device in the event of a security emergency or otherwise lawful order. 

    It's becoming pretty darn clear that denying access to those tasked with protecting the citizens of a country isn't going to last. China already demands the encryption keys as does Russia. Apple still finds a way to do business in both despite having to "share". I believe there are calls in the EU too besides in the US which is the topic here. Somehow and fairly soon there's going to be a mandated solution that not everyone will be happy with. The consumer-facing companies using encryption can either partner with lawmakers to arrive at the least damaging solution or risk having one chosen for them. IMO it's going to happen anyway. 
    edited March 2018 watto_cobra
  • Reply 5 of 42
    rogifan_newrogifan_new Posts: 4,212member
    Does his statement apply to China too?
  • Reply 6 of 42
    Rayz2016Rayz2016 Posts: 4,781member
    Does his statement apply to China too?
    Yes it does. 
    watto_cobra
  • Reply 7 of 42
    78Bandit78Bandit Posts: 235member
    Even without an official backdoor the system has already been hacked by GrayKey.  Imagine how trivial it would be for some nefarious organization (like China or North Korea) to find a deliberate backdoor and exploit it.  This would be infinitely more dangerous than what GrayKey has done simply because Apple can change its code to block GrayKey at will.  OTOH, if the official backdoor was hacked Apple would be obligated to redesign the system, provide the official means of implementing it, and get updates out to law enforcement in a timely manner.  Naturally that would give ample opportunity for the backdoor to be hacked again.

    The most effective means of protecting private data is to design the system to be impenetrable to the best of your ability.  Any deliberate weakness will be discovered and exploited.
  • Reply 8 of 42
    Rayz2016Rayz2016 Posts: 4,781member

    gatorguy said:
    Perhaps that's the best solution to a bad situation. No backdoors per-se but a dedicated part of the secure enclave that can still be used to access a customer's device in the event of a security emergency or otherwise lawful order
    Er … that’s a backdoor. 

    🤦🏾‍♂️

    edited March 2018 tmaymike1horvaticsteven n.jbdragonbrian greenStrangeDaysgeorgie01watto_cobrabeowulfschmidt
  • Reply 9 of 42
    Overall, this is a good sign that Apple's security is becoming much harder to crack. I'm glad I asked Steve Jobs for high-grade security that exceeds military-grade before he died.
    horvaticSpamSandwichbrian greenwatto_cobra
  • Reply 10 of 42
    horvatichorvatic Posts: 132member
    Backdoors are for criminals, not security. You cannot keep data safe if you lock the front door and leave the backdoor open. 
    jbdragonbrian greenwatto_cobra
  • Reply 11 of 42
    steven n.steven n. Posts: 1,127member
    gatorguy said:
    Perhaps that's the best solution to a bad situation. No backdoors per-se but a dedicated part of the secure enclave that can still be used to access a customer's device in the event of a security emergency or otherwise lawful order. 

    It's becoming pretty darn clear that denying access to those tasked with protecting the citizens of a country isn't going to last. China already demands the encryption keys as does Russia. Apple still finds a way to do business in both despite having to "share". I believe there are calls in the EU too besides in the US which is the topic here. Somehow and fairly soon there's going to be a mandated solution that not everyone will be happy with. The consumer-facing companies using encryption can either partner with lawmakers to arrive at the least damaging solution or risk having one chosen for them. IMO it's going to happen anyway. 
    So in other words, no on device protection.

    But basically, the China law does NOT require companies hand over encryption keys though it does require technical assistance. More disinformation?
    edited March 2018 jbdragonStrangeDaysRayz2016georgie01baconstangwatto_cobra
  • Reply 12 of 42
    mike54mike54 Posts: 348member
    For those who have Facebook on their phone its no problem, just go and ask Zuckerberg for it all.
    Anyway there already is a back door, just go ask companies or the gov in Israel.
    watto_cobrabakedbananas
  • Reply 13 of 42
    eightzeroeightzero Posts: 2,503member
    A possible outcome here is that if a backdoor access is not built-in, and provided to the US government, large tariffs will be imposed on import of iOS devices.


  • Reply 14 of 42
    linkmanlinkman Posts: 932member
    gatorguy said:
    It's becoming pretty darn clear that denying access to those tasked with protecting the citizens of a country isn't going to last. China already demands the encryption keys as does Russia.
    China's and Russia's citizens have already lost the battles for human rights, freedom of the press, privacy, etc. Should the USA be next?
    jbdragonStrangeDaysbaconstangwatto_cobra
  • Reply 15 of 42
    gatorguygatorguy Posts: 21,225member
    Rayz2016 said:

    gatorguy said:
    Perhaps that's the best solution to a bad situation. No backdoors per-se but a dedicated part of the secure enclave that can still be used to access a customer's device in the event of a security emergency or otherwise lawful order
    Er … that’s a backdoor. 

    🤦🏾‍♂️

    Not if it's an integral part of the hardware requiring both direct access and Apple's assistance. I would call that a side door.
  • Reply 16 of 42
    gatorguygatorguy Posts: 21,225member
    steven n. said:
    gatorguy said:
    Perhaps that's the best solution to a bad situation. No backdoors per-se but a dedicated part of the secure enclave that can still be used to access a customer's device in the event of a security emergency or otherwise lawful order. 

    It's becoming pretty darn clear that denying access to those tasked with protecting the citizens of a country isn't going to last. China already demands the encryption keys as does Russia. Apple still finds a way to do business in both despite having to "share". I believe there are calls in the EU too besides in the US which is the topic here. Somehow and fairly soon there's going to be a mandated solution that not everyone will be happy with. The consumer-facing companies using encryption can either partner with lawmakers to arrive at the least damaging solution or risk having one chosen for them. IMO it's going to happen anyway. 
    So in other words, no on device protection.

    But basically, the China law does NOT require companies hand over encryption keys though it does require technical assistance. More disinformation?
    You didn't read very carefully. The second sentence clearly says it's on-device, as does the AI article. 

    Anyway, no encryption service is allowed within China that cannot be decrypted at the behest of Chinese authorities in order to protect their citizenry. Fact. Apple themselves makes it clear in their legal disclosure to affected Chinese customers that both they AND GCBD (yes specifically called out) have the same access to Chinese users iCloud data. Fact. I'm sure you read the statement. Wordplay doesn't make it less true.

    Same holds true in Russia as Telegram now understands after losing their last-ditch legal effort to avoid it, and they were one of the last, if not the last holdouts. AFAIK Apple still operates secure "encrypted" services there. How can that be?
    https://www.dailydot.com/layer8/encryption-backdoor-russia-fsb-bill-passes/
    edited March 2018
  • Reply 17 of 42
    dkhaleydkhaley Posts: 43member
    The government has a legitimate interest in accessing the data
    1. Foreign intelligence agencies
    2. Sophisticated criminals
    3. Run-of-the-mill criminals
    If there was a backdoor, targets 1 and 2 would simply adopt 3rd party encryption, if they don't already.

    That leaves group 3, which would need to be brought down by old-fashioned police work. That takes time, effort and the will to do so.
    jbdragonRayz2016
  • Reply 18 of 42
    gatorguygatorguy Posts: 21,225member
    linkman said:
    gatorguy said:
    It's becoming pretty darn clear that denying access to those tasked with protecting the citizens of a country isn't going to last. China already demands the encryption keys as does Russia.
    China's and Russia's citizens have already lost the battles for human rights, freedom of the press, privacy, etc. Should the USA be next?
    No they should not be next.

    But the realist in us should understand there's a distinct possibility it's going to happen anyway. I have no doubt at all that even while fighting the good public fight Apple is working behind the scenes with the pertinent law enforcement and legislative folks to come to the best agreement they can on how to accomplish what the legislative folks in dozens of countries are going to mandate anyway.

    Apple has given no indication of a willingness to walk away from a profitable market to avoid it, and they are not the only big tech that wouldn't. It's business.
    edited March 2018
  • Reply 19 of 42
    jwymanmjwymanm Posts: 1unconfirmed, member
    Remember guys. The fight isn't just for a backdoor. It's for a slippery slope effect where hey they gave us this inch, we'll "ask" (read: demand) for the rest of the mile later (in a year or two). The backdoor isn't even the entire problem. The law to require it is. Once you let laws in in one country it opens the floodgates in all countries and eventually it becomes cemented in UN or other guaranteed import/export rules. And then those rules slip and allow even more access to your info and then you get crap like CLOUD act which basically just ruins any privacy. What am I saying anyway.. we're screwed. Laws continue on slipping and no government wants less government of their people.
    jbdragonanton zuykovtallest skil
  • Reply 20 of 42
    steven n.steven n. Posts: 1,127member
    gatorguy said:
    steven n. said:
    gatorguy said:
    Perhaps that's the best solution to a bad situation. No backdoors per-se but a dedicated part of the secure enclave that can still be used to access a customer's device in the event of a security emergency or otherwise lawful order. 

    It's becoming pretty darn clear that denying access to those tasked with protecting the citizens of a country isn't going to last. China already demands the encryption keys as does Russia. Apple still finds a way to do business in both despite having to "share". I believe there are calls in the EU too besides in the US which is the topic here. Somehow and fairly soon there's going to be a mandated solution that not everyone will be happy with. The consumer-facing companies using encryption can either partner with lawmakers to arrive at the least damaging solution or risk having one chosen for them. IMO it's going to happen anyway. 
    So in other words, no on device protection.

    But basically, the China law does NOT require companies hand over encryption keys though it does require technical assistance. More disinformation?
    You didn't read very carefully. The second sentence clearly says it's on-device, as does the AI article. 

    Anyway, no encryption service is allowed within China that cannot be decrypted at the behest of Chinese authorities in order to protect their citizenry. Fact. Apple themselves makes it clear in their legal disclosure to affected Chinese customers that both they AND GCBD (yes specifically called out) have the same access to Chinese users iCloud data. Fact. I'm sure you read the statement. Wordplay doesn't make it less true.

    Same holds true in Russia as Telegram now understands after losing their last-ditch legal effort to avoid it, and they were one of the last, if not the last holdouts. AFAIK Apple still operates secure "encrypted" services there. How can that be?
    https://www.dailydot.com/layer8/encryption-backdoor-russia-fsb-bill-passes/
    You really should do some basic searches before spreading your FUD (maybe you are using a poor search engine like Google showing you only what it thinks you want to see VS an objective search). The proposed China law you are referring to was not the one rubber stamped.

    https://www.wsj.com/articles/china-antiterror-law-doesnt-require-encryption-code-handovers-1451270383
    https://www.theverge.com/2015/12/27/10670346/china-passes-law-to-access-encrypted-communications

    Reading and critical thinking are not your strong suit, are they? Offering technical assistance does not mandate success.
    StrangeDaysjcs2305
Sign In or Register to comment.