Today, after weeks of making its arguments in posts on its website and comments to the press, Apple presented its case for maintaining the strength of its encryption to an audience that may ultimately have the final say: Congress. But as the five-hour-long hearing made clear, much of Congress has some homework to do before it understands a key technical detail Apple keeps repeating—that helping the FBI unlock this iPhone will likely set a dangerous precedent for everyone’s cybersecurity.

In a hearing on the Hill, Apple’s general counsel Bruce Sewell, reading his opening statements off of an iPad Pro, argued many of the same points the company has made since its fight over a San Bernardino terrorist’s iPhone first began. The FBI wants Apple to write software that would help the FBI circumvent that iPhone’s security measures. Apple has countered that doing so would not only weaken the security of all of its products, but set a troubling precedent for the tech industry at large.

“Building that software tool would not affect just one iPhone,” Sewell said in his opening remarks. “It would weaken the security for all of them.”

Perhaps surprisingly, FBI Director James Comey, who himself gave three hours of testimony before the committee, agreed, at least in part. “Sure, potentially,” Comey said, when asked by Rep. Bob Goodlatte of Virginia whether this request would set a precedent for others in the future, from the FBI or another agency. “Any decision of a court about a matter is potentially useful to other courts.”

That’s a change of tack for the FBI, which had previously attempted to center the argument around “just one phone.” In general, Comey struck a reconciliatory tone, insisting that neither Apple nor the FBI was at fault. “There are no demons in this debate,” said Comey. “The companies are not evil. The government’s not evil. You have a whole lot of good people who see the world through different lenses, who all care about the same things. The companies care about public safety; the FBI cares about innovation and privacy.”

That dichotomy between safety and privacy—here inverted, in an attempt to show a common goal—is one that Comey has stressed repeatedly throughout this process. It’s one that was quickly shot down, though, both by more technologically competent members of the committee and by expert witness Susan Landau, a professor and former Google privacy analyst who co-authored a landmark paper on backdoors and security titled “Keys Under Doormats.”

“The tension isn’t between privacy versus security,” said Landau. “It’s about security versus security.”

Landau further made the point that the problem of precedent isn’t just that law enforcement may someday overreach. If this sort of request becomes commonplace, she said, it will inherently weaken Apple’s ability to protect all of its customers. “What happens is you develop a routine, and then it becomes a process that’s easy to subvert,” either by organized crime or a malicious nation-state.

Those risks seem heightened by Comey’s suggestion, throughout the hearings, that Apple is responsible for the safety of the code it creates. “I have a lot of faith in the company’s ability to secure their information,” Comey said, citing iCloud as an example of something Apple is able to secure, apparently forgetting his own agency’s current investigation into an iCloud breach that allowed for the wide release of images of several nude celebrities.

Comey did acknowledge one misstep on the part of government investigators. “As I understand from the experts, there was a mistake made in that 24 hours after the attack where the [San Bernardino] county, at the FBI’s request, took steps that made it hard—impossible—later to cause the phone to back up again to the iCloud,” he said. Had that not happened, Apple likely would have been able to recover the sought-after information, obviating the need for any legal action to begin with.

For his part, Sewell stressed the importance of encryption overall, but also repeated the point the company made in a brief filed last week: that the courts should not be involved in this decision in the first place.

“The decisions [around encryption] should be made by you and your colleagues as representatives of the people, rather than through warrant request based on a 220-year-old statute,” he said to the members of the House Judiciary Committee. The statute he refers to, the All Writs Act of 1789, makes up much of the FBI’s legal argument. In a separate, but similar, iPhone unlocking case, this same argument was denied by a New York State judge on Monday.

Given that Apple’s position imparts more power to Congress, it’s perhaps not entirely surprising that the committee appears, to varying degrees, to support Apple. Rep. John Conyers was particularly outspoken, declaring the issue a matter wholly for Congress, and going so far as to imply that the FBI strategically picked the San Bernardino tragedy as the time to take a stand.

“I would be deeply disappointed if it turns out that the government is found to be exploiting a national tragedy to pursue a change in the law,” Conyers said.

Much of the hearing was devoted to Congress asking technical questions of Comey that he could not answer, or, at the other end of the spectrum, questions of Sewell and Landau that betrayed the lawmakers’ tenuous grasp of the technological issues at hand.

Representative Darrell Issa, who has a professional background in security devices and has been an outspoken critic of the FBI, suggested a novel way to get information off of the iPhone that the agency perhaps hadn’t tried yet, and compared law enforcement’s requests of Apple to asking a paper-shredding company to put the paper back together. On the other end of the spectrum, Rep. Gowdy lamented the creation of “evidence-free zones” that would be created if Apple weren’t compelled to help unlock the iPhone, apparently unaware of the many encrypted apps and devices that are made outside of the United States, and therefore outside of Congress’s legislative purview.

In fact, Landau and Sewell both noted that making iPhones less secure would simply send terrorists and bad actors running toward options that the FBI and Congress had no control over. Compelling Apple to weaken its software would “weaken us, but not impact the bad guys,” said Landau.

“What you’re saying is that we’re debating something that’s undoable,” said Rep. Jerrold Nadler, referring to legislating encryption in any effective way.

“That’s right,” Landau replied.
