Washington: Devoted customers of Apple products these days worry about whether the new iPhone 6 will bend in their jean pockets. The National Security Agency and the nation’s law enforcement agencies have a different concern: that the smartphone is the first of a post-Snowden generation of equipment that will disrupt their investigative capabilities.
The phone encrypts emails, photos and contacts based on a complex mathematical algorithm that uses a code created by, and unique to, the phone’s user — and that Apple says it will not possess.
The result, the company is essentially saying, is that if Apple is sent a court order demanding the contents of an iPhone 6 be provided to intelligence agencies or law enforcement, it will turn over gibberish, along with a note saying that to decode the phone’s emails, contacts and photos, investigators will have to break the code or get the code from the phone’s owner.
Breaking the code, according to an Apple technical guide, could take “more than 5 1/2 years to try all combinations of a six-character alphanumeric passcode with lower case letters and numbers.” (Computer security experts question that figure, because Apple does not fully realise how quickly the NSA supercomputers can crack codes.)
Already the new phone has led to an eruption from the director of the FBI, James B. Comey. At a news conference Thursday devoted largely to combating terror threats from the Islamic State, Comey said, “What concerns me about this is companies marketing something expressly to allow people to hold themselves beyond the law.”
He cited kidnapping cases, in which exploiting the contents of a seized phone could lead to finding a victim, and predicted there would be moments when parents would come to him “with tears in their eyes, look at me and say, ‘What do you mean you can’t’” decode the contents of a phone.
“The notion that someone would market a closet that could never be opened — even if it involves a case involving a child kidnapper and a court order — to me does not make any sense.”
Apple declined to comment. But officials inside the intelligence agencies, while letting the FBI make the public protests, say they fear the company’s move is the first of several new technologies that are clearly designed to defeat not only the NSA, but any court orders to turn over information to intelligence agencies. They liken Apple’s move to the early days of Swiss banking, when secret accounts were set up precisely to allow national laws to be evaded.
“Terrorists will figure this out,” along with savvy criminals and paranoid dictators, one senior official predicted, and keep their data just on the iPhone 6. Another said, “It’s like taking out an ad that says, ‘Here’s how to avoid surveillance — even legal surveillance.’”
The move raises a critical issue, the intelligence officials say: Who decides what kind of data the government can access? Until now, those decisions have largely been a matter for Congress, which passed the Communications Assistance to for Law Enforcement Act in 1994, requiring telecommunications companies to build into their systems an ability to carry out a wiretap order if presented with one. But despite intense debate about whether it should be expanded to cover email and other content, it has not been updated, and it does not cover content contained in a smartphone.
Inside Apple and Google, company executives say the US government brought these changes on itself. The revelations by former NSA contractor Edward J. Snowden not only killed recent efforts to expand the law, it made nations around the world suspicious that every piece of American hardware and software — from phones to servers made by Cisco Systems — have “back doors” for U.S. intelligence agencies and law enforcement.
Surviving in the global marketplace — especially in places like China, Brazil and Germany — depends on convincing consumers that their data is secure.
Timothy D. Cook, Apple’s chief executive, has emphasised that Apple’s core business is to sell devices to people. That distinguishes Apple from companies that make a profit from collecting and selling users’ personal data to advertisers, he has said.
This month, just before releasing the iPhone 6 and iOS 8, Apple took steps to underscore its commitment to customer privacy, publishing a revised privacy policy on its website.
The policy described the encryption method used in iOS 8 as so deep that Apple could no longer comply with government warrants asking for customer information to be extracted from devices.
“Unlike our competitors, Apple cannot bypass your passcode, and therefore cannot access this data,” the company said.
Under the new encryption method, only entering the passcode can decrypt the device. (Hypothetically, Apple could create a tool to hack into the device, but legally the company is not required to do that.)
Jonathan Zdziarski, a security researcher who has taught forensics courses to law enforcement agencies on collecting data from iPhones, said to think of the encryption system as a series of lockers. In the older version of iOS, there was always at least one locker that was unlocked, which Apple could access to grab certain files like photos, call history and notes, in response to a legal warrant.
“Now what they’re saying is, ‘We stopped using that locker,’” Zdziarski said. “We’re using a locker that actually has a combination on it, and if you don’t know the combination, then you can’t get inside. Unless you take a sledgehammer to the locker, there’s no way we get to the files.”
The new security in iOS 8 protects information stored on the device itself, but not data stored on iCloud, Apple’s cloud service. So Apple will still be able to obtain some customer information stored on iCloud in response to government requests.
