
A man in Santa Monica, Calif., displays a protest message on his iPhone at a small rally in support of Apple's refusal to help the FBI access the cell phone of a gunman involved in the killings of 14 people in San Bernardino. Lucy Nicholson/Reuters

Even though the U.S. Department of Justice dropped its controversial case on Monday against Apple Inc. over encryption technology, the case may still mark the opening shot in a lengthy war of ideas about digital security.

The remarkable battle started last month when the Federal Bureau of Investigation publicly demanded Apple hand over software to break into a locked iPhone 5c that had been in the possession of accused San Bernardino shooter Syed Rizwan Farook, and ended with the Justice Department telling Apple not to bother because someone else was helping them do the job.

Essentially, the FBI's announcement that a third party had broken into the iPhone – using an unknown method that Apple said it had not invented – was the highest-profile case of a hack being used and then admitted to by the U.S. government.

Andrew Crocker, a staff lawyer with the digital rights group Electronic Frontier Foundation, is demanding the FBI hand over details of the flaw to Apple, citing a 2010 interagency U.S. government policy that is supposed to require the government to help private companies secure systems when security agencies have information about a flaw or vulnerability. The foundation has fought for years to get details of the policy, known as the vulnerabilities equities process, made public, though so far the government has kept large portions of it classified. The FBI has refused to tell Apple how it broke into the phone.

"Everyone involved agrees that it's better to patch vulnerabilities than to not patch them," Mr. Crocker said. "They should really prioritize disclosure. Here we have potentially a vulnerability of a device that's central to protecting lots and lots of data."

Because the FBI and its private contractor can hack potentially every iPhone like the 5c (and older models), the data on tens of millions of Apple devices could be more at risk than ever. Apple now has more than one billion active devices, the vast majority of which are iPhones.

"This case should never have been brought," said a statement released by Apple. "People in the United States and around the world deserve data protection, security and privacy. Sacrificing one for the other only puts people and countries at greater risk. We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated."

But even though the reckoning between state power and cleverly constructed technological systems has been postponed for now, the resolution in the Apple case proves that encryption is not an absolute guarantee of privacy.

That said, in some ways Apple is ahead of its competitors. Only about 6 per cent of Google's Android devices (which account for about 80 per cent of the total smartphone market) offer device encryption, to Apple's almost 95 per cent. BlackBerry, which built its reputation on its ability to encrypt data, sells relatively few smartphone devices these days.

In a moment of pure coincidence, researchers at Johns Hopkins University in Baltimore, Md., announced they had broken into Apple's messaging encryption just days before the FBI's scheduled court showdown on March 22. Apple's end-to-end encryption for text messages is a much-touted feature, something few other companies can match and a property that had been attacked by FBI director James Comey, who warned potential terrorist communications were "going dark." But according to the cryptography researchers at Johns Hopkins, iMessage has been vulnerable to interception – particularly when it comes to shared photos or videos – since it was introduced in 2011.

"Apple for the longest time wouldn't describe how iMessage worked, then it published an iOS security white paper [in 2014]. That description didn't go into a huge amount of detail but it was enough," to point researchers in the right direction, said Ian Miers, a computer science PhD student who worked on the paper, titled "Dancing on the Lip of the Volcano," with Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute.

Mr. Miers compares building encryption systems to working with Lego: Even if the blocks are solid, as they were in Apple's case, "if you put them together in the wrong way, it will break. Crypto is very hard to do correctly. They got something slightly wrong." The team told Apple about the problem in November, 2015. It took Apple until March 21 to release a patch to correct the problem.

As Mr. Miers sees it, more device makers and software companies are going to follow Apple's lead and add encryption; Facebook already added secure encryption to WhatsApp, for instance. Next time, a friendly hacker might not be able to help the FBI out of a crypto-jam.
