When the FBI announced that it had found a way to crack the San Bernardino, California, gunman’s phone — a path forward that wouldn’t require conscripting Apple to produce custom software — the stage seemed set for a thaw. After weeks of rhetorical escalation, Justice Department lawyers began walking back their language, insisting to Judge Sheri Pym that the agency was “not saying anything nefarious about Apple.” Peace seemed possible.
But the Bureau’s next move was troubling. According to The Guardian, officials plan to classify the new method. While there could be a number of rationales — likely the FBI hopes to preserve the vulnerability for future use; maybe it wants to avoid revealing that the approach had already been suggested — the decision is a strategic misstep in any world. For the sake of both cybersecurity and intelligence, the FBI should share the flaw it says it has found.
The cybersecurity argument for sharing the method is clear. If the FBI’s solution is sufficiently powerful (if it’s applicable to a range of iPhone models, including those that run the latest operating system), then many Apple customers are now vulnerable. Counting on any flaw to remain a “nobody but us” advantage is shortsighted. Hackers, spies and crooks will eventually identify the security gap, if they haven’t done so already.
Of course, this sort of argument didn’t move the government in earlier rounds of the same debate; administration officials have an obligation to weigh this risk against other equities, and it’s understandable that cybersecurity will sometimes lose the argument.
For a moment, it at least seemed likely that the vulnerability was narrow — that the FBI’s key wasn’t all that golden. Forensic expert Jonathan Zdziarski sketched a plausible and widely reported answer to the FBI’s problem: copying data off the phone’s chip many times so the agency can try many passcodes, restoring from a duplicate each time the system wipes itself.
As Zdziarski wrote in a blog post: “This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying.” Cryptographer Matthew Green also endorsed the guess in comments to The Christian Science Monitor. Crucially, as both pointed out, that approach would not work on newer versions of the iPhone, a limit that could have reassured both Apple and the customers — American or not — who depend on its security.
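The point both experts were making is that the "save-game" trick only works when the attempt counter is stored in the same image a forensic duplicate captures. The following toy simulation is an added illustration for this column, not code from the original piece, from Apple, or from Zdziarski's post. It assumes a wipe threshold of 10 failed guesses (the real threshold is not stated here) and models two designs: one whose counter is rolled back along with the storage image, and one whose counter lives outside it, as a monotonic value the way a hardware security element would hold it.

```python
import hashlib
import hmac
import secrets

# Constructed model: the lock wipes after this many failed guesses. The real
# threshold on any given phone is not stated in the text; this is an assumption.
MAX_ATTEMPTS = 10


class PasscodeLock:
    """Toy model of a passcode lock that wipes after MAX_ATTEMPTS failures.

    counter_in_flash=True: the attempt counter lives in the same storage image
    that a backup captures, so restoring the backup also rolls the counter back
    (the "save-game" weakness described above).
    counter_in_flash=False: the counter is a separate monotonic value that no
    restore can reach (a model of keeping it in a hardware security element).
    """

    def __init__(self, passcode: str, counter_in_flash: bool):
        self._salt = secrets.token_bytes(16)
        self._digest = self._kdf(passcode)
        self._counter_in_flash = counter_in_flash
        self.flash = {"attempts": 0, "wiped": False}  # the replayable image
        self._monotonic_attempts = 0                  # never part of the image

    def _kdf(self, passcode: str) -> bytes:
        # Slow hash: guessing is rate-limited by computation as well as by the counter.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 1000)

    def backup(self) -> dict:
        """Copy of the storage image, as a forensic duplicate would capture it."""
        return dict(self.flash)

    def restore(self, image: dict) -> None:
        """Write a saved image back over the current storage."""
        self.flash = dict(image)

    def _attempts(self) -> int:
        return self.flash["attempts"] if self._counter_in_flash else self._monotonic_attempts

    def try_passcode(self, guess: str) -> str:
        """Returns "open", "wrong", or "locked" (wiped or attempts exhausted)."""
        if self.flash["wiped"] or self._attempts() >= MAX_ATTEMPTS:
            return "locked"
        if hmac.compare_digest(self._kdf(guess), self._digest):
            return "open"
        if self._counter_in_flash:
            self.flash["attempts"] += 1
        else:
            self._monotonic_attempts += 1
        if self._attempts() >= MAX_ATTEMPTS:
            self.flash["wiped"] = True
        return "wrong"


def rollback_strategy(lock: PasscodeLock, guesses: list) -> tuple:
    """Model the "save-game" approach from the text: take a backup once, try
    guesses, and restore the backup whenever the lock wipes. Returns
    (number of guesses the lock actually evaluated, whether it opened)."""
    image = lock.backup()
    evaluated = 0
    for guess in guesses:
        if lock.flash["wiped"]:
            # Undoes the wipe; undoes the counter only if the counter is in the image.
            lock.restore(image)
        status = lock.try_passcode(guess)
        if status == "locked":
            return evaluated, False  # the counter outlived the restore
        evaluated += 1
        if status == "open":
            return evaluated, True
    return evaluated, False


if __name__ == "__main__":
    candidates = [f"{i:04d}" for i in range(40)]  # constructed guess list
    # Counter inside the replayable image: every candidate gets evaluated.
    print(rollback_strategy(PasscodeLock("0037", counter_in_flash=True), candidates))   # (38, True)
    # Counter outside the image: the lock refuses after MAX_ATTEMPTS, restores or not.
    print(rollback_strategy(PasscodeLock("0037", counter_in_flash=False), candidates))  # (10, False)
```

The design difference is the whole story: a counter that can be rolled back by rewriting storage is only as strong as the storage, whereas a counter that lives outside the replayable image turns the wipe threshold into a hard limit. That is the property newer phones rely on, and it is why the "cheating at Super Mario" analogy stops applying to them.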
But at a recent press conference, FBI Director James Comey seemed to nix that hope, saying, “I’ve heard that a lot. It doesn’t work.” As a result, anxieties have turned toward the possibility that the FBI’s “outside party” has obtained a previously unknown software vulnerability, one with broader reach and intelligence value. In that case, it’s no surprise that officials would be skittish about sharing, afraid they might lose a rare and powerful window into iPhones worldwide.
Such opportunities aren’t easy to come by; Zerodium, a private cybersecurity firm, said recently it had paid out $1 million in a bug bounty for iOS 9. But even in light of that rarity, taking a strategic view of U.S. intelligence needs, disclosure is the right move.
The dispute in San Bernardino sometimes obscured the fact that Apple already aids law enforcement, and it does so routinely. For instance, according to the company’s own transparency reports, Apple shared information on its user accounts with American authorities on hundreds of occasions in the first half of 2015. But because of the extent to which the FBI has antagonized the company, this kind of cooperation is now in jeopardy.
For now, for example, Apple retains the ability to decrypt any data that users back up to its storage service, iCloud. That information can offer a substantial window into a user’s digital life; as the company has repeatedly made clear, it provided this data in the San Bernardino case. But having lost faith in its rapport with Washington, reports suggest that Apple may move to a so-called zero knowledge setup, in which it would be unable to decrypt iCloud data. This would be rough on users who lose the keys to the account, but Apple may, given recent tensions, judge it worth the tradeoff. And this approach would also be, to use a term the Justice Department abused in its legal filings, “warrant-proof.”
This is just one way that Apple could make life harder for the authorities, and Apple is just one of many frustrated firms. Over the long run, Washington won’t win a cryptographic arms race with Silicon Valley — and in many respects shouldn’t want to. The American economy benefits from a strong tech sector, the American government benefits from its thoughtful cooperation, and American citizens benefit from its investments in security. If U.S. officials hope to maintain a decent working relationship with companies like Apple, an olive branch is needed. The ideal peace offering would be a new iPhone vulnerability.
The Bureau should share it now.