ACLU: You can kiss trust in software updates goodbye if Apple's forced to help the FBI
The friend-of-the-court brief set out multiple arguments why Apple should not be forced to assist the Federal Bureau of Investigation (FBI) in brute-forcing the passcode on an iPhone used by Syed Rizwan Farook. Farook and his wife, Tafsheen Malik, killed 14 in San Bernardino, Calif. on Dec. 2, 2015, before they died in a shootout with police. Authorities later labeled it an act of terrorism.
Last month, a federal magistrate ordered Apple to help the FBI gain access to Farook's iPhone by creating a heavily modified version of iOS that would disable several security safeguards, then put the software on the device so authorities can bombard it with passcode guesses. The FBI has repeatedly said it believes there is unique information on Farook's iPhone that will help its investigation.
Apple is fighting that court order. And the ACLU was the first to file an amicus brief supporting the Cupertino, Calif. company in that battle.
"This case is not about a single phone -- it's about the government's authority to turn the tech companies against their users," Alex Abdo, an ACLU staff attorney, said in a Wednesday statement.
In the brief, the ACLU argued constitutional as well as case law, citing the Fifth Amendment, for example, and asserting that the All Writs Act -- a 1789 law that the Department of Justice (DOJ) used to compel Apple's assistance -- does not give the government the authority to force the firm's hand.
"The government seeks to compel an innocent third party into becoming an agent of the state, to conscript a private entity into a criminal investigation, and to require it to develop information for the government that is neither in its possession nor control," the ACLU stated in its brief. "This is a tactic foreign to free democracies."
But while many of the ACLU's arguments had been made by Apple in its motions before the same court, one had not.
"The burden imposed by the government's request extends far beyond Apple itself," the brief said. "If the government's interpretation of the law holds, not only could it force Apple to create the cryptographically signed software it seeks here, but it could force Apple to deliver similar signed software using Apple's automatic-update infrastructure. This would be devastating for cybersecurity, because it would cause individuals to legitimately fear and distrust the software update mechanisms built into their products."
In other words, if users lost their trust in software updates, they wouldn't apply them. Sans updates -- specifically, security updates that patch vulnerabilities -- everyone would be at greater risk from run-of-the-mill cybercriminals eager to hijack PCs, smartphones and tablets to harvest profitable information, from bank account passwords and intellectual property to government secrets and companies' research and development.
"What the government seeks here is an authority that would undermine American and global trust in software security updates, with catastrophic consequences for digital security and privacy," the ACLU said.
The organization has made that claim before.
Earlier this week, Christopher Soghoian, a prominent privacy researcher and activist who currently works for the ACLU as the principal technologist with its Speech, Privacy, and Technology Project, wrote a piece for the Washington Post in which he made the same case about software updates.
"If consumers fear that the software updates they receive from technology companies might secretly contain surveillance software from the FBI, many of them are likely to disable those automatic updates," Soghoian said.
Distrust of software updates waxes and wanes all on its own, particularly when a company's new code earns a reputation for crippling working devices. But the idea that the update process itself could be perverted has long been seen as the Holy Grail by hackers.
In 2012, security researchers discovered that Flame, sophisticated nation-state-grade cyber-espionage malware, had spoofed Microsoft's Windows Update service, and so could trick a PC into accepting a file as an update from Microsoft when in reality it was nothing of the kind.
Flame's creators were able to do that after leveraging a bug in a Microsoft service to generate digital signatures that were "signed" by the Redmond, Wash. company.
At the root of the government's demands on Apple is the fact that no one but Apple can convince a device that an incoming update is legitimate; only updates cryptographically "signed" by Apple are allowed. If the FBI, for instance, had Apple's signing certificate, it could write the software itself and put it on Farook's iPhone.
Because of the seriousness of Flame's ability to masquerade as Windows Update, Microsoft rushed out a fix to customers within days.
Others are expected to file amicus briefs this week, including the Electronic Frontier Foundation and Microsoft on behalf of Apple's position, and law enforcement agencies supporting the government's stance.
The ACLU's brief can be found on its website.