In spite of Apple having turned over the shooter’s iCloud backups in the case of the Pensacola, Florida mass shooting last month, the US government has been raking it over the coals for supposedly not helping law enforcement in investigations.
But according to a new allegation, Apple has been far more accommodating than the FBI has been willing to admit. Specifically, according to six sources – Reuters relied on the input of one current and three former FBI officials and one current and one former Apple employee – a few years ago, Apple, under pressure from the FBI, backed off of plans to let iPhones users have end-to-end encryption on their iCloud backups.
The bureau had griped that such encryption would gum up its investigations.
Last week, US Attorney General William Barr fumed at Apple over its refusal to break encryption per FBI request:
So far, Apple has not given any substantive assistance.
President Donald Trump piled on, tweeting that Apple refuses to unlock phones used by “killers, drug dealers and other violent criminal elements.”
But if the recent allegation proves true, it means that Apple has been far more accommodating to US law enforcement than headlines, politicians’ ire, and Apple’s marketing would indicate.
Its sources told Reuters that more than two years ago, Apple told the FBI that it planned to offer end-to-end encryption for iCloud backups, primarily as a way to thwart hackers. If it had gone through with the plan, it would have meant that Apple wouldn’t have a key to unlock encrypted data and would thus be unable to turn over content in readable form, even if served with a court order to do so.
The next year, in private talks with the FBI, the plan to fully encrypt iCloud backups had disappeared. Reuters couldn’t determine why, but without giving details, a former Apple employee said it wasn’t hard to fill in the blanks:
Legal killed it, for reasons you can imagine.
Reuters’ source said that Apple didn’t want to run the risk of “being attacked by public officials for protecting criminals, sued for moving previously accessible data out of reach of government agencies or used as an excuse for new legislation against encryption.”
If that was indeed Apple’s intent, it hasn’t worked out all that well. The company has been excoriated on Capitol Hill for its refusal to put in a backdoor that would enable the government to read encrypted messages.
Last month, responding to Apple and Facebook reps who testified about the worth of intact encryption, Sen. Lindsey Graham had this to say about the government’s ongoing quest for a backdoor:
You’re going to find a way to do this or we’re going to do this for you.
Backdoors are a product-crippling move that Apple has declined to take in spite of the FBI’s many demands to do so since the case of the San Bernardino terrorists.
One of Reuters’ sources said that it was that 2016 court battle with the FBI that subsequently made Apple back down:
They decided they weren’t going to poke the bear anymore.
A former FBI official who wasn’t involved in the iCloud encryption talks said that during the fight over encryption of the San Bernardino shooter’s iPhone, the bureau had managed to convince Apple that evidence from iCloud backups had made a difference in thousands of cases.
It’s because Apple was convinced. Outside of that public spat over San Bernardino, Apple gets along with the federal government.
The allegation relies on hearsay. Reuters doesn’t have solid proof. But one former Apple employee suggested that the encryption project – variously code-named Plesio and KeyDrop – might have been abandoned for other reasons besides legal trepidation, such as the possibility that customers would get disgruntled over being locked out of their data more often. At any rate, as three of Reuters’ sources tell it, Apple pulled about 10 experts off the encryption project after deciding to dump it.
Apple has handed over iCloud backups in 1,568 cases, covering about 6,000 user accounts, Reuters reports. In fact, the company has turned over at least some data for 90% of the requests it’s received.
It’s much easier to get at the online backups than it is to crack an iPhone, for a number of reasons. It can be done secretly, for one. You don’t need to physically possess the device to get at its data if you can get access to its iCloud backups.
And even though investigators have access to tools to bypass the iOS lock screen – tools believed to be used by companies such as Grayshift and Cellebrite – the window of time to extract a device’s data sometimes runs out before a full extraction has been done.
One example came up in 2018, in a case concerning an investigation into a pedophile ring in the US state of Ohio.
With search warrant in hand, investigators searched a suspect’s house, demanding that he use Face ID to unlock the iPhone X that they found. He complied, which gave the FBI access to photos, videos, correspondence, emails, instant messages, chat logs, web cache information and more on the iPhone.
Or, at least, that’s what the search warrant authorized investigators to seize. However, they couldn’t get everything that they were after before the phone locked. A device can be unlocked by using Face ID, but unless you know the passcode, you can’t do a forensic extraction. The clock starts ticking down, and after an hour, the phone will require a passcode.
According to the suspect’s lawyer, the FBI wanted to use Cellebrite tools to get more data from his client’s phone, but they weren’t successful.
Neither Apple nor the FBI has responded to media requests for comment on the reported abandonment of iCloud encryption.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast.
Europa
Most of these requests to restrict access to end to end encryption (for all of us) seem to be in connection with “shooter’s phones”. Wouldn’t it be easier to restrict access to other hardware that these “shooters” have?
Or is that a quaint old fashioned European idea?
Ron T.
Nobody needs encryption, why not just ban all encryption, problem solved. Unless you have something to hide why should you have access to it.
Raylund
Not something to “hide” but things to “protect”!
Ron T.
Raylund EXACTLY, I have something to protect as well which is my life and family thus the comment from Europa as to restricting access to “hardware” would remove that ability for me to protect something I value. That’s why banning things such as encryption or tools for protection would not be a viable solution in America. Apple should not be restricting customers ability to protect their information from all persons both governments or attackers.
Mahhn
The most often tool to kill people are automobiles. Good luck getting to work or food to your area without them.
Paul Ducklin
You can buy a LOT of cool bicycles for a LOT less than the cost of one car! (I have one for the road, one for the fields, and a third for the train that folds up. The bike, that is, not the train.)
Mahhn
My 30 min commute by car would take 3 hours by bike each way, if my leg was good. Then there is 4 months of snow, and no bikes allowed on the highway. no train/bus options either. but we’ve gone off track
Angela Fales
Hey Ron, could you please provide me with your full name, social security number, address, bank routing number, current credit card information and your medical history from the last 7 years? Looking forward to hearing back from you with the included information. Unless you have something to hide.
rtunchy@protonmail.com
Angela you missed the point, see my response above. I am against banning anything that helps me protect myself from all potential threats (both governments and people) no matter what the reason. Europa proposed banning guns, I use firearms to protect my family and myself from threats to my safety. Similarily, you and me both use encryption to protect ourselves from potential threats. Banning either because a criminal used them for bad would be remove our ability to protect ourselves.
TK
Privacy is not necessarily about protection or hiding, but is a social good in and of itself. Why do we have doors on bathrooms? Everyone knows what’s going on in there, and everyone does it, but we still like to have the door closed. And while bathroom stalls are used by some for unlawful activities (just as encryption is), I don’t hear anyone calling for universal surveillance of bathrooms.
Mahhn
like logging into your bank account? forgetaboutit, like to use a creditcard? forgetaboutit want to securely log into anything,,, yeah.
fury556
No, we definitely don’t need encryption on our corporate devices, so any old thief can simply pull sensitive data from them? Same applies to personal devices as well.