Topic: Telecom, Internet & Information Policy

FBI Discovers It Can Access That iPhone After All

Update:  The FBI is now explicitly denying that the method described in this post is the one they’re planning to employ—so apparently my suspicion was mistaken and they may well be employing a truly novel technique.  The more general point, I think, is still valid: The relative speed with which an outside firm was able to demo a solution once the case hit the headlines should raise legitimate questions about how serious an independent effort FBI made before claiming “necessity” and turning to compulsion to access the phone.  Manifestly someone out there has the capability, meaning this protracted and costly lawsuit could have been avoided—and the phone cracked weeks or months ago—had they only approached the right parties for assistance.  Original post follows.

In a third-act twist worthy of M. Night Shyamalan, the FBI has announced that it has just discovered a method, provided by an unnamed “third party,” of breaking into deceased San Bernardino shooting suspect Syed Farook’s iPhone without help from Apple. As a result, the hearing at which Apple and DOJ lawyers were scheduled to square off today has been postponed for at least two weeks while the Bureau tests out this “new” approach, potentially rendering the legal battle with Cupertino moot.

The scare quotes in the previous sentence are there to signal my skepticism that there is a genuinely novel technique in play here — which matters because the FBI has been consistently representing to the courts that Apple’s assistance, and an order to compel that assistance, was “necessary” to access the data — which is to say, that the FBI had no viable alternative methods to decrypt the contents of the phone. Yet from the beginning of the public debate over this case, the technical experts I talked with consistently pointed to two distinct approaches the Bureau might employ that wouldn’t require Apple to write or authenticate a line of code.

First, there are potential methods of extracting the phone’s UID — a secret master encryption key, unique to each device, physically embedded in its processor chip. With that key, which is designed to be difficult to read and unknown even to Apple, the FBI could crack the encryption protecting the iPhone data in a matter of minutes. Though cumbersome, time-consuming, and expensive, these methods would almost certainly still be cheaper than a protracted legal battle with a deep-pocketed tech titan — though they would also inherently carry some risk of destroying the key information, rendering the iPhone data permanently inaccessible.

The second and more plausible method was described in some detail weeks ago by ACLU technology fellow Daniel Kahn Gillmor, and even referenced by Rep. Darrell Issa at recent hearing with FBI director James Comey. Read Gillmor’s post for the details, but in essence it involves removing the phone’s “effaceable storage” to make a backup copy of the key material that is erased to render the phone’s data permanently inaccessible after too many incorrect passcode guesses. When FBI hits their guess limit, they “re-flash” the backed-up data to the phone and get another round of guesses. Security researcher Jonathan Zdziarski argues cogently that this is the most probable option.

If that’s the case, the Bureau ought to have some explaining to do, because this alternative surely should not have been unknown to FBI’s forensic experts. If we’re uncharitable, we might suspect the FBI of being less than forthcoming with the court about a range of feasible alternatives they should have been aware of. If we’re more charitable, then at least it seems as though they did not make a very serious effort to explore alternatives before pleading “necessity.” A high profile terrorist attack must have seemed like an ideal test case for the proposition that technology companies can be compelled, under existing law, to hack their own security on the government’s behalf — which might have sapped enthusiasm at Main Justice for abandoning it in favor of an attack that would give them this data, but be unlikely to work on newer model phones. Of course, that cost-benefit calculus might look different once it became clear that this would be a long legal slog, with Silicon Valley more generally lining up to back Apple — not a quick and easy PR win for the government. No doubt the FBI will plead reluctance to disclose too much about their “sources and methods” of accessing data on the phone, but they should at least be under some pressure to confirm, generally, whether they’re using some variant of an approach they ought to have known about well before this past weekend. If so, that ought to affect the credibility their representations of necessity are afforded by future courts in similar cases.

And, of course, there will be no shortage of similar such cases: There are a dozen underway already, and hundreds more locked iPhones in the hands of various law enforcement agencies. Since the method outlined above will (probably) not work on newer iPhones, the underlying legal questions raised by this case will still need to be resolved—though perhaps by courts that have learned to regard FBI’s technical affidavits with bit more skepticism.

Rights in the Balance

The right to swing my fist ends where the other man’s nose begins.

The saying, it turns out, has some of its pedigree in Prohibition, during which the right to serve drinks was said to interfere with the rights of the family. But misapplication to “group rights” aside, it’s a phrase that captures our system of rights well. You are (or should be) free to do whatever you wish, so long as you don’t injure others in their rights.

You can see society hammering out the dividing line between rights in a case that produced a jury verdict last Friday: Hulk Hogan vs. Gawker. The provocative website published a mid-2000 video of the former wrestler and TV personality having sex with a friend’s wife. Hogan sued and won a verdict of $115 million, which Gawker will appeal.

The argument on Hulk’s side is that public exposure of a person’s intimate moments and bodily functions violates a right to privacy. The free speech argument is that a person has a right to broadcast and discuss anything he or she pleases.

These are both important rights. The privacy right is a little younger, having developed since about 1890. The free speech right pre-existed its 1791 acknowledgement in the Bill of Rights, so speech has a stronger heritage. But the dividing line will never be decided once and for all. Common practices and common mores will set and reset the line between these rights through accretion and erosion, the way a winding river divides a plain. That way of producing rules is very special: common law courts deciding in real cases what serves justice best.

Building the Bitcoin Ecosystem: Privacy Edition

Many in the Bitcoin community seek increased financial privacy. As I wrote in a 2014 study of the Bitcoin ecosystem, “Bitcoin can facilitate more private transactions, which, when legal in the jurisdictions where they occur, are the business of nobody but the parties to them.” That study identified “algorithmic monitoring of Bitcoin transactions” as a rather likely and somewhat consequential threat to the goal of financial privacy (pg. 18). It was part of a cluster of similar threats.

Good news: The Bitcoin community is doing something about it.

The Open Bitcoin Privacy Project recently issued the second edition of its Bitcoin Wallet Privacy Rating Report. It’s a systematic, comparative study of the privacy qualities of Bitcoin wallets. The report is based on a detailed threat model and published criteria for measuring the “privacy strength” of wallets. (I’ve not studied either in detail, but the look of them is well-thought-out.)

Reports like this are an essential, ecosystem-building market function. The OBPP is at once informing Bitcoin users about the quality of various wallets out there, and at the same time challenging wallet providers to up their privacy game. It’s notable that the wallet with the highest number of users, Blockchain, is 17th in the rankings, and one of the most prominent U.S. providers of exchange, payment processing, and wallet services, Coinbase, is 20th. Those kinds of numbers should be a welcome spur to improvement and change. Blockchain is updating its wallet apps. Coinbase, which has offended some users with intensive scrutiny of their financial behavior, appears wisely to be turning away from wallet services.

Bitcoin guru Andreas Antonopolis rightly advises transferring bitcoins to a wallet you control so that you don’t have to trust a Bitcoin company not to lose it. The folks at the Open Bitcoin Privacy Project are working to make wallets more privacy protective. Kudos, OBPP.

There’s more to do, of course, and if there is a recommendation I’d offer for the next OBPP report, it’s to explain in a more newbie-friendly way what the privacy threats are and how to perceive and weigh them. Another threat to the financial privacy outcome goal—ranked slightly more likely and somewhat more consequential than algorithmic monitoring—was: “Users don’t understand how Bitcoin transactions affect privacy.”

President Obama Needn’t Go to SXSW…

In his weekly address last Saturday, President Obama touted the importance of technology and innovation, and his plans to visit the popular South by Southwest festival in Austin, Texas. He said he would ask for “ideas and technologies that could help update our government and our democracy.” He doesn’t need to go to Texas. Simple technical ideas with revolutionary potential continue to await action in Washington, D.C.

Last fall, the White House’s Third Open Government National Action Plan for the United States of America included a commitment to develop and publish a machine-readable government organization chart. It’s a simple, but brilliant step forward, and the plan spoke of executing on it in a matter of months.

Having access to data that represents the organizational units of government is essential to effective computer-aided oversight and effective internal management. Presently, there is no authoritative list of what entities make up the federal government, much less one that could be used by computers. Differing versions of what the government is appear in different PDF documents scattered around Washington, D.C.’s bureaucracies. Opacity in the organization of government is nothing if not a barrier to outsiders that preserves the power of insiders—at a huge cost in efficiency.

One of the most important ideas and technologies that could help update our government and democracy is already a White House promise. In fact, it’s essentially required by law.

Uber Not to Blame for Kalamazoo Shooting

By Alexander Torrenegra from Secaucus, NJ (New York Metro), United States - On my first @Uber ride in Bogota heading to a Startup Weekend. Priceless easiness and safety. I love disruptive innovation., CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=37982760An Uber driver is accused of killing six people and wounding two others in a shooting rampage that took place in Kalamazoo, Michigan on Saturday. The victims seem to have been picked at random and were shot at three different locations. An unnamed source told CNN that the suspected killer, Jason Dalton, completed rides in between the shootings, which took place over a seven-hour period. It might be tempting to think in the wake of the Kalamazoo shooting that Uber should reform its background check system, but this would be an overreaction to a problem a different background check process wouldn’t have solved. 

Uber screens its drivers by checking county, state, and federal criminal records. As I explained in my Cato Institute paper on ridesharing safety, Uber is oftentimes stricter than taxi companies in major American cities when it comes to preventing felons and those with a recent history of dangerous driving from using its platform. And Dalton did pass Uber’s background check.

However, it’s important to keep in mind a disturbing detail: according to Kalamazoo Public Safety Chief Jeff Hadley, the suspected shooter did not have a criminal record and was not known to the authorities. In fact, Dalton, a married father of two, does not seem to have prompted many concerns from anyone. The Washington Post reports that Dalton’s neighbors noticed “nothing unusual” about him, although the son of one neighbor did say that he was sometimes a “hothead.”

That an apparently normal man with no criminal history can murder six people is troubling, but it’s hard to blame Uber for this. It’s not clear what changes Uber could make to its background check system in order to prevent incidents like the Kalamazoo shooting. What county court record, fingerprint scan, or criminal database would have been able to tell Uber that a man with no criminal record would one day go on a shooting rampage?

The Kalamazoo shooting is a tragedy, but it shouldn’t distract from the fact that Uber and other ridesharing companies like Lyft have features such as driver and passenger ratings as well as ETA (estimated time of arrival) sharing that make their rides safer than those offered by traditional competitors.

With the information we have it looks like Dalton could have passed a background check to have been a taxi driver or a teacher. While perhaps an unnerving fact, criminal background checks cannot predict the future, whether they are used to screen potential school bus drivers, police officers, or rideshare drivers. 

States Optimistic About Economic Futures Are More Economically Free

New data from Gallup suggests that residents in US states with freer markets are more optimistic about their state’s economic prospects. In their 50-State Poll, Gallup asked Americans what they thought about the current economic conditions in their own state as well as their economic expectations for the future. North Dakota (92%), Utah (84%), and Texas (82%) top the list as states with the highest share of residents who rate their current economic conditions as excellent or good.  In stark contrast, only 18% of Rhode Island residents, 23% of Illinois residents, and 28% of West Virginians rate their state’s economic conditions as excellent or good. Similarly Americans most optimistic about their state’s economic futures include Utah (83%) and Texas (77%) while states at the bottom include Illinois (34%) and West Virginia (36%).

What explains these stark differences in economic evaluations and expectations across US states? Could differences across states in economic freedom, such as government regulations on business, tax rates, government spending, and property rights protection, be part of the story?

Figure 1: Relationship Between State Economic Freedom Scores
and Residents’ Evaluations of Current Economic Conditions

 

 Source: Economic Freedom Index 2011, Freedom in the 50 States; Gallup 50-State Poll 2015

Bitcoin Governance as Competition

A few weeks ago, in a post entitled, “The Politics of Non-Political Money,” I talked about the Bitcoin blocksize debate as surfacing “politics” in the Bitcoin ecosystem. Important protocol and software development projects require people of disparate views and plans to come together over common standards and code. My thesis in that post was simply that good behavior is good politics because it builds credibility. Some differ, and many—it should be no surprise—aren’t taking my advice. But the precedents set in the blocksize debate are important for the future of Bitcoin, for other cryptocurrencies, and for similar projects that may offer alternatives to governmental monetary and administrative systems.

The politics are intense, there are ways that Bitcoin governance is like government, and proposals to fork the software are kind of like constitutional amendments. But I’m increasingly comfortable thinking of Bitcoin governance as a market phenomenon. Specifically, groups with differing visions are competing to win the favor of Bitcoin miners and nodes, so that their vision, if it prevails, can carry the Bitcoin project forward.