Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Governance, Risk and Compliance, Compliance Management, Privacy, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Apple fears gov’t overreach, Cothority offers co. help

An Apple company executive said Tuesday he feared government demands wouldn't stop with Apple's providing a way to get around an iPhone 5c's auto-erase security feature even as a software project said its decentralized witness cosigning process could keep the government from surreptitiously forcing Apple and others like it from providing a backdoors into their products.

Apple Senior Vice President of Internet Software and Service Eddy Cue told Univision that there would be nothing to stop the government from demanding the company provide access to a phone's microphone or camera. "Some day, someone will be able to turn on a phone's microphone. This should not happen in this country,"  he said, contending that the requests won't just apply to terrorism investigations, as in the San Bernardino, Calif. shootings, but rather “are going to be all sorts of cases."

The Cothority project's Bryan Ford would like to make that more difficult, if not impossible, saying that by using a decentralized witness signing process “a software maker imprints their devices and software update systems with a digital certificate corresponding not just to their own secret key but also to secret keys held by a group of independent witnesses,” which might include groups like the Electronic Frontier Foundation (EFF), American Civil Liberties Union (ACLU) as well as software companies, corporate customers and even other governments who would like “not just verbal but also technological assurances of the software maker's commitment to transparency,” Ford wrote in a blog post.

Under this process “before accepting any software image the device's update system verifies that it has been signed not only by the software maker but also by a threshold number of the designated witnesses,” Ford wrote. “ In essence, the device does not accept any software image unless it arrives with a cryptographic “proof” that this particular software image has been publicly observed by – and thereby placed under the scrutiny of – a decentralized group of independent parties scattered around the world in different jurisdictions.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.