Confirming what security pros and privacy advocates have been saying all along, the Justice Department told a California court late Monday that it might not need Apple's help after all in cracking an iPhone 5c used by one of the San Bernardino shooters, prompting Judge Sheri Pym in a teleconference to postpone a hearing scheduled for March 22 to April 5 and stay her previous order compelling Apple to assist the Federal Bureau of Investigation (FBI).
"With the FBI backing down on this case, this is at least a short-term win for Apple," Lisa Hayes, vice president of programs and strategy at the Center for Democracy & Technology (CDT) said in a statement emailed to SCMagazine.com, noting that “it is not uncommon” for such civil hearings to be postponed without much notice.
That the phone may be crackable without Apple's help came as no surprise. "For many in the security community, there was little question that the iPhone could be compromised at any time via highly competent government level assets typically used for national security scenarios," Philip Lieberman, president and CEO of Lieberman Software, said in comments emailed to SCMagazine.com. "The representations of Apple about their unbreakable security were very endearing, but naïve."
Court documents filed by the Justice Department show that an unnamed third party has offered a way to break the phone, leading to federal prosecutors' request for a postponement so it can “determine whether it is a viable method that will not compromise data” on the phone and averting, at least temporarily, a showdown with Apple, which has thus far spurned the government's advances.
"For a long time information security experts have said that if you have physical access to the asset, all bets are off," Ben Johnson, co-founder and chief security strategist at Carbon Black, said in comments emailed to SCMagazine.com, noting that "the degree of difficulty" to crack an iPhone is higher than that of a traditional desktop or laptop. "Having said that, if the FBI has managed to find a vulnerability to unlock it, or a way to copy the drive to other phones or virtual machines to attempt to unlock it, none of us would be surprised."
And indeed in the Monday filing, the Justice Department confirmed that “if the method [offered by the outside source] is viable, it should eliminate the need for the assistance from Apple."
That should come as good news to the Cupertino, Calif.-based tech giant, which dug its heels in, refusing to comply with Pym's earlier order to aid the government by building what the company said was a backdoor into the phone. While the government insisted that the request was a one-off, Apple contended that it was anything but and would give government the go-ahead to overreach its authority.
"This has always been a case about the government attempting to mandate technological backdoors that would make all Americans less secure. We're glad to see the court take this step,” said CDT's Hayes.
“This case was never about a phone. It was a grab for power,” Evan Greer, campaign director of Fight for the Future said in a release sent to SCMagazine.com. “The FBI already had the capability to hack this phone using forensic tools, but they thought this case would be a slam dunk––a way for them to set a dangerous precedent that they've wanted for years.”
And Chenxi Wang, chief strategy officer for Twistlock agreed that "from the beginning, this case was about setting a legal precedent – not about gaining access to data." In comments sent to SCMagazine.com, Wang said, "Subsequently, the FBI is dropping the case on the ground that they probably won't be able to establish the legal precedent that they initially had hoped to achieve," going so far as to say that “it's unlikely that a third-party will be stepping in to assist the FBI."
The Justice Department's pressure on Apple drew criticism and sparked concern among other tech companies, privacy advocates and consumers and may have prompted the government to rethink its position. “It appears they're running away with their tail between their legs, trying to save face while they go,” said Greer, whose organization still plans on holding protests outside the California courthouse Tuesday. “They knew they were going to lose, both in the court of law and the court of public opinion.”
In a Monday blog, Cindy Cohn, executive director of the Electronic Frontier Foundation, said, "It's very clear that public engagement on this issue was key to helping move this from a fight just between Apple and the government to one where all of us know that our security is at stake."
Greer's colleague Jeff Lyon, chief technology officer (CTO) at the organization, said of its decision to gather although the hearing has been postponed that “the FBI might be running away from their own hearing, but we're not.”
He vowed to “still be outside the courthouse to make sure those people's voices are heard, because this fight is far from over.” Lyon noted that everything from to water treatment plants to hospitals and airports protected by that encryption. “The government's continued effort to weaken encryption is not just an attack on our civil liberties–it's a threat to our national security.”
While some Apple proponents see the judge's action as a victory of sorts and Apple told reporters a third party's aid would render Pym's order moot, the reprieve will likely be short-lived. "But remember: this isn't over," Cohn cautioned. "The FBI could come back to the court in a few weeks and try again to force Apple to write software that breaks the security on our iPhones."
And American Civil Liberties Union (ACLU) lawyer Alex Abdo was quoted by the New York Times as saying the retreat “will only delay an inevitable fight over whether the government can force Apple to break the security of its devices."
Regardless of the outcome of the Apple case, tech pros and privacy advocates would like to see the courts set more definitive boundaries for government authority. "Overall, it seems a shame to not get some clarity in the courts over what the government can and can't request when it comes to privacy and security, and if this case does not reach a conclusion you can bet we'll be back in this same spot soon," Johnson said.
Cohn said given the FBI's nearly constant "decrying what they see as a 'going dark' problem" and attempts to undermine encryption, it could be possible that the bureau "will look for another test case it can use to create a legal precedent."
But the proving ground might just be in Congress. "Several members of Congress, led by Senators Dianne Feinstein and Richard Burr, continue to threaten to rush through legislation that would mandate backdoors in our technology or otherwise force tech companies to ensure FBI's access to everyone's communications," Cohn wrote. "We're also gearing up for a major battle over backdoor legislation in states like California and are worried about pressure that other technology companies may be facing, like WhatsApp."
The Tor Project, which has had a firm no backdoors policy in place, said in a Tuesday blog penned by Mike Perry, lead developer on Tor browser, that "regardless of the outcome of the Apple decision" it is looking at other "ways to eliminate single points of failure, so that even if a government or a criminal obtains our cryptographic keys, our distributed network and its users would be able to detect this fact and report it to us as a security issue."
UPDATE: This story has been updated to add comments and analysis from EFF Executive Director Cindy Cohn, Carbon Black Co-founder and Chief Security Strategist Ben Johnson, Lieberman Software President and CEO Philip Lieberman, Twistlock Chief Strategy Officer Chenxi Wang and the Tor Project's lead developer on Tor browser, Mike Perry.