Monday, February 29, 2016

Cell phone privacy

By way of full disclosure:
  • I own a smart phone
  • I store some data on the phone
  • I do not store highly sensitive data on the phone
  • The phone unlock is secured by fingerprint and a long, relatively secure password
  • The data on the phone is encrypted
  • I am a very senior technologist very familiar with the related technologies.
Now let's consider privacy.

If my phone is lost or stolen do I need my data secured? Not really, but then I do not store highly sensitive data on the phone.

In my particular case there is some inconvenience and marginal risk but it is really rather minimal.

It is significant that I'm a technologist, know how technology actually works, and have considerable experience with the way technology companies really behave.  I have made an informed decision that neither the technology nor the companies that provide it may be trusted to keep sensitive data secure. That being the case I rationally choose to limit my exposure.  Others might want to think about that as well.

So am I willing to unlock my phone and have my data exposed if the phone is lost or stolen?  No. My concerns are twofold.

First, I believe in personal privacy generally.  I believe that each of us should get to decide for ourselves what to share, when to share, and whom to share with.  If I take a photo at a family gathering, there is really no harm in the entire world seeing it, but that doesn't make it the business of the whole world.  If I do not choose to share, no one else should have a right to see it.  It is a matter of principle. So if by some mischance I lose possession of my phone I do not want others to have access to data on the phone.

Second, knowing the way phones and billing actually work, I really, really, really do not want someone else to be able to use my phone to create bills attributable to me.  It is actually this matter that I am most concerned about, not the actual data on the phone.

What about people who actually store sensitive data on their phone?  I believe that such people are stunningly naive.  But, I acknowledge that cell phones are remarkably useful, more or less ubiquitous, and many people think it is OK to store sensitive data on their cell phone.

Should the data of people who actually store sensitive data on their phone be protected?  Yes. As a society we frequently require that we be protected from our own mistakes and bad decisions.  So while storing sensitive data on your phone is, in my view, a bad decision, I do think it should be protected.

Should that protection be absolute?  No.  Privacy rights in the US derive largely from the Fourth Amendment.  That protection immunizes data from search unless there is a valid warrant.

This is one of the central issues at the core of the current Apple v. FBI controversy.  Notwithstanding all that has been said or written there is simply no absolute right to privacy in law. Indeed, claims that cell phone data should have an absolute privacy right are novel and unprecedented in that no other data storage mechanism or device, save a corporal human, possesses such rights.

Much that has been said or written effectively asserts just such a right, but it does not exist, nor, in my view, should it.  The Fourth Amendment expresses two essentials of privacy.  The first principle is that by default our person and writings, and by extension our data, are private and not subject to government scrutiny.  The second is that, notwithstanding the first principle, there are circumstances where there is a legitimate government interest that overrides the first principle.  That is what a warrant is.

Should an exemption to warrant search be created for cell phones? No.

While there are exceptions to warrant search, such exceptions are rooted in profound social relationships such as marriage or religion. While many may have a strong personal attachment to their cell phones there is simply no underlying social relationship.

It is important to realize that cell phones that store data are simply small computing devices able to connect to various networks for various purposes, including making actual phone calls. The principal distinguishing characteristic from other computers is their size.  Indeed, everything I can do on my cell phone I can do on my laptop or on my desktop, even though I cannot put either of these in my pocket.

Other computing devices do not have warrant exceptions.  Indeed, such devices are routinely subject to search under court order.

Common sense

  • Cell phones should support privacy
  • They should not be immune to warrant search

Sunday, February 28, 2016

Apple v FBI: What does the judge's order actually say

The specifics of this order are very important and have been widely distorted and misrepresented. This post attempts to state the essential elements of the order in a simple non-technical manner so that others may better understand the issues.

The order itself can be found here. There was some subsequent alteration of the original order (link needed).  In summary it requires the following:
  • the creation of software that bypasses the delay and destruction features associated with unlocking the phone
  • keying the software to this specific phone
  • providing mechanisms that allow the FBI to access the phone to conduct a brute-force unlock
The order further provides:
  • The phone may be in Apple's possession during the unlock process and work performed at an Apple facility
  • Apple need not provide the software in any form to the FBI
  • Apple is free to dispose of the software as it wishes
  • Apple is compensated for their work supporting the FBI
Note: if this summary of the order is in any way factually incorrect or biased please let me know.

Apple v FBI: To what degree is encryption actually involved

In forming an informed opinion about this matter it is important to understand some of the technical matters involved, particularly as they relate to encryption.

Locking and encryption on the phone

Briefly, user data on the phone is encrypted with a key that is unique to the phone. The encryption technique used is strong, and Apple does not have this key, nor can it be accessed without unlocking the phone.

As a convenience to users Apple's design provides that once the phone is unlocked the key used to encrypt the user data is automatically available and users may conveniently access their data without encryption interference.  Note that this is a conscious explicit design choice made by Apple.

To protect the phone locking scheme Apple uses two features. One imposes an increasingly long delay between successive failed login attempts. This is a common technique to thwart brute-force attacks by making them take so long as to be impracticable. Another, if enabled (I believe this is optional and am unsure of the default setting), provides that user data on the device is destroyed if there are excessive successive login failures. This is another common technique to ensure that even if someone is willing to take the time to execute a brute-force attack, the data will be destroyed before the attack can succeed.
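An added illustration of the two protections just described, not Apple's code: a device-side model in which the per-device data key is released only on a successful unlock, each failure lengthens the enforced delay before the next try, and the optional erase setting wipes the data once failures reach a threshold. The delay schedule and the wipe threshold below are assumed values chosen for the illustration, not Apple's actual settings.

```python
from dataclasses import dataclass

# Assumed escalating delay schedule (seconds), indexed by the number of
# consecutive failures so far; failures beyond the table reuse the last entry.
DELAY_SCHEDULE = [0, 0, 0, 0, 60, 300, 900, 3600]
# Assumed threshold at which the optional "erase data" setting wipes the device.
WIPE_AFTER = 10


@dataclass
class UnlockPolicy:
    """Lock-screen state. The data key is released only on a correct passcode,
    which is the convenience feature the post describes."""
    correct_passcode: str
    erase_enabled: bool = True
    failures: int = 0
    wiped: bool = False
    key_released: bool = False
    clock: float = 0.0            # simulated time in seconds
    earliest_next_try: float = 0.0

    def attempt(self, passcode: str) -> str:
        """Process one unlock attempt and report the outcome."""
        if self.wiped:
            return "wiped"
        if self.clock < self.earliest_next_try:
            return "rejected: still in delay window"
        if passcode == self.correct_passcode:
            self.failures = 0
            self.key_released = True
            return "unlocked: data key released"
        self.failures += 1
        if self.erase_enabled and self.failures >= WIPE_AFTER:
            self.wiped = True          # user data destroyed; key never released
            return "wiped"
        delay = DELAY_SCHEDULE[min(self.failures, len(DELAY_SCHEDULE) - 1)]
        self.earliest_next_try = self.clock + delay
        return f"failed: next attempt allowed after {delay}s"

    def wait(self) -> None:
        """Advance the simulated clock to the end of the current delay."""
        self.clock = max(self.clock, self.earliest_next_try)


def delay_imposed_on(n_failures: int) -> float:
    """Total enforced delay (seconds) across n consecutive failures, which is
    what makes exhaustive guessing impracticable even without the wipe."""
    return float(sum(DELAY_SCHEDULE[min(f, len(DELAY_SCHEDULE) - 1)]
                     for f in range(1, n_failures + 1)))
```

With erase enabled, ten wrong guesses spaced by the schedule end in a wipe after 12,060 simulated seconds; with it disabled, the delays alone grow to 15,660 seconds over the same ten failures.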

The San Bernardino order

The San Bernardino order requires Apple to disable the delay and destruction features so that the FBI can execute a brute-force attack, unlock the phone, and access the encrypted user data on the phone. Technically, it is an exploit of the consumer convenience feature designed into the phone.

The specifics of this order are very important.  The order itself can be found here.  In summary it requires the following:
  • the creation of software that bypasses the delay and destruction features,
  • keying the software to this specific phone,
  • providing mechanisms that allow the FBI to access the phone to conduct a brute-force unlock.
The order further provides:
  • the phone may be in Apple's possession during the unlock process,
  • Apple need not provide the software to the FBI,
  • Apple is free to dispose of the software as it wishes,
  • Apple is compensated for their work supporting the FBI.

Does this work involve encryption?

The short answer, contrary to what many believe, have said, and have argued, is NO.

To understand this, consider a slightly different phone.  On this phone the only way to access the data is to unlock the phone; the underlying storage mechanism does not involve encryption and is immune to physical attack. The unlock features remain the same.

Would the user's data protection on this imagined phone be more, less, or unchanged?

I believe that the answer is unchanged.  Any attempt to unlock this phone would almost certainly result in destruction of the data in just the same way as the actual San Bernardino phone.  Once the phone is unlocked the data would be available in precisely the same degree as the San Bernardino phone.  There is simply no effective difference in the data protection.

That illustrates an important element of the San Bernardino case: encryption of the user data is not actually at issue with respect to the work required by the judge's order.  Rather, it is a side effect of the work being ordered, which exploits a designed-in feature, many would argue a weakness, of the phone.

However, there is an element related to encryption that is involved.  The design of the actual San Bernardino phone requires that the software to disable the login delay and delete features that protect unlocking be signed with Apple's authorization key.  This is not strictly an encryption key but is, in some ways, related.  It prevents software not authorized by Apple from being loaded onto the phone.  Without this key the phone will reject the modified software, and the login delay and delete features may not be subverted.

To what degree is encryption actually involved?

Actually none.  Security is certainly involved but not encryption proper.

Apple v FBI - Much ado about a routine court order

Consider the following situation:
There is something in a safe deposit box in a bank vault.  The box requires two keys to unlock.  The customer holds one.  The bank holds the other.  When the customer wants to access the box they must show the bank that they are entitled to access the box and present their key.  The bank will unlock the vault, allow the customer to enter the vault, insert the bank's key into the box lock, and allow the customer to use the customer's key to unlock the box so that the contents may be accessed.
Now suppose the FBI wants to access the contents of this safe deposit box.  The FBI must ask a judge to issue an order to the bank.  The judge listens to the FBI's arguments and, if the judge finds they have sufficient merit, will issue an order that requires the bank to open the safe deposit box.  To do so the bank must unlock the bank's vault, provide the bank's key to the safe deposit box, and allow the FBI to drill the customer's lock, causing damage to the bank's box.
This situation occurs with surprising regularity.  It is well established law that the bank is obliged to obey the judge's order and cooperate with the FBI to open the safe deposit box at issue.

The fact pattern surrounding the current controversy over the San Bernardino cell phone almost perfectly parallels the fact pattern above.  The cell phone is equivalent to the safe deposit box.  Apple is the bank.  Apple's software is the vault.  Apple's iOS signing key is the bank's safe deposit key.  Once that key is turned the FBI may execute a brute-force attack equivalent to drilling the user's lock.

It is significant that the fact pattern in the Apple controversy is not new nor unique in any way.  It is significant that the law is well established for dealing with this sort of issue.


Saturday, February 27, 2016

The real issues and Apple v. FBI

So there is much ado over a judge's order in the San Bernardino terrorist shooting.  It's now gotten to that special place where facts and reason are trumped by emotion and PR.  That is more than just unfortunate since there are some real and very important issues that really should be examined.

Some background

Briefly, on December 2, 2015, 14 people were killed and 22 were seriously injured in a terrorist attack at the Inland Regional Center in San Bernardino, California.  A description of the events and aftermath can be found on Wikipedia.

As part of an ongoing investigation into the original events the FBI asked Apple to assist in unlocking one of the terrorists' phones.  This led to the issuance of a court order to compel Apple to assist, and to considerable public controversy.  A description of the order, the events, and some of the subsequent controversy can be found in Wikipedia entries.

Much of the public controversy has centered on privacy and encryption in the context of cell phones.  Among the claims made are

  • customer data stored on cell phones is private and should not be subject to government examination
  • the court order is an attempt by government to gain universal access to all cell phones
  • the court order is an attempt to weaken encryption and provide the government with a key that can subvert encryption
  • the court order is an attempt by the government to inappropriately force Apple into government service

Briefly what is wrong with the current controversy

Consider the following:
  • Is individual data on a cell phone immune to warrants for its recovery?  The short answer is no.  Such data is fundamentally no different from other data stored elsewhere and is no more or less subject to warrant search.
  • Is the court order an attempt to secure a back door to gain universal access to all cell phones?  The short answer is no.  Here the details of the order and the technology involved are significant.  Specifically, the order provides that Apple assist the FBI to unlock this specific phone by modifying the login delay and excessive-login-failure delete features of iOS in a fashion that is unique to this specific phone, that the phone may be under Apple's control during this process, that Apple need not provide the software to accomplish this to the FBI, and that Apple is free to dispose of the software after the phone is unlocked.  The net consequence of this is that no universal method ever exists to unlock all cell phones, and that the limited ability to unlock a specific phone may be destroyed after the phone is unlocked.
  • Does the court order weaken encryption?  The short answer is no.  Rather, the court order seeks Apple's assistance in exploiting a specific design characteristic (weakness) of Apple's product on this and other Apple cell phones (though not all).  While the details are somewhat technical, Apple's design provides that once the phone is unlocked the encryption key for Apple-provided encryption of user data on this specific phone is available, and encrypted data on the phone may then be accessed.  Unlock protection for the phone is provided by the two features the judge's order requires Apple to bypass.
  • Is Apple being inappropriately forced into government service?  The short answer is no.  It is well established law that companies and individuals are subject to judicial orders that require them to do something.  Apple is entitled to compensation for its work.  Both the law and the order provide for such compensation.
What is significant here is that there is little to nothing that is unique, exceptional, or fundamentally controversial about the order or its effect.  The design defect in Apple's products is doubtless embarrassing to Apple given their market positioning but the legal and technical issues are actually narrow and clear.

Real issues and why they matter

Notwithstanding all the controversy, almost all of it misses the most important issues.
  • Is there a legitimate societal interest in the data at issue? In user data on cell phones generally?
  • Should some data be immune to warrants?  Should cell phone data specifically?
  • Do users have a reasonable expectation of data protection and privacy on cell phones?
  • Should manufacturers be compelled to use weak encryption?
  • Should manufacturers be subject to court orders that subvert manufacturer-provided electronic locking (not encryption) when the technical mechanism to do so exists?
There are doubtless other real issues.

If we allow ourselves to be distracted from real issues they do not get addressed.  If they do not get addressed we end up with unsolved problems and bad laws.  It's really rather simple.

Thursday, February 25, 2016

An open letter to voters, particularly young voters

I'm 73. I've voted in every presidential election I've been eligible to vote in and all but 2 other national elections. In my entire adult life, that's 50 plus years for those arithmetically challenged, I have voted for a political party candidate for president I actually thought well qualified and reasonably honest exactly ... once. Other than that I've held my nose and chosen the lesser of two unqualified opportunistic choices.

In my life some presidents have accomplished some good.  Others have been so destructive as to make me wonder what we as a people were thinking.  Most have ultimately been dishonest.  We have had some congresses that worked in the interest of the electorate at least some of the time.  In recent years we have had congresses that by any metric serve only moneyed interest.

A significant majority of Americans are just fed up and have adopted a 'pox on both your houses' attitude toward this business as usual. That's why we have Mr Trump and Mr Sanders.

As a nation we are at something of a crossroads.  We can choose business as usual, a continuation of dishonest and ultimately evil candidates for president and (this part is important) congress.  We can also choose something different.

If you are a voter, if you want change, if you want honesty, if you want principled representation you need to get involved.  You need to be part of the primary process.  You need to be part of the actual election.

If you do, there is some hope for change.  If you don't, you can be certain that governance will continue as usual.  If you don't, you can be certain that the problems that afflict US society will continue and get worse.

Get involved.  Get informed about the candidates for president and just as importantly congress.  Vote.

It's just that simple.