Apple Says iPhone Tech the U.S. Wants Will Be Slow and Costly to Buildby and
Argues that FBI request goes beyond `reasonable' assistance
Building new OS would require up to 10 engineers, four weeks
Ten engineers and a month of work -- that’s what it could take for Apple Inc. to write the program the FBI says it needs to crack the San Bernardino terrorist’s iPhone.
In a court filing responding to a government request that it help break into the device, Apple said the order that it provide “reasonable technical assistance” doesn’t take into full account what that assistance would entail -- and that it won’t be fast or easy.
One part of its argument that the order be dismissed depends on convincing the court that, as a third party to the investigation, it shouldn’t be required to expend time and resources that would create something that undercuts its own products. While Apple -- the world’s biggest company by market value, with more than $200 billion in cash and equivalents on its books and thousands of engineers -- has the ability and resources to comply with the request, focusing on the technical burden underpins its broader argument that doing so would pose a larger threat to its business by putting its customers at risk.
“The compromised operating system that the government demands would require significant resources and effort to develop,” Apple wrote in a brief filed with the court Thursday. “The order violates both requirements by conscripting Apple to develop software that does not exist and that Apple has a compelling interest in not creating.”
Apple weighed in with its legal arguments a little more than a week after federal investigators asked a judge to compel the company to create a new version of its iOS mobile operating system that would disable existing security features and allow the FBI to more easily crack the phone’s password. The current software requires manual password entry, and limits the number of incorrect guesses.
In addition to the six to 10 engineers and as long as four weeks of work to create new code in a “hypersecure isolation room,” the company said it would require multiple stages of testing, quality assurance, potentially re-coding, documentation -- then deploying the new operating system on the device at an Apple facility and supervising the Federal Bureau of Investigation’s use of the system.
Jason Syversen, chief executive officer of cybersecurity firm Siege Technologies, said Apple’s estimate was “conservative, but not unrealistic.”
The company’s filing included declarations from two Apple employees, one a privacy engineering manager and one a lawyer, who would be among those involved with planning and overseeing the project, to attest to the cumbersome nature of the undertaking. The FBI is asking Apple to develop software to be used on this one phone that would allow it to try every possible password until it hit on the correct one, overriding protections Apple has to prevent hackers from using exactly this strategy to break into a phone.
There’s no easy way for Apple to remove the limits on repeatedly guessing passwords, said Erik Neuenschwander, Apple’s manager of user privacy. Because the FBI doesn’t want to modify the operating system on the phone itself, the new version of iOS -- which he dubs GovtOS -- would have to run on the device’s random access memory, which would require it to be much smaller and simpler than Apple’s existing phone software.
“Apple’s ecosystem is incredibly complicated,” Neuenschwander argued in a declaration included in the filing. “Changing one feature of an operating system often has ancillary or unanticipated consequences.” In the worst case scenario, GovtOS could inadvertently erase the data the FBI is after, Apple said.
Then there’s the question of what would happen with the software once it has been used. Apple would have a choice: destroy the code and be ready to re-create it -- at a similar expense of resources and time -- in the event of similar investigations in the future, or hold onto it and defend the highly sensitive code against potential attacks from hackers or governments. Neither option is attractive. And by Apple’s account, the destruction of the code would be nearly impossible, especially given that it would have to preserve some documentation of its creation for use in any future legal proceedings.
“Once an engineer has gone through the steps of designing and building a certain kind of machine, there is always tons of leftover know-how that never disappears,” said Dan Guido, founder and CEO of cybersecurity company Trail of Bits Inc. “Legally, Apple is claiming they would be obligated to preserve most of it since they would have to testify on the government’s behalf that it functioned.”
The company is spelling out the technical effort involved because the All Writs Act, the 1789 statute under which the U.S. is making its request, only allows the government to demand a reasonable level of assistance, said Alex Abdo, staff attorney for the American Civil Liberties Union, which plans to join the case in support of Apple.
“The All Writs Act is a modest authority and it doesn’t allow the government to impose significant burdens on the third party whose assistance it is requiring,” he said. “Apple is arguing that what the government is asking for is unlawful because it goes beyond the very modest levels of assistance allowed under that statute.”
In addition to the technical work, the Apple law enforcement compliance team would also see “significant additional burdens,” said Lisa Olle, who oversees Apple’s response to legal requests for customer data, in her declaration.
Complying with the order could open the door to many more, Apple said, citing concern that this is just the first of many similarly onerous and time-consuming requests. For each device requested, a team member would have to oversee the movement of the device to engineers, maintaining and logging the chain of custody of a key piece of evidence while it’s in the company’s possession. Apple would probably have to create one or two secure facilities where work could take place and the devices could be stored.
The last thing Apple wants is a continuing commitment to law enforcement-related software engineering, which it claims this order would force upon the company.
“Responding to these demands would effectively require Apple to create full-time positions in a new ‘hacking’ department to service government requests and to develop new versions of the back door software every time iOS changes, and it would require Apple engineers to testify about this back door as government witnesses at trial,” Apple wrote in its filing.