Apple vs. FBI is over, but the encryption battle rages on

Encryption is once again the bogeyman after this week's attacks in Belgium, and the lessons of the FBI’s abandoned case against Apple could be lost

The abrupt end to the FBI's legal battle with Apple this week resolved none of the underlying disputes. Now important lessons from that case are in danger of being obscured and discourse on encryption and security derailed by emotionalism in the wake of the Brussels attacks.

After asserting repeatedly that only Apple was capable of breaking into the San Bernardino terrorist's work iPhone, the FBI issued a "nevermind" straight out of "SNL." For all its bluster, could it be that the agency was (gasp) lying all along?

"This case was never about a phone. It was a grab for power," said Evan Greer, campaign director of Fight for the Future. "The FBI already had the capability to hack this phone using forensic tools, but they thought this case would be a slam-dunk -- a way for them to set a dangerous precedent that they've wanted for years."

The FBI and DOJ publicly claimed at least 19 times that there was no way to open the iPhone without Apple's help -- a core tenet of their case using the All Writs Act. But it turns out the DOJ was already in talks in February with Israeli security firm Cellebrite about hacking an iPhone 6 for a drug case.

"The DOJ never mentioned Cellebrite as an alternative possibility in its filings with the court. In this case, that omission essentially amounts to lying," Greer said. "They consistently claimed that there was simply no other way to break into the phone without Apple's help, even though they knew there was another very plausible possibility."

Multiple security experts have cast serious doubt on the FBI's truthfulness as well, citing fraudulent claims in the case and laying out known techniques for unlocking the phone. Court filings gave no indication the FBI tried consulting experts from the government intelligence community -- particularly the NSA -- bolstering the theory that the NSA was excluded on purpose so that the FBI could create a test case.

Richard Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States, told NPR:

The Justice Department and the FBI are on their own here. You know, the Secretary of Defense has said how important encryption is when asked about this case. The National Security Agency director and three past National Security Agency directors, a former CIA director, a former Homeland Security secretary have all said that they're much more sympathetic with Apple in this case. You really have to understand that the FBI director is exaggerating the need for this and is trying to build it up as an emotional case… They're not as interested in solving the problem as they are in getting a legal precedent.

The FBI, it turns out, wants to break into lots of phones, most of which have no connection to national security. San Bernardino became the test case precisely to exploit the emotionalism stirred up in the wake of a terrorist attack on American soil. Politicians -- from Donald Trump throwing a tantrum and raging against Apple ("Who do they think they are?") to John Kasich's misleading statements ("There is a big problem, it's called encryption") -- were quick to throw fuel on the fire and condemn without evidence.

This week was no different, with Rep. Adam Schiff, ranking member of the House Permanent Select Committee on Intelligence, saying, "We do not know yet what role, if any, encrypted communications played in [the Brussels] attacks." Nonetheless, he added, "we can be sure that terrorists will continue to use what they perceive to be the most secure means to plot their attacks." In other words, we should still worry about encryption.

The official postmortem on last year's attacks in Paris, a 55-page report put together by French antiterrorism police, contained no evidence that encryption was to blame for intelligence lapses. Instead, "French investigators came face to face with the reality that they had missed earlier signs that the Islamic State was building the machinery to mount sustained terrorist strikes in Europe," according to a New York Times report last weekend.

Regardless, "the thing that stood out for me [about the article] was the desperate need of the NY Times reporters to insist that there must be encryption used by the attackers, despite the near total lack of evidence of any such use," TechDirt wrote.

According to the police report and interviews with officials, "none of the attackers' emails or other electronic communications have been found, prompting the authorities to conclude that the group used encryption. What kind of encryption remains unknown," the Times reported.

But that's not how encryption works! "If they're using encrypted emails, the emails don't disappear," TechDirt countered. "You still can see that they exist, and the metadata of who sent messages to whom remains. It's just that you can't read the contents of the emails. This is bogeyman thinking about encryption, where people think it does something it doesn't actually do."

Later in the article, the Times recounted how "one of the terrorists pulled out a laptop, propping it open against the wall, said a 40-year-old woman. When the laptop powered on, she saw a line of gibberish across the screen: 'It was bizarre -- he was looking at a bunch of lines, like lines of code. There was no image, no Internet,' she said. Her description matches the look of certain encryption software, which ISIS claims to have used during the Paris attacks," the Times wrote.

TechDirt savaged that logic as well:

OH MY! 'A bunch of lines, like lines of code'?!?!?! Must be encryption! Or, you know, Linux. Or some other system that doesn't start with a graphical user interface. And even if it was encryption, then he wouldn't be looking at it in encrypted form. To read encrypted messages you decrypt them first. Nothing in this paragraph above makes any sense at all as 'proof' of encryption. It just seems like proof of the reporters' technology ignorance.

This kind of ignorance is likely to sway public opinion further against encryption after the attacks in Belgium. The FBI "will use this [latest] terrorist attack to advance its case," Avivah Litan, a vice president at market researcher Gartner, told USA Today. "The public reacts very strongly to these types of incidents and insists the government needs to do what is necessary to get the bad guys."

But according to Fight for the Future's Greer, events in Belgium could as easily be seen to underscore the need for encryption, as security codes and details about staff and critical infrastructure are stored in the cloud and encrypted at most major airports. "If the FBI had its way weakening encryption with Apple, it makes most airports that much more vulnerable to these attacks, not less," Greer said.

Gartner's Litan also feels the FBI's witch hunt against encryption is misplaced and ill-timed. "The cat is already out of the bag with all of the advancements in encryption software," she wrote in a blog. "Even if Apple or Google were to make it possible for the government to unlock an iPhone or Android phone and read their encrypted communications, there are other encryption applications terrorists and criminals could use on most smartphones that Apple and Google could not help the government crack."

These independent encryption programs -- such as Open Whisper, which Edward Snowden recommends using -- live inside an application and are not dependent on a smartphone's operating system.

"It doesn't make any sense to put so much pressure on Apple or Google when in the end, they don't control all the keys to the kingdom, even for apps on their smartphones," Litan added. "There's plenty of [meta] data out there for the FBI to work with. I wish they would stop bullying Apple and the technology industry around and spend their time and energy instead on figuring out how to rise to the challenge." 

In a briefing this week, Amnesty International's Deputy Director for Global Issues Sherif Elsayed-Ali warned: "Encryption is a basic prerequisite for privacy and free speech in the digital age. Banning encryption is like banning envelopes and curtains. It takes away a basic tool for keeping your private life private."

Not to mention securing your financial data and personal information, maintaining the privacy of your medical records, and guaranteeing the confidentiality of businesses' clients and trade secrets. It seems like a lot to throw under the bus to assuage the FBI's insatiable itch for access.

Copyright © 2016 IDG Communications, Inc.