To avoid helping the FBI search the San Bernardino terrorist’s phone, Apple and its CEO, Tim Cook, are going to spend weeks in court, and probably on Capitol Hill. That means that for the first time the government will have a chance to use subpoenas and discovery to judge the truth of the claims that the famously secretive Silicon Valley company and its allies have been making. This should be fun.
Apple's story is that helping the FBI would require an “unprecedented and unreasonably burdensome” code-writing exercise and that once the code is written, authoritarian regimes like China's will demand that Apple use the code to help them spy on their citizens.
Okay, then. Now that narrative can be tested against the facts. So here, in the form of an open letter, are some of the questions I’d ask Tim Cook if I had him under oath.
Dear Tim Cook,
In court, you’ve said that it would take two to four weeks to write the code the FBI wants, using a small team of 6-10 Apple employees. This is too much work, your lawyers told the court, especially since it might end up helping repressive regimes surveil their own people.
What I’d like to know is just how much work you’ve already done for repressive regimes surveilling their own people:
One repressive regime in particular, actually. China's.
1. In 2014, you moved your Chinese users’ iCloud backup to China. You didn't announce it in advance. In fact, you didn't acknowledge the move until it was leaked, at which point you said only this: "Apple takes user security and privacy very seriously. We have added China Telecom to our list of data center providers to increase bandwidth and improve performance for our customers in mainland China. All data stored with our providers is encrypted, China Telecom does not have access to the content."
Well, that's really good news about your taking privacy and security seriously. But your statement raises more questions than it answers. Just because the data is encrypted and not available to the owner of the data center doesn’t mean it is not available to the Chinese government on request. So:
- Is iCloud data stored in China available to the Chinese government upon request under Chinese law?
- Did moving the data to China make it more easily available to China by eliminating oversight from the government of the country where the data used to be stored? ("Well, duh," is an acceptable answer here.)
- Did you write a long brave public letter to your customers explaining the privacy dangers of this move and calling it a “back door” for the Chinese government? (If so, I missed it; maybe you can provide the link?)
- Speaking of which, have you ever explained whose data is stored in China? Mine? Jim Comey’s? What about users in Hong Kong, Singapore, and Taiwan, or Americans who might have bought an iPhone in China? (Maybe that was covered in your open letter to Chinese customers; but it seems to have gone astray.)
- Also, other tech companies like Google have refused to store their users’ data in China. Is that because they care more about their customers’ privacy than Apple does? (Hey, Tim, maybe you could use that as a market differentiator: "Remember, when you buy a Chinese iPhone, you are the product.")
- Oh, and could you please compare the cost incurred by Apple in moving its iCloud storage to China for the convenience of the Chinese security apparatus to the cost of complying with that “unreasonably burdensome” FBI request? Did you spend more than two weeks and use more than six employees to move and store all that data? (If you haven't got "Well, duh" programmed into CTRL-C yet, this might be a good time. We aren't close to done.)
- While we’re at it, how many times have Chinese authorities accessed the data that you moved? Or do they have the key to that cloud encryption you bragged about in your public statement?
2. Not long after you moved your iCloud storage to China, the government allowed Apple to start selling the iPhone 6, though only after weeks of negotiations with China over “security issues.” (Just as an aside, that was a coincidence, wasn’t it? I mean, the Chinese government wouldn’t play hardball like that, and if they did, the Tim Cook I know would have written a bold libertarian letter to Apple customers loudly rejecting any such linkage, right? Maybe we should just subpoena your internal email on that topic to be sure, hmmnh?)
3. But the Chinese government still wasn't done with you, were they? As soon as the iPhone 6 went on sale in China, the Chinese government launched a man-in-the-middle attack on communications between new phones and Apple’s iCloud. According to human rights campaigners at greatfire.org, the Chinese government used a fake Apple certificate to steal the logon credentials and passwords of every Chinese iPhone 6 user who clicked through the warning notice to connect to the iCloud. Apple issued a statement explaining that users shouldn’t click through such warnings. Here’s how it begins:
"Apple is deeply committed to protecting our customers’ privacy and security. We’re aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously. These attacks don't compromise iCloud servers, and they don't impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser."
Well, phew! What a relief. You're committed to privacy and security (still!), and there's something intermittent happening but it doesn't compromise and it doesn't impact. Somehow, though, the statement never gets around to mentioning the Chinese government’s role in the attacks or the terrible precedent of letting a government use fake certificates as a “back door.” Did that get left on the cutting room floor? Just for comparison purposes, here's how your letter to customers about the FBI court order begins:
"The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand."
So, pretty much the same, huh, except for all the righteous thunder and finger pointing and threatening and demanding and opposing. Maybe your internal emails about that incident, and the edits the statement went through on its way to publication would help us understand why an indiscriminate attack on all iPhone users in China didn’t require that you give China’s Minister of Public Security the full Jim Comey treatment.
4. Actually, that wasn’t Apple’s first compromise with China’s security agencies, was it? The Apple 4S, introduced two years earlier, was modified for sale in China: Apple added a special chip that supported a very special Chinese version of wifi, called WAPI. WAPI, it turns out, has its own, different brand of encryption. How different? Who knows? The Chinese government refused to reveal which encryption algorithms it was adding to WAPI, claiming that they must remain state secrets.
Outside of Apple, WAPI didn't earn much enthusiasm in tech circles. When China tried to make WAPI a standard, engineers revolted, arguing that “almost no commercial market will trust or accept unknown ciphers.” Others said plainly that “without WAPI being fully published for examination, there's no way to determine the strength and integrity of the protocol--including whether backdoors are part of the standard.” The United States government fought against WAPI, and China eventually agreed to abandon its efforts to make this suspect protocol a national or international standard.
But you built it in anyway. (Good old Apple! You've been defying the US government on security issues for years, haven't you? And not even asking for any credit!)
- So, maybe you can explain why a secret encryption system that everyone suspects of having a real back door is good enough for Apple’s customers in China? Also, when the FBI wants a court order, you apparently have no difficulty calling it a back door. So what exactly did you call the back door in WAPI? (I’m still looking for the link to your courageous letter to Chinese customers on that topic.)
- Was Jim Comey’s problem that he didn’t ask you to adopt a secret NSA encryption algorithm that you could build into all your phones here? (There's still time to fix that!)
- Oh, and maybe you could compare the two to four weeks of effort that the FBI wants from a small team of Apple employees to the amount of effort that Apple spent writing code to support the Chinese government’s secret WAPI encryption chip for Apple's Chinese products.
- And could you also explain why you seem to think the Chinese are waiting with bated breath to find out what precedent Judge Pym will set on the FBI's request to defeat a single security feature on a single phone? 'Cause if they've already gotten you to install a fully backdoored WAPI encryption system on every Chinese iPhone, what do the Chinese need with the code you plan to write for the FBI if and when the President actually declares martial law and occupies Cupertino?
- Finally, for extra credit, can you confirm or rebut claims that the mysterious WAPI chips you built into the iPhone have been designed to receive signals on undisclosed frequencies, and that this opens up the possibility that they are being used by the Chinese government to carry out surreptitious two-way communications with any Chinese iPhone of interest as soon as it is turned on? (I mean, you're such privacy-loving techies and all. I'm sure you devoted as much engineer time to getting to the bottom of that as you did to your briefs opposing the FBI. Being as how they're your phones and all.)
Anyway, all the best, and many thanks, Tim.
I’m really, really looking forward to your testimony.
Yours truly,
Stewart Baker
See also Export Controls on Encryption: https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States
Yay Apple/China hit piece. You had to figure that *this* would be one of the first articles critical of Apple seeing as they really didn't have a choice about putting their iCloud servers in China as a requirement for doing business there.
Hey Stewart, care to petition the government to drop export controls on the encryption we enjoy here in the US (or prove that the ones the BIS approves are _not_ also backdoored)?
...didn't think so.
Posted by: cryptographrix | Mar 01, 2016 at 11:44 AM