
Apple To FBI: Encryption Rules Out Handing Over iMessage Data In Real Time

Mark Wilson writes that Apple has balked at a court order to provide the FBI with the contents of text messages among users of its iMessage service, claiming that the encryption it uses to protect these messages makes handing over the messages themselves impossible. From the article: The Justice Department obtained a court order that required Apple to provide real time access to text messages sent between suspects in an investigation involving guns and drugs. Apple has responded by saying that the fact iMessage is encrypted means that it is simply not able to comply with the order. The stand-off between the US government and Apple could last for some time as neither side is willing — or possibly able — to back down.
  • Why not ... (Score:5, Insightful)

    by zeugma-amp ( 139862 ) on Tuesday September 08, 2015 @10:57AM (#50479011) Homepage
    ... give them what they are asking for? Just hand over the encrypted data and say "good luck with that".
    • Re:Why not ... (Score:5, Insightful)

      by MasseKid ( 1294554 ) on Tuesday September 08, 2015 @11:02AM (#50479039)
      Exactly. This is the data Apple has, it's the data being requested, the fact that neither Apple nor the FBI can do anything useful with it should be of no legal concern to Apple.
    • Re:Why not ... (Score:5, Interesting)

      by Daniel_Staal ( 609844 ) <DStaal@usa.net> on Tuesday September 08, 2015 @11:06AM (#50479067)

      Because the FBI will argue that's not the contents of the messages - it is something else. So Apple would be resisting the court order anyway.

      In fact, Apple may well be doing that, and this is how it's being reported.

      • Re:Why not ... (Score:5, Interesting)

        by Anonymous Coward on Tuesday September 08, 2015 @01:12PM (#50480479)

        Because the FBI will argue that's not the contents of the messages - it is something else. So Apple would be resisting the court order anyway.

        They will never, ever, ever argue that in court. Because if the judge agrees, that would be precedent that would pave the way for a solid Fifth Amendment defense against surrendering encryption keys. As much as the FBI would like a ruling on that -- it's currently a legal grey area, as there's not been a good test case -- they *really* don't want to set precedent that key surrender would be testifying against one's self... which, if they argue that encrypted data is fundamentally different from the desired decrypted data, they will have done. (If encrypted data is fundamentally different (and is not simply a "locked" version of the data, as the FBI would prefer people to misunderstand it...), then forcing people to decrypt their data is forcing them to create evidence against themselves.)

        • Re:Why not ... (Score:4, Insightful)

          by ihtoit ( 3393327 ) on Tuesday September 08, 2015 @03:19PM (#50481771)

          Why would Apple have the keys anyway? This is what they're basically trying to say, they might have the algorithm but without the salt (key) which only the USERS will have, and to each one totally unique, it's fucking useless.

    • Re:Why not ... (Score:5, Insightful)

      by FlyHelicopters ( 1540845 ) on Tuesday September 08, 2015 @11:06AM (#50479071)

      Apple will end up doing that I imagine, but they also want the publicity of "not handing over iMessage data to the FBI" before they do it.

      • Re:Why not ... (Score:4, Insightful)

        by macs4all ( 973270 ) on Tuesday September 08, 2015 @11:15AM (#50479159)

        Apple will end up doing that I imagine, but they also want the publicity of "not handing over iMessage data to the FBI" before they do it.

        Or, maybe, just maybe, they don't want to force the Court into finding Apple in Contempt, with possible sanctions of who-knows-how-much per day until they "comply" with an Order with which they really can't comply (because they really don't have a "master key").

        Or even worse, the DoJ gets some fascist Judge to Order Apple to install a backdoor, and it turns into a REALLY ugly (and expensive) fight.

        BTW, this really should shut up all the slashtards that say that Apple secretly colludes with the Gummint; but it won't.

        • Re:Why not ... (Score:4, Insightful)

          by dunkindave ( 1801608 ) on Tuesday September 08, 2015 @11:24AM (#50479247)

          BTW, this really should shut up all the slashtards that say that Apple secretly colludes with the Gummint; but it won't.

          I think your faith in a human's ability to logically think past their biases is overblown. They will just claim it is a PR stunt to fool people into believing Apple can't read the messages while they are secretly handing over all the data. Never try to argue with a conspiracist since, no matter how sound your evidence, you will never win them over. As the saying goes, never argue with a fool, lest you are brought down to his level.

        • Or even worse, the DoJ gets some fascist Judge to Order Apple to install a backdoor, and it turns into a REALLY ugly (and expensive) fight.

          This fight has already happened. The Clipper Chip [wikipedia.org] fiasco of the 1990s clearly showed that the American public is not willing to tolerate either the loss of privacy or the loss of tens of thousands of jobs that would result. The government would have no greater ability to monitor us, because we would switch to equipment manufactured outside America.

    • Re: (Score:3, Insightful)

      by Gr8Apes ( 679165 )
      This exactly, if there is a warrant hand over the information you have. I don't believe safe makers have to open safes subject to a warrant. So why is this any different? (The FBI could always contract Apple to attempt to crack the message, similar to a safe company being hired to attempt to break into a safe, but that's different than the "real time" access asked for)
      • Safe makers will open safes for the police, with a court order. Assuming the owner is not present to do so. This is different from a safe though, there's no master key, there's no mechanical vulnerability. There's just brute force decryption. Apple could just say "Sure, we'll provide you with the contents. We'll require X number of days per message at $Y/day to operate a dedicated server farm for the task"

        • Safe makers will open safes for the police, with a court order. Assuming the owner is not present to do so. This is different from a safe though, there's no master key, there's no mechanical vulnerability. There's just brute force decryption. Apple could just say "Sure, we'll provide you with the contents. We'll require X number of days per message at $Y/day to operate a dedicated server farm for the task"

          Yes, and safe makers (or more realistic, locksmiths) will open safes using brute force... for a fee...

          The problem with the latter suggestion is there is no way to decrypt heavily encrypted information, short of a flaw in the encryption system...

          No amount of servers or days would ever matter, it is not possible in the remaining life of the universe to try even half the encryption keys in a 256-bit encrypted message.

      • This exactly, if there is a warrant hand over the information you have. I don't believe safe makers have to open safes subject to a warrant. So why is this any different? (The FBI could always contract Apple to attempt to crack the message, similar to a safe company being hired to attempt to break into a safe, but that's different than the "real time" access asked for)

        They don't have to, but for a fee, they will.

        This is the problem with encryption, unlike safes, which can all be broken into, encryption cannot.

    • by cdrudge ( 68377 )

      Because ultimately they'd still end up in court fighting over how to do something that technically (and hopefully) isn't possible. Might as well do that from the beginning instead of going through the hassles and expense of setting up some type of monitoring infrastructure to receive useless data in the end anyways.

    • Because unless the users generated their own encryption certificates, Apple can easily keep a copy of the private key and not tell you.

      • by grahammm ( 9083 )

        If the encryption uses Perfect Forward Secrecy (eg an ECDHE or DHE cipher suite) then even having the private key to the certificate will not enable anyone to discover the ephemeral session key needed to decrypt the message.

        • I don't think anyone but Apple can verify what effective type of encryption is used. It might be flawed or insecure, who knows? The end-to-end is controlled by Apple and closed-source.

    • It might be because knowing the plaintext and other data Apple might have as the originator in this case might be a crucial step towards figuring out their cypher scheme.

    • Just because the FBI says they cannot crack it . . . doesn't mean that our feathered friends in the NSA can't crack it. Or, maybe the FBI *can* crack it . . . but don't want it generally known, that they can crack it.

      When you crack an enemy's code . . . you don't want to let it be known. Otherwise, they will switch to a stronger code.

      Other "Wet Work" methods could be used in this case: the FBI could bribe or blackmail the right Apple sysadmin.

      • by gtall ( 79522 )

        "the FBI could bribe or blackmail the right Apple sysadmin.", sure and hand Apple all the ammo they'd need to beat the snot out of the FBI in court. Stop watching TV.

      • Just because the FBI says they cannot crack it . . . doesn't mean that our feathered friends in the NSA can't crack it.

        They can crack it, if Apple has a master backdoor key. But Apple would be pretty stupid to do that, if it exists, someone will find it sooner or later.

        Private things tend not to stay private forever and Apple is a business that needs a product to sell.

        • by jo_ham ( 604554 )

          Apple have stated in the past that one of the features of iMessage is that they can't decrypt them and the fact that this court case exists seems to suggest they weren't just saying that (also, if they're caught in that lie, assuming it is one, the PR fallout would be enormous).

          I'm not sure how they can't decrypt them, since iMessages are synced quickly and easily across all devices that share the same Apple ID (if you want them to), so you'd just assume that since Apple knows your ID it would be able to de

          • I'm not sure how they can't decrypt them, since iMessages are synced quickly and easily across all devices that share the same Apple ID (if you want them to), so you'd just assume that since Apple knows your ID it would be able to decrypt the messages themselves that clearly pass through their servers.

            Since you can sync PGP-encrypted emails across devices, they didn't need to invent anything new.

            Even PFS has been around for a while, so each message could be encrypted with a different session key if they implemented that.

            Encrypting text messages is no different than emails---you're just sending the message to a phone# or Apple ID instead of an email address.

          • Apple have stated in the past that one of the features of iMessage is that they can't decrypt them and the fact that this court case exists seems to suggest they weren't just saying that (also, if they're caught in that lie, assuming it is one, the PR fallout would be enormous).

            Right, so at the end of the day, the only thing you have to go on is how much you trust Apple.

            That being said, I actually didn't know that is how it worked on the iPhone (bloody too many things to keep up with these days), so this was all news to me.

            But then I don't care that much, nothing I'm sending via message on my phone is actually private, if the FBI or NSA was reading them, they'd be bored.

            If I cared, I'd learn more about it and probably not trust Apple anyway, finding something else.

      • doesn't mean that our feathered friends in the NSA can't crack it.

        Last I checked, people who work there don't have feathers. You may be thinking of the spokesbirds for the Bay Bridge though.

    • Just hand over the encrypted data and say "good luck with that".

      Because Apple has a team of lawyers that will inform that stupid stunts like that will get an obstruction charge. A polite response may get them a new request for the encrypted data, or not.

      See also, Lavabit, which tried to be clever.

      Also, compare to that polite letter about how it's a TOR exit node recently posted on Slashdot.

      FBI agents are people. They're going to demand that their requests are either given the replies they expect from th

  • for the BFI
  • by xxxJonBoyxxx ( 565205 ) on Tuesday September 08, 2015 @11:07AM (#50479079)

    As I understand the iMessage, Apple hides some of the key selection process from end users. (This is considered a good thing - without it, fewer people would use it because it would be like using PGP.) If Apple was compelled, they could also encrypt outgoing messages with one of the FBI's public keys and either send the same message across the wire (where the FBI could pick it up) or send a second message encrypted just for the FBI to the FBI. Either method would be discoverable, but Apple could paper over that issue in its interface because it controls the software. (Apple could also limit the discoverability of such a "feature" by using its phone home key request to request the FBI's key for and encrypt only certain monitored people's communications - that way most security experts WOULDN'T see a change.)

    Long story short, Apple COULD provide real-time access to encrypted messages, but it would take a little work to sneak that in, and eventually someone would find it.

    • Re: (Score:3, Insightful)

      by Gr8Apes ( 679165 )
      This would be akin to backdooring a safe. Not something Apple wants to do. It's not that it cannot be done, it's that doing so violates the security and integrity promises made to customers, and then those customers would go elsewhere, effectively ruining the business.
    • Re: (Score:3, Insightful)

      by macs4all ( 973270 )

      Long story short, Apple COULD provide real-time access to encrypted messages, but it would take a little work to sneak that in, and eventually someone would find it.

      Or maybe, just maybe, Apple really doesn't like what the Gummint is doing, and is doing everything in its power to passively-resist.

      Did you ever ONCE stop to consider that possibility?

      • by Nidi62 ( 1525137 )

        Long story short, Apple COULD provide real-time access to encrypted messages, but it would take a little work to sneak that in, and eventually someone would find it.

        Or maybe, just maybe, Apple really doesn't like what the Gummint is doing, and is doing everything in its power to passively-resist. Did you ever ONCE stop to consider that possibility?

        Or maybe, just maybe, Apple really doesn't like the Gummint trying to force it to do something that could hurt profits.

        • by gtall ( 79522 )

          Yes, I know it is hard for you to fathom, companies are generally in the business of making money.

        • Or maybe, just maybe, Apple really doesn't like the Gummint trying to force it to do something that could hurt profits.

          Which is the absolute best possible reason for a company to want to support its users. "Don't Be Evil" is only good until it starts costing shareholder value, and then investors revolt. You want it to be in a corporation's best financial interests to act in your best personal interests.

      • The key is to strike some sort of balance. If the FBI has a court-issued warrant saying they can eavesdrop in real-time on a text conversation between two people's phones, then there's really not much room for one to argue that their privacy rights should override the warrant. Being able to eavesdrop in on conversations over a communications network after a warrant has been granted has been a well-established legal process for close to a century.

        What you don't want is the FBI slurping up everything the
    • Exactly. iMessages are encrypted on the sending device for each receiving device. If I'm sending an iMessage from my iPhone to my friend who has an iPad, a Mac, and an iPhone, all of which are registered to receive iMessages, my iPhone (if my memory serves; glossing over some details):
      1) Asks Apple's iCloud for each of the public keys associated with my friend's Apple account
      2) Gets back public keys, one each for the iPad, Mac, and iPhone
      3) Encrypts the message for each device (symmetric key locked behind t

    • Apple could also push out software updates that record all activity on all Apple devices, and forward all of that data to the FBI. It would probably be detected, but they COULD do that.

      But that would just be blatantly unethical. And they're not Microsoft, so I don't expect them to do that anytime soon.

  • by BoRegardless ( 721219 ) on Tuesday September 08, 2015 @11:07AM (#50479083)

    Pretty well defines what is good.

    Once the industrialized countries outlaw encryption, I don't know how the banking system can survive.

    But, of course, the US govt. will continue using encryption for their docs.

    • by Opportunist ( 166417 ) on Tuesday September 08, 2015 @11:13AM (#50479143)

      There's an easy solution for this. You simply apply to your government to use encryption. And of course deposit the master key with them. Then you may encrypt as you please.

      You do trust your government, don't you?

      • Forget trusting the government to not abuse it, they won't be able to secure it. Once a random hacker grabs the keys, open season on all of banking.
    • Pretty well defines what is good.

      Once the industrialized countries outlaw encryption, I don't know how the banking system can survive.

      But, of course, the US govt. will continue using encryption for their docs.

      The Gummint doesn't have to ask for Android messages, because they have already embedded keyloggers into thousands of Android Apps.

      Hey, if slashtards can engage in wild speculation about Apple colluding with the Gummint, why would they not believe it about Android Apps?

      • thousands of Android Apps.

        Apps cannot (CANNOT) keylog without you having rooted your OS intentionally (it's not something that can be sneakily done as it generally involves wiping your phone).

        Let's not let ignorance cloud the discussion.

        • thousands of Android Apps.

          Apps cannot (CANNOT) keylog without you having rooted your OS intentionally (it's not something that can be sneakily done as it generally involves wiping your phone).

          Let's not let ignorance cloud the discussion.

          Oh yes, let's not let ignorance cloud the discussion. After all, it's impossible to find any app available online that natively contains data gathering capabilities or remote logging.

          Yes, you heard me right. That cannot (CANNOT) ever happen.

          It's as inconceivable as the concept of sarcasm.

        • umm just so you know.

          ANY keyboard app. can key log with root. All you have to do is install it. It even pops a warning telling you that could exactly happen.

        • by DrVxD ( 184537 )

          Let's not let ignorance cloud the discussion.

          You do realise this is slashdot, right?

    • by Luthair ( 847766 )
      Perhaps they just haven't asked yet, these rulings aren't preemptive.
    • by Solandri ( 704621 ) on Tuesday September 08, 2015 @11:30AM (#50479295)
      Android uses regular SMS for texts, which was never encrypted on any OS. The FBI would be asking the carriers for copies of those, unless it's over the Google Hangouts app using a Google Voice number, in which case they'd have to ask Google.

      Apple runs the iPhone texts over their own iMessage service, which has a gateway to SMS for messages sent to non-iPhone users. (Which is also a problem since if you used to have an iPhone but switched to any other phone, Apple keeps iMessage texts sent to you within iMessage and blackholes them to a nonexistent iPhone, instead of forwarding them over the SMS gateway to your new phone. Part of their user lock-in strategy. They're actually fighting in court for the right to keep doing this, instead of not being dicks and fixing it.)
      • Part of their user lock-in strategy.

        It's a piss-poor strategy, considering they host a webpage for deregistering your iMessage account [apple.com].

        They're actually fighting in court for the right to keep doing this, instead of not being dicks and fixing it.

        Citation needed: that's an extraordinary claim, and one that's utterly failed to make headlines.

      • by jo_ham ( 604554 )

        Android uses regular SMS for texts, which was never encrypted on any OS. The FBI would be asking the carriers for copies of those, unless it's over the Google Hangouts app using a Google Voice number, in which case they'd have to ask Google.

        Apple runs the iPhone texts over their own iMessage service, which has a gateway to SMS for messages sent to non-iPhone users. (Which is also a problem since if you used to have an iPhone but switched to any other phone, Apple keeps iMessage texts sent to you within iMessage and blackholes them to a nonexistent iPhone, instead of forwarding them over the SMS gateway to your new phone. Part of their user lock-in strategy. They're actually fighting in court for the right to keep doing this, instead of not being dicks and fixing it.)

        No they're not - they have a website you can go to that will de-register your number and fix the problem of vanishing SMS messages if you move to a non-iOS phone if you don't switch off the iMessage system on that number before changing phone.

        It takes about 5 minutes and you receive a text message when it completes.

        The official method to shut off iMessage is to do it before you stop using the iPhone, and that used to be the only way (leaving people stuck, since it's easy to forget to do it), but the website

    • Any attempt to ban encryption would be met with huge pushback from many sectors, and there's a very good case to be made that encryption == speech anyway, so a ban likely wouldn't stand up to a Constitutional test.

  • We'll finally get to see what "impossible" really means if said by a software company. As in "It is impossible to unbundle IE from Windows".

    Anyone holding a bet that this impossible mission will be made possible?

    • by jo_ham ( 604554 )

      Well, they can reset your Apple ID password to something they know and then get the data, so it's not "impossible", but if they do that then you'll know it has happened.

      Bar that, however, I think they set it up so that they couldn't decrypt the data any other way, even when pressed with a court order.

  • ... from Apple ? Making all Android-based vendors look like bad guys, while making themselves look like good guys. Maybe it will help sales as well.

    • by gtall ( 79522 )

      No, that isn't it, Apple coerced the government into making these demands so they could make all the Android-based vendors look bad. Anything is possible if you use your imagination.

  • by xxxJonBoyxxx ( 565205 ) on Tuesday September 08, 2015 @11:15AM (#50479161)

    Also, "Black-box" testing uncovers several ways the NSA could tap iMessage (from 2013)
    http://arstechnica.com/securit... [arstechnica.com]

  • ...is if court decides to sanction Apple. After all, there's a lot of money in Apple's coffers which the court could use to incentivise Apple into doing its bidding or risk losing. Of course, Apple will appeal any such sanction but it could have a massive impact on the stock price in the meantime...and could cause Apple to rethink its cash reserves.

    Just saying...
  • According to the article:

    Despite a court order instructing the company to hand over text conversations between iMessage accounts to the FBI,

    How was the court order to do this obtained? Is the FBI investigating someone? Is there some other case in progress?

    • The answer is in the second sentence of the article: The Justice Department obtained a court order that required Apple to provide real time access to text messages sent between suspects in an investigation involving guns and drugs.
  • The FBI needs to start hiring smarter people who understand how technology works.

  • by epyT-R ( 613989 ) on Tuesday September 08, 2015 @11:25AM (#50479257)

    If the FBI really wants access, they could get an NSL issued, forcing Apple to comply by compromising their own system... and they couldn't tell their customers about it.

    Until this is fixed, there's no way in hell I will believe any grandstanding on the part of any vendor.

    • An NSL cannot force a company to modify their hardware or software, only to grant access to what they already have. It is just a special kind of subpoena, one that the head of the FBI can issue without going to a court (which is why I think it would fail if brought to the Supreme Court), and can require the recipient not to divulge that it occurred. It only grants access to existing information, and cannot compel them to perform actions beyond pulling stored data or attaching a wire tap. Forcing a compan
      • by epyT-R ( 613989 )

        I'm fairly sure an NSL can compel them to break future updates of hardware and software so that a wiretap is workable, and the gag order will prevent them from telling anyone about the new compromise.

        • I'm fairly sure an NSL can compel them to break future updates of hardware and software so that a wiretap is workable, and the gag order will prevent them from telling anyone about the new compromise.

          Well, the people doing the biggest attacks against NSLs, the EFF, has this to say:

          "While NSLs are unconstitutional, even the government admits that they can only be used to obtain limited information, which does not include forcing anyone to backdoor a product."

          Do you believe the EFF doesn't know what it is talking about?

    • I've seen an NSL, it is a piece of paper... nothing more or less.

      First response is to nicely tell the FBI agent that I'm happy to comply once I speak to my lawyer and he shows up with a warrant from a judge.

      Said, "very nicely" since you never want to piss off a government agent. But at the end of the day, it is just paper.

  • Disinformation? (Score:3, Interesting)

    by dszd0g ( 127522 ) on Tuesday September 08, 2015 @12:00PM (#50479569) Homepage

    I wonder if these fights are just disinformation to try to convince criminals/terrorists that they can use iMessage. The government lets a criminal get away with it in a case they don't really care about or can convict them without it anyways and makes a lot of press, and then has access to it in all the cases they do care about.

    iMessage is designed with warrants in mind if you read over the protocol documentation. Each device has its own key and is tied to your Apple ID. If you have an iPhone, a Macbook, and an iPad each device has its own encryption key. When someone sends you an iMessage, Apple sends them the public key for each of the 3 devices and then the encrypted message is sent to each device which uses its private key to decrypt the message.

    When a warrant is issued, all Apple has to do is add a 4th, "FBI device" to your Apple ID and anyone sending you an iMessage also gets encrypted with that key.

    As Apple controls the user interface and they provide no way to view how many keys an iMessage is being encrypted with, there is no easy way to see if an extra key for eavesdropping is being used. There may be ways if one monitored the size of the traffic, but I am not aware of that work being done. Anyone who had the need to make sure they weren't being spied on by the government, wouldn't use iMessage.
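
The per-device key list described in the post above is also something a sending client can check. As an added example (not part of the original comment and not Apple's code), this sketch pins device-key fingerprints verified out of band and flags any key the directory returns that was never verified; `PinStore`, `plan_fanout` and the byte strings standing in for public keys are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Short, comparable identifier for a device public key."""
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass
class PinStore:
    """Fingerprints the sender has verified out of band, per contact."""
    pins: dict = field(default_factory=dict)

    def verify(self, contact: str, public_key: bytes) -> None:
        self.pins.setdefault(contact, set()).add(fingerprint(public_key))

    def audit(self, contact: str, directory_keys: list) -> dict:
        """Compare the directory's answer with what was verified earlier."""
        offered = {fingerprint(k) for k in directory_keys}
        pinned = self.pins.get(contact, set())
        return {
            "verified": sorted(offered & pinned),    # safe to encrypt for
            "unverified": sorted(offered - pinned),  # new key: needs review
            "missing": sorted(pinned - offered),     # device removed or withheld
        }


def plan_fanout(store: PinStore, contact: str, directory_keys: list,
                strict: bool = True) -> dict:
    """Decide which device keys one message would be encrypted for.

    In strict mode a key the sender never verified gets no copy of the
    message; in permissive mode it gets one, but the alert is still raised.
    """
    report = store.audit(contact, directory_keys)
    recipients = list(report["verified"])
    held_back = list(report["unverified"])
    if not strict:
        recipients += held_back
        held_back = []
    return {
        "recipients": recipients,
        "held_back": held_back,
        "copies": len(recipients),  # one ciphertext per recipient device key
        "alert": bool(report["unverified"]),
    }


# Constructed sample data: placeholder bytes standing in for public keys.
IPHONE = b"constructed-pubkey:friend-iphone"
MACBOOK = b"constructed-pubkey:friend-macbook"
IPAD = b"constructed-pubkey:friend-ipad"
EXTRA = b"constructed-pubkey:device-never-verified"

# Directory answers on two different days (constructed).
DIRECTORY_DAY_1 = [IPHONE, MACBOOK, IPAD]
DIRECTORY_DAY_2 = [IPHONE, MACBOOK, IPAD, EXTRA]


def build_store() -> PinStore:
    """Pin the three devices the sender checked with the friend in person."""
    store = PinStore()
    for key in (IPHONE, MACBOOK, IPAD):
        store.verify("friend", key)
    return store


if __name__ == "__main__":
    store = build_store()
    for day, keys in (("day 1", DIRECTORY_DAY_1), ("day 2", DIRECTORY_DAY_2)):
        plan = plan_fanout(store, "friend", keys)
        print(day, "copies:", plan["copies"], "alert:", plan["alert"],
              "held back:", plan["held_back"])
```

The check only works if the client shows the key list to the user and the pins are established through a channel the directory operator does not control.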

    • by guruevi ( 827432 )

      But then you would be able to 'see' that device on your list of devices or at least see the extra traffic. Additionally you can't just add an extra device to your list without entering a pin number or password which acts as access to your private key.

      There is no way of hiding the extra device with such public key exchanges (your device needs to encrypt an extra message) and even when Apple can do that, someone will find out the functionality and then nobody will trust anything Apple ever says again.

      You can'

  • Apple *is* able to hand over the messages, but is legally obliged to maintain appearances toward the public that it can't through a theatrical court process ?

    This is paranoid, but is there any way to disprove this theory ?
    • by bledri ( 1283728 )

      Apple *is* able to hand over the messages, but is legally obliged to maintain appearances toward the public that it can't through a theatrical court process ? This is paranoid, but is there any way to disprove this theory ?

      Or they believe it's in their best interest to support their customer's right to privacy. One nice thing about Apple is that they make their money selling devices and taking a cut of App sales rather than selling Ads and data about their customers.
