Saturday, March 5, 2016

FBI v. Apple and My Own Uncrackable Authentication Code

Recently, the FBI moved for an ex parte order to force Apple to create and digitally sign operating system code that Apple did not want to create.  "Ex parte" means that they wanted the judicial order granted without letting Apple fight it in court: a "shoot first and sort everything else out later" approach, brought under the All Writs Act in what is said to be an unprecedented application of that statute.  Once the FBI had its hands on the program Apple would create under the threat of force, all the court proceedings in the world couldn't prevent them from using it on any phone they chose.  So Apple moved to vacate the order the FBI had obtained ex parte.  Only then did the FBI change its petition so that Apple would maintain control of the phone while the FBI performed the break-in remotely.

We may as well assume that the FBI's motives for proceeding this way were pure: they just wanted to crack the phone used by a mass murderer around the time of the killings, to discover the murderer's collaborators, among other things.  They did not consider the request onerous, and were baffled and frustrated by Apple's refusal to comply.  They were not intentionally trying to pull a fast one before their opponents could react, or if they were, it was only because they were ignorant of the full impact of the order they sought.  Let's just assume the FBI investigators and lawyers had good intentions, and not indulge in darker conspiracy theories.

A number of amicus briefs have been filed in the case on Apple's side.  There is a list of them over here.  The briefs I have read argue on grounds of misuse of the All Writs Act and on First Amendment grounds.  The brief by the Electronic Frontier Foundation (EFF) and "46 technologists, researchers and cryptographers" rests entirely on the First Amendment.  It argues that forcing Apple to write code and digitally sign it is equivalent to forcing Apple to write a letter saying things it doesn't want to say, and then sign it.  Worse, actually, because a digital signature is trusted far more widely and automatically than an ink scribble: every iPhone will act on it without question, so its forced misuse is more dangerous.

The program the FBI wants would disable the protections in the iPhone's operating system that limit passcode guessing: the option to erase the phone after ten failed attempts, the escalating delays between attempts, and the requirement that each passcode be typed on the screen rather than submitted electronically.  Once those precautions are disabled, the passcode can be guessed by brute force, and a short numeric passcode will fall in a relatively short time.  Any police force, spy agency, criminal or hacker would very much like to have such a tool, which could be used to unlock any iPhone running the same operating system.  It is the association of Apple's digital signature with the code that would make the tool effective.  Without Apple's signature to authenticate the program, every iPhone would refuse to install the code, so it would be useless.
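As an added illustration of the two mechanical points in that paragraph (it is not code from the original post, from Apple, or from the court filings), the Go program below models a phone that wipes itself after ten wrong guesses, a "cracking image" whose only effect is to switch that limit off, and an install gate that accepts the image only when it carries a valid signature from the vendor's key.  The ten-attempt threshold, the four-digit passcode, the Ed25519 key pair standing in for Apple's signing key, and the image payload are all assumptions chosen for the model; the per-attempt delay that real hardware imposes is omitted so the loop finishes instantly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// maxAttempts is an assumed lockout threshold for this model, not a claim
// about any real device's setting.
const maxAttempts = 10

// Device models a phone holding a numeric passcode behind an attempt limit.
type Device struct {
	passcode      string
	attempts      int
	wiped         bool
	limitAttempts bool // true on a stock device; the cracking image clears it
}

// NewDevice returns a device in its normal, protected state.
func NewDevice(passcode string) *Device {
	return &Device{passcode: passcode, limitAttempts: true}
}

// TryPasscode reports whether guess is correct. While limits are enforced,
// reaching maxAttempts wrong guesses wipes the device so later guesses fail.
func (d *Device) TryPasscode(guess string) bool {
	if d.wiped {
		return false
	}
	if guess == d.passcode {
		d.attempts = 0
		return true
	}
	d.attempts++
	if d.limitAttempts && d.attempts >= maxAttempts {
		d.wiped = true
	}
	return false
}

// BruteForce4Digit tries 0000..9999 in order. It returns the passcode found
// and the number of guesses made; an empty string means the device wiped first.
func BruteForce4Digit(d *Device) (string, int) {
	for i := 0; i < 10000; i++ {
		guess := fmt.Sprintf("%04d", i)
		if d.TryPasscode(guess) {
			return guess, i + 1
		}
		if d.wiped {
			return "", i + 1
		}
	}
	return "", 10000
}

// crackerImage is a constructed stand-in for the requested software: a
// payload whose only effect is to switch off the attempt limit.
var crackerImage = []byte("passcode-attempt-limit: off")

// InstallImage models the install gate. The image takes effect only if sig is
// a valid Ed25519 signature over it under the vendor's public key.
func InstallImage(d *Device, vendorPub ed25519.PublicKey, image, sig []byte) bool {
	if !ed25519.Verify(vendorPub, image, sig) {
		return false // unsigned or foreign-signed code is refused
	}
	if string(image) == string(crackerImage) {
		d.limitAttempts = false
	}
	return true
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	// 1. Stock device: the brute force dies at the attempt limit.
	d := NewDevice("7391")
	found, n := BruteForce4Digit(d)
	fmt.Printf("stock device: found=%q after %d guesses, wiped=%v\n", found, n, d.wiped)

	// 2. The same image is useless without the vendor's signature.
	d = NewDevice("7391")
	badSig := ed25519.Sign(attackerPriv, crackerImage)
	fmt.Println("attacker-signed image installs:", InstallImage(d, vendorPub, crackerImage, badSig))

	// 3. Vendor-signed, the image installs and the passcode falls quickly.
	goodSig := ed25519.Sign(vendorPriv, crackerImage)
	fmt.Println("vendor-signed image installs:", InstallImage(d, vendorPub, crackerImage, goodSig))
	found, n = BruteForce4Digit(d)
	fmt.Printf("cracked device: found=%q after %d guesses\n", found, n)
}
```

Run it and the stock device wipes on the tenth guess, the attacker-signed image is refused without touching the device, and once the vendor-signed image is accepted the whole four-digit space falls in a few thousand guesses.  That is the entire value of the requested program, and the signature check is the only thing standing between that program and every phone that trusts the same key.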

There may be things that Apple could do to lessen the security risk of having such a highly sought-after phone-cracking program lying about in an authenticated state.  For example, it could cause the phone screen to flash a prominent warning if the program is installed.  After using it once, it could blacklist the phone-cracking program in a regular operating system update so that iPhones in general would refuse to install it in the future.  And probably other things that I cannot imagine.

Whether or not such safeguards can eliminate the risk of creating the phone-cracking code is unknowable, even by the security experts at Apple.  One security threat is slightly unobvious, but severe.  This threat will arise socially, from the inevitability of future requests for the phone-cracker.  If the FBI's request is granted this time, similar requests will certainly be made in the future.  Apple will receive thousands of requests for the program from powerful agencies all around the world, each of them positioned to cause Apple and its customers serious problems if refused.  To comply with all these requests, Apple will have to keep the program in a "weaponized" state, ready for use.  Apple (and every other smartphone supplier) will have to hire a team to maintain and secure the phone-cracking program, to service all of the requests, and to release timely and complete blacklists or other security features after each request is completed.  The team will have to operate absolutely error-free in a high-stakes environment, under constant pressure from police, spy agencies, foreign governments, and hackers.  Every member of the team must resist the temptation of enormous payouts for stealing the code and selling it.  How long do you suppose such a team could operate before the security of the iPhone is seriously compromised, either intentionally or by mistake?  What will be the cost to the smartphone industry, and to our society, when that happens?  If, as seems probable, the phone-cracking program cannot be safely secured once created, the FBI request is self-destructive bureaucratic incompetence at its most farcical, akin to ordering a company to produce weaponized, self-replicating anthrax and release it into the air conditioning system of FBI headquarters.

Suppose, for the sake of argument, that the phone-cracking program can be secured.  Then the legal issues are more nuanced and interesting.  For the sake of considering those arguments, let's indulge in that fantasy for a little while.  If the phone-cracker can be safely secured, then the remaining objection on First Amendment grounds is that writing code is a form of protected speech that the federal government cannot compel, regardless of security concerns.  The EFF brief does a good job of making this argument and pointing out the legal precedent for it.  Apple cannot be compelled to write code that compromises its beliefs and property interests, any more than it could be compelled to advertise or publish natural-language statements that it fundamentally disagrees with or that will do it harm.

A counterargument may be that the FBI just wants a particular phone unlocked and does not really care how it is done, so the request is more like requiring a locksmith to make a key: no compelled speech is involved.  The locksmith analogy should fail in the context of this case, because what is demanded is not a physical key but new code that Apple must author and then vouch for with its signature.  I admit my bias is against allowing any compulsion, but on the law the EFF has the better argument.  If the court ultimately rules that coding cannot be compelled from a citizen even when the compulsion does not create great security risks or economic harm, that will be a step toward a freer society.  So in a sense, the more the FBI argues that no great security risk is involved in cracking the iPhone, the more it sets up the legal landscape for a broader standard protecting software as free speech.

Bear with me; I only seem to be changing the subject abruptly.  I know of an uncrackable sort of signature, although it's not digital.  In a manner of speaking, it's based on quantum effects.  I am my own uncrackable authentication code.  My own unique genetic code, combined with the unique environment in which that genetic code ran its programming, created a unique personality, a sort of emergent mind/body combination that functions both as an autonomous person and as a secure authentication code for that person.  At the same time, I am totally unsigned: no key is required to decrypt me.  That's some hard-core coding.  So forgive me for feeling there might be a kick-ass coder behind all that . . . but we'll save that discussion for another day.

My authentication code couldn't be duplicated exactly, and even if it could, it wouldn't be worth the effort for somebody to make an exact, or even close, copy.  The hacker would just end up with a copy of me, an autonomous person.  What would be the use of that, when natural persons can be supplied more simply by breeding?  Assuming you believe that copying humans for the purpose of stealing their identities is not practically attainable, you can rest assured that my personal presence in the flesh cannot convincingly be faked for long.  Whatever it is I am, it is me that is really there, and not some close copy.  All you need to do is pay attention and make sure.  Put together a group of people like me, who can authenticate each other's identities, empathize with each other, and communicate regarding abstractions such as tomorrow, yesterday, and love, and you've got yourself the basis for a society based on trust.  Each person is their own avatar.

In some environments, the identity of the avatar cannot be relied on.  Consider, for example, an online community in which each member is known by their avatar.  Suppose some of these members have cracked the system so that they can assume the avatar of any other member.  We'll call these members the "shape shifters." Let's consider what sorts of things could happen.

Can a group that includes highly capable shape shifters form a society based on trust?  Suppose only some of the people in the group are capable of and willing to shape shift, and those who cannot shape shift do not know that anyone else can.  The non-shifters will then be manipulated by the shifters, if not to the point of social breakdown, then at least to the point of exploitation: the shifters will get the non-shifters to behave as they never would have, had they not been fooled by the false identities the shifters assumed.

If every member of the group indulges in undetectable shape shifting, the group cannot form a society.  If the members know that all of the others, or an indeterminate number of them, can shape shift, they will not trust anyone, unless every member of the group is always trustworthy.  In the general case, not everyone will be trustworthy, because society is precisely how a group of people builds trust among themselves.  Society is the chicken for the egg of trust, or the egg for the chicken of trust, whichever you prefer.  Where trust has not already been established, it will necessarily be lacking.  Not knowing who is trustworthy, members will avoid being in any position of vulnerability, and so lose out on opportunities to build trust.  They will treat everyone as complete strangers because they cannot tell who is strange and who is familiar; they never know whether or not the avatar they are dealing with is real.  They will avoid social intimacy with others, or strive to dominate and control them.

If some of them do not know that others can shape shift, and still indulge in shape shifting themselves, then the whole of their interactions will be at best a confused, self-deluding muddle; at worst, a murderous cage match.  It is interesting to speculate about different outcomes, but it would be unethical to run such experiments without constraints that would contaminate the results.  The point is, the ability to accurately identify others is fundamental to trust, and trust is essential to positive social interaction.  The more complex the society, the more important it is that every member can accurately identify, and be identified by, every other.

Unless and until online identities are as secure as our identities in the flesh, online societies cannot develop the same level of trust as societies that operate at critical times in the flesh.  This is why it's important to get out to meet your neighbors, to attend meetings of like-minded people interested in mutual aid, and to engage in old-fashioned politics.  These in-person interactions should be used to enable those who participate to get to know one another, to interact in positive ways, and gradually to build up trust.

Surveillance, phone-cracking, undercover police stings, the use of informants, and other acts of subterfuge are akin to shape shifting.  They are fundamentally anti-social activities that operate by undermining trust within groups.  That is part of their purpose: to disrupt socialization within competing groups.  The attack on the iPhone, whatever its motive, if it succeeds, will have the effect of disrupting socialization within the group of everybody who uses a smartphone without a secure operating system.  If the FBI gets what it originally asked for, soon that group will be everybody who uses any kind of smartphone, including the FBI and all of its employees and contractors.

For all the controversy over the FBI request, it is heartening to see so many rallying to the defense of Apple.  It means that the executives of the supporting companies, and the thought leaders in the application of computer science to social needs, understand the importance of personal security on personal terminal devices, whatever their motives.  Some of those same people also have an interest in gathering as much metadata as they can about all of us, and do indeed possess vast troves of this data.  There have been and will continue to be battles over who owns this metadata: the people who collect it, or the people the data is about.  There is a border between the two that needs to be better defined, and there will always be territory on both sides of that border.  So the information barons of the present age resist the intrusion of the federal police monopoly upon their turf.  It matters not that the defense of their information empires is not rooted in altruism.  It is behind the barons' security walls that online communities will build trust-based social networks.  And it will be the resistance of the people and their public representatives to the barons' pushing the border of public metadata too close to our private lives that will prevent those security walls from becoming prisons.

* * *
Photo credit
"Bleeding Braeburn" by Earl
Some Rights Reserved under