Government hints it may demand iOS source code, signing key

Not-so-subtle threat that if Apple won't comply with court order, there's a Plan B … which could be a Lavabit-like ultimatum

The government yesterday hinted that it may demand that Apple hand over the iOS source code and the encryption key the Cupertino, Calif. company uses to sign updates if it won't comply with a court order to help authorities unlock an iPhone.

In a footnote in a Thursday brief, the Department of Justice (DOJ) said it would be happy to have Apple's source code and digital signing key.

"For the reasons discussed above, the FBI cannot itself modify the software on Farook's iPhone without access to the source code and Apple's private electronic signature," the footnote read. "The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers."

Yesterday's brief was the latest volley by the DOJ in its efforts to force Apple to help the Federal Bureau of Investigation (FBI) access information stored on an iPhone used by Syed Rizwan Farook. Along with his wife, Tafsheen Malik, Farook killed 14 in San Bernardino, Calif. on Dec. 2, 2015. The two died in a shootout with police later that day.

The government has labeled the attack an act of terrorism.

A February court order required Apple to help the FBI by building a customized version of iOS that would disable several security safeguards, then put the software on the device so authorities can bombard it with passcode guesses. Only Apple can place the reworked iOS on Farook's phone, as the only updates that an iPhone will accept are those Apple "signs" using its own cryptographic key.

Apple has contested the order, objecting on legal and constitutional grounds, as well as because the work would be a burden on the company that it should not be asked to accept. The last was what the DOJ referenced in the footnote when it said, "[handing over iOS source code and the key] may provide an alternative that requires less labor by Apple programmers."

Because Apple would hardly give authorities its source code and key without a fight, the implication was that, failing compliance of the current order, the government may demand them.

That was made clear by additional language in the footnote, which reminded the judge -- and obviously Apple -- that another court has applied contempt sanctions in the case that involved Lavabit, an encrypted email service whose founder shuttered his company in 2013, shortly after being forced to give the government the firm's private encryption key.

Lavabit had reportedly been used by former National Security Agency (NSA) contractor Edward Snowden to alert the media of an upcoming press conference.

Before Lavabit founder Ladar Levison complied and gave the government his SSL/TSL (Secure Socket Layer/Transport Layer Security) encryption key, he was being fined $5,000 a day for not complying.

"See In re Under Seal, 749 F.3d 276, 281-83 (4th Cir. 2014) (affirming contempt sanctions imposed for failure to comply with order requiring the company to assist law enforcement with effecting a pen register on encrypted e-mail content which included producing private SSL encryption key)," the DOJ's brief stated.

The case cited was Lavabit's.

Lavabit was one of several companies and organizations that last week filed "friends-of-the-court" briefs -- called amicus briefs -- supporting Apple in its battle with the DOJ over Farook's iPhone. In that brief, Lavabit argued that, as in its battle with the government, Apple was being forced to give "extraordinary assistance" to law enforcement.

"In simpler terms, this attempted use of the All Writs Act is a blatant and unabashed attempt to circumvent Congress, and pass a heaping pile of bovine feces off as edible," Levison said in a statement last week about the amicus brief and the 1789 law, the All Writs Act, that the government has used to obtain the federal court order compelling Apple to help crack Farook's phone. "In fact, the FBI is using a hard case in an attempt to force bad law on the American people. We were all horrified by the attack in San Bernardino. The American people, however, should not have to sacrifice their rights to privacy and digital security as a result."

Oddly, elsewhere in the DOJ's brief, government lawyers argued that, even if the FBI had the iOS source and Apple's signing key, it would still demand that Apple cooperate further.

"Even if the Court ordered Apple to provide the government with Apple's cryptographic keys and source code, Apple itself has implied that the government could not disable the requisite features because it 'would have insufficient knowledge of Apple's software and design protocols to be effective,'" the brief stated.

A hearing on Apple's objections and the government's response is slated for March 22 before a federal magistrate.

Join the Computerworld newsletter!

Error: Please check your email address.

Tags Apple

More about AppleApple.Apple ComputerDepartment of JusticeDOJFBIFederal Bureau of InvestigationInc.National Security AgencyNSASocketTransport

Show Comments