Apple Lawyer Pressed On Encryption Stance In Congressional Hearing

Apple’s lead attorney, Bruce Sewell, appeared before a House committee Tuesday to explain why the company is resisting a court order to help the FBI break into the phone of San Bernardino shooter Syed Farook.

A California federal court ordered Apple to write a custom piece of firmware that could be uploaded to Farook’s iPhone, enabling the FBI to quickly try thousands of passcodes to log in to the phone. Apple worked with the FBI on the case for 75 days, but refused to write the custom software.

Sewell disagreed with FBI director James Comey’s assertion from earlier in the hearing that the custom firmware Apple is being asked to create could be used only on the iPhone 5c used by Farook.

“The tool we’re being asked to create could be used on any iPhone in use today,” Sewell said.

Another panelist, professor Susan Landau of Worcester Polytechnic Institute, agreed with Sewell that a custom OS created by Apple could eventually be exposed to hackers and used to break into other phones.

Apple also fears that complying with the order would create a dangerous precedent, and may open the floodgates for more court orders directing Apple to assist in breaking into iPhones.

Apple’s Sewell: If we honor the request from the FBI in the San Bernardino case, “it will be a hot minute before we start getting those requests from other places.”

Sewell cited a statement by FBI director James Comey that his agency would likely use this precedent in other cases involving other phones.

And he cited a statement by New York district attorney Cyrus Vance Jr. (also on the panel) saying that his office would “absolutely” like to use Apple’s software to break into the 175 iPhones now in its possession. Actually, Vance says, the number has gone up to 205 since he made the statement.

Rep. Trey Gowday (R-South Carolina) pressed Sewell to provide a circumstance where Apple would agree to build a custom OS that could be used to break into an iPhone.

Rep. Cedric Richmond (D-Louisiana) put the question in another way: “What if a terrorist put the location of an atomic bomb on an iPhone and then dies,” would you then create the software needed to open the phone?

Sewell never really answered the question. He merely said Apple would first explore all other options, then moved onto the subject of how Apple has worked with law enforcement in the past.

Sewell said Apple would like to participate in a public debate that would eventually produce the correct terms for an encryption law. The law would need to strike a careful balance between the need of law enforcement to investigate crimes or terrorist threats, and technology companies’ need to ensure that their customers’ data is safe.

Rep. Gowdy and Jim Sensenbrenner (R-Wisconsin) pressed Sewell for some guidance on what a new piece of legislation would need to contain to please Apple.

Here again, Sewell declined, saying he was not prepared to offer an opinion. “We don’t have a piece of legislation to propose today,” Sewell said.

District attorney Vance says a single tech company is calling the shots when it comes to the privacy-security balance. “Apple has now decided that balance, they now have decided what the rules are,” Vance said. “That upsets the balance that existed previously and that now has been decided unilaterally.”

Vance believes the real and immediate needs of law enforcement are being balanced against Apple’s “speculative risk to privacy.”

Vance said Apple has not been specific about what’s really at stake if Apple were to write the custom OS needed to hack into Farook’s phone.

“Don’t just tell us ‘millions of phones will be affected’,” Vance said.

The Worcester Polytechnic Institute’s Landau answered the question this way: “The risk is that some person will come into Apple and provide a false certificate to get the code.”

But Vance still wasn’t satisfied.

“The professor has not answered the question of what about the rights of the victims of these cases that are being put aside while we have this academic discussion.”

Committee member Rep. Bob Goodlatte (R-Virginia) asked Sewell to comment on the Department of Justice’s suggestion in a recent court motion that Apple’s refusal to build the custom OS is motivated by its marketing goals and not on respect for security.

“This is not a marketing issue,” Sewell said, characterizing the DOJ’s assertion as “a way of demeaning our side of the argument.”

“We don’t advertise, we don’t put up billboards advertising our security,” Sewell said.

FBI director Comey also faced some tough questions during the hearing.

Rep. John Conyers (D-Michigan) suggested that if even if the FBI forces Apple to provide an encryption key (or backdoor) to all iPhones, “terrorists will simply resort to other tools that are far outside the reach of law enforcement.”

Comey could not disagree with the assertion.

Conyers also asked Comey why the FBI has chosen to go to the courts to compel Apple to provide access to its devices, instead of working with Congress on the matter.

Comey said he believes the courts are useful to decide the appropriateness of the FBI’s demands on Apple, while Congress should make decisions on the wider issue of whether or not tech companies should be systematically required to provide encryption keys to law enforcement.

“I don’t see how the courts can work out the tension between privacy and security that we’re all feeling,” Comey said.

Conyers also wondered why the FBI had chosen the San Bernardino investigation to ask for an unsealed court order to conscript Apple to help. Some believe that the government chose the San Bernardino case because the public might be more sympathetic to its mission to require tech companies to provide backdoors to encrypted data.

Conyers pointed to a Washington Post article from last September quoting a law enforcement lawyer saying that a terrorist event might be used to turn Congress’s opinion on backdoors in law enforcement’s favor.

From the Washington Post article:

Privately, law enforcement officials have acknowledged that prospects for congressional action this year are remote. Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August email, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement. There is value, he said, in “keeping our options open for such a situation.”

“I’m deeply concerned that the federal government is exploiting a national tragedy to bring about a change in the law,” Conyers said.