After Farook’s Phone: Where to Now?
- April 2, 2016
- Clayton Rice, K.C.
It has been a spectacular month since my last post about the court battle between Apple and the FBI – a fight in which one of the world’s most respected technology companies squared off against one of the most powerful agencies of the United States government. The case erupted over a court order requiring Apple to provide assistance to the FBI in the search of Syed Rizwan Farook’s work iPhone that was seized under a search warrant following the shootings in San Bernardino, California.
In my post titled Apple v. FBI: The Court Record So Far dated February 26, 2016, I ended with Apple’s motion to vacate an order granted by Magistrate Judge Sheri Pym, in the District Court for the Central District of California, under the All Writs Act, 28 USC s 1651. Apple’s motion was scheduled for March 22, 2016. But, the day before the hearing, Judge Pym granted the US Justice Department’s request for a postponement. The government said it received help from an “outside party” that demonstrated a way to possibly unlock the iPhone which would eliminate the need for Apple’s help. A status report would be filed by April 5, 2016. It has been reported that Cellebrite, an Israeli data forensics firm, is the mysterious third party. These reports have not been confirmed by the FBI or Cellebrite. (See: Katie Benner and Matt Apuzzo. U.S. Says It May Not Need Apple’s Help to Unlock iPhone. The New York Times. March 21, 2016; and, Mikey Campbell. Cellebrite again rumoured to have accessed San Bernardino iPhone 5c for FBI. AppleInsider. April 1, 2016)
In an article titled FBI may have found way to unlock San Bernardino shooter’s iPhone without Apple published in The Guardian edition dated March 22, 2016, Spencer Ackerman and Danny Yadron asked this question about the government’s potential solution: “[I]f investigators figure out a way to hack into the device without Apple’s help, are they obligated to show Apple the security flaw they used to get inside?” That is the core of where we are and the heart of the question I have asked: Where to now? Ackerman and Yadron reported that the attorneys for Apple, which would certainly patch such a flaw, said they would demand disclosure from the government of the method used to crack the phone.
And, in a post titled Apple v. FBI: What Just Happened dated March 22, 2016, Alex Abdo, a staff attorney with the American Civil Liberties Union, asked: What does this mean for the fight over whether the government can force Apple to write new software to help the FBI break into an iPhone? Mr. Abdo made two points:
“First and foremost, it makes it hard to trust the technical expertise of the FBI. The FBI had previously claimed in filings with the court and in a hearing before the House Judiciary Committee that it couldn’t get into the San Bernardino iPhone on its own. It insisted that the only way to break into the phone was to force Apple to write new software weakening the security protections on the device.
Second, the legal fight is far from over. Even if the FBI gets access to the San Bernardino phone using the new method it is exploring, it is inevitable that the FBI will come knocking again. We know of a dozen or so other apparently pending requests that Apple has received from the government for technical assistance – including a case in New York, in which the government recently appealed a ruling against it.”
The standoff ended when the U.S. Justice Department announced that a way had been found to unlock the iPhone without help from Apple. The two-paragraph status report filed on March 28, 2016, stated: “The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple Inc. mandated by Court’s Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016.” But the fight is not over. Esha Bhandari, also a staff attorney with the American Civil Liberties Union, was reported as noting that the U.S. government generally reviews security flaws in deciding whether to disclose information about vulnerabilities so that manufacturers can patch them. “I would hope they would give that information to Apple so that it can patch any weaknesses,” she said, “but if the government classifies the tool, that suggests it may not.” (See: Katie Benner and Eric Lichtblau. U.S. Says It Has Unlocked iPhone Without Apple. The New York Times. March 28, 2016; and, Mikey Campbell. DOJ confirms successful iPhone data extraction, withdraws encryption case against Apple. AppleInsider. March 28, 2016)
The same disclosure question was asked by Andrew Crocker, a staff attorney with the Electronic Frontier Foundation, in a post to its blog titled FBI Breaks into iPhone. We Have Some Questions dated March 28, 2016, where he wrote:
“…[T]his new method of accessing the phone raises questions about the government’s apparent use of security vulnerabilities in iOS and whether it will inform Apple about these vulnerabilities. As a panel of experts hand-picked by the White House recognized, any decision to withhold a security vulnerability for intelligence or law enforcement purposes leaves ordinary users at risk from malicious third parties who also may use the vulnerability. Thanks to a lawsuit by EFF, the government has released its official policy for determining when to disclose security vulnerabilities, the Vulnerabilities Equities Process (VEP).
If the FBI used a vulnerability to get into the iPhone in the San Bernardino case, the VEP must apply, meaning that there should be a very strong bias in favour of informing Apple of the vulnerability. That would allow Apple to fix the flaw and protect the security of all its users. We look forward to seeing more transparency on this issue as well.”
So the questions persist. Who is the third party? What was the method used to crack Farook’s iPhone? Which iPhone models does the method apply to? These questions were asked by Bruce Schneier, a fellow at the Berkman Centre for Internet & Society at Harvard Law School, in an article titled Your iPhone just got less secure. Blame the FBI published in The Washington Post edition of March 29, 2016. Mr. Schneier went on to identify the sword or shield problem if the answers are classified:
“Compare this iPhone vulnerability with another, one that was made public on the same day the FBI said it might have found its own way into the San Bernardino phone. Researchers at Johns Hopkins University announced last week that they had found a significant vulnerability in the iMessage protocol. They disclosed the vulnerability to Apple in the fall, and last Monday, Apple released an updated version of its operating system that fixed the vulnerability. (That’s iOS 9.3 – you should download and install it right now.) The Hopkins team didn’t publish its findings until Apple’s patch was available, so devices could be updated to protect them from attacks using the researchers’ discovery.
This is how vulnerability research is supposed to work. Vulnerabilities are found, fixed, then published. The entire security community is able to learn from the research, and – more important – everyone is more secure as a result of the work. The FBI is doing the exact opposite. It has been given whatever vulnerability it used to get into the San Bernardino phone in secret, and it is keeping it secret. All of our iPhones remain vulnerable to this exploit. This includes the iPhones used by elected officials and federal workers and the phones used by people who protect our nation’s critical infrastructure and carry out other law enforcement duties, including lots of FBI agents.
This is the trade-off we have to consider: Do we prioritize security over surveillance, or do we sacrifice security for surveillance? The problem with computer vulnerabilities is that they’re general. There’s no such thing as a vulnerability that affects only one device. If it affects one copy of an application, operating system or piece of hardware, then it affects all identical copies. And it can be used by anyone who knows it, be they the FBI, a gang of cyber criminals, the intelligence agency of another country…anyone. And once a vulnerability is found, it can be used for attack – like the FBI is doing – or for defence, as in the Johns Hopkins example.”
The next day the FBI agreed to help an Arkansas prosecutor unlock an iPhone and iPod belonging to two teenagers accused in the killing of a Conway couple thirty miles north of Little Rock. The trial of Hunter Drexler and Justin Staton was therefore adjourned to June 27, 2016. The FBI has said that it will share the tool consistent with its legal and policy constraints. That increases the risk of exposure as a result of prying defence lawyers or by court order. And there is always the potential for a leak. These things tend to get around. Jonathan Zdziarski, an independent forensic scientist and author for O’Reilly Media, was reported by Reuters as suggesting that the security flaw would only be exploited for a few months. “It would be a temporary Vegas jackpot,” he said, “that would quickly get squandered on the case backlog.” (See: James Queally and Richard Winton. FBI agrees to help Arkansas prosecutors open iPhone after hack of San Bernardino device. Los Angeles Times. March 30, 2016; and, Joseph Menn. FBI trick for breaking into iPhone likely to leak, limiting its use. Reuters. April 2, 2016)