Privacy advocates are warning that if the FBI does not let Apple know how it hacked into the San Bernardino shooter’s iPhone, not only would the government be going against its own policy on such matters, it will be putting people’s “lives at risk.”
On Monday, the FBI backed down from its controversial legal battle to force Apple to develop a backdoor entry into the locked device of Syed Rizwan Farook—instead, breaking into the phone on its own, with the help of Israeli firm Cellebrite.
Apple, along with numerous privacy and rights advocates, argued that the creation of such a tool would open a “Pandora’s box,” rendering all user-set security features moot.
That box is now breached.
Citing forensics expert Jonathan Ździarski, two digital rights specialists wrote Tuesday that the creation of an iPhone backdoor is akin to “‘a bomb on a leash’; a leash that can be undone, legally or otherwise.”
With the emergence of the third-party hack, Julia Powles and Enrique Chaparro say, we now “have a new danger: a classified bomb held by the FBI and unknown third-party hackers—but not by Apple, the one party capable of defusing it.”
Federal officials “have declined to specify the procedure used to open the iPhone,” the New York Times reports, while at the same time Apple “cannot obtain the device to reverse-engineer the problem, the way it would in other hacking situations.”
Fight for the Future, a digital and privacy rights group which helped lead opposition to the FBI case, issued a statement Wednesday arguing that if U.S. officials “really care about public safety, they must disclose the vulnerability they used to Apple to prevent criminals, hackers, and terrorists from exploiting the same security flaw and using it to do harm.”
The statement continues:
At the same time, as Guardian columnist and Freedom of the Press Foundation co-founder Trevor Timm pointed out on Tuesday, the government is continuing to pursue similar, albeit lower-profile, legal fights. According to the American Civil Liberties Union, there are at least 63 similar cases pending across the country.
As Common Dreams previously reported, this case has never been about “one phone,” but rather about setting a judicial precedent.
Timm references a Justice Department statement issued Monday, in which the agency stated it will continue to “pursue all available options [to ensure that law enforcement can obtain crucial digital information] including seeking the cooperation of manufacturers and relying upon the creativity of both the public and private sectors.”
“‘Pursue all available options’ they will,” Timm writes:
Advocates, including the Electronic Frontier Foundation, are pointing to the U.S. government’s official policy, known as the the Vulnerabilities Equities Process (VEP), for determining when to disclose a security vulnerability—such as the one Cellebrite supposedly just cracked.
“As a panel of experts hand-picked by the White House recognized, any decision to withhold a security vulnerability for intelligence or law enforcement purposes leaves ordinary users at risk from malicious third parties who also may use the vulnerability,” the digital rights group stated on Tuesday.
“If the FBI used a vulnerability to get into the iPhone in the San Bernardino case, the VEP must apply,” EFF continues, “meaning that there should be a very strong bias in favor of informing Apple of the vulnerability. That would allow Apple to fix the flaw and protect the security of all its users.”