Apple spells out what it would take to comply with government's iPhone order

Cites 'undue burden' as it estimates 6 to 10 employees working 2 to 4 weeks on creating new OS

Apple last week argued that assisting the FBI in the agency's attempt to access an iPhone used by one of the San Bernardino killers would be an undue burden that would require a staff of between six and ten people who would have to dedicate two to four weeks of their time to the task.

In a motion filed Friday with a California court, Apple ticked off several constitutional arguments against helping the FBI break into the iPhone used by Syed Rizwan Farook, who along with his wife, Tafsheen Malik, killed 14 in San Bernardino, Calif., on Dec. 2, 2015, before they died in a shootout with police.

But it also directly addressed the concept of "undue burden."

Case law has established that the All Writs Act -- the 1789 legislation cited by the government for forcing Apple to comply -- can be used only when an order does "not adversely affect the basic interests of the third party or impose an undue burden." Apple seized on that language to describe what it would take to assist the FBI.

"No operating system currently exists that can accomplish what the government wants, and any effort to create one will require that Apple write new code, not just disable existing code functionality," Apple said in its motion. "Experienced Apple engineers would have to design, create, test, and validate the compromised operating system, using a hyper-secure isolation room within which to do it, and then deploy and supervise its operation by the FBI to brute force crack the phone's passcode."

That task -- creating a specialized version of iOS that would run only in the target iPhone's RAM -- would be a chore, Apple said as it estimated what it would take to complete.

"I would estimate that the design, creation, validation, and deployment of GovtOS would necessitate between six and ten Apple engineers and employees dedicating a very substantial portion of their time for two weeks at a minimum, and likely as many as four weeks," said Erik Neuenschwander, Apple's manager of privacy, in a declaration filed alongside his firm's motion. Neuenschwander would be the one in charge of planning the project if it were required.

"GovtOS" was the moniker Neuenschwander stuck on the one-of-a-kind modified iOS that would be produced.

In his declaration, Neuenschwander gave a glimpse of Apple's usual development process, which he said would be followed for GovtOS to ensure it worked properly and didn't disturb any of the data currently on the iPhone. All work would have to be logged, recorded and preserved, he said, in case Apple's methodology was later questioned in court.

"Once GovtOS is created, Apple will need to set up a secure, isolated physical facility where the FBI's passcode testing can be conducted without interfering with the investigation or disrupting Apple's operations," added Neuenschwander.

Some of Neuenschwander's declaration was devoted to commentary about not only this instance, but the potential of repeated demands by the government if the order was granted and then cited in subsequent cases. That commentary was similar to arguments Apple had made previously, and in the Friday motion, that although the FBI has characterized the assistance as a one-time deal, Apple will probably have to comply with scores, even hundreds, of similar orders related to other cases, most of them involving not terrorism, but run-of-the-mill criminal investigations of drug dealers, purveyors of child pornography, and the like.

The government has demanded Apple's assistance in at least 12 cases since September, but court records show that many more, some of them languishing for over a year, have been submitted.

In one of the latter cases, an agent with the Department of Homeland Security working in Sioux Falls, SD, asserted that Apple already has a logjam of requests. "I know based on my experience that Apple has a backlog of 9 to 12 months for password bypasses," said Special Agent Craig Scherer in a Feb. 16 deposition in a case involving trafficking in methamphetamine.

"If this order is permitted to stand, it will only be a matter of days before some other prosecutor, in some other important case, before some other judge, seeks a similar order using this case as precedent," Apple's lawyers wrote in their Friday motion. "Once the floodgates open, they cannot be closed, and the device security that Apple has worked so tirelessly to achieve will be unwound without so much as a congressional vote."

Neuenschwander echoed that.

"Given the complexity of designing, creating, validating, deploying, and eradicating a bespoke operating system such as the government demands, the burden on Apple will increase significantly as the number of requests to Apple increase," he said. "Each such commissioned operating system will need to be tailored to the specific combination of hardware and operating system running on the relevant device."

Join the CSO newsletter!

Error: Please check your email address.

Tags Apple

More about AppleFBI

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts