Apple argues stronger encryption will thwart criminals in letter to Australian government
Apple has long been a proponent of strong on-device encryption, most notably for its iPhones and the iOS operating system. This has often frustrated law enforcement agencies both in the US and overseas, many of which claim the company's encryption tools and policies are letting criminals avoid capture by masking communications and securing data from the hands of investigators.
Now, in a letter to the Australian government, Apple says it thinks encryption is in fact a benefit and public good that will only strengthen our protections against cyberattacks and terrorism. In Apple's eyes, encryption makes everyone's devices harder to hack and less vulnerable to take-overs, viruses, and other malicious attacks that could undermine personal and corporate security, as well as public infrastructure and services. Apple is specifically responding to the Australian Parliament's Assistance and Access Bill, which was introduced late last month and is designed to help the government more easily access the devices and data of criminals during active investigations.
Letter here (#53), or at Scribd and DocumentCloud.
Also at Ars Technica, Engadget, 9to5Mac, and AppleInsider.
Police told to avoid looking at recent iPhones to avoid lockouts
Police have yet to completely wrap their heads around modern iPhones like the X and XS, and that's clearer than ever thanks to a leak. Motherboard has obtained a presentation slide from forensics company Elcomsoft telling law enforcement to avoid looking at iPhones with Face ID. If they gaze at it too many times (five), the company said, they risk being locked out much like Apple's Craig Federighi was during the iPhone X launch event. They'd then have to enter a passcode that they likely can't obtain under the US Constitution's Fifth Amendment, which protects suspects from having to provide self-incriminating testimony.
Also at 9to5Mac.
Related:
California Lawmaker Tries Hand at Banning Encryption
New York Judge Sides with Apple Rather than FBI in Dispute over a Locked iPhone
FBI Chief Calls for National Talk Over Encryption vs. Safety
Hacker Decrypts Apple's Secure Enclave Processor (SEP) Firmware
Federal Court Rules That the FBI Does Not Have to Disclose Name of iPhone Hacking Vendor
Law Enforcement Agencies Increasingly Cracking iPhones Using "GrayKey"
Australian Government Pursues "Golden Key" for Encryption
When's A Backdoor Not A Backdoor? When The Oz Government Says It Isn't
Five Eyes Governments Get Even Tougher on Encryption
FBI Used Cooperative Suspect's Face to Unlock His iPhone
(Score: 2) by bzipitidoo on Sunday October 14 2018, @01:13PM (10 children)
I really do not like the practice of locking an account or device after a mere 10 or 5 attempts. It shouldn't be done at all. Slow it down, sure, maybe add a 3 second delay between attempts, but don't completely lock the user out. Or, if they must have lock out, make the trigger a minimum of 100 attempts. Seen too many legit users locked out by this so-called security measure. It's a great attack point for a Denial of Service attempt.
Lock out implies a lack of confidence in the verification method. Is it so easy for the wrong face to gain access to the phone? It shouldn't be.
(Score: 4, Insightful) by sjames on Sunday October 14 2018, @01:42PM (7 children)
It's not a total lockout, it just requires the password rather than the face ID. No authentication scheme can withstand infinite tries. There has to be a lockout at some point.
Of course, all of this is only confusion because the courts are using sophistry in an attempt to get around the fifth. If police can't force you to grant access to your phone with a password, there is no rational argument that they should be allowed to force you to use fingerprint or face id either.
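Added example (not part of either comment above, and not Apple's implementation): a minimal attempt limiter in Python contrasting the fixed 3-second delay proposed above with a fallback-plus-escalation policy. The five-failure biometric limit is the figure from the article; the doubling schedule, the one-hour cap and all names are assumptions made for illustration.

```python
import hmac

BIOMETRIC_MAX_FAILS = 5   # from the article: five failed Face ID attempts
BASE_DELAY_S = 3.0        # the 3-second delay suggested in the thread
MAX_DELAY_S = 3600.0      # assumed cap: throttling never becomes a permanent lockout

def fixed_delay(fails: int) -> float:
    return BASE_DELAY_S

def escalating_delay(fails: int) -> float:
    # Doubles after every failure; exponent clamped to avoid float overflow.
    return min(BASE_DELAY_S * 2 ** min(fails - 1, 20), MAX_DELAY_S)

class AttemptLimiter:
    def __init__(self, passcode: str, delay_fn=escalating_delay):
        self._passcode = passcode.encode()
        self._delay_fn = delay_fn
        self.biometric_fails = 0
        self.passcode_fails = 0
        self.next_allowed = 0.0  # earliest time a passcode guess is evaluated

    def try_biometric(self, match: bool) -> str:
        if self.biometric_fails >= BIOMETRIC_MAX_FAILS:
            return "passcode_required"   # biometric is disabled, not the device
        if match:
            self.biometric_fails = 0
            return "unlocked"
        self.biometric_fails += 1
        return "rejected"

    def try_passcode(self, guess: str, now: float) -> str:
        if now < self.next_allowed:
            return "wait"                # throttled: not evaluated, not counted
        if hmac.compare_digest(guess.encode(), self._passcode):
            self.biometric_fails = self.passcode_fails = 0
            return "unlocked"
        self.passcode_fails += 1
        self.next_allowed = now + self._delay_fn(self.passcode_fails)
        return "rejected"

def worst_case_seconds(keyspace: int, delay_fn) -> float:
    # Total enforced waiting if every guess but the last one fails.
    return sum(delay_fn(n) for n in range(1, keyspace))
```

With these assumed parameters, exhausting a 4-digit passcode space costs about 8 hours of enforced waiting under the fixed delay and over 400 days under the capped escalation, while the owner who knows the passcode never waits more than an hour.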
(Score: 0, Redundant) by c0lo on Sunday October 14 2018, @02:51PM
There's no such thing as infinite tries.
A few tens for the exponent of base 10 as the number of configurations to try usually does the trick in practical terms - considering that the age of the Universe is about 4.34e+26 nanoseconds.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 4, Insightful) by BK on Sunday October 14 2018, @05:33PM (5 children)
Nonsense. For so many reasons. But one of those is force.
The constitutional principle is that you cannot force a person to reveal the information that incriminates them. A password is a piece of information that (in theory) only the owner of the phone knows. Forcing them to disclose it is a clear violation of the principle that does not require logical constructs or analogies to relate to 18th century technology.
Fingerprints, by contrast, are a fact about you. Your face and its appearance is a fact about you. Fundamentally different.
Don't like it? Don't want your cat videos revealed so easily?
Turn. Biometric. ID. OFF.
...but you HAVE heard of me.
(Score: 2) by sjames on Monday October 15 2018, @01:34AM (4 children)
But to use your face or fingerprint, they need some sort of action from you. Effectively conscripting you to perform some action for them that grants them access to your papers and effects.
(Score: 3, Informative) by BK on Monday October 15 2018, @04:02AM (3 children)
They need you to exist. I'm not sure that's an action.
They need you to be present with your device. They'll bring the device to you; no action needed.
They may need you to look at the device. Or they can move it to wherever you prefer to gaze.
It sure seems like your *presence* is something that they can reasonably seek a warrant for. That's what they do for DNA now. And fingerprints.
...but you HAVE heard of me.
(Score: 2) by sjames on Monday October 15 2018, @03:01PM (2 children)
(Score: 2) by BK on Monday October 15 2018, @04:21PM (1 child)
I guess we've exhausted this one?
...but you HAVE heard of me.
(Score: 2) by sjames on Monday October 15 2018, @04:35PM
So if I close my eyes and the face ID wants them open, they're cool with that?
Seems that what we need is Face ID where if you wink, it does a secure delete.
(Score: 2) by takyon on Sunday October 14 2018, @03:06PM (1 child)
The users should have a pen and paper backup of their contacts and important notes, and then be able to survive having to do a full reset of the phone. Or just not use security features at all if they don't "need" them.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Sunday October 14 2018, @08:36PM
If all your important stuff is out in the cloud, all you need to remember is one password... after you safely leave with your erased phone, set it up again.