The FBI Is Breaking into Encrypted Devices – We’re Suing (aclu.org)
254 points by clutchdude on Dec 23, 2020 | 62 comments


Feels like this will get kicked on some standing shit. As with Clapper v. Amnesty International.

How I expect this will go.

ACLU: I want to sue because the government is surveilling my clients.

Supreme Court: How do you know they are doing this?

ACLU: We know they are doing it but not specifically how they do it to our clients; that's what we're suing to find out.

Supreme Court: But without a specific complaint you don't have standing.

ACLU: The methods are secret so we don't have specifics.

Supreme Court: Come back when you do.

ACLU: But we can't find out without knowing more about how they are doing it which is what we are suing for.

Supreme Court: Yeah but you don't have standing.

ACLU: So 4th amendment rights are at stake but there is no constitutional remedy because of bureaucracy?

Supreme Court: shrugs


Fundamentally, if the Supreme Court took that position I can see how it makes sense. It is unreasonable to sue someone to go on a fishing expedition to see what they might have done wrong.

Realistically, the constitution lost most of its staying power a long time ago. The judiciary can't actually stop the rest of the government if it is united on launching a mass surveillance program - and the evidence suggests there is bipartisan support for it both between parties and between the executive and legislative branches.


I totally disagree. The Supreme Court has it within their power to determine that Amnesty or the ACLU is likely enough representing an affected party and therefore grant them standing.

There is some popular idea that everything the court does is abstract or must be categorical and that's simply not true. They make decisions all the time in which they draw a line through a gray area. They have been using the standing to avoid ruling on these 4th amendment issues because the issues are thorny and frankly because they believe, as they have made it clear in many other cases, that they believe in the national security state apparatus but aren't quite sure how to justify it.

Edit: There are other possibilities too. If the court isn't comfortable imposing a remedy for 4th amendment violations they can mandate the legislature to do so and fine the administration until the legislature acts. This often happens in state governments.


Pretty much.

If the ACLU wants any measure of success, encouraging whistleblowers might be the way to go.


What about Wikileaks' "vault 7"?


Well, to be clear about the story, it's that they're suing to find out what the FBI is doing, and what methods/equipment they use.

They're not suing to stop it. (edit: yet)


The latter is contingent upon the former. You have to know how they might be breaking into your phone to ascertain the evidence that they are so you can sue for relief.

i.e. you must be able to show harm to sue for relief.


I'd think that getting them to confirm what methods they're using would shorten the shelf-life of those methods a fair bit. Which I suppose fits with them pushing back as hard as they can.


If they’re not suing to stop it, that means it’s likely legal.


Well, they don't know if it's legal because the FBI won't tell them what they're doing - that's the whole point here.

Citizen oversight of government is an important thing in a real democracy, the FOIA is an important part of that. Remember the FBI must not only act legally but also be seen to be acting legally in order to be trusted by the citizens.


I'm not sure how the how matters.

If the FBI has a warrant to search your phone, does it matter if it's unlocked, or if you have 0000 as a PIN or if they identify develop and exploit in AES to do so?

Similarly, if the FBI has a warrant to search your home, it doesn't matter if you leave the door unlocked, if they have a locksmith come and pick the lock, or if they break the door down.


This situation is a bit more complex because it's contested (up to 11th circuit court of appeals) that "the decryption and production would be tantamount to testimony by [the suspect] of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files." - and if it's testimony it's covered under 5th Amendment protections.

Quite interesting 4-page summary of the topic by the Congressional Research Service from earlier this year: https://crsreports.congress.gov/search/#/?termsToSearch=LSB1...


What would be the argument that the FBI's decryption of the files, with the suspect being uninvolved, would amount to an act of testimony by the suspect?

If the FBI is doing the decryption itself, the 4th amendment is the relevant one, not the 5th.


Please correct me, but I don't think this applies if the suspect is un-involved in the decryption process. I think this was meant to prevent a suspect from being forced to give up their passwords.


IANAL, but naively it seems to me like the method doesn't matter so much in terms of legality, as how they use it.

E.g. the FBI knowing how to break into someone's house is fine. Actually breaking into someone's house, less fine without a warrant.


>If they’re not suing to stop it, that means it’s likely legal.

Pre-9/11, I would totally agree with you. The last 20 years, all that is necessary is the law enforcement agency needs a lawyer that has a somewhat convincing argument or technicality that they could argue is legal. Think "enhanced interrogation techniques," which has been argued is not torture, which would be illegal.

https://en.wikipedia.org/wiki/Enhanced_interrogation_techniq...

It helps if there is a technique that keeps it out of courts altogether, like civil forfeiture which charges the property with a crime and not the person. To get back property, the owner must prove their innocence rather than the state proving their guilt.

https://en.wikipedia.org/wiki/Civil_forfeiture_in_the_United...


Quis custodiet ipsos custodes?

9-11 taught us many things. One of which was that we don't need to crack all encryption on the planet. The "suspects" who did this were exactly that. Previously been identified as potential baddies, with the intent to do bad things. Authorities knew them/about them. Authorities failed to track/monitor/<other verbs> them, and 9-11 happened (and it was a horrible horrible event).

Now, for the solution. Get authorities to get their shit straight, remove their heads from their asses, operate properly.

The solution that "if nothing is a secret we would have prevented that".. imho doesn't stand. One shouldn't go about messing up with EVERYONE's privacy (and defined rights) because 100/1000 people in the world are baddies. The world shouldn't create next one Stasi in every country because of 9-11 or Bataclan or London Bridge.

And lack of transparency is a pure characteristic of a "Stasi".

Anyone with power, funding, combined with no transparency or accountability will become a dictator in their own domain.

Humanity is not yet mature 'enough' ('enough' varies - eye of the beholder thingie)(btw this is not a threat, it's disappointment/acceptance).


>Quis custodiet ipsos custodes

It's supposed to be us via the people who represent us in the government. The news is supposed to inform us of what the government is doing that they don't want us to know. That's how the system is supposed to work and was designed. That entire system has broken down or been coopted by the very people we are supposed to be watching at multiple levels.


Could someone ELI5 how this is even conceptually possible? I suppose that is exactly what the ACLU was trying to find out, but I thought something like AES-256 should be impossible in principle to break.

So what type of thing is most likely happening? Are hardware vendors secretly installing back doors? Is there some sort of software encryption standard that's compromised? Or some kind of secret breakthrough in computation theory that easily "solves" encryption? Or maybe, bolstered by NSA surveillance, they just know passwords and unlock codes to devices?

Again, I understand that that is the exact mystery here, but I would appreciate knowing if one or more of the possibilities is conceptually more likely than the others.


Usually the weakest link in any crypto system is the code surrounding it. AES-256 is very solid, but using it correctly can be hard. Apple knows what they are doing but they are still human.

For example if this is a lock screen bypass (and not a bypass of say the start up process before the key is entered), maybe some memory corruption issue allows you to bypass the password check. Or another example, many people use short numeric pins to encrypt their phones. Apple then does a lot of complex stuff to take that and turn it into a high entropy key. Maybe this is an exploit in that part, allowing for a bruteforce attack.

These are all just wild guesses, I have no idea what these capabilities are or for that matter, I don't really know very much about how iPhone FDE works.


You can’t turn a low entropy key to a high entropy one by deterministic operations. It’s theoretically impossible.


Yes, what they're doing is basically using a randomly generated key per device combined with the user generated key. So, it becomes a question of extracting the hidden key from the device or using the phone to brute force the decryption.

However, without that key an attacker is stuck trying to brute force Apple's high entropy key, which causes some confusion.


The algorithms are secure.

* The hdd in a phone that is not powered off is mounted. It takes an exploit in OS to pass the Lock Screen or read the RAM.

* The vast majority of people don’t have long alphanumerical passwords. The short pins can be broken.

* Some manufacturing companies don’t handle encryption keys properly. Synology NAS stores the keys next to the encrypted data for automatic access upon boot (unless you change the default and store the keys on an encrypted USB or enter keys manually upon boot).

* There are sometimes bugs in algorithm implementations, especially if a company rolls its own crypto with closed source software.

* Sometimes encryption keys are not properly generated. Bad RNGs were a thing for a long time.

* And of course there could be back doors for law enforcement.


Except for obvious pins, they cannot be brute forced due to the throttling built into the hw vault.


If you are referring to upper limits on password trials enforced by chips such as TPM, T2 or those in Yubikeys, these are software and hardware — but not fundamental algorithmic — limits.

I wouldn't say an HSM such as a Yubikey is secure against a government agency. But apart from that, you can take out the hard drive and deal directly with random blobs, bypassing software limits.

Of course these measures are effective against the majority of the attackers, but we are talking about FBI here.


> people don’t have long alphanumerical passwords

Do you know how long is enough? Of course 64 chars would be dope but I'm not good at memorizing things. I know it's trainable but I'm lazy too :)

My current password is a bit longer than 10 chars and I wonder if I should upgrade it.


Use an easily memorable personalized passphrase. One that's easy for you to remember and impossible for anyone else. Repeat it in your mind like a mantra for days and it will stay with you decades later.

Personally I started doing this ~2000. I still remember my first one that I gave up meanwhile because I told it to my GF at the time and we broke up meanwhile.

You can easily top 100 characters this way. Though this is not something you want to do on a touchscreen device, it's a pain there with fat fingers.


Unfortunately, Android has a maximum password length of 16 characters.


Yeah I already have a passphrase for my desktop, but for mobile I'm on GrapheneOS and it asks my password frequently enough that I don't want something too painful to enter.


90 bits, clean source, is bare minimum. Better to push up to 128 bits.

A 10-word diceware passphrase is often recommended.

If you choose a password rather than a passphrase, the bare minimum is 15 (90 bits) to 22 (128 bits) characters, upper and lower case and numbers.

Either way, purely random is key here.
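
The figures in the comment above can be checked with a short calculation. This is an added example, not part of the thread: it computes entropy for uniformly random PINs, passwords and Diceware passphrases, the length needed to reach a target, and generates a password from the OS CSPRNG. The guess rate of 12.5 per second is an assumed, constructed value standing in for a throttled per-guess cost, and all function names are this example's own.

```python
import math
import secrets
import string

DICEWARE_WORDS = 7776                         # 6**5 entries in a standard Diceware list
ALNUM = string.ascii_letters + string.digits  # 62 symbols: upper, lower, digits


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly and independently."""
    if alphabet_size < 2 or length < 0:
        raise ValueError("need alphabet_size >= 2 and length >= 0")
    return length * math.log2(alphabet_size)


def min_length(alphabet_size, target_bits):
    """Fewest uniformly random symbols that reach target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def hours_to_exhaust(bits, guesses_per_second):
    """Worst-case hours to try every candidate at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second / 3600.0


def generate_password(target_bits=128, alphabet=ALNUM):
    """Random password from the OS CSPRNG, long enough for target_bits."""
    n = min_length(len(alphabet), target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(n))


def summary(guesses_per_second):
    """Map each secret type to (entropy in bits, worst-case hours)."""
    rows = {
        "4-digit PIN": entropy_bits(10, 4),
        "6-digit PIN": entropy_bits(10, 6),
        "15-char alphanumeric": entropy_bits(len(ALNUM), 15),
        "22-char alphanumeric": entropy_bits(len(ALNUM), 22),
        "10-word Diceware": entropy_bits(DICEWARE_WORDS, 10),
    }
    return {
        name: (round(bits, 1), hours_to_exhaust(bits, guesses_per_second))
        for name, bits in rows.items()
    }


if __name__ == "__main__":
    RATE = 12.5  # assumed guesses per second (constructed value, not from the thread)
    for name, (bits, hours) in summary(RATE).items():
        print(f"{name:22s} {bits:6.1f} bits  {hours / 8766:.3g} years worst case")
    print("sample 128-bit password:", generate_password())
```

The entropy figures hold only when every symbol or word is chosen uniformly at random; a human-chosen phrase of the same length has far less.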


Thanks.


The RNG is the backdoor always. And as said above, how you cripple the entropy.


They are likely using Grayshift or Cellebrite's UFED or similar products. Most of them leverage exploits in the phone that are usable on the lock screen to either enable you to bypass the lock screen or to allow you to have unlimited password guesses then brute force the password.

That's my guess at least.



According to this[1] Twitter thread, it's a matter of convenience outweighing security. Phones keep the encryption keys used for most apps in memory so the apps can do background work while the phone is locked.

[1] https://twitter.com/matthew_d_green/status/13417461712205373...


Most PINs or passwords are so short that they would be easy to brute-force but phones have anti-brute-force mechanisms. So maybe there's a tool that does that.


It is known in some cases and highly probable in others that randomness is compromised systemically in many products and therefore services.


In my opinion, if they want a few shortcuts and hints they need to first talk to the wireless switch engineers and ask them if they've directly received any gag orders from the feds, or indirectly threats from their management. Back in the 90's, we used to update the firmware over the air. We could rewrite anything anywhere on the phone. Officially we did not do this, not because of any secrets or conspiracy... The fear was that if customers found out we could do this, it would be a support nightmare and not cost sustainable. We made the business decision to not update the phones over the air to avoid the risk of bricking any of them. This was only done for really bad firmware bugs and only to specific phones. As a result the phones would become out of date and people would eventually buy new ones. The reason I mention this is that if you can rewrite the firmware and reboot the phone, then you can intercept anything related to encryption, keys, passwords, etc... I have no idea what capabilities are in place now, but I would be very surprised if they regressed from what we could do in the 90's.


There are rumors of recent-model iPhones receiving "carrier setting" updates not documented on the carrier's website (they should be), occasionally followed by instability (crash, refusal to boot, refusal to reboot on battery power alone).


Does the carrier have that much control over a modern iPhone's firmware? Seems odd


This was the case for every phone prior to the iPhone and is certainly the case for Android, as past bugs were patched by some wireless carriers and not by others. Getting an answer to this may prove difficult, as Apple are very litigious and people know this. If engineers received a gag order, I suspect they probably won't risk violating it.


This will achieve nothing. Only another whistleblower like Snowden will achieve anything. Though I think we get a Snowden only once per generation :)


Fallacy of encryption: the algorithms are secure, it is the random numbers that are backdoored, but you cannot ever prove that. --> How? The random numbers that servers use are chosen from a list if you will as opposed to true zener diode type shit. You cannot prove this, but this is how I would do it if asked, and I am pretty sure RSA does this if not mistaken.


What is next, suing for military secrets?


Humm.. If they endanger citizens, yes.


Yes, but this leads to corporate "contractors" and the secrets become intellectual property/trade secrets and there is nothing under the sun to FOIA those, even if that corporation has more 11 star generals than call of duty


So, to be clear, they're suing the FBI with a request to teach them how to be .. umm .. l33t?

This is silly.


In the last 10-15 years ACLU has moved away from being politically neutral (and has publicly stated so), so one might easily see this action as an attempt to undermine the government's capabilities rather than to legitimately protect the freedoms of Americans.


Believing that americans should have freedom is not a politically neutral position.

Y'all literally fought a war over that very question back in the 1700s.

Hell, is there any question less political than to what extent individual freedoms should be trumped by the state and the collective "good"? That, in its various forms, is the fundamental political question from which all other political questions follow.


Being pro civil liberties can't be politically neutral when there are those attempting to take them away via political means.


The ACLU was always a staunch defender of free-speech rights, but that is no longer the case. They now only defend the free speech rights of people on the left side of the political spectrum. For example, they will not defend religious speech, the accused in title IX cases, pro-life groups, etc.


That's not true


The ACLU has lost a great deal of moral clarity once they began taking on political positions. They no longer have the clout they once had, in the eyes of many.


The timing seems odd for that, given that their preferred side seems rather likely to be largely in control for the next couple years.


Limiting the government's capabilities is the very essence of what it means to protect freedom of private citizens. Throughout history there is no case of continual government expansion which leads to more freedom of its citizens.


Consumer privacy has been politicized as it entered the public consciousness. Parties have taken sides.

I don't see another choice for them. The populist authoritarian streak taking hold in many countries' right-wing parties goes against much of what the ACLU stands for.


"I may not agree with what you say, but I will defend to the death your right to say it."

Part of the reason their name has weight, is their history of defending anyone including in at least one case actual neo-nazis.


When you have one party relentlessly gerrymandering districts to take away voting rights (mostly from minorities) and putting immigrants in cages separated from their parents, it's hard to support both sides. One side is violating basic rights as a matter of mainstream policy.

IMO populism is anti human rights. I think that's the reason ACLU is no longer neutral. They were totally fine with traditional conservative principles for many decades.


If law enforcement has a valid search warrant to access the data stored on a device then the "how" is irrelevant. It doesn't matter how they bypass the encryption, self created forensic tools or voodoo incantation, the action is legal. The lawsuit will go nowhere and they know it. It is a fundraising ploy.

What the ACLU should be demanding is "show us the warrants".


According to the article, they are suing related to FOIA record requests. Whether or not the FBI is doing something illegal with encryption sounds pretty unrelated to whether their response to the FOIA request was legal.

IANAL


I don't see how that has any legal merit. There's a FOIA exemption for "Information compiled for law enforcement purposes that . . . Would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions if such disclosure could reasonably be expected to risk circumvention of the law".


> What the ACLU should be demanding is "show us the warrants".

Before the ACLU can ask that, they need to see that the FBI are breaking encryption. This is shown in some court documents (where there are warrants).

So the ACLU asked the FBI, hey, are you breaking into phones, as these court documents say? (probably so they can ask the follow up, "show us the warrants").

The FBI then responded. I'm not saying a damn thing! not gonna even confirm whether we've broken into anything. NOPE.

At which point, how can the ACLU ask to see warrants? The FBI need to say that they are breaking into phones (as court documents state) which they won't even do, so the ACLU are suing to say "hey that's not fair, you definitely are doing that, don't deny it."



