FBI could demand Apple source code and keys if iPhone backdoor too 'burdensome'

The founder of the encrypted email service hit by a similar order two years ago argued that the FBI could create "ghost" iPhone updates that imitate legitimate Apple software.
Written by Zack Whittaker, Contributor

(Image: file photo/CNET, CBS Interactive)

The FBI could demand that Apple turns over its source code and private key to the iPhone's operating system, the Justice Dept. implied in its latest filing against the tech giant.

The government's response aims to target a critical argument made by Apple -- that compelling the company to rewrite its iOS software to remove security features in order to allow federal agents to bypass the passcode on the San Bernardino shooter's phone would be overly "burdensome."

"The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple," said federal prosecutors in a footnote in its March 10 filing. "If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers."

Some case watchers saw the citation as more indicative of a threat than a technological suggestion.

A Justice Dept. spokesperson said the agency will "let the filing speak for itself," but added the citation in question was an alternative, rather than a position taken.

By its own admission, the Justice Dept. set this precedent in its 2013 case against Lavabit, the encrypted email provider said to have been used by whistleblower Edward Snowden.

"I think [the government] is setting up the possibility of demanding the key and the source code," said Lavabit founder Ladar Levison, speaking on the phone.

Levison drew parallels between his case and the fight that Apple currently has on its hands.

He too was compelled by the government to provide "technical assistance" to help the FBI install a pen register device to obtain metadata on an Lavabit account -- thought to be Snowden's but that was never formally confirmed as the case remains under seal. Levison forcibly shut down his encrypted email service after federal agents later demanded that he turn over his master encryption key, which he said would give agents access to every one of his customers' data.

"It's rather disturbing that the government is relying on the authority they obtained by railroading a small business in a secret court proceeding to justify demanding the key from Apple now," he said.

Levison said the feds demanded his source code and private key in order to build a "ghost" Lavabit, allowing the government to "pretend to be Lavabit on the internet" all while intercepting, decrypting, and inspecting data between Lavabit's servers and the outside world.


It wouldn't be the first time the US government has compelled a company to turn over its source code or private keys. (Image: file photo)

Similarly, acquiring Apple's source code and private key would allow the government to sign its own versions of iOS, making it possible to build as many custom versions of iOS as it wants. Demanding Apple's source code or signing key would undermine the government's own claim that it was only after the one iPhone that was used by the San Bernardino shooter.

Private keys are often used to prove that the item is what it says it is, and ensures that it's from the true source. But he argued that if a person cryptographically signs something, they can no longer deny that they're responsible for making it.

"It's the equivalent of putting a notarized signature on an affidavit. Because it has your signature, it's in effect your speech -- and there's no way to deny it," said Levison.

Levison argued that if Apple lost overall control of its key, the government could create "ghost" software that imitate legitimate Apple updates, a sentiment he echoed in his amicus brief submitted earlier this month in support of Apple.

If the government succeeded, he said, the public would "no longer be able to differentiate between Apple's true speech and their compelled speech," if both Apple's software is signed by its own key, and a key taken by the FBI.

Apple is expected to respond to the government's response by Tuesday. A court hearing on Apple's objections is set for March 22.

Editorial standards