A Security Practitioner’s Summary and Analysis of Apple & the FBI
.ref { vertical-align: super; font-size: 80%; }
As I mention from time to time, I work in information security. Encryption is one of my areas of specialty. In addition, I'm a board member of the FBI Knoxville Citizens Academy Alumni Association, well acquainted with not only the mission and challenges of federal law enforcement but also the people who carry it out. So it's with great professional and personal interest that I've been following the #AppleVsFBI case.
A colleague of mine wondered out loud at my take on the situation and I happily promised to do what I could to shine a light on this issue, what's at stake, and to peel back some layers of rhetoric.
This is a complicated matter, so I'm sorry to say this won't be a succinct or perhaps even a satisfying read. Anyone who boils this down to a pithy bon mot (or "tweet" as I understand the kids call them nowadays) is, of course, simplifying the matter greatly. They're showing you a shiny coin -- small in value, and you can only admire the one side. It is my modest hope that I can impart some real understanding of the matter to you, reader, and do justice to describe the intense desires of both the law enforcement and info security communities on either side.
Before diving into what anything in this whole case means, let's revisit the hard facts. If you feel you are already acquainted with the scenario, then I encourage you to skip down to my analysis.
The Attack & the Investigation
On 2 December 2015, Syed Rizwan Farook and his wife Tashfeen Malik attacked the Inland Regional Center in San Bernardino, California. This attack resulted in 14 civilian deaths, 24 other casualties, and the deaths of both Farook and Malik[1].
In the ensuing investigation, Farook's iPhone was collected into evidence by law enforcement.
Farook was an employee of the San Bernardino County Department of Public Health (SBCDPH)[2].
The iPhone seized in the investigation was provided by his employer, and was therefore owned by San Bernardino County.
After the iPhone was seized, SBCDPH performed a remote password reset of Farook's iCloud account in a botched attempt to get at its contents[3]. This process was performed in cooperation with FBI investigators, and not by SBCDPH independently[4].
Farook's phone is an iPhone 5c running a version of Apple iOS 9 installed.
On 16 February 2016, the Department of Justice filed an Order Compelling Apple Inc. to Assist Agents In Search.
On 19 February 2016, the Department of Justice filed a Motion to Compel Apple Inc. to Comply with this Court's February 16, 2016 Order Compelling Apple To Assist Agents In Its Search.
On 25 February 2016, Apple filed a Motion to Vacate the Order Compelling Apple Inc. to Assist Agents in Search, and Opposition to the Government's Motion to Compel Assistance.
On 10 March 2016, the Department of Justice issued the Government's Reply In Support Of Motion To Compel And Opposition To Apple Inc.'s Motion To Vacate Order.
Understanding the Court Order
First and foremost, it's important to understand exactly what assistance the court is trying to compel from Apple. The request is often oversimplified as a backdoor, and that's not untrue strictly speaking. What the FBI wants here is for Apple to produce a special version of the iOS operating system specifically for this phone that will bypass two security features in the unlock routines: the time delay introduced by successive incorrect passcode guesses, and the automatic data wipe after a given number of incorrect passcode guesses.
The existence of devices that brute force guess passcodes for different phones is well established. These fall into what you might describe as a grey market; they can be used by law enforcement to unlock a device in evidence, but they can also be used by phone thieves for ignoble purposes.
And, in fact, Apple has provided assistance doing just this for law enforcement agencies across the country up to this point[5]. So what's different? What changed? Why fight the court order?
The difference is the operating system itself. Many of these passcode bypases and brute force systems leverage known vulnerabilities or other weaknesses discovered in the iOS operating system. The natural order of software development is to improve, and in the interest of better protecting their customers' data from unauthorized parties Apple made improvements in iOS 8 that keenly frustrated the ability to bypass the screen lock. Apple, who indeed had been cooperating with law enforcement to unlock phones in evidence, has told the courts that it would be impossible for the company to unlock devices running iOS 8 and higher[6].
What the FBI wants, then, is for Apple not to merely unlock the phone but to build a custom version of the operating system that will bypass the security features that render a rudimentary brute force (i.e. guessing 0000, 0001, 0002, etc.) feasible. We in the infosec community have been referring to this notional iOS variant as "FBiOS".
The scope of the court order is to load FBiOS onto this one device, perform the brute force of the passcode, and that would be the end of it. The order volunteers that Apple can maintain possession of FBiOS completely and could even code it so that it works only on that specific phone[7].
The short form of the resistance from the tech community is that FBiOS is a bad idea. (The long form is usually, "It's a really bad idea.") Why?
Before you read further into the analysis and commentary I have to offer on the legal briefings, prudence requires that I disclose that I am not a lawyer. Nothing here is intended as legal advice or expert opinion with respect to the law or judiciary proceedings, and it should not be interpreted as such.
The All Writs Act of 1789
One of the issues this case brings to light is that the Department of Justice is using the All Writs Act (AWA) of 1789. That is not a typo. DOJ is using a 230 year old law to influence encryption issues, but is that a bad thing? The text of the act is brief enough to reproduce here in full.
(a) The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.
(b) An alternative writ or rule nisi may be issued by a justice or judge of a court which has jurisdiction.
Legal precedent outlines four requirements for issuing extraordinary writs under AWA[8]:
there are no other judicial avenues for achieving the desired result,
the writ does not create additional jurisdiction of the government,
the writ must be necessary to case at hand,
and the writ must be agreeable to the usage and principles of law (i.e. not illegal).
Indeed, one must concede that there's nothing in the DNA of this judicial tool that makes it inadequate to the task the DOJ is trying to accomplish here. The age of the act makes little difference; we elect people to the executive and legislative branches according to formulas prescribed in another document from 1789.
If the question is, "Could the Government issue this order on the grounds of the AWA?" then the answer is... maybe. Apple's argument in the Motion to Vacate targets the second requirement. They assert that this writ is, essentially, legislating from the bench. Congress has not granted the government the authority to compel the risks associated with the request, and so the writ is therefore over-reaching.
They provide further argument against the fourth requirement, citing the Communication Assistance for Law Enforcement Act (CALEA). 47 U.S.C. § 1002(b)(1) states the following:
This chapter does not authorize any law enforcement agency or officer--
(A) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services; or
(B) to prohibit the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.
Apple maintains that it is, certainly, an "electronic communication service." The DOJ doesn't challenge this but rather responds that CALEA does not address this scenario. To my reading, this seems a fairly clever trap in the Apple brief. If the limitation laid out in CALEA does not apply, then that would seem to lend credence to Apple's argument that this is new jurisdiction. Either way, Apple's argument that the writ is inappropriate has some weight and should not be dismissed.
A better question, however, is whether the government should stand by this writ. Apple is a multinational corporation. Look on the back of an iPhone and you'll see printed at the bottom, "Designed by Apple in California. Assembled in China." If I were to fly across the Atlantic and buy an iPhone from a store in London, it's going to be the same thing I get if I pop in my local Verizon store.
So consider: if the American government is able to compel Apple to action based on American authority, what happens when China tries to compel Apple to action based on Chinese authority? On what grounds can Apple resist if the action they compel is precedented in Apple's home country? China and Russia are watching what happens in this case closely. That should make you quite uncomfortable with compliance.
Applying United States v. New York Telephone (1977) in All Writs Act Case Law
The first known bit of case law we get legal precedent about the use of the All Writs Act with respect to programming is 1977's United States v. New York Telephone, which I'll not recount in detail here. What we seem to get from that case are some standards dealing with where it is and isn't appropriate to use AWA to compel programming. The three most relevant to the arguments in this case are:
Is the recipient of the writ removed from the controversy?
Is the burden imposed by the writ excessive?
Is the third party's assistance imperative?
Reading that over, you might imagine there's no black-and-white answers to be had here.
Removed From The Controversy
Apple argues that they are sufficiently far removed from the controversy of the San Bernardino attack. They hold that they sold Farook the phone and whatever he did with it from there they had no bearing on. I rather love the analogy they use in their Motion to Vacate: "Apple is no more connected to this phone than General Motors is to a company car used by a fraudster on his daily commute."[9]
The DOJ in their response points out that since iOS software needs to be signed by Apple and because the phone contacts Apple's servers periodically (e.g. when the software checks for updates). For those reasons, they argue, Apple is not disentangled from the controversy.
If this argument holds water, the implications for future application of AWA in the realm of technology are troubling. The court could use this precedent to order any technology platform that phones home for automatic updates to do anything: record audio or video, prohibit certain programs from running, install surveillance malware... Kind of like a wire tap, but much more invasive.
This is troubling to me because software vendors like Apple and Microsoft aren't public utilities like phone lines. Auto-update isn't a vain feature of these systems, it's a public security mechanism not unlike vaccinations. To the tech community, this is nothing short of poisoning the well.
Here's where we start to get into some of the really deep legal waters, talking about burden.
On the one hand, Apple's asserted what anyone working in IT knows offhand: that complying with the order and building FBiOS will take a team of engineers several weeks to complete. That's an extremely expensive task. The DOJ, in what I feel to be a stunningly arrogant argument, dismisses Apple's claim on the premise that they have available capital. It seems almost magnanimous when they offer to work something out with Apple in a financial regard if they are unwilling to accept that burden on their own.
Moreover the burden described by Apple is not so much financial, but the fundamental undermining of the security features they have implemented to protect customers. To phrase it differently: the burden is not merely that Apple does not wish to perform the ordered task, it is that it is important to Apple that they do not perform it. To that end, the court is not simply ordering that a feature be disabled, as that is not possible; the order requires the creation of new code.
Third is the question of whether Apple's assistance is imperative and necessary for the DOJ to collect the evidence it wants. In the case of New York Telephone, it was; without the change in the switch programming, the DOJ would have been incapable of executing its legitimately authorized wire tap. To the end of producing FBiOS to bypass the passcode security features, certainly Apple's assistance would be required.
Apple contends that the object of interest to the DOJ isn't FBiOS (at least, not as far as the case is concerned), but instead the data on Farook's phone. They argue further that Apple's assistance would not be required, had the FBI and San Bernardino county followed published advice on how to proceed with respect to Farook's phone and his iCloud account. They did not, rendering that evidence inaccessible to them without extraordinary measures.
The government response was that losing the iCloud backup was, in all actuality, a small loss accounting to the fact that Farook had himself changed his iCloud password since the last backup. The data that they really wanted to get at was on the phone itself, which had already been powered off and couldn't be forced to restore from an iCloud backup until it had been unlocked.
Further Notes on United States vs. New York Telephone
There's lots of discussion to this point on how the New York Telephone case provides precedent for the government compelling programming, but there's an important linguistic disconnect that needs to be considered. For NYT, the act of programming a phone switch was something akin to what we would today describe instead as "configuring" or even as "routing". The desired result was to produce a path by which the FBI could install their authorized wire tap. That is an altogether different activity from what we today describe as "programming". Programming is the act of authoring program code which is compiled down into binary language computers can understand. So by using this case as precedent, the two sides aren't speaking in the same language.
The First Amendment Arguments
Apple brings out a parade of well-settled case law that firmly establishes that computer code is tantamount to speech in consideration of the First Amendment. The analogy fits especially well here - given corporate personhood - because if the code in question is the iOS operating system, it must also be signed by Apple to be of any value.
The order is therefore compelling Apple to create and sign protected speech, and case law establishes narrow criteria under which the government is permitted to do this. Apple argues that the DOJ has not satisfied this critera, that they are merely speculating the phone contains any concrete evidence of value. The brief quotes FBI Director Comey, "Maybe the phone holds the clue to finding more terrorists. Maybe it doesn't."[10] San Bernardino Police Chief Jarrod Burguan has said, "I think there is a reasonably good chance that there is nothing of any value on the phone."[11].
The DOJ's response does little to address the criteria around the order to compel speech beyond the fact that the intended audience of said speech is, effectively, no one. The audience of FBiOS, as requested, would be a dead man's phone. The execution of this speech would be done in private, within Apple's control. Therefore, they argue, the ramifications of compelled speech are null.
Curiously, the government response spends a few paragraphs questioning whether computer code should be considered speech at all. They cite a few cases here to support their argument, but I can't see this particular tactic gaining much traction.
As I stated before, I am not a lawyer, but there's an interesting point and counterpoint here that I believe is likely to endure up to the Supreme Court. If code is speech, and my understanding of the law is that it is, then surely the order is to compel speech. But there is legal precedent for compelled speech, and this might be powerfully persuasive within the judicial system particularly under the banner of national security.
The Fifth Amendment Arguments
Anyone who's ever seen a TV show or a movie about lawyers (and that's everyone) understands the most common invocation of the Fifth Amendment. It's the right to not incriminate yourself. It is also the right to due process, and Apple invokes that aspect in their Motion to Vacate.
Apple's arguments here echo their earlier arguments about undue burden with respect to the All Writs Act. They encapsulate all of that here and summarize it as arbitrary action by the government.
The DOJ's counterargument is especially thin here, dismissing the Fifth Amendment argument by saying an entity has no due process right not to develop source code. Again they dismiss Apple's investment into encryption as consumer protection as a mere marketing strategy, and under this dysphemism argue that the there's no legal protection to it.
The creation of FBiOS has been likened to opening a Pandora's Box. Why? Let's explore that further.
This case has brought one phrase in particular to the forefront of the debate: Going Dark. Director Comey has been speaking about this phenomenon - about the trail of investigation going cold when frustrated by encryption technology - since his confirmation as Director of the FBI in 2013.
I had an opportunity to ask the Director about this personally at a Citizens Academy Alumni event. I had asked if he was concerned that he was aligning the Bureau against the interests of very people he was trying hard to recruit following sequestration[12]. His response was that he hoped it would be a barrier, and he underscored the fundamental desire that the advancement of technology not create warrant-proof zones.
Indeed, the use of encryption does frustrate the collection of digital evidence in investigations of all sorts of crimes, from terrorism to drug dealing, corporate espionage to child pornography. What the DOJ's position misses, however, is that encryption is also a fundamental technology that protects the country's interests as well.
In mid-March, the Associated Press reported that Iran claims to have recovered "thousands of pages" of information from the devices of sailors who were briefly detained in January after drifting too far into Iranian waters[13]. While the devices in this instance were laptops instead of iPhones, the technology that protects the latter is the same as what should be protecting the former.
It became clear to many that addressing the Going Dark problem was about to become a priority for the Department of Justice from Director Comey's remarks to the Senate Select Committee on Intelligence on 8 July 2015. "Changing forms of Internet communication are quickly outpacing laws and technology designed to allow for the lawful intercept of communication content," he said. "This real and growing gap the FBI refers to as Going Dark is the source of continuing focus for the FBI, it must be urgently addressed as the risks associated with Going Dark are grave both in traditional criminal matters as well as in national security matters. We are striving to ensure appropriate, lawful collection remains available."[14]
The director's comments sparked a period of public debate in which well-meaning patriots in the press and otherwise pointed the finger at Silicon Valley for not trying hard enough to design warrant-accessible encryption methods[15]. All this debate managed to accomplish was to highlight the essential knowledge gap on the subject of encryption: any system that supports "golden key" accessibility is both mathematically flawed and operationally susceptible to multiple avenues of attack. To understand this principle, it helps to learn about how master keys work and how they weaken security. To this end, I turn to my friend Schuyler Towne to explain.
Similarly, the use of a master key in encryption schemes increases the number of electronic attacks that are viable against the system. What's more, the master key can also be stolen from those who keep it. The consequences of using such a system would be disastrous to individuals' and corporations' security if and when the system is inevitably broken by adversaries. If this happens to a building using mastered locks, all the locks need to be replaced. If this happens to a cryptosystem using a golden key override, it will cost businesses time and money to replace systems.
The most glaring flaw comes from a tautology of symmetric cryptosystems, the sort used to protect data at rest: any entity encrypting data must know the key or keys that can decrypt it. Consequently, anyone working on program code that would implement a warrant-ready golden key cryptosystem must have access to that golden key. Unless programmers all had top-secret clearance and were licensed, which is an altogether untenable proposal, it would be totally impossible to keep the golden key a secret. The system would be compromised before it were ever used.
The rhetoric coming out of the FBI and the DOJ has been consistent on one point: that the court order is for just one phone - Syed Farook's - and does not order any sort of global backdoor or skeleton key be created. Indeed, the court order is that specific, referring repeatedly to the "SUBJECT DEVICE" recovered from Farook. Directory Comey states in a press release that, "The particular legal issue is actually quite narrow. The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve."[16]
The reality of this "narrow request" rhetoric is that it altogether ignores the direct consequences of the order being upheld.
Let us consider what it means, if the courts should deny Apple's motion to vacate. That would mean the court finds that using a writ to compel Apple to create custom code to disable consumer security features is appropriate. Specifically, it means the court does not believe this is an undue burden.
Pundits supporting the FBI's position have said (and I'm paraphrasing here for lack of a direct source) that since the order is for only one phone, Apple could tear up the source code and throw it in a fireplace afterwards. But if the justification for the limited, one-phone order is legitimate, then it is not only reasonable to believe but irresponsible not to assume that there will be additional limited single-phone court orders to follow that use the exact same reasoning. Manhattan District Attorney Cyrus Vance has said it's "absolutely right," that he would seek access to more than 175 iPhones in investigations should the government prevail in the Farook case[17].
Given the investment of time and resources that Apple has officially stated the creation of FBiOS would require, it would make no sense for them to destroy it afterwards. Knowing that additional requests will be forthcoming, it would be a reckless waste of those resources to repeat the same engineering effort every time.
Furthermore, the act of destroying FBiOS after its creation is no trivial matter. Provided it would take weeks of effort by a team of engineers and developers, the use of a source code repository would be necessary. Is Apple to create parallel repositories on separate burn-after-using servers to support this effort? And what of backups? The services supporting this effort would need to be completely segregated from normal operations if Apple were to have any reasonable hope of destroying the work after its application in the court order. This adds a great deal of additional cost - both capital and operational - to the financial burden imposed.
Unless, of course, Apple were to decide not to destroy FBiOS afterwards, to keep it "locked away" for reuse. Now we create a different scenario entirely. Now there is, in fact, a skeleton key for iPhones. This would be one of the highest valued targets for attackers in existence.
If Apple keeps it, they would then have the burden of needing to secure it. The DOJ, in their response to Apple's motion to vacate, at least acknowledges this. The brief states blithely that, "If Apple can guard [the iOS source and code signing certificates], it can guard this."[18] There is a vast difference between theft of source code or even a signing certificate and a completed iOS package. The latter is immediately useful while either of the former requires additional work to derive value. And a precompiled package that can defeat security features is much more readily redistributed.
Threat actors from all corners of the world would have great interest in this artifact because the application of FBiOS as an espionage tool is incredible valuable. Apple would need to staff additional information security personnel, spend additional capital to insulate and protect this asset, and repel continuous attack by malactors who desparately want to get this.
If all of this additional burden seems too much, then I'm sure DOJ would happily volunteer to take possession of a persistent FBiOS from Apple. But the federal government has demonstrated repeatedly that the public cannot trust it to secure sensitive materials. The Office of Personnel Management, which retains all the data collected from people in clearance assessments, was rather famously hacked in 2014 resulting in the loss of more than 21 million people's data[19].
The geniuses @TSA require us to use luggage locks for which they have master keys. Now we all have those keys. pic.twitter.com/cdT487Elxj
— Johnny Xmas (@J0hnnyXm4s) September 10, 2015
TSA-approved locks are a physical world analog of this very principle -- locks designed such that the government has a master key. The theory being that TSA agents are able to unlock your bags to carry out any legitimate inspections, but your luggage is secure from non-government agents. Unfortunately, the Department of Homeland Security allowed the Washington Post to publish high resolution images of the master keys to all the TSA lock types in a story[20], without realizing that the image was all anyone needed to reproduce those keys at home[21]. The TSA is distressingly cavalier about the incident. TSA official Ken Lauterstein says, "The reported availability of keys to unauthorized persons causes no loss of physical security to bags while they are under TSA control."[22] In other words, the personal security of your luggage once it hits the baggage carousel is not their problem.
It would be truer to say that this issue is not about one iPhone, but is a categorical issue with iPhones that will be addressed, as the FBI does with Title III wiretaps, one warrant at a time. And what then of the golden egg, FBiOS? Does Apple incur the expense of destroying and recreating it for each writ? Will Apple shoulder the burden of keeping and securing a universal skeleton key from threat actors who desire it? Or will they surrender it to a government with a proven track record of being unprepared or unqualified to protect vital secrets of this nature? This is the proverbial rock and a hard place, and Apple is stuck in the middle.
Counter-terrorism has been at the top of the FBI's list of priorities since the September 11, so the vigorous prosecution of this court order comes as no surprise. This case goes far to demonstrate the confused execution of those aims. In the Farook case, the FBI hopes to use information on the phone to establish links to ISIS operators, to learn more about how Farook transitioned from productive member of Western society to radicalized killer. But if such links exist, then ought these have been discovered already by the monolithic surveillance apparatus helmed by the NSA? The FBI, at least nominally, is privy to this manner of intelligence - particularly where domestic subjects are concerned - through the Joint Terrorism Task Force. So if signals-based intelligence is ineffective at its primary goal, why do we do it? How much information do we as private citizens need to submit to the federal government in the interests of public safety?
Moreover, the Department of Justice is engaging in rhetorical pedantry by insisting this case is just about one iPhone. In the sense that the court order targets one device, this is true. One must willfully ignore the DOJ's prior history of using the All Writs Act to compel Apple's assistance with iPhones to believe that this is an exceptional scenario. The government dismisses the grave technical security concerns in the creation and keeping of what they desire based solely on Apple's vast resources, but if we have learned nothing from the parade of data breaches and hacks in the last several years we must accept that a critical breach of this resource can (and certainly will) happen. We can look to Edward Snowden as demonstrative proof of an organization well accustomed and practiced in the art of secret-keeping failing.
The most deeply concerning side effect of this case is the social impact. Those who have aligned themselves with the FBI's position in this matter have seen fit to portray dissent as unpatriotic, further trumpeting the soiled notion of national security before all else. This emotional appeal has inspired a witch hunt, as seen in David W. Jolly's H.R. 4663 - the No Taxpayer Support for Apple - bill introduced last week into the House of Representatives. The bill, if adopted into law, would prohibit federal agencies from purchasing Apple products until the courts certify Apple has complied fully with this writ. I ask you, reasonably, why in the world anyone would want to deprive federal employees of devices proven to frustrate efforts to yield Top Secret information to America's adversaries?
For many years, those of us involved in the practice of information security have operated under a dim light. The public understands little of what we do and our failures are made much more public than our successes. Even amongst our own field, cryptography is indelibly branded by its challenges: "Crypto is hard, don't mess with it casually." And yet it is so, so important to keeping information secure. Now that it comes to a public debate, it's clear that we need to do more to inform the general public about this subject. After all, Senator Lindsay Graham initially spoke unwaveringly in favor of the FBI in this matter but changed his tune in a recent oversight hearing of the Senate Judiciary Committee. "It's just not that simple," he admitted. "I thought it was that simple."[23]
[1] 2015 San Bernardino attack, Wikipedia.
[2] Suspect ID'd in San Bernardino Massacre as Syed Farook, The Daily Beast, 2 Dec 2015
[3] San Bernardino Shooter's iCloud Password Changed While iPhone was in Government Possession, ABCNews, 19 Feb 2016
[4] Tweet by @CountyWire, Twitter, 29 Feb 2016
[5] Government's Reply In Support Of Motion To Compel And Opposition To Apple Inc.'s Motion To Vacate Order, page 27 line 23 through page 28 line 8.
[6] Apple Opposes Judge's Order To Help FBI Unlock San Bernardino Shooter's Phone, NPR, 17 Feb 2016
[7] Order Compelling Apple Inc. to Assist Agents In Search, page 19 line 19 through page 20 line 25.
[8] Resorting to Extraordinary Writs, New York University Law Review, 19 Mar 2008.
[9] Motion to Vacate the Order Compelling Apple Inc. to Assist Agents in Search, and Opposition to the Government's Motion to Compel Assistance, page 22 lines 21-22.
[10] Motion to Vacate the Order Compelling Apple Inc. to Assist Agents in Search, and Opposition to the Government's Motion to Compel Assistance, page 33 lines 6-8.
[11]San Bernardino Police Chief Sees Chance Nothing Of Value On Shooter's iPhone, NPR, 26 Feb 2016.
[12] FBI Seeking Tech Experts to Become Cyber Special Agents, FBI.gov, 28 Dec 2014.
[13] Iran says it recovered information from Navy sailors' devices, Navy Times, 15 Mar 2016.
[14] Statement Before the Senate Select Committee on Intelligence, FBI.gov, 8 Jul 2015.
[15] Putting the digital keys to unlock data out of reach of authorities, Washington Post, 18 Jul 2015.
[16] FBI Director Comments on San Bernadino Matter, FBI press release, 21 Feb 2016.
[17] Narrow Focus May Aid F.B.I. in Apple Case, New York Times, 22 Feb 2016.
[18] Government's Reply In Support Of Motion To Compel And Opposition To Apple Inc.'s Motion To Vacate Order, page 24, lines 19 & 20.
[19] Office of Personnel Management data breach, Wikipedia.
[20] The secret life of baggage: Where does your luggage go at the airport?, Washington Post, 24 Nov 2014.
[21] Tweet by @J0hnnyXm4s, Twitter, 10 Sep 2015.
[22] TSA Doesn't Care That Its Luggage Locks Have Been Hacked, The Intercept, 17 Sep 2015.
[23] D.O.J. Loses Lindsey Graham in Encryption Fight, District Sentinel, 9 Mar 2016.
Updated Monday 21 Mar 2016 9:15am Eastern: Technical clarification under "Going Dark" that I was referring specifically to symmetric cryptosystems when speaking of a tautology.
