Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

October 26, 2015

Software Vendors: You have been Pwned by the DoJ!

Filed under: Cybersecurity,Security — Patrick Durusau @ 1:40 pm

DoJ to Apple: your software is licensed, not sold, so we can force you to decrypt by Cory Doctorow.

Cory summarizes the latest diseased imaginings from the minds at the DoJ in their effort to compel Apple to assist in bypassing the security of an iPhone.

The basis for pwning every software vendor with a “license” EULA has been posed by the Department of Justice in IN RE ORDER REQUIRING APPLE INC. TO ASSIST IN THE EXECUTION OF A SEARCH WARRANT ISSUED BY THE COURT, No. 15-MC-1902 (JO).

From the brief:

First, Apple is not “so far removed from the underlying controversy that its assistance could not be permissibly compelled.” Apple designed, manufactured, and sold the Target Phone that is the subject of the search warrant. But that is only the beginning of Apple’s relationship to the phone and to this matter. Apple wrote and owns the software that runs the phone, and this software is thwarting the execution of the warrant. Apple’s software licensing agreement specifies that iOS 7 software is “licensed, not sold” and that users are merely granted “a limited non-exclusive license to use the iOS Software.” See “Notices from Apple,” Apple iOS Software License Agreement ¶¶ B(1)-(2), attached hereto as Exhibit C. Apple also restricts users’ rights to sell or lease the iOS Software: although users may make a “one-time permanent transfer of all” license rights, they may not otherwise “rent, lease, lend, sell, redistribute, or sublicense the iOS Software.” Ex. C, ¶ B(3). Apple cannot reap the legal benefits of licensing its software in this manner and then later disclaim any ownership or obligation to assist law enforcement when that same software plays a critical role in thwarting execution of a search warrant.

Apple does not dispute that the iPhone’s passcode mechanism is in part software-based; Apple notes that each device “includes both hardware and software security features.” Apple Br. at 2. Apple’s software impedes the execution of the search warrant in at least two ways. First, it includes the passcode feature that locks the Target Phone and prevents government access to stored information without further assistance from Apple. Second, Apple’s software includes an “erase data” feature which, if enabled by the user, will render the data on the iPhone inaccessible after multiple failed passcode attempts. See “Use a passcode with your iPhone, iPad, or iPod touch,” Apple, https://support.apple.com/en-us/HT204060 (last visited Oct. 22, 2015), attached hereto as Exhibit D. This feature effectively prevents the government from attempting to execute the search warrant without Apple’s assistance. In addition, through the iOS software, Apple provides other ongoing services to device owners, including one that may be used to thwart the execution of a search warrant: “erase your device” which allows a user to send a command remotely to erase data on an iPhone. See “iCloud: Erase your device,” https://support.apple.com/kb/PH2701 (last visited Oct. 22, 2015), attached hereto as Exhibit E. As described above, in this case, someone sent an erase command to the Target Phone after the government seized the phone. Had the phone obtained a network connection while agents examined it, that erase command could have resulted in the data on the phone becoming permanently inaccessible. Given the role Apple’s software plays in thwarting execution of the warrant, by preventing access and permitting post-seizure deletion of data, Apple is not “so far removed from the underlying controversy that its assistance could not be permissibly compelled.”

On this argument, licensing software rather than selling it leaves vendors connected to it closely enough that they can be compelled to assist the DoJ.

How’s that for unexpected liability from a licensing agreement? I wonder if it is now legal malpractice to recommend licensing agreements to vendors for software? If not, it will be soon enough.

Bear in mind this argument would extend to the Internet of Things.

Tell me, how does it feel to be at the beck and call of the DoJ?

If that weren’t bad enough news, the government’s brief summarizes all the times Apple has cheerfully helped law enforcement to invade the privacy of its users.

Apple has an established track record of assisting law enforcement agents by extracting data from passcode-locked iPhones pursuant to court orders issued under the All Writs Act. The government has confirmed that Apple has done so in numerous federal criminal cases around the nation, and the vast majority of these cases have been resolved without any need for Apple to testify. In the course of handling these requests, Apple has, on multiple occasions, informed the government that it can extract data from a passcode-locked device and provided the government with the specific language it seeks in the form of a court order to do so.

You must comply with lawful court orders or face contempt, but nowhere are you required to volunteer or assist law enforcement beyond the confines of a valid court order.

Every request should be rebuffed until accompanied by a valid court order. No exceptions, no helping.

The privacy that is protected may well be your own.
