DoJ to Apple: your software is licensed, not sold, so we can force you to decrypt

Unfortunately, only if that strong crypto also includes strong key storage.

Trouble is, humans are unbelievably lousy (barring a few exceptional cases) for storing suitably large cryptographic keys. So the key actually used to encrypt the device’s storage is generally stored on the device, encrypted with something derived from the user’s password/pin/unlock pattern/etc.

If the device operates as intended, this is only a moderate risk: just have the device zeroize after a certain number of failed password attempts; high enough to avoid user accident, low enough to make brute-force vanishingly unlikely to work.

The ugly possibility here is that, since the device still trusts Apple, Apple should be able to send it a correctly signed and valid update that disables any of the safeties protecting the encryption key from brute force attacks and (depending on how the keystore was implemented) possibly even remotely pulling the key (still encrypted with the user-provided password) off the device for more convenient attack.

Brute forcing the actual crypto key should be effectively impossible; but if the phone allowed you to throw unlock PINs at it as fast as its CPU could handle them, without any attempt to mitigate brute force attacks, most users’ passwords would fall within hours; and the cost per hour of attacking them would be extremely low.

Presumably this is the sort of ‘cooperation’ the non-idiot feds actually want from Apple. I’m sure that some of the dumb ones still think that Apple has a magic password jar stored somewhere in their headquarters that allows them to unlock any device they’ve ever sold at will; but unless Apple has been running a very quiet key escrow program, that is nonsense. However, unless iDevices absolutely will not accept any updates whatsoever without prior user authorization, Apple is very much in a position to make a specific device a lot more friendly to brute force attacks on the (usually pitiful) user password.

What would be interesting to see is the reaction if the court decides that Apple is indeed the owner, since they didn’t sell the software; but Apple has, or does in the future, implement things so that they can’t update a ‘licensee’ unless they first unlock their device and approve the update. That might leave Apple with a duty to assist so far as they can; but also a fairly strong argument that they can’t do anything useful without the guy unlocking his phone, which is what the cops have been unable to get him to do, so all possible assistance is nothing.

2 Likes
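The post above as a runnable model, added here as an illustration (it is not from the thread and is not Apple's implementation): a storage key wrapped under a PIN-derived key, guarded by a failed-attempt counter that zeroizes. `ToyKeystore`, `exhaust`, the XOR wrap, the sample PIN and the low iteration count are all assumptions made for the demo.

```python
import hashlib
import hmac
import os


class ToyKeystore:
    """Constructed model: a random storage key wrapped under a PIN-derived key."""

    def __init__(self, pin, max_attempts=10, iterations=200):
        # max_attempts=None models firmware with the retry limit removed.
        # iterations is kept tiny so the demo runs fast; it is not a recommendation.
        self.salt, self.iterations = os.urandom(16), iterations
        self.max_attempts, self.failed = max_attempts, 0
        storage_key = os.urandom(32)
        wrap_key, mac_key = self._derive(pin)
        self.wrapped = bytes(a ^ b for a, b in zip(storage_key, wrap_key))  # toy wrap
        self.tag = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()

    def _derive(self, pin):
        okm = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, self.iterations, dklen=64)
        return okm[:32], okm[32:]

    @property
    def wiped(self):
        return self.wrapped is None

    def unlock(self, pin):
        """Return the storage key for the right PIN, else None. Zeroize at the limit."""
        if self.wiped:
            return None
        wrap_key, mac_key = self._derive(pin)
        expected = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()
        if hmac.compare_digest(expected, self.tag):
            self.failed = 0
            return bytes(a ^ b for a, b in zip(self.wrapped, wrap_key))
        self.failed += 1
        if self.max_attempts is not None and self.failed >= self.max_attempts:
            self.wrapped = self.tag = None  # wrapped key destroyed; data unrecoverable
        return None


def exhaust(keystore, digits=4):
    """Try every PIN in order; return (pin or None, attempts made)."""
    for n in range(10 ** digits):
        if keystore.unlock(f"{n:0{digits}d}") is not None:
            return f"{n:0{digits}d}", n + 1
        if keystore.wiped:
            return None, n + 1
    return None, 10 ** digits


if __name__ == "__main__":
    print("limit on :", exhaust(ToyKeystore("7291", max_attempts=10)))
    print("limit off:", exhaust(ToyKeystore("7291", max_attempts=None)))
```

With the limit in place the wrapped key is destroyed after ten wrong guesses and even the correct PIN no longer works; with the limit removed, the same 256-bit storage key is only as strong as the four-digit PIN protecting it.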

Here’s a finer point from the other direction. It’s a liability for Apple to claim in any way that they have the desire or ability to enter into a person’s device and retrieve information. Imagine the corporations who rely on iPhones and secure communications on those devices. If the EULA implied those companies’ secrets are open to Apple to come and get anytime, you can bet they’d dump their iPhones in a big pile, douse it with gasoline then toss in a lit match. Apple came to the realization that security was important through a long and tortured hassle.

When Apple first started the iPhone business, Blackberry was the #1 corporate handheld. RIM has always had a tight EULA protecting clients from intrusion:

BlackBerry Limited and its subsidiary companies and affiliates (“BlackBerry”) are committed to and have a long-standing policy of maintaining the privacy and security of your personal information which is information about an identifiable individual (as defined by applicable privacy or data protection laws).

And they touted a secure Business Enterprise Server that protected user data from the rest of the hardware within a walled garden on the device that communicated securely with a piece of middleware that stood between the user’s email server back at corporate IT and their mobile device. Blackberry’s secure corporate communication was a huge selling point.

Back then, Apple had no such thing. Apple had a very hard start with the iPhone’s security. The original iOS was basically a version of the desktop software with much of the security and permissions stuff removed to make it lightweight enough for the old, too-hot-to-touch Samsung RISC processor. And no special business enterprise software available to corporate customers for YEARS. I couldn’t even get a Cisco VPN on iOS for several years. Basically, iPhones went for about 5 years before security was a real concern.

They did wise up. For them to now be pushed back into a corner that as license holder they can be compelled to dip into user information would be a mega-sized reversal and probably won’t happen. They took quite a while to get where they are now with security, and it’s the DOJ who is behind the times.

5 Likes

I don’t think so - the company would simply state “it’s the law, just go along with it”. And as all companies can be forced to open the devices the consumer can either accept it or don’t use any electronic devices.

Here’s a finer point from the other direction. It’s a liability for Apple to claim in any way that they have the desire or ability to enter into a person’s device and retrieve information.

That’s explicitly what Apple is arguing in its brief when it claims that following the writ would damage the company’s reputation and goodwill.

Blackberry’s secure corporate communication was a huge selling point.

Still is for national security types, which is why Obama uses one.

They did wise up. For them to now be pushed back into a corner that as license holder they can be compelled to dip into user information would be a mega-sized reversal and probably won’t happen. They took quite a while to get where they are now with security, and it’s the DOJ who is behind the times.

A big part of the DoJ’s beef looks to be that Apple changed their policy on cooperation somewhere between the time DoJ first approached them about the case and the time they served the writ.

I’d put it at close to two centuries, with Dartmouth College v. Woodward being the key precedent. It’s not all bad, since corporations being people is what lets you sue them in court, and it gives protections to corporations like the Electronic Frontier Foundation and the American Civil Liberties Union Foundation.

1 Like

In that vein, with recent advances in machine vision and text processing it will likely be possible to have a computer pass a bar exam within the relatively near future.

It seems like a lot of inconvenient having-your-phone-seized-and-searched could be avoided if your phone and other complex personal electronics were also members of your legal staff. Anyone know if you have to be human to be a lawyer?

1 Like

most lawyers are sharks. no humanity needed

1 Like

Sometimes the practice of law consists of understanding when analogies are appropriate, and when statutory interpretation makes them inappropriate. But consider a Blu-ray player. Most discs are encrypted with various schemes, and a player that understands how to decrypt the content is given the job of enforcing the publisher’s terms and conditions. A player that does not, or cannot enforce these, theoretically can no longer decrypt and thus playback the content.

I am not a Buffy fan, but one gag I liked was how, after they’ve defeated all the vampires, all the demons, all the other transdimensional brain-sucking monsters, the worst of the worst, the final enemy, was the lawyers.

1 Like

A mortgagee is merely a lien holder. The title (ownership/bundle of sticks) is held by the mortgagor (the buyer).

1 Like

the DOJ knows this violates the law of unintended consequences, but then again they never studied law.

1 Like

They don’t need to study it, they can just make some new law to fix all the wrong laws those medieval ingrates made up that got us in this pickle, I mean King John didn’t go to Harvard and he managed to sign the Magna Carta so how hard can it be?

1 Like

But if you leave that photo on my camera, then it’s in a shared space between us (the camera’s memory), and I would legally be allowed to provide access to it for law enforcement. If Apple owns the software, then the user’s data is in an area shared by Apple and the user (the phone memory which is controlled by Apple’s software); the data legally belongs to the user, but Apple’s software legally has access to it as well, and can therefore turn it over to law enforcement.

I was remarking on the weird disparity on your comment where you seemed to advocate for the option with “vast drawbacks” despite the fact that the benefit was limited to “maybe an incentive for less abusive contracts”.

I don’t have much to say about the object-level debate, just that prima facie your comparison of drawbacks and benefits didn’t make your advocated option seem like a good deal.

Well, as @fuzzyfungus explains, they wouldn’t really need to do that. All they’d really need to do is open a lock to allow brute force password attempts, which would allow access trivially. This is much more analogous to a landlord unlocking the door and the government doing the search (your password, in this case, being equivalent to hiding drugs between the mattress and the box spring).

Corporations being people is a convenient legal fiction for things like allowing them to own and transfer property, sue and be sued, etc. What is absurd is saying that they have human rights.

2 Likes
