
Sundar Pichai Responds to Apple and the FBI Hacking Request - cryptoz
https://twitter.com/sundarpichai/status/700104298600886272
======
tomp
> We know that law enforcement and intelligence agencies face significant
> challenges in protecting the public against crime and terrorism.

Do we? Crime rate has been falling. Terrorism is a statistical bleep. The
majority of "crime" is government's own invention (non-violent drug-related
offenses, prostitution, civil forfeiture, arresting people because they don't
pay their student loans [1] _[edit: not actually true, as tzs pointed out
below]_ , cop murders).

Personally, I believe that even without _any_ ability to access any digital
communication/stored data, law enforcement wouldn't be in a worse position
compared to 30 years ago.

[1] [http://finance.yahoo.com/news/paul-aker-us-marshal-student-l...](http://finance.yahoo.com/news/paul-aker-us-marshal-student-loan-debt-arrest-212047386.html)

~~~
rayiner
The majority of crime is not government invented. The majority of prisoners in
prison are not there for any of the crimes you list:
[http://felonvoting.procon.org/view.resource.php?resourceID=0...](http://felonvoting.procon.org/view.resource.php?resourceID=004339)

Besides that, the crime rate has been falling during a period coincident with
aggressive policing, more incarceration, and more legal measures (RICO) to
fight organized crime. While people have alternative theories for that
decrease (e.g. banning leaded gasoline), aggressive policing cannot be ruled
out as a reason for the decrease in crime.

Finally, tape recordings and wire taps are the backbone of investigations of
sophisticated crime. It's disingenuous to pretend that pervasive encrypted
communications doesn't dramatically change the landscape law enforcement is
dealing with.

I happen to think the privacy benefits of encryption outweigh the cost to law
enforcement, but I think it's ridiculous to pretend like there isn't real
crime out there or that encryption doesn't make it harder to fight it.

~~~
nickik
First, many of those crime cartels could not exist without the banning of
drugs, prostitution and gambling. The same goes for violent crimes in general.
Large numbers of violent crimes are done by people involved in drug dealing or
consuming. If drugs were legal you would not put so many people in these
situations.

Falling crime rates are happening all over the first world. Most countries have
nowhere near the policy infrastructure that the US has. So that's probably
not a very good explanation.

Nobody says that there is no real crime. In all the speech by the state it
sounds as if we are getting rolled over by a totally new wave of terror and
crime while in reality it's the exact opposite. What bothers so many is that
they underline all their arguments with this false impression.

~~~
rayiner
> First many of those crime cartels could not exist without the banning of
> drugs, prostitution and gambling.

That doesn't mean that it's an "invented crime." It's undeniable that drugs,
gambling, and prostitution have real social costs and harms. The people are
entitled to regulate _commerce_ in their society generally, but trade in
harmful things especially. When people use organized violence to circumvent
that regulation, in the pursuit of profit, that is actual crime, not invented
crime.

> Large numbers of violent crimes are done by people involved in drug dealing
> or consuming.

You're presupposing a direction of causation here. Your average street gang
does not exist because of drug dealing or consumption (and indeed, violent
street gangs long predate any restrictions on drugs or alcohol). They deal in
drugs because it's easy money, but arise for other reasons.

~~~
tomp
> It's undeniable that drugs, gambling, and prostitution have real social
> costs and harms

So does banking and the police. Or firearms and alcohol. Both are regulated,
but not outlawed.

~~~
JoeAltmaier
Heck so does "pursuing happiness". Skiing accidents. Bankruptcy when your art
studio goes under. Smoking. Pretty much anything fun.

As a country, the USA is actually _constituted_ to allow these things.
Because, individual freedoms. And inalienable rights. I hear somebody want to
crack down on something, I think "There goes somebody who forgot what it means
to be American"

~~~
jljljl
Being pedantic: pursuit of happiness and inalienable rights are in the
Declaration of Independence, not the constitution. The right to regulate
interstate commerce (and thus put restrictions on a lot of the fun things) is
enumerated.

~~~
JoeAltmaier
Being pedantic right back: the US Supreme Court refers to the Declaration as
source material for the Constitution, to illuminate its intent.

~~~
jljljl
There is a ruling where they refer to it as providing intent and color, but
not law. And cases can only be decided based on law.

I don't think you can make a decision based solely on the "pursuit of
happiness" phrase from the Declaration of Independence, but you could use it
as a supporting argument for your claim.

------
tbrock
Twitter doesn't seem like an appropriate medium for a response to this issue
from a CEO of a major tech company.

Hello! This isn't a picture of the burger you had for lunch or a pithy remark
fest, it's the most important thing affecting your users today.

Take some time and write a god damn letter with your company's stance.

~~~
bcook
Are we (HN) the intended demographic, though?

I personally get twitchy whenever I see a facebook or twitter link, but I also
know that the times are changing, so I withhold my angry rants.

~~~
JustSomeNobody
But if we don't rant, they won't know we don't think it's appropriate and
stop.

------
citizensixteen
This is the most concise summary I have found on the legal issues/possible
ramifications concerning this case. The worry in this case is the troubling
precedent it would set.

[https://lawfareblog.com/not-slippery-slope-jump-cliff](https://lawfareblog.com/not-slippery-slope-jump-cliff)

Quotation from "Not a Slippery Slope, but a Jump off the Cliff" by Nicholas
Weaver.

The request to Apple is accurately paraphrased as "Create malcode designed to
subvert security protections, with additional forensic protections, customized
for a particular target's phone, cryptographically sign that malcode so the
target's phone accepts it as legitimate, and run that customized version
through the update mechanism". (I speak of malcode in the technical sense of
"code designed to subvert a security protection or compromise the device", not
in intent.)

The same logic behind what the FBI seeks could just as easily apply to a
mandate forcing Microsoft, Google, Apple, and others to push malicious code to
a device through automatic updates when the device isn't yet in law
enforcement's hand. So the precedent the FBI seeks doesn't represent just
"create and install malcode for this device in Law Enforcement possession" but
rather "create and install malcode for this device".

Let us assume that the FBI wins in court and gains this precedent. This does
indeed solve the "going dark" problem as now the FBI can go to Apple, Cisco,
Microsoft, or Google with a warrant and say "push out an update to this
target". Once the target's device starts running the FBI's update then
encryption no longer matters, even the much stronger security present in the
latest Apple devices. So as long as the FBI identifies the target's devices
before arrest there is no problem with any encryption. But at what cost?

~~~
nindalf
This is precisely why I think the San Bernardino case is ideal for the FBI to
establish this precedent. If they actually wanted access to the device they
could have served Apple a National Security Letter and had it done on the sly.
But they're taking the public route on this one because of how bad Apple would
look if they refused to unlock the phone of a known terrorist. That's probably
why Apple had to go out of their way in the letter to say that they don't want
to aid or abet terrorists in any way (something that's fairly obvious to us).

~~~
nl
_they could have served Apple a National Security Letter and had it done on
the sly_

NSLs don't work like that.

 _A national security letter (NSL) is an administrative subpoena issued by the
United States federal government to gather information for national security
purposes... By law, NSLs can request only non-content information, for
example, transactional records and phone numbers dialed, but never the content
of telephone calls or e-mails._ [1]

Apple would challenge an NSL on three grounds:

1) The subject of this investigation is dead. The secrecy requirements
are unrequired.

2) What the FBI wants here is not information, it is to force Apple to do
work. That's why they've had to try the Writs act - it's a pretty
unprecedented thing to try.

3) The information requested is not "non-content".

I'd say Apple would have a good case on any of these grounds, and the FBI
knows it.

[1]
[https://en.wikipedia.org/wiki/National_security_letter](https://en.wikipedia.org/wiki/National_security_letter)

------
cryptoz
There is a full 'tweetstorm' that follows (this is 1/5), but I don't know how to
link to that. Is it possible to link to a series of tweets?

2:
[https://twitter.com/sundarpichai/status/700104342720761856](https://twitter.com/sundarpichai/status/700104342720761856)

3:
[https://twitter.com/sundarpichai/status/700104383762026496](https://twitter.com/sundarpichai/status/700104383762026496)

4:
[https://twitter.com/sundarpichai/status/700104433183502336](https://twitter.com/sundarpichai/status/700104433183502336)

5:
[https://twitter.com/sundarpichai/status/700104478360342528](https://twitter.com/sundarpichai/status/700104478360342528)

Or we can read an article by The Verge:
[http://www.theverge.com/2016/2/17/11040266/google-ceo-sundar...](http://www.theverge.com/2016/2/17/11040266/google-ceo-sundar-pichai-sides-with-apple-encryption)

Another Edit, OT: Twitter is really, really, really hard to use. Stop worrying
about onboarding new users, please make twitter usable for existing users.

~~~
Fuzzwah
Storify does a good job of making these readable:

[https://storify.com/fuzzywah/sundar-pichai-responds-to-apple...](https://storify.com/fuzzywah/sundar-pichai-responds-to-apple-and-the-fbi-hackin)

~~~
rhizome
...once you get over the learning curve.

------
lemming
This is a pretty lame response. _Could be_ a troubling precedent? Really?

Tweeting it also seems to massively trivialise it.

------
justinv
Not quite as hard hitting as I would've hoped.

Gruber's take: [http://daringfireball.net/linked/2016/02/17/pichai-apple-fbi](http://daringfireball.net/linked/2016/02/17/pichai-apple-fbi)

~~~
hotcool
Gruber's response is lukewarm too. Pot calling the kettle black.

~~~
k-mcgrady
He's a blogger, why does his response matter? It's the response of the tech
companies that matters.

------
draw_down
I'm not sure I understand the distinction he's making. G will comply with
"valid legal orders"; what is not "valid" about the order Apple got? Why is
granting law enforcement different from hacking devices, the point of which is
to gain access to data?

~~~
joycey
I believe the difference is that Apple/Google are okay with turning over user
data on a case-by-case basis provided there's a proper subpoena from a judge,
but not okay with building a tool for the FBI that will allow them to look at
any user's data. The former is equivalent to allowing the government to open
your mail and wander around your house provided that they've obtained a search
warrant. The latter is equivalent to building a tool that would allow the
government to open anyone's mail and wander around anyone's house without a
search warrant.

~~~
icebraining
I don't think Apple has been asked to build a tool, just to help unlock a
single device.

I think Pichai is making a distinction between handing over data they already
own (eg. a Gmail account) and data stored on user-controlled devices, which
must be hacked to access.

Which is interesting, since he's essentially admitting that their push to send
everything to "the cloud" makes their users less safe from governmental
snooping (justified or not). Of course, we already knew that, but it's curious
to see Google's own CEO say it.

~~~
rhizome
_I don't think Apple has been asked to build a tool, just to help unlock a
single device_

Aside from the non-sequitur, what Apple has been asked for is a custom build
of iOS.

~~~
icebraining
Fine, but it's a custom build locked to that particular device and which Apple
can install itself, without providing it to the FBI. It's certainly not "a
tool for the FBI that will allow them to look at any user's data".

[https://assets.documentcloud.org/documents/2714001/SB-Shoote...](https://assets.documentcloud.org/documents/2714001/SB-Shooter-Order-Compelling-Apple-Asst-iPhone.pdf)

~~~
tobylane
Once they made it, locked for that device, the FBI knows Apple can make it
again, locked for another device. The tool is for any user's data, via a court
order on Apple.

~~~
DanBC
But Apple would still need to have the court orders for each user.

Some people are suggesting that Apple would create this back-doored code, and
hand it to the FBI, who would then use it to access any data they want without
bothering with court orders. That doesn't seem to be what the FBI are asking
for.

~~~
sangnoir
> But Apple would still need to have the court orders for each user.

Yes, and Apple doesn't want this as a precedent. It does away with one of
their go-to selling points these days: security/privacy.

If device security can be surreptitiously undone by an OTA upgrade, what's
really the point? I'm sure the brilliant legal minds at the DoJ can come up
with creative interpretations to enable the next stage, which would be to do
this in bulk as a special point-release.

------
musha68k
Lame but not unexpected comments from a company living off their users' data -
it's quasi by definition that privacy isn't something GOOG is particularly
interested in at all as the lack of it is at the very core of their own creepy
business model.

Each of us info-tech "professionals" downplaying this reality by falling for
GOOG marketing are not merely cattle but _sheep_. Cool open-source projects
count as successful opinion manipulation ("marketing") as well btw (Angular,
Kubernetes, etc).

I admit it, I'm a sheep _meeeeeehmeeeeeehmeehmeh_ but it might be about time
to _finally_ change that _meehmeehmeh_.

~~~
zaphar
So Google undoubtedly knows a lot about you. This knowledge also powers a large
number of highly useful features.

e.g.

* Remind me that it's time to leave for my meeting. Taking traffic and preferred method of travel into account.

* Alert me about that breaking news story that I'm really interested in following.

* Tell me what the weather is going to be like when my plane lands.

All of these are things I value and they are only possible _if_ Google knows
enough things about me to answer those questions. A phone can't power it; you
need software running in a datacenter somewhere. People want these features
which is why Google is able to make money.

Every time this topic comes up people rant about how Google is creepy but it's
disingenuous because the tradeoff is incredibly useful features vs user
privacy.

It's a perfectly valid position to want governmental protections for one's
data to provide some recourse for violations of your privacy while still
enabling those same useful features.

------
shiftoutbox
Was this a complete thought? Also, if the user posts something like this on
Facebook, does it carry less gravitas than Twitter? Can we stop giving Twitter
comments some mystical value?

~~~
yoz-y
Comments from Google CEO on an extremely pressing issue have value regardless
of the medium where they are posted. Twitter just happens to be the place
where such discussions often happen.

------
csrm123
Is there literally no other way that the FBI could get the data off the phone?

I'm sure they could download the memory, stick it all in some kind of iOS VM
and try every 4-digit PIN in no time, all without worrying that the phone
would self-destruct.

Couldn't they?

~~~
weinzierl
No. Flash memory is encrypted with a key that is derived not only from the PIN
but also an ID that is fused into the device when it is manufactured. If we
exclude the possibility of a backdoor there is no way to retrieve this ID
except from the silicon itself.

Encryption keys are stored unencrypted in RAM, but only as long as the device
is active. RAM loses its content quickly when it is not refreshed every few
microseconds. Moreover the RAM in the iPhone is a package on package design
which makes it hard to connect to it.
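
The design point in the comment above, that the data key depends on a device-fused ID as well as the PIN, can be shown with a simplified model. This is an added example, not part of the original comment: it substitutes PBKDF2-HMAC-SHA256 and a stored key-check tag for the real hardware derivation, and the function names and all sample values are constructed.

```python
import hashlib
import hmac
import secrets

# Deliberately tiny so the demo runs fast; a real device makes every guess slow.
ITERATIONS = 50
CHECK_LABEL = b"key-check"


def derive_key(pin: str, device_uid: bytes) -> bytes:
    """Toy stand-in for the device's derivation: key depends on PIN *and* UID."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_uid, ITERATIONS)


def key_check_tag(key: bytes) -> bytes:
    """Value stored next to the ciphertext that lets a candidate key be verified."""
    return hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()


def search_pin_space(stored_tag: bytes, uid: bytes):
    """Try all 10,000 four-digit PINs against stored_tag using the given UID."""
    for n in range(10_000):
        pin = f"{n:04d}"
        candidate = key_check_tag(derive_key(pin, uid))
        if hmac.compare_digest(candidate, stored_tag):
            return pin
    return None


def demo():
    # Constructed values: in the modelled design the UID never leaves the silicon.
    fused_uid = secrets.token_bytes(32)
    user_pin = "4821"

    # What a raw flash dump would contain: data bound to (PIN, UID) together.
    flash_tag = key_check_tag(derive_key(user_pin, fused_uid))

    # Derivation run where the UID lives: the small PIN space is the only barrier,
    # which is why the device adds retry limits and delays on top.
    on_device = search_pin_space(flash_tag, fused_uid)

    # Dump copied into a VM: the UID is unknown, so exhausting every PIN finds
    # nothing. The search space is now 10^4 PINs times 2^256 possible UIDs.
    off_device = search_pin_space(flash_tag, secrets.token_bytes(32))
    return on_device, off_device


if __name__ == "__main__":
    print(demo())
```
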

------
j1vms
To be fair, the way Cook went to media with this is not at all an order of
magnitude better than the way Pichai did.

Consider that if Cook had wanted to make the statement more official and tie
his company to this stance, he could have very easily ordered investor-level
an investor-level press release and then linked it from the homepage for general public
awareness. That would cause a much bigger shockwave.

------
uptown
How long would it take, given the immense computing capabilities of the
government, to try every possible permutation of Apple's signing keys in order
for them to be able to sign their own home-grown version of iOS? With over a
billion devices at stake, isn't that what intelligence agencies would actively
be targeting?

~~~
jeff_marshall
Using brute force (i.e. "immense computing capabilities") for properly sized
keys is unlikely to ever be practical with classical computers. With quantum
computers, many currently deployed key lengths that would be impractical to
brute force with classical computers would become vulnerable to attack, but
nobody is currently known to have quantum computers of sufficient power. See
Wikipedia for basic details[1].

IMO, an intelligence agency would be more likely to invest in other methods
(algorithm implementation weaknesses, software bugs, insider access, etc), due
to the higher likelihood of success.

That said, it's interesting to note that the NSA is moving towards "post-
quantum" cryptography[2], under the assumption that suitably powerful quantum
computers will be, or have been, built. Whether the NSA already has such
suitably powerful quantum computers is anybody's guess.

[1]
[https://en.wikipedia.org/wiki/Key_size#Brute_force_attack](https://en.wikipedia.org/wiki/Key_size#Brute_force_attack)
[2]
[https://www.nsa.gov/ia/programs/suiteb_cryptography/](https://www.nsa.gov/ia/programs/suiteb_cryptography/)

~~~
alanwatts
Very interesting. I wonder how one feasibly could test "quantum resistant
algorithms" without having a quantum computer to test it against.

~~~
periodontal
The same way we create and vet conventional cryptography: withstanding public
scrutiny of experts until we are reasonably confident that there are no major
issues. Most attacks are theoretical and require only novel analysis and a new
bound on computational difficulty, not a proof of concept (i.e., algorithms
are abandoned by cryptographers long before attacks become feasible).

Post quantum algorithms are simply algorithms designed and analyzed against a
stronger threat model. Some of the attacks and techniques are still being
developed, so no one knows if new quantum algorithms will be invented tomorrow
that trivialize certain problems but the same danger is present to some extent
for conventional cryptography today.

------
JustSomeNobody
I would much rather he wrote something more formal and stopped with the weak
sounding 'could'.

------
awinter-py
This would have more force if G didn't have a history of siding with tech
giants on moral issues. 2 CEOs ago, Apple asked G to collude in a hiring scam
and G replied with an emoticon.

If the device were truly secure we wouldn't be having this conversation.
Alternatively, if law enforcement wanted to get into a dead guy's filing
cabinet on suspicion of conspiracy murder, with a valid court order, there
wouldn't be any outrage.

We're being bamboozled by a PR campaign in favor of closed-source software. If
the guy was still alive Apple could just push him an iOS update containing
backdoors galore. This is not a secure device!

------
known
Apple complies with Chinese authorities and not US?

~~~
xyzzy4
Maybe the Chinese authorities have broader power in China than the FBI has in
the US.

~~~
aioprisan
Apple never complied with this type of request from Chinese authorities. Source?

------
yuhong
I really wish the restrictions could be reduced or removed so @pmarca etc can
tweet more on the companies of which they are the directors. Same for the
CEOs themselves, and CEOs and other executives should be allowed to tweet at board
of directors and vice versa.

~~~
tobylane
Google owns Blogspot. Google has several blogs there. Surely it'd be a vote of
confidence for him to use it?

~~~
yoz-y
But then nobody would read it. Go where your public is.

~~~
aljones
This is why we invented links. Something can be posted on twitter without
twitter being the primary source.

