1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 THEODORE J. BOUTROUS JR., SBN 132099 tboutrous@gibsondunn.com NICOLA T. HANNA, SBN 130694 nhanna@gibsondunn.com ERIC D. VANDEVELDE, SBN 240699 evandevelde@gibsondunn.com GIBSON, DUNN & CRUTCHER LLP 333 South Grand Avenue Los Angeles, CA 90071-3197 Telephone: 213.229.7000 Facsimile: 213.229.7520 THEODORE B. OLSON, SBN 38137 tolson@gibsondunn.com 1050 Connecticut Avenue, N.W. Washington, DC 20036-5306 Telephone: 202.955.8500 Facsimile: 202.467.0539 MARC J. ZWILLINGER* marc@zwillgen.com JEFFREY G. LANDIS* jeff@zwillgen.com ZWILLGEN PLLC 1900 M Street N.W., Suite 250 Washington, D.C. 20036 Telephone: 202.706.5202 Facsimile: 202.706.5298 *Admitted Pro Hac Vice UNITED STATES DISTRICT COURT CENTRAL DISTRICT OF CALIFORNIA EASTERN DIVISION IN THE MATTER OF THE SEARCH OF AN APPLE IPHONE SEIZED DURING THE EXECUTION OF A SEARCH WARRANT ON A BLACK LEXUS IS300, CALIFORNIA LICENSE PLATE 35KGD203 23 24 26 27 Gibson, Dunn & Crutcher LLP SUPPLEMENTAL DECLARATION OF ERIK NEUENSCHWANDER IN SUPPORT OF APPLE INC.’S REPLY IN SUPPORT OF MOTION TO VACATE ORDER COMPELLING APPLE INC. TO ASSIST AGENTS IN SEARCH Hearing: Date: Time: Place: Judge: 25 28 ED No. CM 16-10 (SP) I, Erik Neuenschwander, declare: March 22, 2016 1:00 p.m. Courtroom 3 or 4 Hon. Sheri Pym 1 1. I have personal knowledge of the facts set forth below. If called as a 2 witness, I would and could testify to the statements and facts contained herein, all of 3 which are true and accurate to the best of my knowledge and belief. 4 2. I have reviewed the Government’s Reply in Support of Motion to Compel 5 and Opposition to Apple Inc.’s Motion to Vacate Order, as well as the Declaration of 6 Stacey Perino (“Perino Declaration”) and Supplemental Declaration of Christopher 7 Pluhar (“Supplemental Pluhar Declaration”) submitted therewith. 8 9 3. In this declaration I offer responses to certain statements and assertions made in those materials. 10 4. Paragraphs 13 through 17 of the Perino Declaration purport to describe 11 Apple’s use of key encryption on its devices, relying primarily on language from 12 Apple’s iOS Security White Paper. This includes Apple’s “Chain of Trust,” a process 13 Apple uses to make sure that when a device is powered on, each step of the boot 14 process is checked for any changes that could indicate that the device was tampered 15 with. 16 5. Mr. Perino notes that as part of this “Chain of Trust” process Apple has 17 created its own certificate authority and public/private key pair used on its devices, and 18 that because only Apple possesses the private key, only Apple can sign system 19 software that can be loaded on its devices during the secure boot process. 20 6. The fundamental basis of the process Mr. Perino describes is a well- 21 accepted security best-practice. It is sometimes referred to as “Root of Trusts,” or 22 “RoTs.” The National Institute of Standards and Technology (“NIST”) endorsed RoTs 23 as a best practice in its October 2012 Guidelines on Hardware Rooted Security in 24 Mobile Devices, NIST SP 800-164 (Draft) (the “October 2012 NIST Report”). NIST 25 is the entity responsible for developing information security standards and guidelines, 26 including minimum requirements for Federal information systems. 27 28 7. The October 2012 NIST Report defined RoTs as “security components” that “provide a set of trusted, security-critical functions,” and identified them as “the Gibson, Dunn & Crutcher LLP 2 1 foundation of assurance of the trustworthiness of a mobile device.” NIST further 2 noted that it “expect[ed] mobile operating systems to utilize the capabilities provided 3 by the RoTs to create and protect device integrity reports, verify and measure firmware 4 and software, and protected locally stored cryptographic keys, authentication 5 credentials, and other sensitive data.” 6 8. The October 2012 NIST Report also cautioned that “[m]any mobile 7 devices are not capable of providing strong security assurances” because they “lack the 8 hardware-based roots of trust that are increasingly built into laptops and other types of 9 hosts.” 10 9. Similarly, the SANS Institute, a major provider of information security 11 and cybersecurity training, noted in its June 2013 Whitepaper “Implementing 12 Hardware Roots of Trust: The Trusted Platform Module Comes of Age,” that this 13 hardware-based process better “protect[s] secrets and data that are worth money to 14 cybercriminals (for example, intellectual property and personal financial 15 information),” compared to software-based security, which “is regularly defeated.” 16 SANS also wrote in its 2013 Whitepaper that the use of Trusted Platform Modules was 17 “indicative of a strong push coming from defense and intelligence agencies.” 18 10. Many other companies have followed these best practices and 19 recommendations and rely on “chains of trust,” “roots of trust,” or similar hardware- 20 based programs to provide enhanced security on their devices. Apple is by no means 21 unique in that regard. 22 11. For example, the organization that develops the Trusted Platform Module 23 (“TPM”)—a specific type of hardware-based RoTs—has noted that there are more 24 than a billion PCs, servers, embedded systems, network devices and other devices with 25 TPM or similar functionality embedded in them. (“Trusted Platform Module: A 26 Delayed Reaction?” SC Magazine, Feb. 20, 2013, http://www.scmagazineuk.com/ 27 trusted-platform-module-a-delayed-reaction/article/281085/.) Neil Kittelson of the 28 National Security Agency (which has invested heavily in using TPM on its high- Gibson, Dunn & Crutcher LLP 3 1 assurance platform), stated that “TPM capabilities represent a shift against today's 2 attackers who are embedding rootkits beneath the notice of software-based security 3 solutions.” (Id.) 4 12. Similarly, Microsoft is now including a TPM chip in all of its handheld 5 devices. (“Secure is the New Black: The Evolution of Secure Mobile Technology for 6 Government Agencies,” Federal Technology Insider, Jun. 5, 2014, 7 http://www.federaltechnologyinsider.com/secure-new-black-evolution-secure-mobile- 8 technology-government-agencies/.) Even aerospace and defense contractor Boeing has 9 announced an Android-based, high-security mobile device specifically for government 10 agencies, which incorporates “trusted computing architecture,” “a TPM chip for 11 securely storing encryption keys,” “Secure Boot to maintain the device image 12 integrity,” “Hardware Root of Trust [to] ensure[] software authenticity,” and a 13 “Hardware Crypto Engine to protect both stored and transmitted data.” (Id.) While 14 Apple does not use TPM specifically, the Apple security measures discussed in the 15 Perino Declaration provide similar functionality as TPM. 16 13. The current Protection Profile for Mobile Device Fundamentals 17 (“MDFPP”)—a set of security requirements for mobile devices published by the US 18 National Information Assurance Partnership (“NIAP”) with the involvement of 19 multiple U.S. government agencies, industry participants, and other organizations as 20 part of the Common Criteria certification program—also encourages hardware secure 21 key storage for a device’s Root Encryption Key (“REK”), and protecting sensitive data 22 using a key derived from the REK and a passcode. (See “Protection Profile for Mobile 23 Device Fundamentals” at 55, 57, NIAP, Sept. 17, 2014, https://www.niap-ccevs.org 24 /pp/pp_md_v2.0.pdf.) Both of these have been implemented for iOS devices, resulting 25 in certification of iOS 9.2 as MDFPP-compliant. (See “Compliant Product – Apple 26 iOS 9,” NIAP, https://www.niap-ccevs.org/Product/Compliant.cfm?pid=10695.) 27 28 14. Digitally signed software, another key component of Apple’s iOS chain of trust anchored by the RoTs described by NIST, are similarly common. As a recent Gibson, Dunn & Crutcher LLP 4 1 example, car manufacturer Tesla said that when building a secure connected car, “[t]he 2 first precaution is to ensure that any software updates to the vehicle are authorized by 3 the manufacturer. This can be achieved by using industry standard cryptography 4 technology called ‘signing’. Tesla employs this technology. This technology ensures 5 that only Tesla authorized software is applied to the vehicles, even if someone is trying 6 to tamper with the software inappropriately as the software signal transits the 7 network.” (See “Tesla Motors 4-Point Plan to Build Secure Connected Cars,” 8 Evannex, Nov. 19, 2015, http://evannex.com/blogs/news/68988613-tesla-motors-4- 9 point-plan-to-build-secure-connected-cars?rfsn=3664.9c8.) 10 15. The same practice is common among software developers generally. For 11 instance, Microsoft notes that software “downloaded from the Internet to users’ 12 computers can contain programs such as viruses and Trojan horses that are designed to 13 cause malicious damage or provide clandestine network access to intruders,” and thus 14 advises Windows software developers to “counter this growing threat” by “digitally 15 sign[ing] the software that you distribute on your intranets or the Internet to ensure its 16 integrity and to assure others that the software can be trusted.” (Microsoft TechNet: 17 Digitally Signed Software, https://technet.microsoft.com/en-us/library/cc962053.aspx). 18 Digital signature-based authentication also has a long legacy. For instance, code 19 signing capability for software written in the Java language was added to the official 20 JDK development platform in early 1997. See Gary McGraw & Edward W. Felten, 21 Securing Java (2d ed., 1999) (available at http://www.securingjava.com/chapter- 22 three/). 23 16. Paragraphs 18 through 24 of the Perino Declaration purport to describe 24 the process by which Apple signs its operating systems. In describing that process, 25 Mr. Perino claims that Apple creates operating systems that “will work only on one 26 specific Apple device.” Mr. Perino’s inference appears to be that creating GovtOS 27 (which Mr. Perino refers to as the “SIF”) would therefore not pose any security risk 28 because it can only be used on the subject device. Gibson, Dunn & Crutcher LLP 5 1 17. Mr. Perino’s characterization of Apple’s process, however, is inaccurate. 2 Apple does not create hundreds of millions of operating systems each tailored to an 3 individual device. Each time Apple releases a new operating system, that operating 4 system is the same for every device of a given model. The operating system then gets 5 a personalized signature specific to each device. This personalization occurs as part of 6 the installation process after the iOS is created. 7 18. Once GovtOS is created, personalizing it to a new device becomes a 8 simple process. If Apple were forced to create GovtOS for installation on the device at 9 issue in this case, it would likely take only minutes for Apple, or a malicious actor with 10 sufficient access, to perform the necessary engineering work to install it on another 11 device of the same model. 12 19. Thus, as noted in my initial declaration (ECF No. 16-33), the initial 13 creation of GovtOS itself creates serious ongoing burdens and risks. This includes the 14 risk that if the ability to install GovtOS got into the wrong hands, it would open a 15 significant new avenue of attack, undermining the security protections that Apple has 16 spent years developing to protect its customers. 17 20. There would also be a burden on the Apple employees responsible for 18 designing and implementing GovtOS. Those employees, if identified, could 19 themselves become targets of retaliation, coercion, or similar threats by bad actors 20 seeking to obtain and use GovtOS for nefarious purposes. I understand that such risks 21 are why intelligence agencies often classify the names and employment of individuals 22 with access to highly sensitive data and information, like GovtOS. The government’s 23 dismissive view of the burdens on Apple and its employees seems to ignore these and 24 other practical implications of creating GovtOS. 25 21. Paragraphs 25 through 28 of the Perino Declaration describe supposedly 26 already existing software that Mr. Perino suggests Apple use as a starting point to 27 create GovtOS. For example, Mr. Perino points to a security exploit that supposedly 28 allowed an iPhone to load a minimal operating system in RAM that had not been Gibson, Dunn & Crutcher LLP 6 1 signed by Apple, which is what the government is requesting here. Similarly, Mr. 2 Perino points to a hacking tool the FBI created that supposedly allowed it to brute 3 force the device passcode on older iPhones. 4 22. These descriptions show that the FBI, along with its partners, currently 5 have, and have had in the past, the capability to develop the types of code that Apple is 6 being asked to create. 7 23. Mr. Perino is incorrect, however, in his suggestion that Apple can use 8 these third-party items, add Apple’s signature, and load the finished product on to the 9 subject device to accomplish the result that the government seeks with less effort than 10 11 what I described in my initial declaration. 24. Using the allegedly already existing software code that Mr. Perino 12 identifies would not be an appropriate way to accomplish what the government wants. 13 Setting aside the legal question of whether Apple can incorporate a software tool 14 created by some other party (such as the Cellebrite UFED tool Mr. Perino identifies) 15 for this purpose, Apple would not save time and effort by incorporating unfamiliar 16 third-party code that has never been used and deployed by Apple before, and it would 17 introduce a host of new issues and potential risks that would need to be addressed. 18 25. Before Apple utilized any unknown third-party created code, Apple would 19 need to fully audit and inspect that code to understand how it functions (including to 20 ensure it is not malware), how it would need to be modified, and how it would need to 21 interact with the Apple-created code necessary to accomplish the task. Apple would 22 also need to modify each separate component piece of software to combine it into a 23 single operating system (the new GovtOS). 24 26. Once the operating system is created it would still need to go through 25 Apple’s quality assurance and security testing process as described in paragraphs 30- 26 34 of my initial declaration. Indeed, this process would be even more critical if Apple 27 were relying on software created by third parties that Apple had never deployed on its 28 devices. Once the new GovtOS is quality assured and security tested, it will then need Gibson, Dunn & Crutcher LLP 7 1 to be deployed on the subject device as described in paragraphs 35-38 of my initial 2 declaration. This endeavor would save neither time nor effort, even if possible. 3 27. The engineering efforts involved in these development, quality assurance 4 and security testing processes can only be performed by a limited set of Apple 5 employees with the appropriate expertise, who will necessarily be diverted from 6 contributing to their normal work of developing and securing iOS. The overwhelming 7 majority of Apple’s employees could not perform this task. 8 28. More importantly, the historical security vulnerabilities and jailbreak 9 incidents Mr. Perino identifies underscore the constant battle Apple is engaged in to 10 identify and close off security vulnerabilities. I believe that Apple’s iOS platform is 11 the most-attacked software platform in existence. Each time Apple closes one 12 vulnerability, attackers work to find another. This is a constant and never-ending 13 battle. Mr. Perino’s description of third-party efforts to circumvent Apple’s security 14 demonstrates this point. And the protections that the government now asks Apple to 15 compromise are the most security-critical software component of the iPhone—any 16 vulnerability or back door, whether introduced intentionally or unintentionally, can 17 represent a risk to all users of Apple devices simultaneously. 18 29. This evolution of attack technology described in Mr. Perino’s declaration 19 is a vivid illustration of why Apple is always striving to increase the security of its 20 devices. Mr. Perino makes clear that third parties have already come close to 21 developing a tool that would defeat part of iOS’s present security capabilities. 22 30. Mr. Perino also asserts in Paragraph 28(d) of his declaration that recent 23 publicly available jailbreaks of Apple phones have been applied from within the 24 iPhone user interface, after a device has been unlocked. Mr. Perino’s inference is that 25 an iPhone cannot be jail broken from the lock screen. However, particularly given the 26 past exploits that have bypassed the lock screen and the present-day reality of 27 innumerable security firms, malicious actors, cybercriminals and potential adversaries 28 of the United States constantly seeking vulnerabilities to exploit in a dominant Gibson, Dunn & Crutcher LLP 8 1 software platform, it is not reasonable to draw such a conclusion based solely on 2 publicly revealed exploits. Additionally, new jailbreaks for iOS versions after 9.0.2 3 continue to be created. (See “Pangu Releases a Jailbreak for iOS 9.1,” 9To5Mac, Mar. 4 11, 2016, http://9to5mac.com/2016/03/11/pangu-ios-9-1-jailbreak-released/.) 5 31. Paragraphs 30 through 35 of the Perino Declaration discuss the role that 6 the Unique ID (“UID”) plays in the data protection process. Mr. Perino calls the UID 7 “unknowable” and because of this concludes that any encrypted data on the subject 8 device must be decrypted on the subject device itself (as opposed to being extracted in 9 encrypted form and decrypted elsewhere). I would not characterize the UID as 10 “unknowable.” While it is designed not to be known, it is certainly not impossible for 11 someone to determine the UID. 12 32. Paragraphs 37 through 39 of the Perino Declaration discuss the potential 13 for the government to have obtained more recent data from the subject device through 14 an iCloud backup had the FBI not instructed the San Bernardino County Public Health 15 Department (“SBCPHD”) to change the iCloud password associated with the account. 16 Mr. Perino asserts that even if the device did perform an iCloud backup “the user data 17 would still be encrypted with the encryption key formed from the 256 bit UID and the 18 user’s passcode.” 19 33. The statement that even if the device did perform an iCloud backup “the 20 user data would still be encrypted with the encryption key formed from the 256 bit 21 UID and the user’s passcode” is incorrect. Data backed up to iCloud is not encrypted 22 with a user’s passcode. 23 34. As noted above, I also reviewed the Supplemental Pluhar Declaration. I 24 believe that declaration contains several mistakes. For example, in paragraph 10(a), 25 Agent Pluhar claims that the device’s keyboard cache would not backup to iCloud and 26 that such keyboard cache “contains a list of keystrokes typed by the user on the 27 touchscreen.” This is false. The keyboard cache in iOS 9 does not contain a list of 28 keystrokes typed by the user, or anything similar. Gibson, Dunn & Crutcher LLP 9 35. Agent Pluhar also makes incorrect claims in paragraph 10(b). Agent Pluhar claims that exemplar iPhones that were used as restore targets for the iCloud backups on the subject device ?showed that . . . iCloud back?ups for ?Mail,? ?Photos,? and ?Notes? were all turned off on the subject device.? This is false because it is not U143wa possible. Agent Pluhar was likely looking at the wrong screen on the device. Speci?cally, he was not looking at the settings that govern the iCloud backups. It is the iCloud backup screen that governs what is backed up to iCloud. That screen has no ?on? and ?off? options for ?Mail,? ?Photos,? or ?Notes.?l 36. In fact, users cannot exclude individual Apple apps on a one-by?one basis from backing up to iCloud, except that a user can choose to have their photos stored in their iCloud Photo Library instead of in their iCloud backup, or not stored at all. Once iCloud backup is enabled, all other Apple apps will backup with no con?gurable settings for the user. Thus, contacts, calendar events, reminders, notes, device settings, call history, home screen and app organization, iMessage, text (SMS), and MMS messages all would have been available from Apple had iCloud backup been enabled. I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed this 15th day of March 2016 in Washington, D.C. By: Erik Manager of User Privacy Apple Inc. I The screen Agent Pluhar may have been referringjto pertains to functions that allow certain App data to be across mu tiples devices connected to the same 1Cloud account. Gibson. Dunn E- Crulcher LLP 10