Delhi chief minister Arvind Kejriwal who has been in custody for over a week now has refused to share his phone’s password with the Enforcement Directorate (ED) officials, according to reports. So, the investigating officers of ED have reportedly reached out to Apple to help gain access to his iPhone.
According to an Indian Express report, the phone manufacturing company has told the officials that a password was necessary for retrieving any data.
But, does Apple grant such access to the governments?
It is noteworthy that in several cases in the past, Apple has refused to share details of a user’s phone. Back in 2016, Apple had been ordered to help the FBI circumvent security software on San Bernardino gunman Syed Rizwan Farook’s iPhone.
In response, Apple chief executive Tim Cook had said, "The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand."
According to Cook, the backdoor procedure would require writing new software that would be “a master key, capable of opening hundreds of millions of locks”. His contention was that granting the FBI access to this particular iPhone would set a precedent, potentially opening the door for similar requests targeting numerous other devices.
In 2019, the tech giant refused to yield to a similar request by the US law enforcement agency for unlocking the password-protected iPhones used by the shooting suspect at a Navy base in Pensacola, Florida.
Apple, in its statement, had said, “Today, law enforcement has access to more data than ever before in history, so Americans do not have to choose between weakening encryption and solving investigations. We feel strongly that encryption is vital to protecting our country and our users’ data.”
How does Apple’s encryption work?
The data on Apple devices - such as text messages and photographs - have been encrypted by default since 2014. What it means is that if a device is locked, the user's passcode is required to access the data. If one enters incorrect data 10 times, it will automatically erase the phone's data, if this option has been enabled.
Apple has said repeatedly that even its own staff cannot access the data.
After several court cases, the FBI gave up on Apple and said it had unlocked the iPhone with the third party's help.
Some news outlets, citing anonymous sources, identified the third party as an Israeli company. However, The Washington Post reported that, according to anonymous "people familiar with the matter", the FBI had instead paid "professional hackers" who used a zero-day vulnerability in the iPhone's software to bypass its ten-try limitation.
The Washington Post later reported that the Australian company Azimuth Security, a white hat hacking firm, had been the one to help the FBI.
Apple received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789 through 2015 and 2016. Most of these orders sought to compel Apple "to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones in order to assist in criminal investigations and prosecutions”.
So, will Apple comply with ED’s orders?
Speaking to BOOM, tech policy expert Prasanto K Roy, said that it is very unlikely that Apple would comply with ED’s request. He said, “If the company complies, it will open a pandora box where all the governments in the world will demand access to the iPhones of any suspect.”
According to Roy, the company will not want to set a precedent for such cases as it would have enormous implications. “Imagine how the FBI or USA government would react if Apple, which rebuffed the FBI on its 2016 demand, caters to a demand of a government agency in India -- for investigating a political opponent of the incumbent party,” he added.
Adding on to it, Jayendra Sinh, CEO of Bluefire Redteam, a cybersecurity firm, said that Apple follows their legal policy regarding user data very strictly. “If something is life threatening or related to national security, or there is a court order to provide information then only they follow their due procedure to provide any government agency with permissible information. However, the Kejriwal case does not tick those boxes.”
Nevertheless, certain experts argue that although Apple establishes high standards in hardware and occasionally software security, there remains room for improvement in safeguarding user data from being accessed by law enforcement and other authorities.
While the tech giant may refrain from granting government agencies direct access to its users' devices, it does receive numerous law enforcement requests for user data annually, and complies with them in many cases, as indicated by its transparency reports.
In the 2016 case, when Apple declined to fulfill the FBI request to develop a backdoor for unlocking the culprit’s encrypted iPhone, it stated that the potential exploitation of such a security loophole could be utilised not only by law enforcement but also by hackers in subsequent incidents.
However, the company stated in legal documents that had the FBI refrained from altering the iPhone's iCloud password, there would have been no necessity for a backdoor creation. This is because all the data would have been automatically backed up and accessible via a summon.
Furthermore, every data on iCloud is not necessarily encrypted, as the Apple Support page states. Alluding to this, Sinh said, “Non-encrypted is very easy to access via unethical ways, even in iPhones, as opposed to encrypted data which is very hard to access. Encryption works in a way that if someone tries to bypass forcefully, it is triggered to make the access harder.”
Notably, in 2022, Apple had introduced Advanced Data Protection for iCloud, wherein, the user will have “sole access to the encryption keys for the majority of your iCloud data” and not Apple data centres. This means, if an individual agrees to this opt-in feature, Apple will be not able to decrypt that data.
However, as pointed out by Roy, the ED may not even require Apple’s aid in getting to the encrypted data if they have the handset and they manage to coerce Kejriwal’s biometric on it or are able to access similar technology to what the FBI did in 2016.
“Everything will then be accessible to them,” he said.
Roy concluded that Apple complying with the ED request even if backed by legal demands is most unlikely, “even though India is a growing market for them, albeit still a small percentage of global revenue”. He added, “In fact, for a similar reason Google's Gmail decided to exit China despite the country being a huge market.”