
"Finally, I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will."

The way this was worded is so plain and to the point, it's refreshing. I sincerely hope it's true! Great job on Apple and Tim Cook for laying it all out there.



So when the NSA's internal Top Secret slides say that Apple was added to the PRISM program as a "provider" in October 2012, that provides "Email, chat, videos, photos, stored data, VOIP, file transfers, video conferencing, logins, online social networking details" to the NSA, how then should we reconcile these statements?

Is the NSA lying in its internal slides to itself?

Is Tim Cook lying in his statement to the external world?

Is Tim Cook splitting hairs in some fashion? For instance, is he defining "backdoor" to mean "illegal backdoor", which therefore excludes everything done with the FBI/NSA under a veneer of legality?


People really want to make something out of this, but it's very simple: the NSA found the "goto fail" bug and exploited it. (We know they also exploited heartbleed.)

We know they have active programs looking for holes in open source code and fuzzing commercial services looking for vulnerabilities. How is that so hard to believe?


> We know they also exploited heartbleed.

Do you have links that show this is true?


Based on the public reporting, PRISM collects data via FISA-authorized requests to companies. So Apple is probably covering it in their short paragraph about "National Security Orders from the U.S. government."

https://www.apple.com/privacy/government-information-request...


Maybe it was a frontdoor to their products/services instead of a backdoor. (Only half joking.)


I think you are way overthinking it. The NSA's internal slides said nothing about Apple helping the NSA at all.

I read these statements just as Mr. Cook laid them out.


You'll see similar wording from Yahoo, Google, and Microsoft. The way it works is they deny providing access to their servers but then push out the data to the NSA's servers and are compensated for the cost of doing so. Access to the servers owned by the corporations is not what's important, it's availability of your data. None of these corporations say "we do not provide access to your data" they say "we do not provide access to our servers". As we all know data can easily be copied from one entity to another. Who needs backdoors when all the data is shipped out directly to NSA?


"we have never worked with any government agency from any country to create a backdoor in any of our products or services" seems to rule that out.


A backdoor is a mechanism for someone to be given access to an internal system, or internal data. In the case of data being "pushed", it most certainly could be done so, and the same statement would remain true.

If your comment was true, you would also assume data handed directly to authorities in criminal cases where subpoenas are issued would also be ruled out, but we know that information is handed out to authorities as required by law under subpoena.


Well, like GP said, it depends what is meant by "backdoor." Laws requiring data to be turned over to governmental parties, and in some cases gagging anyone from saying it happened, seems like exactly the function of "backdoor" even if it doesn't take the form of a master password the NSA has or something.

So long as a company can be compelled to do this in secrecy, their assurances about "no backdoor", "no direct access", "we process every request ourselves" are basically meaningless, since not even they have control over their customers' privacy (if they comply with law.)


To me it seems that these statements are needlessly specific. They remain technically truthful if:

- The back door was created by a third party. Apple didn't create it.
- Apple created a backdoor without working with a government agency.
- Apple provides a "frontdoor". Some sort of bulk access to the data that is not considered a "backdoor."
- many variations on the same theme.

Same thing with allowing access to their servers. They may provide access to some other part of their infrastructure. The government agency may provide their own servers that are a mirror of Apple's in a way that does not require direct access to Apple's servers. And so on...

Tim Cook should have said something like "We do not provide bulk data to any third party."


> Tim Cook should have said something like "We do not provide bulk data to any third party."

In a strict sense that's probably not true, they may have to provide some form of bulk data to outside parties for accounting purposes for example. Trying to craft a statement to include those exceptions would just invite more hyper-parsing of the language.


What about a backdoor in their routers? Or even a "front" door in their entire network infrastructure? Is it really that clear?


plain and to the point? please, it's obvious that they're now working with Al-Qaeda because the statement didn't explicitly mention them.

Goddamn I hate the tinfoil-hat nonsense that happens here...


Snowden pretty much validated those tinfoil-hat people's worries.


It must feel great to have an excuse for everything ever. Just utter his name and all your paranoia is legit!



