Apple, iPhone, and the NSA: A Tale of Sorry Journalism

on December 31, 2013

Copy of NSA document from Der Spiegel

Watching CNN on New Year’s Eve, I learned that the National Security Agency was able to snoop on everything I did or said on my iPhone. Actually, I had been reading this for a couple of days on an assortment of web sites, whose idea of reporting seems to consist pretty much entirely of reading and borrowing from other web sites, with, or more likely without, attribution.

If you dig back through the sources here, you find a fascinating dump of documents in Der Spiegel (German original) about the NSA’s Tailored Access Operations including a 50-page catalog of snooping devices worthy of MI-6’s fictional Q. One, called DROPOUTJEEP, claimed the ability to compromise an iPhone by replacing altering its built-in software. “The initial release of DROPOUTJEEP will focus on installing the implant via close access methods,” the 2008 document said. “A remote capability will be pursued in a future release.” In other words, before any snooping took place, the NSA first needed to get its hands on your iPhone and replace its software ((It shouldn’t come as a surprise that a device that falls into the hands of an adversary can be compromised in this way. The ability to jailbreak iPhones is as old as the iPhone itself, and once you can modify the firmware, you can make it do pretty much whatever you want.)) .

This extremely important qualification quickly disappeared from subsequent reports. For example, an Associated Press story (which appeared on the Huffington Post under the headline “The NSA Can Use Your iPhone To Spy On You, Expert Says”) said: “One of the slides described how the NSA can plant malicious software onto Apple Inc.’s iPhone, giving American intelligence agents the ability to turn the popular smartphone into a pocket-sized spy.” reported: “The NSA Reportedly Has Total Access to the Apple iPhone.”

Part of the problem is that Jacob Appelbaum, an independent journalist allied with Wikileaks and a co-author of the Spiegel article, went well beyond the cautious printed piece in a speech to the Chaos Computer Club in Heidelberg, Germany. Unlike more circumspect accounts of NSA disclosures such as those by Bart Gelman in The Washington Post ((Very interestingly, the Spiegel articles made no mention of Edward Snowden, the source of the recent flood of NSA revelations.)) , Appelbaum was quite willing to speculate far beyond what was supported by his texts. As quoted by the Daily Dot, he said in his CCC speech: “Either [the NSA] have a huge collection of exploits that work against Apple products, meaning they are hoarding information about critical systems that American companies produce, and sabotaging them, or Apple sabotaged it themselves.”

Apple was typically slow to respond to the charges. In a statement released Dec. 31, after the story has been percolating for a couple of days, it said:

Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products. We care deeply about our customers’ privacy and security. Our team is continuously working to make our products even more secure, and we make it easy for customers to keep their software up to date with the latest advancements. Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.

I’m not sure how upset we should be about NSA’s Tailored Access Operations, of which DROPOUTJEEP was a part. A lot of this is the stuff of spy movies and is the sort of thing intelligence agencies are expected to do. ((One thing not quite clear from the Spiegel story is whether the NSA was designing the exploits and leaving them to others, such as the FBI, to execute,  or whether NSA was running its own “black bag” operations. The latter would be disturbing, as it appears to be outside the NSA’s charter.)) One the whole, I agree with University of Pennsylvania security expert Matt Blaze, who tweeted:  “Given a choice, I’d rather force NSA to do expensive TAO stuff to selected targets than let them weaken the infrastructure for all of us.”

But I have no doubts at all about the quality of much of the journalism. The idea that the government can tap into any iPhone anywhere, anytime, makes great clickbait, but sorry reporting. Too many writers, it seems, couldn’t be bothered to track the story back to the original sources or even read the NSA document that many plastered on their sites. There’s no excuse for this.