The government’s most recent filing in the ongoing San Bernardino iPhone case was vitriolic in the extreme and contained a potent threat. In it, the Department of Justice noted that it could’ve compelled Apple to release its iOS source code and electronic signature, but that it had avoided doing this because it felt other solutions would be “more palatable” to Apple.
We already know about one public instance in which the government took this tack: Lavabit. In 2013, the DOJ demanded that Lavabit, a secure email provider, hand over its source code and private keys, and Lavabit shut down rather than comply. Most companies are unwilling to admit if they have ever turned over source code to the United States government, for obvious reasons: It could cripple and destroy customer relationships in sensitive businesses and would give both hackers and foreign governments additional ammunition when demanding equivalent access.
Sources have confirmed to ZDNet that this threat isn’t one the government makes idly, or the first time it’s happened. While ZDNet can’t name their source, for obvious reasons, they note: “The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA), a person with direct knowledge of these demands told ZDNet.”
More troubling, according to that same source, “With these hearings held in secret and away from the public gaze, the person said that the tech companies hit by these demands are losing “most of the time.”
The orders that require a company to release this information typically come from the FISA court, and are sent directly to the company’s general counsel. These letters are so classified, acknowledging the receipt of a letter related to any specific order is illegal (companies have won the right to state how many inquiries they receive per year, but nothing else).
Apple’s software chief, Craig Federighi, would probably know if the company had received such a letter prior to the San Bernardino case, but CEOs and board members might not. And many of the backdoors found in high-end hardware, including equipment from Juniper Networks, Dell, and Cisco, may have been placed there deliberately. Kaspersky Labs reported last year that the NSA had obtained source code to hard drive firmware to engineer its own eavesdropping software.
ZDNet runs through the responses it got from a number of Fortune 500 companies, and at least one, Apple, is on the legal record as stating that it has never turned over source code to the US government. Unfortunately, even company executives might not be aware if code had actually been given to the DOJ.