Earlier this week Apple CEO Tim Cook announced to Apple customers that the company would oppose a federal court order (the “Order”) issued on February 16, 2016 because the company believes the Order “threatens the security of our customers.” In response to Apple’s public criticism of the Order, the federal government preemptively filed a Motion to Compel on Friday, February 19, seeking another Order to require Apple to comply with the original Order – even though the allotted time for Apple to file an objection to the Order had not yet expired.
The original Order, issued by a United States Magistrate Judge from the Central District of California, essentially requires Apple to build a new software tool to allow the FBI to bypass specific security protections in the iPhone software designed to protect customer data. The Order was sought by the United States government as part of its national security investigation into the mass shooting in San Bernardino, California last December. The iPhone 5c in question was used by one of the suspected terrorists involved in the shooting, and the federal government wants to access the data stored on it.
The All Writs Act of 1789
While personal privacy vs national security considerations are at the forefront of this discussion, there is also a fascinating legal issue, as the Court’s order is based, at least in part, on an 18th century law, the All Writs Act of 1789, now codified at 28 U.S. Code § 1651. That 227 year-old law was a part of the Judiciary Act of 1789, adopted during the first session of the very first United States Congress and signed into law by our first President, George Washington. It contains few words, but has a very broad effect:
- The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.
As argued by the government in its Ex Parte Application for the Order, the All Writs Act empowers the Court “in aid of a valid warrant, to order a third party [in this case, Apple] to provide non-burdensome technical assistance to law enforcement officers.” The government contends that pursuant to the All Writs Act, other courts have issued orders that require a manufacturer to assist in accessing a cell phone’s files so that a warrant may be executed. Because the Order involving the iPhone was issued by the Court without first hearing from Apple, the Company’s legal response to the government’s legal arguments has not yet been filed.
Why the FBI Needs Apple’s Help
Many have commented that a clash between the Department of Justice and Apple over iPhone data access has been building since 2014. Apple revised the operating system for the iPhone in 2014 to encrypt the data files by a combination of two components – a user-defined passcode and a unique 256-bit encryption key, which is built into the phone itself during manufacture. As described by the government in its Ex Parte Application for the Order, “both passcode components are required in combination for the operating system to decrypt the phone’s data files….” When the correct passcode is entered, the data is decrypted and the user can access it on the phone.
Because the suspected terrorist and iPhone user is dead, the government does not have the passcode for the iPhone at issue. Given enough time, it would be possible to enter all of the possible combinations of letters and numbers to unlock the code. But as many iPhone owners anxiously know, if you enter the wrong passcode 10 consecutive times, the phone will instantly and irrecoverably erase all of the encryption keys necessary for accessing stored data, rendering whatever data is on the phone forever inaccessible. Apple contends that the software on the phone prevents even it from disabling this “auto erase” function once it has been enabled.
Therein lies the government’s dilemma. If the auto erase function has been enabled (and the government suspects that it has been), then after just 10 wrong passcode attempts, whatever data that is on the phone will become forever inaccessible. Poof!
In addition to the auto erase security feature, iPhones also contain another security/ nuisance feature that invokes time delays before another passcode entry can be made after repeated, unsuccessful passcode entries – up to a 1 hour delay after the ninth failed attempt.
What the Court Order Requires from Apple
To overcome these data access safeguards (or obstacles, depending on your viewpoint), the government sought, and obtained, a Court Order that requires Apple to provide “reasonable technical assistance” to assist law enforcement agents in obtaining access to the data on the subject device. The Order further specifies that “Apple’s reasonable technical assistance shall accomplish the following three important functions:
- it will bypass or disable the auto-erase function whether or not it has been enabled;
- it will enable the FBI to submit passcodes to the subject device for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the subject device; and
- it will ensure that when the FBI submits passcodes to the subject device, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond is incurred by Apple hardware.
This presumably will require creating a new “backdoor” program, to be installed on the subject iPhone so that the FBI may “submit passcodes” to the device until it unlocks (sometimes called a ‘brute force approach”).
Apple refuses to do so, calling such a measure “building a backdoor” to “hack our own users and undermine decades of security advancements that protect our customers,” potentially exposing all iPhones to the “hackers and criminals” that the encryption is intended to block.
The Order further directs Apple to advise the government of the reasonable cost of providing the assistance. It also provides Apple with an avenue to object to the terms of the Order: “To the extent that Apple believes that compliance with this Order would be unreasonably burdensome, it may make an application to this Court for relief within five business days of receipt of the Order.” Apple is expected to seek such relief.
Reactions to the Order and Apple’s Response
The Order, and Apple’s response, have evoked strong responses from a number of interested agencies and businesses, both in favor and against. A number of tech companies, including Twitter, Facebook and Google have reportedly expressed support for Apple’s position regarding the iPhone Court Order. Others have raised concerns at what they deem to be government overreach. For instance, the Electronic Frontier Foundation wrote in favor of Apple’s stance, noting that “the government is doing more than simply asking for Apple’s assistance,” and is instead “asking Apple to create a master key” that the government can ask for “again and again.” The EFF further warns of “the myriad ways this new authority could be abused” by the US government or others.
Others have spoken out in favor of the Order. At a press briefing, White House Press Secretary Josh Earnest defended the Department of Justice’s efforts, arguing that “they’re simply asking for something that would have an impact on this one device.” Although the White House recognizes that “there is an intense debate right now about how to balance the need for encryption and cyber security and protecting privacy, and the need to protect the national-security of the United States,” Earnest observed that “the question in this instance is much more narrow,” and would affect only the one iPhone.
Additionally, for some time now the FBI has been warning about what it calls the “going dark issue”:
- Law enforcement at all levels has the legal authority to intercept and access communications and information pursuant to court orders, but it often lacks the technical ability to carry out those orders because of a fundamental shift in communications services and technologies. This scenario is often called the “Going Dark” problem….Director James Comey has said, “Armed with lawful authority, we increasingly find ourselves simply unable to do that which the courts have authorized us to do, and that is to collect information being transmitted by terrorists, by criminals, by pedophiles, by bad people of all sorts.” And as for a perceived conflict between keeping people safe and protecting their privacy, “it isn’t a question of conflict,” according to Comey. “We must care deeply about protecting liberty through due process of law, while also safeguarding the citizens we serve—in every investigation.”
Congress is reportedly getting involved in the dispute as well. Apple officials reportedly have been invited to testify before the House Judiciary Committee at a March 1 hearing on obstacles law enforcement agencies face in gaining access to encrypted communications.
Implications for Businesses
The long-term business implications of this Order and Apple’s response to it are yet to be seen. Regardless of how this case plays out (Apple plans to appeal, and the EFF has promised to write an amicus brief in support of Apple’s appeal), however, it may serve as a reminder to businesses to be cognizant of what private information is stored on employer-provided devices and how that information is protected.
Recently, both the FBI and Apple have posted competing messages on the internet, appealing directly to the court of public opinion. First, on Sunday, February 21, FBI Director James Comey posted a message, stating:
The San Bernardino litigation isn’t about trying to set a precedent or send any kind of message. It is about the victims and justice. Fourteen people were slaughtered and many more had their lives and bodies ruined. We owe them a thorough and professional investigation under law. That’s what this is. The American people should expect nothing less from the FBI.
The particular legal issue is actually quite narrow. The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve. We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That’s it. We don’t want to break anyone’s encryption or set a master key loose on the land. I hope thoughtful people will take the time to understand that. Maybe the phone holds the clue to finding more terrorists. Maybe it doesn’t. But we can’t look the survivors in the eye, or ourselves in the mirror, if we don’t follow this lead.
Apple has also provided additional information about its position, via a “Answers to Your Questions About Apple and Security” page on its website. Among other things, Apple CEO Tim Cook further explained Apple’s objections to the FBI’s request:
The government asked a court to order Apple to create a unique version of iOS that would bypass security protections on the iPhone Lock screen. It would also add a completely new capability so that passcode tries could be entered electronically.
This has two important and dangerous implications:
First, the government would have us write an entirely new operating system for their use. They are asking Apple to remove security features and add a new ability to the operating system to attack iPhone encryption, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.
We built strong security into the iPhone because people carry so much personal information on our phones today, and there are new data breaches every week affecting individuals, companies and governments. The passcode lock and requirement for manual entry of the passcode are at the heart of the safeguards we have built in to iOS. It would be wrong to intentionally weaken our products with a government-ordered backdoor. If we lose control of our data, we put both our privacy and our safety at risk.
Second, the order would set a legal precedent that would expand the powers of the government and we simply don’t know where that would lead us. Should the government be allowed to order us to create other capabilities for surveillance purposes, such as recording conversations or location tracking? This would set a very dangerous precedent.
Apple is expected to file its formal objections to the Court Order on Friday February 26. Stay tuned for further developments.