downloadsource.fr/Flickr
The tech-policy community is still buzzing about a recent court order compelling Apple to craft a technical tool that would allow FBI investigators to bypass security measures on the iPhone used by San Bernardino shooter Syed Rizwan Farook.
The government's legal argument rests largely on the archaic All Writs Act of 1789, a short law establishing that U.S. courts may "issue all writs [legal orders] necessary and appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law." Straightforward enough. As traditionally interpreted, this law merely allowed the judiciary a bit of flexibility to facilitate lawful legal procedures when the precise means needed were not already on the books. For example, a court might invoke this law to enlist a telephone company's assistance in setting up a special kind of warranted wiretap that Congress had not specifically addressed in legislation. But there are supposed to be limits. For instance, the Act could not compel someone who is "far removed" from the situation to act, nor could it impose an "unreasonable burden" on a third party or "adversely affect" that party's "basic interests."
But in recent years, the Justice Department has strained this 227-year-old provision beyond the reasonable bounds of interpretation in an effort to get around strong security technologies that it sees as hindering investigations. In 2014, reports from the The Wall Street Journal and Ars Technica revealed that courts in New York and California had invoked this obscure law to compel Apple and at least one other unknown device manufacturer to provide "technical assistance" to unlock password-protected phones. This most recent order to Apple has drawn these creative modern applications of a centuries-old law into strong public scrutiny.
Technology companies and civil-liberties activists oppose the order for the respective threats it would deal to security and privacy online. The FBI, on the other hand, has long sought a way to get around strong security and encryption techniques such as those found on newer versions of the iPhone. Regardless of the considerable technical vulnerabilities that these workarounds—often referred to as a "backdoor" or "secure golden key"—may generate, the FBI could end up getting its way either through judicial precedent or legislative action.
If it does, Apple engineers would be enlisted as unwilling iPhone hackers for the feds. Specifically, the FBI wants to force Apple engineers to build custom software that can disable an iPhone's "auto-erase" security function, allow agents to electronically guess the PIN, and remove the time delay in between PIN guesses so that they can access data on Farook's work iPhone.
Apple filed a 65-page motion to vacate the order late last month, handily addressing the DOJ's questionable use of the All Writs Act and brings in extra constitutional muscle to defend its dissent.
Much of the document reiterates and expands on the points first sketched by Apple CEO Tim Cook in his initial rallying cry to the public: the FBI's order amounts to little more than a government "backdoor" into secure technologies, an outrageous overreach of power, and a dangerous precedent that lacks proper congressional input. The filing at times reads more like a colonial-era broadside against the abuses of the crown than a staid legal motion. (By the second sentence, Apple has already positioned its case as integral to the "basic security and privacy interests of hundreds of millions of individuals around the globe.") But there's a lot of new legal firepower packed in as well.
Here are Apple's key arguments:
The All Writs Act is not a magic catch-all for the FBI's whims.
Apple's first major legal argument is that the government's use of the All Writs Act far exceeds the limits of the law. Invoking a Supreme Court ruling that the Act does not authorize courts to "issue ad hoc writs whenever compliance with statutory procedures appears inconvenient or less appropriate," Apple's attorneys point out that the remedy to the issue of encrypted communications is one that must be addressed by Congress, not willed into existence by the courts.
In fact, Congress has previously weighed in on the issue of law enforcement's authorities and limitations on procuring evidence from telecommunications providers in the Communications Assistance for Law Enforcement Act of 1994 (CALEA). This law outlined the procedures and boundaries that law enforcement must follow to gather data from third-party technology companies in the course of an investigation, and expressly states that the government cannot "dictate to providers of electronic communications services of manufacturers of telecommunications equipment any specific equipment design or software configuration." Because the FBI order to Apple outlined the specific schematics of the program it is demanding be created, Apple attorneys argue that the agency is in violation of the law.
Furthermore, because Apple would be considered an "information service provider" under the CALEA, Apple is actually exempt from the burden of mandatory assistance to law enforcement. But even if Apple wasn't exempt from mandatory assistance, CALEA explicitly states that third-party service providers—even those subject to mandatory reporting—cannot be compelled to "decrypt, or ensure the government's ability to decrypt, any communication encrypted by a subscriber or customer unless the encryption was provided by the carrier and the carrier possess the information necessary to decrypt the communication." Apple does not possess the encryption key necessary to decrypt the Farook's iPhone.
The FBI order places an undue burden on Apple.
Apple argues that the FBI order would violate the stipulations of the All Writs Act even if it could be applied in the manner that the FBI attempted. In its ex parte application for the order against Apple, the government's attorneys argued that asking Apple to "writ[e] a program that turns off non-encryption features" is not an undue burden under the All Writs Act and requires only minimal effort on the tech giant's part. Apple disagrees.
In its motion, Apple argues that the kind of program that the FBI so flippantly ordered would require "significant resources and effort"—somewhere in the ballpark of six to ten Apple engineers toiling for upwards of a month to break the very system they spent so long securing. Then the program would need to be tested, re-coded, and tested again until the engineers found the software to be reasonably functional and secure.
According to iOS forensic scientist Jonathan Zdziarski, such an instrument would likely be subject to further layers of testing by the courts, adding even more to the final cost. After the software is approved by all parties, it would need to be loaded and operated on Apple facilities. Then its engineers might also be tasked with destroying the device and program in such a manner that it can never be intentionally or unintentionally leaked into the wrong hands—a tall order in a world of constant corporate espionage and insecure systems. This is before considering the substantial costs in liability and diminished customer trust that would likely accrue.
Compromising iPhone security adversely affects Apple's basic interests.
In futher violation of the All Writs Act, the FBI court order would "adversely affects" Apple's basic interests, the company argues. It's easy to see why. Unlike many other technology companies that monetize their free services through data brokerage and advertising, Apple makes money by offering high-quality, secure devices that their customers trust. In recent years, Apple's commitment to customer security drew the company to implement strong encryption techniques on popular devices. In 2013, Apple began encrypting all external data stored on devices running iOS 7 by default. By the next year, iOS 8 boasted beefed up security features that were so airtight that Apple itself could not access much customer data. In this version of the software, data stored on iPhones was encrypted in such a way that only the customer could unlock their device to retrieve their information—thereby earning the ire of law enforcement groups like the FBI.
But while the fuzz only focused on the new challenges to their traditional warrant process that these security measures imposed, Apple clearly has a compelling company interest in providing the most secure and reliable products that they can for customers. The FBI is essentially ordering a company to destroy a key trade advantage that the company had "spent years building," Apple argues. If the All Writs Act can indeed be applied in a manner that destroys the core profitability of a U.S. company, other firms abroad would likely sell similar security features to their customers—and the problems for law enforcement would continue.
Code is First Amendment-protected speech.
One of the more interesting arguments put forth by Apple's attorneys is that the court order actually violates Apple's First Amendment rights. The argument's central premise—that code is First Amendment-protected speech—was the subject of endless debates during the first Crypto Wars in the 1990s. In 1991, a programmer named Phil Zimmerman rocked the computer science and intelligence communities by releasing an email encryption technology to the public called "Pretty Good Privacy" (PGP). The symmetric-key algorithm at the heart of PGP was before then mostly only employed by researchers and agents of the state. By publishing the PGP source code on the Internet for anyone to access and apply, Zimmermann challenged the existing legal infrastructure that criminalized exporting encryption use, which was categorized as a "strong munition."
The U.S. government dropped the criminal investigation against Zimmermann, but the question was again raised in 1995, when a graduate student named Daniel Bernstein published a paper containing the source code for his encryption technique called Snuffle. In publishing the code, Bernstein, like Zimmermann, was targeted by the U.S. government for violating munitions regulations. In Bernstein v. United States (1999), the Ninth Circuit Court of Appeals ruled that the munitions export controls invoked by the government to stop the spread of encryption constituted an impermissible prior restraint on speech and violated the First Amendment.
The Ninth Circuit stopped short of holding that "all software is expressive." Still, Apple's attorneys cite Bernstein v. United States and other rulings holding that certain kinds of computer code are protected by the First Amendment in its defense.
Building on precedents establishing First Amendment protections for computer code, Apple argues that the FBI is impermissibly compelling the company to speak by developing a tool to decrypt Farook's phone. The program that the FBI is demanding would require Apple engineers to write speech (code) under duress and compel engineers to issue a digital signature used only by Apple employees. This, according to Apple's attorneys, is equivalent to having someone sign a document with which they disagree at gunpoint.
The government cannot force its citizens to speak in ways that they do not want, nor can it force scientists to create and sign off on programs beyond their own wills. Therefore, Apple argues, the FBI order violates Apple's First Amendment rights. (Ironically, this line of argumentation forces groups that have traditionally opposed the Citizens United ruling to invoke it.)
Silicon Valley Versus Washington
Apple friends in Silicon Valley have called in their own litigative cavalry to back Apple's motion to dismiss the FBI order. An amicus brief filed by a group of tech titans including Amazon, Dropbox, Cisco, Facebook, Google, Microsoft, and Mozilla emphasizes the catastrophic harms to strong digital security that such orders would engender. Another brief, this one produced by a consortium including Reddit, Medium, LinkedIn, Twitter, and GitHub argues that the order is an "extraordinary and unprecedented effort to compel a private company to become the government's investigative arm" with "no legal basis." And a brief filed by superstar information security experts—many of the same ones that released a highly-influential paper criticizing government backdoors last summer—highlights how measures to assist law enforcement by undermining security will ironically generate extreme harms to public safety.
In the FBI's corner, meanwhile, are briefs filed by other law-enforcement groups and some of the victims of the San Bernardino attack. These briefs respectively reiterate the need for strong investigative practices and justice for the victims of terrorism.
All of these briefs share a common concern for public safety and understanding of the need for law enforcement to have all of the legal tools necessary to protect the public and promote justice. At the same time, it's important to have a data-driven understanding of the scope of the problem. Before the horrific San Bernardino attacks, much of the public discussion about criminals "going dark" through encryption was mostly hypothetical. Indeed, internal emails leaked to the press show the intelligence community outright exasperated by the virtual lack of any terrorist act that could be used to justify a curtailment of strong encryption.
Last month, I dug into reports produced by the Administrative Office of the U.S. Courts to see just how prevalent the problem of encrypted communications has been for law enforcement. The numbers are pretty surprising: from 2001 to 2014, only 147 of the 32,539 domestic wiretaps reported by the courts encountered any kind of encryption at all. That's less than 0.45 percent of the total. And much of the encryption is quite weak anyway. Law enforcement officials were able to crack and decipher the vast majority of these communications. A measly fifteen of them—or 0.046 percent of the total—were encrypted and unable to be deciphered.
So, according to the best public information available, over 99.5 percent of criminals investigations have no problems with criminals "going dark" at all. Surely there are better ways that we can improve criminal investigations without undermining the digital security of our entire nation?
Comments