[Digest Note] Decrypting Apple: Making Technology Companies the Referees of Law Enforcement on Privacy

Introduction

On February 16, 2016, United States magistrate judge Sheri Pym of the United States District Court for the Central District of California ordered Apple Inc. (“Apple”) to create software enabling the Federal Bureau of Investigation (“FBI”) to bypass the security encryption of an iPhone belonging to Syed Farook, the San Bernardino shooter. The FBI did not clearly state what information it sought, but presumably it expected to find leads related to Farook’s crime, insight on his motivations, or details about a possible terrorist network. Apple refused to comply with Judge Pym’s order (“Order”), which she issued under the All Writs Act of 1789, 28 U.S.C. § 1651, and instead objected to the Order.[1] In response to Apple, the government asked Judge Pym to compel Apple’s compliance because, according to the Department of Justice (“DOJ”), the FBI could not access the phone’s information without Apple’s assistance.[2] Before Judge Pym could rule on the motions, the DOJ dropped its motion as the FBI found another company to provide the software it needed.[3] The matter thus reached a judicial dead end. Yet, over a year later, there is little assurance that this case is the last time the government will ask courts to compel commercial companies to aid law enforcement in investigating and building cases against alleged terrorists.

The San Bernardino Apple case above both illustrates how law enforcement has used the fight on terror to compel private companies to cooperate with expansive search warrants, and raises questions about how far private companies can legally be obliged to commit resources to fulfil public functions, such as investigating crimes, when those functions risk undermining their reputation. Currently, courts must balance these interests. This article argues that the issues are too complex and fundamental to be left to the judiciary. Until Congress adopts legislation clearly stating where the balance lies, both citizens’ expectations of the protection of their Fourth Amendment rights and companies’ abilities to make commercial promises to their customers will be left compromised.

The San Bernardino Shooting and Subsequent Search Warrant

On December 2, 2015, Syed Farook and his wife Tashfeen Malik shot and killed fourteen individuals at the Inland Regional Center in San Bernardino. The couple was subsequently killed in a shootout with the police. Amongst their belongings was an undetonated bomb device that, along with other information, supported the FBI’s later assertion that the attack was intended as an act of terrorism.[4]

Before their deaths, the couple destroyed their personal cellular telephones, but Farook failed to destroy his work-issued iPhone 5C. In early February, the DOJ obtained a warrant to search the phone as it “may contain critical communications and data prior to and around the time of shooting that, thus far: (1) has not been accessed, (2) may reside solely on the phone, and (3) cannot be accessed by any other means known to either the government or Apple.”[5] San Bernardino County’s District Attorney, Michael R. Ramos, argued that accessing the phone could reveal whether a third person was involved in the attack,[6] and that unlocking the phone would prevent releasing a “dormant cyber pathogen” into the county’s computer infrastructure.[7] Both claims have since been challenged.

When law enforcement investigators found that they could not bypass the phone’s security system, they asked Judge Pym to order Apple “to assist in enabling the search of [the] cellular telephone.” She did so. Essentially, the Order would force Apple to create new software that disables the iPhone’s auto-erase function, which destroys encrypted data after more than ten incorrect passcodes are entered to unlock the phone.[8] The Order suggested that Apple could comply by “providing the FBI with a signed iPhone Software file, recovery bundle, or other Software Image File that can be loaded onto” the phone.[9] Indeed, it required Apple to create software that disables the security features the company installed. Apple refused, resulting in what was hailed as “the most high-profile [case] in which a federal court has ordered Silicon Valley to help the US government get around new security measures added since the Edward Snowden leaks.”[10] The government seemingly had tried to step over a forbidden threshold.

The Legal Approval of Search Warrants and Their Limitations

Apple did not contest the government’s authority to search the phone.[11] Indeed, the technology company agreed that the government had a right to conduct the search. While citizens are protected from an unreasonable search and seizure, law enforcement only needs a warrant to satisfy the Fourth Amendment’s right to privacy. Once a judge approves a warrant, a suspect has no privacy rights against government intrusion into the affairs encompassed in the warrant. Thus, Apple did not oppose the FBI’s right to a legal search of the phone with a warrant: instead, the company objected to the court forcing it to reverse engineer its encryption. Doing so would impose a substantial burden on the company. Apple would need to create a new technical solution that would violate its products and its consumer promise of privacy, thereby seriously threatening its position in the market.

If the law had already been settled in this area, courts could balance the burden imposed on the technology giant with the FBI’s interest in discovering potential critical communications. With no greater specification by the Bureau, and no warning of an imminent threat, the court may have found in favour of the phone manufacturer. However, the court might also have decided that Apple’s objections based on a customer promise and market position would seem like a small price to pay in the face of an attack on national security. Additionally, a court might dislike that Apple deliberately set out to erect an encryption wall that could not be scaled even with a legitimate and legal search warrant. Prior to the Snowden revelations, Apple complied with similar Orders often.[12] After the leaks, Apple announced that it would install encryption software on its iPhones so that content could not be accessed, “even if faced with a court order.”[13] Despite its own potential loss in adopting that technology, Apple decided to make its privacy practices a competitive advantage by tapping into a general disquiet the American public has with the government’s power to intrude into the private sphere.[14] It was a sales pitch that signalled that Apple had heard and understood its customers’ mistrust of the government and its law enforcement and spy agencies.

A Legislative Lacuna

Enacted in 1789 by the First Session of the First Congress, the All Writs Act, 28 U.S.C. § 1651(a), states that “[t]he Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” Two weeks after Judge Pym issued the Order, another U.S. magistrate judge, James Orenstein of the United States District Court for the Eastern District of New York, denied a near-identical request based on very different reasoning.[15]

Judge Orenstein held that the writ cannot be used in this manner, as it cannot close a gap that Congress had chosen not to fill.[16] At issue was how to interpret the Communications Assistance for Law Enforcement Act of 1994 (“CALEA”), 47 U.S.C. § 1002(b), which did not compel private companies to assist law enforcement agencies. The DOJ argued that the silence was merely an incidental silence in the legal text; Apple argued that the silence was deliberate, and thus, it was an affirmative expression of legislative intent.[17] Judge Orenstein agreed with Apple, and thus concluded that an order issued under the All Writs Act would create law where there was none, which does not fulfil the criteria of “agreeable to the usages and principles of law.”[18]

Furthermore, Orenstein noted that even if the All Writs Act could be used in this scenario, the Writ should not be issued because Apple was too far removed from the criminality, as it had no ownership interest in the phone in question, and the many repeated law enforcement requests for writs cumulatively imposed an unreasonable burden on a private company.[19] In contesting Judge Pym’s order, Apple incorporated magistrate Orenstein’s reasoning in its notice of objections.

Reputational Damage

This was far from the first time Apple had been asked to assist the FBI with similar decryption requests.[20] Indeed, Judge Orenstein maintained that Apple’s repeated efforts to comply with similar orders, and the reputational damage it would incur from being known to violate its customers’ expectation of data privacy, might extend beyond the permission of the law.

Civil society agreed that this dispute was about opening more than one phone.[21] Apple argued that the issue is not about whether this software is used only once, but about the potential for greater reputational harm if consumers became aware that Apple had the capacity to break into its customers’ phones, thereby threatening its consumer promise of privacy.[22] However, Apple would not let the issue in California be solely about the company’s commercial reputation. By soliciting supporting statements from technology companies, human rights organizations, and United Nations bodies, Apple attempted to launch a wider debate about the role of privacy and technology companies’ uncomfortable relationship with law enforcement.[23]

Outsourcing of Law Enforcement Functions

The All Writs Act enables law enforcement officials to outsource their functions. Many commentators have frowned on this practice; in the words of the American Civil Liberties Union, “[l]aw enforcement may not commandeer innocent third parties into becoming its undercover agents, its spies, [and] its hackers.”[24] Indeed, several commentators have noted a general trend of governments outsourcing law enforcement and policing functions onto technology companies and internet providers. Ronald J. Deibert, director of the Citizen Lab, explains that “[b]ecause much of what constitutes [the internet] is in private sector hands, [to] secure cyberspace governments must enlist or otherwise compel the private sector to police the data and networks they control within their territorial jurisdictions. These pressures have led to a gradual downloading of policing responsibilities to the private sector.”[25] In his opinion, Magistrate Judge Orenstein stressed that unlike in the leading case on the All Writs Act, United States v. New York Telephone Co., which involved compelling a New York telephone company to install a pen register on its phones, Apple was under no duty to perform a public service.[26]

According to David Lyon, “the governmental and the corporate have always worked closely together in modern times. But the idea that they inhibit essentially different spheres, with different mandates, is currently unravelling.”[27]

By demanding that companies facilitate the intrusion into the private sphere, law enforcement indirectly outsources a key policing function to private corporations. In his public letter, Tim Cook painted the FBI as a renegade agency by claiming that “the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create.”[28] Tim Cook concluded that “the government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers – including tens of millions of American citizens – from sophisticated hackers and cybercriminals.”[29]

An International Human Rights Issue

As the case attracted considerable media attention, the Senate Judicial Committee was warned that the new software could be employed by foreign governments to contravene human rights.[30] The question facing the government was a version of the nuclear bomb question: once the technology exists, it can be used for nefarious purposes; thus, should that technology still be developed? By asking Apple to engineer software that could violate consumer privacy, the government also asked Apple to create a tool that allows others to trample on privacy rights, regardless of international legal protection. Those actors might be foreign governments, organizations, or corporations.

The United Nations’ High Commissioner for Human Rights, Zeid Ra’ad Al Hussein, went further and warned the U.S. government about the “potentially negative ramifications for the human rights of people all over the world.”[31] In a press release, he wrote that “to address a [national] security-related issue related to encryption in one case, the authorities risk unlocking a Pandora’s Box [that] could have extremely damaging implications for the human rights of many millions of people, including their physical and financial security.”[32] Similarly, the United Nations’ Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye, intimated that the Order may very well violate Article 19 of the International Covenant on Civil and Political Rights, to which the United States is a signatory.[33] He suggested that the Order was not necessary “for the protection of national security or public order” given that, in his opinion, the government could pursue other avenues to achieve the same outcome.[34] Indeed, the DOJ later acknowledged they had done so.[35]

The United Nations representatives’ concern touched on issues more fundamental than Apple’s promise of customer privacy, which was critical to Orenstein’s reasoning. This divergence marks discord between the U.S. courts and the international community. Whereas U.S. courts focus on commercial reputations, the international community attends to threats to individual liberty. Rather than focusing solely on data security, human rights commentators have remarked that the Order, and those like it, might have a chilling effect on related human rights, such as freedom of expression and political thought.[36] Cook argued that “if the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data.”[37] He predicts that the government may use courts to access cellular telephones and extend create a post-9/11 surveillance state.[38] If correct, Tim Cook's warning means the orders issued under the All Writs Act would open the floodgates of law enforcement agencies demanding that technology companies break their products’ security features.[39] Cook even speculates that in the extreme, law enforcement agencies may use these capabilities to surreptitiously activate device functions such as a video camera or microphone.[40] These technical capabilities exist, making the need for legal clarity of how far the government and law enforcement can demand cooperation from technology manufacturers, security companies, and cryptographers in their quests to unlock the secrets we keep on the devices in our lives.[41]

Conclusion

Former FBI director, James Comey, told the House Judiciary Committee that the world is “moving to a place where there are warrant-proof places in our life…. That’s a world we’ve never lived in before in the United States.”[42] Yet, legal scholar Woodrow Hartzog points out that this claim is not true, as most conversations disappeared into thin air.[43] Increasingly our lives will be available for scrutiny for those who possess the right technological tool. Yet, it is still difficult to see how the balance between all the different interests in an increasingly technologically and politically complex world can be struck on a case-by-case basis.

The rights that are compromised, the safety that is at stake, the trust in the private sector, and the commitments to the human rights standard in the international community all indicate that this is a matter that can only be resolved by the legislature. That such a simple thing as decrypting a phone can cause so much confusion, legal wrangling, and debate demonstrates that the lacuna in the law—the deafening silence on the matter in CALEA and related legislation—is not a tenable state for a modern democratic society. As commercial interests and share prices may be dependent on the technology companies’ ability to protect their customers’ privacy from cybercriminals and police enforcement agents alike, it is becoming increasingly urgent for the legislators, not the courts, to decide on where the legal balance should be struck.

Ann Kristin is a PhD Candidate at the University of Cambridge Faculty of Law, and a Teaching Associate in the Masters of Cyber Security program at Brown University.

[1] See generally Notice of Objections to February 16, 2016 Order Compelling Apple Inc. to Assist Agents In Search, In the Matter of the Search Warrant of an Apple Iphone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203, No. 16-10 (C.D. Cal. filed March 1, 2016) [hereinafter “Notice of Objections”].

[2] Government’s Motion to Compel Apple Inc. to Comply With This Court’s February 16, 2016 Order Compelling Assistance in Search at 16–18, In the Matter of the Search Warrant of an Apple Iphone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203, No. 16-10 (C.D. Cal. filed March 19, 2016) [hereinafter “Motion to Compel”].

[3] Danny Yadron, San Bernardino Iphone: US Ends Apple Case After Accessing Data Without Assistance, The Guardian (March 29, 2016), www.theguardian.com/technology/2016/mar/28/apple-fbi-case-dropped-san-bernardino-iphone [https://perma.cc/3A2E-ZC2B].

[4] Motion to Compel at 4.

[5] Id.

[6] San Bernardino County District Attorney’s Application to Participate as Amicus Curiae at 3–4, In the Matter of the Search Warrant of an Apple Iphone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203, No. 16-10 (C.D. Cal. filed March 3, 2016).

[7] Jason Murdock, Apple Vs FBI: San Bernardino DA Michael Ramos Admits ‘Dormant Cyber Pathogen’ Remark Was Nonsense, Int’l Bus. Times (Mar. 7, 2016), www.ibtimes.co.uk/apple-vs-fbi-san-bernardino-da-michael-ramos-admits-dormant-cyber-pathogen-remark-was-nonsense-1548060 [https://perma.cc/2RH8-9FE2].

[8] See generally, Order Compelling Apple, Inc. to Assist in Search, In the Matter of the Search Warrant of an Apple Iphone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203, No. 15-0451M (C.D. Cal. filed February 16, 2016) [hereinafter “the Order”].

[9] Id. at 2.

[10] Danny Yadron, Apple Ordered To Decrypt Iphone Of San Bernardino Shooter For FBI, The Guardian (Feb. 17, 2016), www.theguardian.com/us-news/2016/feb/17/apple-ordered-to-hack-iphone-of-san-bernardino-shooter-for-fbi [http://perma.cc/XGR7-83ZF].

[11] Tim Cook, A Message To Our Customers, Apple (Feb. 16, 2016), www.apple.com/customer-letter/ [https://perma.cc/MCZ2-JWGR].

[12] Memorandum and Order at 3, In Re Order Requiring Apple, Inc. to Assist in the Execution of a Search Warrant Issued by This Court, 15-MC-1902 (E.D.N.Y. issued Feb. 29, 2016) [hereinafter “Orenstein Order”].

[13] Yadron, Apple Ordered To Decrypt, n.10.

[14] Cook, A Message To Our Customers, n.11.

[15] Orenstein Order at 11.

[16] Id. at 26.

[17] Id. at 15.

[18] Id. at 26.

[19] Id. at 42.

[20] In fact, there had been more than seventy over the last few years. Id. at 3.

[21] Deputy executive director of the Electronic Frontier Foundation, Kurt Opsahl, has said that “the government is asking Apple to create a master key so that it can open a single phone. And once that master key is created, we’re certain our government will ask for it again and again…” Stuart Dredge and Danny Yadron, Apple Challenges ‘Chilling’ Demand To Decrypt San Bernardino Shooter’s Iphone, The Guardian (Feb. 17, 2016), https://www.theguardian.com/technology/2016/feb/17/apple-challenges-chilling-demand-decrypt-san-bernadino-iphone [https://perma.cc/78MG-DU3C].

[22] Cook, A Message To Our Customers (“Once the floodgate open, they cannot be closed, and the device security that Apple has worked so tirelessly to achieve will be unwound without so much as a congressional burden.”).

[23] Id.

[24] Richard K. De Atley, San Bernardino Shooting: Apple Files New Court Documents In FBI Case, The Press Enterprise (Mar. 2, 2016), http://www.pe.com/2016/03/02/san-bernardino-shooting-apple-files-new-court-documents-in-fbi-case/ [https://perma.cc/6JN8-LL37].

[25] Ronald J. Deibert, Black Code: Surveillance, Privacy, And The Dark Side Of The Internet 108 (2013).

[26] United States v. New York Telephone Co., 434 U.S. 159 (1977).

[27] David Lyon, Surveillance After Snowden 31 (2015).

[28] Cook, A Message To Our Customers.

[29] Id.

[30] Spencer Ackerman, Apple Encryption Case Risks Influencing Russia And China, Privacy Experts Say, The Guardian (Feb. 17, 2016), www.theguardian.com/technology/2016/feb/17/apple-fbi-encryption-san-bernardino-russia-china [https://perma.cc/FX39-5BML].

[31] Apple-FBI Case Could Have Serious Global Ramifications For Human Rights: Zeid, U.N. Off. of the High Commissioner for Hum. Rts. (Mar. 4, 2016), http://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=17138&LangID=E [https://perma.cc/T7AE-6MBX].

[32] Id.

[33] David Kaye, Re: In The Matter Of The Search Of An Apple Iphone Seized During The Execution Of A Search Warrant On A Black Lexus IS300, California License Plate 35KGD203 ED No. 16-10 (SP), U.N. Off. of the High Commissioner for Hum. Rts. 2–3 (Mar. 2, 2016), https://web.archive.org/web/20161201122546/https://www.apple.com/pr/pdf/Letter_from_David_Kaye_UN_Special_Rapporteur_on_the_promotion_and_protection_of_the_right_to_freedom_of_opinion_and_expression.pdf [https://perma.cc/9M2N-TR75].

[34] Id.

[35] John Naughton, Apple’s FBI Row Was An Opportunity Missed, The Guardian (May 8, 2016), www.theguardian.com/commentisfree/2016/may/08/apples-row-with-fbi-opportunity-missed-encryption [https://perma.cc/DV26-V2DJ].

[36] David Kaye, Search Of An Apple Iphone.

[37] Dredge and Yadron, Apple Challenges ‘Chilling’ Demand.

[38] Cook, A Message To Our Customers; see also Mark Skilton and Irene Ng, What The Apple Versus FBI Debacle Taught US, Sci. Am. (May 20, 2016), https://blogs.scientificamerican.com/guest-blog/what-the-apple-versus-fbi-debacle-taught-us/ [https://perma.cc/R9J9-9D6Z].

[39] For example, ITPRO reported in May 2016 that the FBI has been asked to use the new software to unlock the phone of a shooter in Louisiana, which was seemingly unrelated to any terrorist suspicion. Jane McCallion et al., Apple Vs. FBI: NSA Reveals Why It Couldn’t Hack San Bernardino Iphone!, ITPRO (Jun. 13, 2016), http://www.itpro.co.uk/public-sector/26057/apple-vs-fbi-nsa-reveals-why-it-couldnt-hack-san-bernardino-iphone [https://perma.cc/LNA6-AQGQ].

[40] Cook, A Message To Our Customers.

[41] Adam Greenfield, Rise Of The Machines: Who Is The ‘Internet Of Things’ Good For?, The Guardian (June 6, 2017), www.theguardian.com/technology/2017/jun/06/internet-of-things-smart-home-smart-city [https://perma.cc/ZY8R-F5H2].

[42] Woodrow Hartzog, The Feds Are Wrong To Warn Of “Warrant-Proof” Phone, MIT Tech. Rev. (Mar. 17, 2016), https://www.technologyreview.com/s/601044/the-feds-are-wrong-to-warn-of-warrant-proof-phones/ [https://perma.cc/6DHC-XUWD].

[43] Id.