Does A 1789 Law Really Force Apple To Write Encryption-Cracking Code Today?
Apple has vowed to fight a judge’s order under an 18th century law scholars have described as “gap-filling” and “caulk” to provide high-tech assistance to the government for cracking the iPhone used by one of the San Bernardino shooters.
Apple Chief Tim Cook, in a letter to customers, warns against the “unprecedented use of the All Writs Act of 1789” to force the company to provide investigators with a “software image file” that will defeat the encryption on the phone.
He’s right about the threat: Cooperating in this case could eventually open all devices to government snooping. The order by U.S. Magistrate Judge Sheri Pym tries to strike a balance between user privacy and the needs of government investigators. But that line will be hard for judges to draw in the cases that are sure to follow, said Stephen Vladeck, a professor at American University’s Washington College of Law who studies how federal courts handle cybersecurity issues.
“If a judge can order a third-party company to write code, to create a functionality that didn’t exist before, what can’t he do?” Vladeck said.
The government is pushing the limits of its authority under the All Writs Act, a two-sentence law authorizing judges to issue “all writs necessary” to further a case. The law is generally interpreted as allowing judges to fill in the gaps between statutes, especially criminal laws, but Apple and privacy advocates say it doesn’t allow them to issue orders on matters already covered by existing laws.
The government used the Act to win a 2014 court ruling, mysteriously dubbed in re XXX Inc., in which U.S. District Judge Gabriel Gorenstein ordered a company widely believed to be Apple to help the police unlock a digital phone.
Two other judges are known to have refused the government’s requests, however, and a third judge in New York has been sitting on an order that might undermine the use of the act entirely. In that case, involving a suspected criminal’s iPhone running iOS 7, U.S. District Judge James Orenstein refused to order Apple to help the government unlock the phone. His ruling lays out the competing public interests as well as the difficulties of using a vaguely written 1789 law to achieve the sweeping goal of opening a new generation of communications devices to government inspection.
To support its use of the All Writs Act, the government relies on the U.S. Supreme Court’s 1977 decision U.S. v. New York Telephone, which held the phone company could be required to install call-tracing equipment because there was “no feasible way” for the government to monitor a criminal ring otherwise. But the court also justified the ruling by citing federal wiretap law and the “meager assistance” the phone company had to provide.
The Apple case is different, Judge Orenstein noted. The government doesn’t want access to a phone company’s switching equipment, he wrote, but the personal phone of an Apple customer. Further, the government could use the threat of criminal contempt to try and force the user himself to unlock the phone, not Apple (an option not available in the case of the San Bernardino shooters).
Finally, the judge said Congress had written a law requiring New York Telephone to do what the police wanted it to do, while Congress has so far refused to write a law requiring companies like Apple to provide backdoors into their devices.
“The real question is, is this basically a back door into backdoors?” Vladeck said. “Where the All Writs Act becomes this ubiquitous mechanism for obtaining back doors at a retail level that the government can’t obtain wholesale?”
Congress did pass the Communications Assistance for Law Enforcement Act in 1994, requiring common carriers to provide equipment capable of intercepting calls in real time. It expanded CALEA in 2006 to apply to broadband Internet and VOIP providers. But draft legislation to further expand CALEA to technology companies like Apple never made it to a vote and Congress has considered bills that would do the exact opposite, prohibiting the government from forcing private entities to cooperate.
So while “there may not be a statute at hand,” the judge wrote in last year’s Apple case, that’s not because Congress has failed to study and debate the issue. “This case falls in the murkier area in which Congress is plainly aware of the lack of statutory authority and has thus far failed either to create or reject it,” he wrote, making it “far from obvious” the All Writs Act applies.
Using an aggressive interpretation of that statute’s scope to short-circuit public debate on this controversy seems fundamentally inconsistent with the proposition that such important policy issues should be determined in the first instance by the legislative branch after public debate – as opposed to having them decided by the judiciary in sealed, ex parte proceedings.
Tim Cook argues a similar line in his customer letter, saying “we are challenging the FBI’s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.”
The government argues in both cases it isn’t imposing a big burden on Apple, and U.S. Magistrate Judge Sheri Pym agreed in the San Bernardino case, saying Apple must comply with the government’s detailed instructions for bypassing encryption if it is technically possible (Apple says it is impossible).
Judge Orenstein in the earlier New York case also left an out for the government if its request wasn’t unreasonably burdensome. But the judge thought it might be. Providing secure encryption might have been a well-considered business decision. “I cannot assume that forcing it to modify that decision would not impose an unreasonable burden,” he said, but he needed to hear from Apple on that point before rejecting the government’s request entirely.
In its response, Apple said “the government’s order would be substantially burdensome, as it would be impossible to perform.” On devices running iOS 8 or higher, Apple said, the phone has a Unique ID that isn’t accessible to other parts of the phone and isn’t even known to Apple. When the user sets up an ID it effectively locks the phone’s data from anybody else.
As of last week, Orenstein still hadn’t issued his final order. Apple pressed for a decision, even though the case might appear to be moot because the defendant pled guilty, saying it would be more efficient to issue a ruling in this case than wait for it to come up again. Which it did, of course, just a few days after Apple wrote the judge.
Apple and privacy advocates say this is too important a matter to leave to judges. But the government may think it is playing a strong hand with this case, involving a terrorist act where the privacy concerns of the iPhone owner evaporated when a bullet entered his skull.
“If ever there was a case they want to litigate, this is the case,” said Vladeck. “This is not exactly a petty street crime.”
Unless Congress gets involved, however, courts could set troubling precedents for the future. The Second Circuit Court of Appeals in New York is considering the government’s demand Microsoft turn over details of e-mails stored on its servers in Ireland. A ruling for the government could incite courts in other nations to issue similar orders for data on U.S. servers, Vladeck told me.
“Does the mere fact a company does business in New York give the U.S. government the right to search a server in Ireland?” he said. “Plenty of companies do business in China, too.”
This article was written by Daniel Fisher from Forbes and was legally licensed through the NewsCred publisher network.