Among the major headlines dominating not only the recent news cycle, but also this week’s RSA Conference in San Francisco, has been Apple’s challenge to the federal government’s request that Apple assist in unlocking the iPhone recovered from the perpetrators of the shootings in San Bernardino.  On March 1, 2016, the House Judiciary Committee held a hearing titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy” focused on the intersection of the competing values of privacy and security in American society.  Testifying before the committee were two panels, one consisting solely of Federal Bureau of Investigation James Comey and the other of Bruce Sewell, Senior Vice President and General Counsel for Apple, Inc.; Cyrus R. Vance, District Attorney for New York County and Professor Susan Landau of Worcester Polytechnic Institute.

Background.  Federal prosecutors in the San Bernardino case have requested that Apple create software to perform three specific acts:

  • Bypass or disable the auto-erase function whether or not it has been enabled.  The iPhone 5C has an option that the device will erase its contents if ten (10) consecutive incorrect personal identification numbers (“PINs”).
  • Enable the FBI to submit passcodes to the iPhone for testing electronically via any protocol available to the device.  This request forecloses the possibility of paying someone to manually enter all possible PINs until the correct one is found.
  • Ensure that after the introduction of incorrect passcodes to the iPhone, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond those incurred by Apple hardware.  Currently, iOS imposes increasing delays after each incorrect PIN entered.

Interestingly, in the words of Director Comey, the FBI is not asking Apple to “pick the lock” of the iPhone in question but rather to remove “the vicious guard dog” of the security features outlined above so the FBI can make its own efforts to access the device.  Apple has represented that software with the features requested does not exist and that it would have to create the software.

Apple has refused to comply with the federal government’s request.  In response, federal prosecutors in California have filed a motion with the Federal District Court seeking an order under the All Writs Act (the “AWA”) to compel Apple to create software with the requested features.  Apple has challenged the use of the AWA as the basis of the authority to produce such an order.  This challenge is the basis of the recent headlines.

Meanwhile, on February 29, 2016 in Brooklyn, New York, a federal judge in the Eastern District of New York, Magistrate Judge Orenstein, issued an order denying a similar request by federal prosecutors for an order under the AWA to compel Apple to bypass the passcode security on an Apple device.  Judge Orenstein denied that motion.

Judge Orenstein’s memorandum and order analyzed the context and application of the AWA to the circumstances before him and found the government’s reliance on the AWA to be inappropriate.  The All Writs Act was part of the Judiciary Act of 1789, a bill passed in the First Session of the First Congress.  As Judge Orenstein noted, former Supreme Court Justice Sandra Day O’Connor has identified the Judiciary Act of 1789 as “the last great event in our Nation’s founding” and part of “the triad of founding documents, along with Declaration of Independence and the Constitution itself.”  The AWA, part of this foundational act, functioned as a gap-filler for a new nation embarking on the creation of its own body of law.  The statute is little changed from its original enactment except for a modernization of its language.  It reads as follows:

“The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”

The AWA’s role has not changed in the two plus centuries of its existence.  The Act makes it unnecessary for Congress to explicitly define every sort of writ (or order) that a federal court may issue.  Instead, a court has considerable latitude to fashion an order so long as the order would be “in aid of” the court’s jurisdiction, the order is “necessary or appropriate” and the order is agreeable to the “usages and principles” of law.

Judge Orenstein agreed that issuing the order would be “in aid of” the court’s jurisdiction and that it was “necessary or appropriate”.  His analysis turned on whether the order would be agreeable to the “usages and principles” of law.  He found that it was not.

To reach this conclusion, Judge Orenstein looked to the Communication Assistance for Law Enforcement Act (“CALEA”).  CALEA is a statute enacted in the early 1990s “to preserve the government’s ability, pursuant to court order or other lawful authorization, to intercept communications involving technologies such asdigital or wireless transmission modes, or features and services such as call forwarding, spped dialing and conference calling, while protecting the privacy of communications and without impeding the introduction of new technologies, featuers, and services.”.  Generally, the law requires private entities to assist law enforcement in the execution of court orders authorizing different forms of electronic surveillance.  This general requirement comes with certain limitations expected to ensure that CALEA would not frustrate overall technological progress.  The law limited the ability of law enforcement to prevent private companies from offering certain services, equipment and systems to customers.  It also exempted wholly certain types of businesses from the requirements of the law.  Finally, and most applicable to the present debate, the law explicitly did not require that businesses help government agents bypass any encryption that might shield communications from surveillance.

The government’s argument is that CALEA applies only to “data in motion” and not to “data at rest” as is the case of the iPhone in San Bernardino.  Therefore, according to the government, CALEA does not apply and any inferences drawn from that statute do not apply to the issue at hand, making any order issued under the AWA agreeable to the “usages and principles” of law.

Apple’s argument—adopted by Judge Orenstein—is that CALEA is part of a larger, comprehensive statutory scheme governing both data in motion and data at rest.  Within that framework exists the fact that Congress considered putting an affirmative obligation on companies in Apple’s position to assist the government and that Congress rejected such an affirmative obligation.  This Congressional rejection serves as a sufficient basis to conclude that now ordering Apple to affirmatively assist a government criminal investigation would be in contravention of Congress’ action or, to put it in the words of the AWA, that such an order would not be agreeable to the “principles and usages” of law.  Accordingly, Judge Orenstein refused to issue an order compelling it to assist the federal government in unlocking the iPhone in that case.

To be sure, Judge Orenstein and Apple’s position is by no means impregnable.  Statutory interpretation and evidence of congressional inaction are not the strongest pillars upon which to rest a decision balancing the underlying values of security and privacy brought into conflict by the circumstances presented in the Brooklyn case.  It is a well-reasoned decision that is the first to address the interaction of private encryption and the government’s interest in security.

The hearing.  It was in this atmosphere that the House Judiciary Committee held its hearing.  From the discussion among the members of the committee and the panel members, several themes emerged.  As recognized by Director Comey, a real tension exists between the ideal of privacy enshrined in our Constitution and our interest in security from those who would do us harm, whether collectively as a nation or individually as citizens.  Director Comey urged, as had Judge Orenstein in his memorandum and order, that the issue was for Congress alone to decide and not the courts.  Complicating the striking of this balance is Apple’s assertion that compromising security in any way, but especially in the manner requested by the government, places everyone who relies on these devices at greater risk of harm than if no compromise were to take place.

Mr. Sewell repeatedly stated that Apple would comply with any lawful order but that an order under the AWA was not the appropriate vehicle for the type of assistance the government is requesting.  Members of the Committee, aware of Judge’s Orenstein’s decision, seemed to agree, or at least accept barring any alternative decision by another judge, Judge Orenstein’s conclusion that the AWA did not authorize the order requested by the government.  In asking what legislation potentially resolving this issue would look like, they struck upon the anomaly that frustrates an elegant and simple solution to this problem:  Never before has the government acting under the lawful authority of a warrant been incapable of access to information that an individual wishes to keep private.  Safes can be broken, papers can be read and houses can be searched but iPhone encryption and its attendant security measures are the first time the basic mainstream capabilities of individuals to ensure their privacy are effective against even the government’s ability to search them.

Director Comey and members of the Committee brought up a valid point:  does the Constitution envision a space where not even a warrant can penetrate?  The history of the warrant requirement would suggest that the Founders did not consider such a possibility.  Brought into being as a direct response to general warrants of the colonial period, called writs of assistance, the Fourth Amendment warrant requirement ensured that a search could only occur after a neutral magistrate had authorized the search upon a showing of probable cause.  It did not ensure that a search could never occur.

The current controversy is that an otherwise valid search cannot occur because it is beyond the capabilities of government without  further assistance and searches of even more advanced devices will be yet further beyond those unassisted capabilities.  Accordingly, the breadth of data outside the reach of government’s legitimate desire to search in the name of criminal investigation and national security would only expand over time rendering government increasingly helpless of fulfilling its most basic promise of individual safety.  More than one member of Congress charged that Apple, a private company, had made the public policy decision that privacy was more important in this context by refusing to comply with the government’s request.

Mr. Sewell and Professor Landau pointed out the increasing necessity of these secure spaces.  Professor Landau cited the increasingly central role handheld devices are playing in our lives.  These devices hold personal information including health information and pictures.  Additionally, these devices function as wallets, giving access to our funds.  Mr. Sewell stated unequivocally that it was the recognition of the role smartphones and similar devices play in our lives and our increasing vulnerability to their breach that drove Apple’s decision to proceed with encryption and other protective measures.

Professor Landau further attempted to demonstrate that compromise of the security features of a device such as the iPhone, even if only for a singular occurrence, would  serve only to ensure that eventually the ability to enter a phone at will would be available to anyone able to gain possession of the knowledge, namely other nation-states, terrorist organizations or cybercriminals.  She pointed to the attack on the Ukraine’s power system as an example of the potential ramifications of lax security procedures.  In her view, making an iPhone generally secure but allowing certain parties to bypass the security was no security at all.

Takeaways.  Almost every speaker in the hearing agreed that a national debate on these issues was necessary and that Congress was the appropriate forum in which to have it.  Apple, in opposing the application for an order under the AWA, has staked out the position that the current framework of law is an insufficient expression of a national consensus on this topic.  Others characterized Apple’s action as having predetermined that striking of the balance in favor of total privacy.  Whatever the truth of this characterization, as it stands, the federal government cannot access iPhones utilizing these security features whatever its authority to do so.  Technologists such as Professor Landau would argue that such a lack of capability is necessary protection against myriad third parties and that granting the government’s desired access would fatally undermine that protection.  The resolution of these seemingly intractably opposed values remains subject to further debate but look for affirmative action by Congress in this matter.