A high-stakes dispute is playing out between two federal district courts on opposite coasts, the outcome of which could affect U.S. companies and citizens for years to come. We are, of course, talking about the much discussed showdown between Apple Inc. and the U.S. Government over iPhone encryption access. In short: many Apple devices now contain encryption technology so secure and entwined with the hardware that no “backdoor” exists and, unlike earlier versions, Apple cannot unlock devices it has sold. Whether the encryption was driven by public expectations, Snowden, security guidelines or other reasons, the result is the Department of Justice and FBI claim to be incapable of accessing any data on locked-devices for which a search warrant is issued. And so, they expect courts to do something novel: compel a private company to create something not already done in its normal course of business, or turn over its entire source code to the government for the same purpose. But is this legal?
Background: A Tale of Two Courts
Significant attention has been paid to the February 16, 2016 Order by U.S. District Court, District of Central California (J. Sheri Pym) mandating Apple create decryption software to unlock the employer-owned iPhone 5c of the San Bernardino terrorist (“CA Order”). Apple (supported by amicibriefs from goods and service providers, think-tanks, and others) moved to vacate the CA Order. The FBI, DOJ, and their supporters took to airwaves and appeared before Congress with an emotional argument about their, understandable, frustration over an inability to reach into a terrorist’s iPhone, and concern that terrorists and criminals will benefit from this now seemingly unassailable area in technology. The DOJ filed its Opposition on March 10, 2016, stating that because Apple deliberately created barriers to the investigation it can be compelled to take them down, even if this means Apple turns over its entire source code and key. On March 15, 2016, Apple filed its Reply, empathizing with the tragic circumstances underpinning the investigation and the well meaning intentions of law enforcement, but expressing alarm that the methods for which the Government advocates are contrary to the rule of law, the democratic process, and the rights of the American people. Oral Argument is March 22, 2016.
Meanwhile, an ongoing battle in the U.S. District Court, Eastern District of New York, believed Apple’s first objection to these types of orders, came to a head. On February 29, 2016, the EDNY Court (J. Orenstein), referencing the CA Order and other DOJ/FBI applications, issued a comprehensive decision upholding its earlier denial of the DOJ’s application to order Apple to create decryption software for a locked iPhone 5s (in this case, of a drug trafficker) (“EDNY Decision”). On March 7, 2016, the DOJ filed a de novo appeal with the presiding judge, District Court Judge Margo Brodie, claiming Apple is motivated by public relations and that Magistrate Judge Orenstein’s legal analysis went “far afield” from the case, and sets forth an “unprecedented limitation on federal courts’ authority….” (“EDNY Appeal”)
So why are these East Coast/West Coast matters so critical and why do we recommend a close eye follow each through their respective marble halls?
The Boil Down
These two matters taken together demonstrate the DOJ, FBI and Apple uncompromisingly staking their positions on a legal issue that is ultimately more than about accessing an iPhone, encryption technology or terrorism. Namely: whether the Government, in relying on the All Writs Act (AWA), 28 U.S.C. § 1651, as its sole basis to mandate a private entity write new software decrypting security features, or, alternatively, turn over private property for the Government to do the same, seeks unconstitutional authority impossible to limit to a single scenario. If so, this could impact any U.S. company’s ability to comply with applicable privacy policies, guidelines, and laws – both national and international.
The AWA grants authority to U.S. federal courts “to issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” The DOJ argues that the orders are necessary to effectuate the search warrant issued by the court for each iPhone. According to Apple, the DOJ improperly relies upon the AWA and also cannot conscript and commandeer Apple in this manner without infringing upon Apple’s First and Fifth Amendment rights under the U.S. Constitution. In fact, in its March 15, 2016 Reply, Apple characterizes the DOJ’s portrayal of the AWA “as an all-powerful magic wand rather than the limited procedural tool it is.”
The All Writs Act – A Writ, A Wand or A Whip?
The U.S. Supreme Court established in U.S. v. N.Y. Tel. Co., 434 U.S. 159 (1977), three factors for an AWA order to be issued at a court’s discretion. Apple claims the factual scenarios between that case and the DOJ demanding Apple create what it has coined “GovtOS” are materially different.
- The company’s distance or “remove” from the case. In N.Y. Tel. Co., sufficient probable cause existed that the phone company’s facilities were being used to enable criminal enterprise. Apple argues the DOJ cannot show it was directly connected to, or had any ownership interest used in, the terrorist attack/criminal activities. The DOJ counters that Apple is sufficiently close to the San Bernardino phone because its “barriers” are “thwarting” the investigation. This is supposedly because Apple manufactures, plus owns and licenses software on, vets third-party applications for, and receives information from the devices. Also, no software can run on Apple devices without its digital signature, creating “exclusive control”. In its EDNY Appeal, the DOJ states Apple is not so removed because it is actively impeding the investigation since the device has: 1) a passcode that locks the phone preventing government bypass, 2) a remote wipe feature, and 3) an auto-erase feature after multiple failed access attempts. The EDNY Decision contained a cautionary footnote worth noting in light of the DOJ’s justifications for Apple’s proximity: to allow such a bootstrap for a significant factor would permit a government “to compel the manufactures of [Internet of Things] products to help it surveil the products’ users [and] will result in a virtually limitless expansion of the government’s legal authority to surreptitiously intrude on personal privacy.”
- Whether the government’s request places an undue burden. In N.Y. Tel. Co., citing particular factors, the Supreme Court held there was minimal undue burden for the public utility company to record numbers dialed from a phone in a pen-register because it was already collecting the information as a matter of course. The EDNY Decision held, and Apple’s motions argue, the “salient” factors for finding no undue burden exists are absent.
- Apple is not a highly regulated utility with a duty to serve the public – its duty is to its shareholders.
- It is in Apple’s interest as a private company to not assist because of its desire to succeed in a competitive industry by protecting personal devices against improper access and its fear that to assist absent clear legal authority erodes trust and tarnishes its brand.
- Apple does not write decryption software/bypass this security in the normal course of its business.
- Apple has never offered the information needed to bypass this encryption and does not intend to.
- Implementation is not minimal to Apple’s operations; it will take at least four weeks, with six to ten employees tasked for its creation, quality insurance, security testing, and destruction.
The DOJ claims that since Apple writes software code that is sufficiently “in the regular course of business” to compel the company to create new software code. Moreover, it claims each single order is merely for that one device, the decryption code can be destroyed, and the Court should consider no surrounding issues or arguments about other phones. In its March 10, 2016 Opposition the DOJ indicates it could compel Apple to hand over its entire source code and key which would then, it claimed, eliminate any argument of burden. The DOJ argues to make the code phone-specific (no iOS is keyed to a phone), that Apple previously provided data for other devices (they were different iOS and device types), and points out Apple’s cooperation with China (that Apple claims is misrepresented and did not involve data or encryption backdoors). Apple dismantles these in its March 15, 2016 Reply, stressing the pressing burden to maintain the current and future security of its products.
- Whether the company’s assistance is “necessary”. In N.Y. Tel. Co., the writ was a last-resort (i.e. “necessary”) due to wire-placement and the need to surreptitiously install pen-registers for an investigation. The DOJ claims Apple has ensured its assistance is necessary by requiring electronic signatures for any program to run on its devices. Apple argues the government has not employed all digital forensics available warranting its creating a brute-force hacking tool and decryption software.
The Constitutional Angle
The EDNY Decision also held the DOJ failed to establish a threshold statutory element of the AWA in that the “extraordinary relief” sought was not “agreeable to the usages and principles of law,” and to hold otherwise would render the AWA an unconstitutional erosion of the doctrine of separation of powers. Echoing this in its March 15, 2016 Reply Apple stated the AWA “cannot be stretched to fit this case because to do so would be to usurp the legislative function and improperly extend the limited federal court jurisdiction.” The AWA is a procedural tool that must be grounded in applicable law. Apple and the DOJ agree no statute exists compelling a private entity like Apple to write decryption software for government investigations. Yet where the DOJ/FBI believe it can compel Apple’s assistance in decrypting because there is no express law stating it cannot, Apple argues that it is excluded under the federal Communications Assistance for Law Enforcement Act (CALEA) and, as the EDNY Decision held, a comprehensive statutory scheme also implicitly precludes the relief sought. The DOJ reasons in its California filings and EDNY Appeal that because Congress considered the decryption authority sought and declined to enact it, but also did not expressly forbid it, the Government is not precluded from compelling Apple to create encryption software. Yet as the EDNY Decision stated, issuing such a writ permits “a court to confer on the executive branch any investigative authority Congress has decided to withhold, so long as it has not affirmatively outlawed it….” Apple also argues in its March 15, 2016 Reply that the “Founders would be appalled” by the Government’s reasoning because “short of kidnapping or breaking an express law, the courts can order private parties to do virtually anything.”
Finally, Apple argues there is an arbitrary deprivation of it liberties and substantive due process rights because the CA Order conscripts it to develop software on behalf of a government investigation. It also claims that its written and digitally-signed code tells consumers it believes the software is Apple-approved and safe to use under Apple’s standards and values on security and privacy. The CA Order not only undermines these values, but forces Apple to express the government’s view on security and privacy, violating its First Amendment rights against compelled speech and viewpoint discrimination. The DOJ disputes this, vaguely arguing that the code is functional and not speech. Lastly the DOJ claims the order is not seeking speech but “conduct”—the removal of “barriers.” Apple rebuts this in its March 15, 2016 Reply, arguing that the government seeks to compel Apple to engage in offensive speech to help the DOJ/FBI engage in conduct (i.e.. brute-force passcode hacking).
Cooperation with law enforcement as authorized by law is always required and Apple had done just that in the past and until this divide when encryption changed, the law was no longer clear, and the government cried foul. Smart devices contain a wealth of data regarding their users. Yet until there is a clear resolution, and these applications continue to be made under the AWA, there is a justifiable compliance concern for U.S. Companies that are also subject to privacy laws and statutes, guidelines, agreements and notices. Given recent comments by House and Senate members walking back their earlier DOJ/FBI support, this issue, which seems to evolve with each passing week, will likely ultimately be resolved in the courts, not by Congress, and more probably than not in the Supreme Court. We will continue to monitor as these (and other) cases advance, additional arguments are made, and the issue inevitably leaks out of the smart device/iOS encryption landscape and into the applications as well.