Heralded as 'an epic fight pitting privacy against national security', the recent case between Apple and the FBI in the United States has seen a litany of debate, both legal and political.
Apple has been resisting a court order demanding it to unlock a killer's iPhone and reduce their software security measures; the case has raised significant questions as to the future of information security in the private IT sector, with fellow internet-heavyweights Facebook, Google and Twitter weighing in on the debate. Here, we look at the recent developments in the legal (and PR) battle between Apple and the FBI and a freshly minted judgement in New York State supporting Apple's case, before considering whether the same thing could happen in Australia.
Background of FBI v Apple Case
In the wake of an investigation surrounding a terrorist attack in San Bernardino, Apple found their own software security systems under attack by the FBI. After recovering an iPhone belonging to the government employer of one of the attackers who coordinated the attacks in December 2015, the US Department of Justice filed a federal motion to compel Apple to unlock the iPhone and gather its data. A magistrate judge ordered Apple to comply. Apple fought back and has filed a motion to vacate the order. A hearing has been set down for 22 March 2016 and both sides are engaging in a PR battle to build public support for their positions. At the heart of the legal debate lies the issue of whether or not governments can force tech companies to help them unlock phones or access encrypted user data. Hot off the press this week is a judgement from New York State supporting Apple's case.
Magistrate Judge James Orenstein rejected the Justice Department's application to force "Apple to assist" investigators to work around an encrypted password on an iPhone recovered during a drug investigation. The Court considered that the All Writs Act did not 'justif[y] imposing on Apple the obligation to assist the government's investigation against its will'. Significantly, this decision rejected the application of the 1789 legislation to grant broad authority to force tech companies to take positive steps to assist with criminal investigations. The Court was also concerned that accepting the government had this level of power would be to vest law enforcers with statutory authority that the legislature had never granted. In light of this, it is interesting to consider whether and, if so, how an order of this kind would be made in an Australian court.
What might an Australian court do?
Would such a thing happen in Australia? To an extent, this is currently an untested question; however, a mandatory injunction may be one path that Australian law enforcement agencies could test. If a government agency such as the Federal Police were to require a private company to provide assistance to access its encrypted or locked product, they may seek to obtain a mandatory injunction from a court compelling the organisation to do so. Courts in Australia have the power to grant mandatory injunctions which, broadly speaking, can compel a party to engage in a particular course of action. This power, however, is not often exercised by Australian courts. The are two key reasons for this is. Firstly, rarely does a situation arise which is consistent with the typical requirements of mandatory injunctions, such as the common requirement for a contractual obligation or relationship to exist between the parties. Secondly, courts are naturally reluctant to grant relief in a mandatory form, due partly to the onerous nature of compelling a party to do a particular thing.
Australian regulators and law enforcement agencies currently have a range of extensive investigation powers at their disposal, particularly under instruments such as the federal crimes act and criminal code. However, it is not clear that these powers extend to the point that they can be used to compel the creation of something that doesn't exist. In that context, further consideration may be given to whether the courts could use their inherent jurisdiction to make the types of orders discussed above (though, as discussed above, we think this unlikely). While Australian law enforcement agencies may not be able to compel a company such as Apple to unlock phones to get their hands on the local data of such devices, they may still potentially access cloud-based backups of phone data, social media information, obtain metadata from ISPs, use forensic tools to analyse unencrypted data extracted from devices, or obtain manual backups of devices from computer hard drives. Years ago, law enforcement agencies struggled to convince the public to obtain the right to wire tap telephone networks. They went to the legislature to obtain these rights, and today, wire taps are regularly granted by courts. More recently, changes to the Telecommunications (Interception and Access) Act 1979 (Cth) (discussed by us previously here) require Australian telcos and ISPs to retain certain 'metadata' for a period of two years, and allow criminal enforcement agencies to access that metadata in particular circumstances.
It may not be too long until law enforcement agencies ask the legislature again to extend their powers to provide for the compulsion of tech companies to assist with unlocking and accessing encrypted devices. At the heart of this debate is the tension between privacy and national security interests. Recent history has shown us that legislatures are willing to enact laws to give law enforcement agencies a range of powers to cope with a rapidly changing world.