There's an excellent reason why just about everyone in Silicon Valley is alarmed by the FBI's demands for encryption backdoors: we expect the feds will show up at our doorsteps next.
That's why Google, Twitter, Facebook, Microsoft, WhatsApp, and other software companies are backing Apple publicly. They filed a brief in federal court this week warning that requiring a backdoored fbiOS would kick off an unprecedented wave of surveillance demands. They say, with some understatement, that "investigative tools meant for extraordinary cases may become standard in ordinary ones."
This is not merely a convenient intersection of marketing and customer privacy. Given the existence of scores of federal police agencies, it's simple self-preservation. Once an fbiOS precedent is set, the U.S. Marshals, Homeland Security, postal inspectors, Secret Service, and military police will also invoke the All Writs Act to demand that companies build equally extensive backdoors. Local and state police won't want to be left behind.
It's true that, given enough time and resources, any large Silicon Valley firm could comply with a lone All Writs Act demand. They have capable engineering teams. Details like legality and constitutionality aside, Cupertino could puzzle out how to undermine its own security by creating a backdoor to unlock the San Bernardino shooter's iPhone.
But when there's a queue of police agencies already forming, the likelihood of being required to code custom backdoors for everyone should worry even the largest companies. The Manhattan district attorney, Cyrus R. Vance Jr., acknowledges he'd "absolutely" want to invoke an fbiOS precedent in his own criminal investigations.
To put these requests in perspective, there were 3,554 wiretaps authorized last year at an average cost of $40,000, plus thousands of additional surveillance orders not included in that total. In 2013, Apple was forced to create a waiting list because of so many police demands. Jon Matonis, the former CEO of Hushmail, said on Twitter: "We received so many international subpoenas for info that I had to create a subpoena division!" Custom backdoors would be far more tricky and expensive.
Operating system makers like Google and Apple are not the only companies at risk. If Apple can be forced to code fbiOS, then the same All Writs Act could force any software company to craft malicious features designed to spy on users. Would in-app searches for certain terms be required to trigger alerts? Travel to certain locations? Would automatic updates quietly implant backdoors? What criminal would enable them? (Most wiretaps are for drug offenses; expect libertarian-leaning software engineers to engage in creative civil disobedience.)
"It is hard to conceive of any limits on the orders the government could obtain in the future," Apple argued in a recent legal brief. "If Apple can be forced to write code in this case to bypass security features and create new accessibility, what is to stop the government from demanding that Apple write code to turn on the microphone in aid of government surveillance, activate the video camera, surreptitiously record conversations, or turn on location services to track the phone's user? Nothing."
The precedent that the FBI hopes to set could put smaller companies like mine out of business. My company, a San Francisco bay area startup that has released a smart news app for iOS and Android, has two founders. We both write code. We don't have a legal department. In fact, by limiting the log data we store, and allowing Recent News to be used anonymously, we're hoping to avoid being hit by legal orders at all.
If a judge chose to slap us with a backdoor order, we have no process to use to comply. My co-founder and I would have to write thousands of lines of code, at virtual gunpoint and on threat of being held in contempt over bugs, based on specifications drafted by prosecutors—who have no knowledge of our iOS or Android technology stack or how our recommendation engine written in Python works. (Normally we release new versions of Recent News to beta testers to flag device-specific bugs. I doubt the FBI would like that.)
The FBI could simply ask Congress to enact a law mandating backdoors—it's done this before, after all. In 1997, the FBI persuaded one House of Representatives committee to outlaw manufacturing, selling, or importing unapproved encryption devices without backdoors for the Feds. The bill died without a floor vote.
The FBI didn't give up. In early 2008, the bureau completed a "high-level explanation" of backdoor legislation, according to documents obtained by the Electronic Frontier Foundation through open records laws. In 2012, the proposal had morphed to sweep in social-networking sites, email providers, and services like Apple's iMessage. But for the last eight years, despite requests from Capitol Hill, neither the Bush nor Obama administration chose to forward the FBI's proposal to Congress.
If the FBI truly needs to conscript Silicon Valley's software developers, it should be forthright about it and ask Congress for that authority. My company and I would oppose any such law, but at least that would allow an open debate. It's unfortunate but telling that a federal police agency is attempting a clandestine power grab through the courts instead.