Apple

Here's How Apple Plans to Beat the FBI

Among other things, Apple alleges that the FBI violates its First Amendment rights by compelling company engineers to write code.


The tech-policy community is still buzzing about a recent court order compelling Apple to craft a technical tool that would allow FBI investigators to bypass security measures on the iPhone used by San Bernardino shooter Syed Rizwan Farook.

The government's legal argument rests largely on the archaic All Writs Act of 1789, a short law establishing that U.S. courts may "issue all writs [legal orders] necessary and appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law." Straightforward enough. As traditionally interpreted, this law merely allowed the judiciary a bit of flexibility to facilitate lawful legal procedures when the precise means needed were not already on the books. For example, a court might invoke this law to enlist a telephone company's assistance in setting up a special kind of warranted wiretap that Congress had not specifically addressed in legislation. But there are supposed to be limits. For instance, the Act could not compel someone who is "far removed" from the situation to act, nor could it impose an "unreasonable burden" on a third party or "adversely affect" that party's "basic interests."

But in recent years, the Justice Department has strained this 227-year-old provision beyond the reasonable bounds of interpretation in an effort to get around strong security technologies that it sees as hindering investigations. In 2014, reports from The Wall Street Journal and Ars Technica revealed that courts in New York and California had invoked this obscure law to compel Apple and at least one other unknown device manufacturer to provide "technical assistance" to unlock password-protected phones. This most recent order to Apple has drawn these creative modern applications of a centuries-old law into strong public scrutiny.

Technology companies and civil-liberties activists oppose the order for the respective threats it would deal to security and privacy online. The FBI, on the other hand, has long sought a way to get around strong security and encryption techniques such as those found on newer versions of the iPhone. Regardless of the considerable technical vulnerabilities that these workarounds—often referred to as a "backdoor" or "secure golden key"—may generate, the FBI could end up getting its way either through judicial precedent or legislative action.

If it does, Apple engineers would be enlisted as unwilling iPhone hackers for the feds. Specifically, the FBI wants to force Apple engineers to build custom software that can disable an iPhone's "auto-erase" security function, allow agents to electronically guess the PIN, and remove the time delay in between PIN guesses so that they can access data on Farook's work iPhone. 

Apple filed a 65-page motion to vacate the order late last month, handily addressing the DOJ's questionable use of the All Writs Act and bringing in extra constitutional muscle to defend its dissent.

Much of the document reiterates and expands on the points first sketched by Apple CEO Tim Cook in his initial rallying cry to the public: the FBI's order amounts to little more than a government "backdoor" into secure technologies, an outrageous overreach of power, and a dangerous precedent that lacks proper congressional input. The filing at times reads more like a colonial-era broadside against the abuses of the crown than a staid legal motion. (By the second sentence, Apple has already positioned its case as integral to the "basic security and privacy interests of hundreds of millions of individuals around the globe.") But there's a lot of new legal firepower packed in as well.

Here are Apple's key arguments: 

The All Writs Act is not a magic catch-all for the FBI's whims.

Apple's first major legal argument is that the government's use of the All Writs Act far exceeds the limits of the law. Invoking a Supreme Court ruling that the Act does not authorize courts to "issue ad hoc writs whenever compliance with statutory procedures appears inconvenient or less appropriate," Apple's attorneys point out that the remedy to the issue of encrypted communications is one that must be addressed by Congress, not willed into existence by the courts.

In fact, Congress has previously weighed in on the issue of law enforcement's authorities and limitations on procuring evidence from telecommunications providers in the Communications Assistance for Law Enforcement Act of 1994 (CALEA). This law outlined the procedures and boundaries that law enforcement must follow to gather data from third-party technology companies in the course of an investigation, and expressly states that the government cannot "dictate to providers of electronic communications services of manufacturers of telecommunications equipment any specific equipment design or software configuration." Because the FBI order to Apple outlined the specific schematics of the program it is demanding be created, Apple attorneys argue that the agency is in violation of the law.   

Furthermore, because Apple would be considered an "information service provider" under CALEA, Apple is actually exempt from the burden of mandatory assistance to law enforcement. But even if Apple weren't exempt from mandatory assistance, CALEA explicitly states that third-party service providers—even those subject to mandatory reporting—cannot be compelled to "decrypt, or ensure the government's ability to decrypt, any communication encrypted by a subscriber or customer unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication." Apple does not possess the encryption key necessary to decrypt Farook's iPhone.

The FBI order places an undue burden on Apple.

Apple argues that the FBI order would violate the stipulations of the All Writs Act even if it could be applied in the manner that the FBI attempted. In its ex parte application for the order against Apple, the government's attorneys argued that asking Apple to "writ[e] a program that turns off non-encryption features" is not an undue burden under the All Writs Act and requires only minimal effort on the tech giant's part. Apple disagrees.

In its motion, Apple argues that the kind of program that the FBI so flippantly ordered would require "significant resources and effort"—somewhere in the ballpark of six to ten Apple engineers toiling for upwards of a month to break the very system they spent so long securing. Then the program would need to be tested, re-coded, and tested again until the engineers found the software to be reasonably functional and secure.

According to iOS forensic scientist Jonathan Zdziarski, such an instrument would likely be subject to further layers of testing by the courts, adding even more to the final cost. After the software is approved by all parties, it would need to be loaded and operated on Apple facilities. Then its engineers might also be tasked with destroying the device and program in such a manner that it can never be intentionally or unintentionally leaked into the wrong hands—a tall order in a world of constant corporate espionage and insecure systems. This is before considering the substantial costs in liability and diminished customer trust that would likely accrue.

Compromising iPhone security adversely affects Apple's basic interests.

In further violation of the All Writs Act, the FBI court order would "adversely affect" Apple's basic interests, the company argues. It's easy to see why. Unlike many other technology companies that monetize their free services through data brokerage and advertising, Apple makes money by offering high-quality, secure devices that their customers trust. In recent years, Apple's commitment to customer security drew the company to implement strong encryption techniques on popular devices. In 2013, Apple began encrypting all external data stored on devices running iOS 7 by default. By the next year, iOS 8 boasted beefed-up security features that were so airtight that Apple itself could not access much customer data. In this version of the software, data stored on iPhones was encrypted in such a way that only the customer could unlock their device to retrieve their information—thereby earning the ire of law enforcement groups like the FBI.

But while the fuzz only focused on the new challenges to their traditional warrant process that these security measures imposed, Apple clearly has a compelling company interest in providing the most secure and reliable products that they can for customers. The FBI is essentially ordering a company to destroy a key trade advantage that the company had "spent years building," Apple argues. If the All Writs Act can indeed be applied in a manner that destroys the core profitability of a U.S. company, other firms abroad would likely sell similar security features to their customers—and the problems for law enforcement would continue.

Code is First Amendment-protected speech.

One of the more interesting arguments put forth by Apple's attorneys is that the court order actually violates Apple's First Amendment rights. The argument's central premise—that code is First Amendment-protected speech—was the subject of endless debates during the first Crypto Wars in the 1990s. In 1991, a programmer named Phil Zimmermann rocked the computer science and intelligence communities by releasing an email encryption technology to the public called "Pretty Good Privacy" (PGP). The symmetric-key algorithm at the heart of PGP was before then mostly only employed by researchers and agents of the state. By publishing the PGP source code on the Internet for anyone to access and apply, Zimmermann challenged the existing legal infrastructure that criminalized exporting encryption use, which was categorized as a "strong munition."

The U.S. government dropped the criminal investigation against Zimmermann, but the question was again raised in 1995, when a graduate student named Daniel Bernstein published a paper containing the source code for his encryption technique called Snuffle. In publishing the code, Bernstein, like Zimmermann, was targeted by the U.S. government for violating munitions regulations. In Bernstein v. United States (1999), the Ninth Circuit Court of Appeals ruled that the munitions export controls invoked by the government to stop the spread of encryption constituted an impermissible prior restraint on speech and violated the First Amendment.

The Ninth Circuit stopped short of holding that "all software is expressive." Still, Apple's attorneys cite Bernstein v. United States and other rulings holding that certain kinds of computer code are protected by the First Amendment in its defense.

Building on precedents establishing First Amendment protections for computer code, Apple argues that the FBI is impermissibly compelling the company to speak by developing a tool to decrypt Farook's phone. The program that the FBI is demanding would require Apple engineers to write speech (code) under duress and compel engineers to issue a digital signature used only by Apple employees. This, according to Apple's attorneys, is equivalent to having someone sign a document with which they disagree at gunpoint.

The government cannot force its citizens to speak in ways that they do not want, nor can it force scientists to create and sign off on programs beyond their own wills. Therefore, Apple argues, the FBI order violates Apple's First Amendment rights. (Ironically, this line of argumentation forces groups that have traditionally opposed the Citizens United ruling to invoke it.)

Silicon Valley Versus Washington

Apple's friends in Silicon Valley have called in their own litigative cavalry to back Apple's motion to dismiss the FBI order. An amicus brief filed by a group of tech titans including Amazon, Dropbox, Cisco, Facebook, Google, Microsoft, and Mozilla emphasizes the catastrophic harms to strong digital security that such orders would engender. Another brief, this one produced by a consortium including Reddit, Medium, LinkedIn, Twitter, and GitHub, argues that the order is an "extraordinary and unprecedented effort to compel a private company to become the government's investigative arm" with "no legal basis." And a brief filed by superstar information security experts—many of the same ones that released a highly influential paper criticizing government backdoors last summer—highlights how measures to assist law enforcement by undermining security will ironically generate extreme harms to public safety.

In the FBI's corner, meanwhile, are briefs filed by other law-enforcement groups and some of the victims of the San Bernardino attack. These briefs respectively reiterate the need for strong investigative practices and justice for the victims of terrorism.

All of these briefs share a common concern for public safety and understanding of the need for law enforcement to have all of the legal tools necessary to protect the public and promote justice. At the same time, it's important to have a data-driven understanding of the scope of the problem. Before the horrific San Bernardino attacks, much of the public discussion about criminals "going dark" through encryption was mostly hypothetical. Indeed, internal emails leaked to the press show the intelligence community outright exasperated by the virtual lack of any terrorist act that could be used to justify a curtailment of strong encryption.

Last month, I dug into reports produced by the Administrative Office of the U.S. Courts to see just how prevalent the problem of encrypted communications has been for law enforcement. The numbers are pretty surprising: from 2001 to 2014, only 147 of the 32,539 domestic wiretaps reported by the courts encountered any kind of encryption at all. That's less than 0.45 percent of the total. And much of the encryption is quite weak anyway. Law enforcement officials were able to crack and decipher the vast majority of these communications. A measly fifteen of them—or 0.046 percent of the total—were encrypted and unable to be deciphered.

So, according to the best public information available, over 99.5 percent of criminal investigations have no problems with criminals "going dark" at all. Surely there are better ways that we can improve criminal investigations without undermining the digital security of our entire nation?


36 responses to “Here's How Apple Plans to Beat the FBI”

  1. Corporations aren’t people and shouldn’t find protections in the bill of rights. They should have their offices ransacked without warrant and forced to produce speech for the government. -run of the mill progressive totalitarian.

    1. But this is Apple we’re talking about, and even your run of the mill progressive can see that this might adversely impact them at some point. I’m sure they can rustle up some rationale to oppose the government here.

    2. My proggie lawyer friends have been oddly silent about this Apple stuff. I think they’ve finally realized the inconsistency of their position on Citizens United.

  2. “A measly fifteen of them—or 0.046 percent of the total—were encrypted and unable to be deciphered.”

    …before the juggernaut of privacy lurched its once undisturbed hulk from its malaise of pathetic lethargy.

    Call them fucking invasive pricks but they have become wise to the forward potential of surveillance-resistant tech. The future holds few promises for their goddamn grimy scrabbling claws to reach anywhere into personal lives of collective citizen bodies unless swift precedents are established resoundingly against even the behemoths.

    Give encryption a glass tube into the future and that lab will be as impossible to ban as oxygen.

    Encryption should be as ubiquitous as porn if one truly approves of freedom and liberty.

    1. Spot on.

  3. Apple argues that the kind of program that the FBI so flippantly ordered would require “significant resources and effort”

    Surely a “flippant” order does not apply to an *iPhone*.

  4. So let’s assume that the Feds find some way to rule Apple has to do this on some national security issue or some bullshit.

    What happens when the engineers that Apple assigns to the task refuse to cooperate, can the government compel those individuals to create on their behalf?

    1. Speaking as one who has been an engineer at Apple, I don’t believe any of my former colleagues would comply. I would also expect Apple to pay for their legal defense if the FBI attempted to force any of them to do so.

      -jcr

      1. I’ve not worked at Apple but my guess as an outsider is that if the company is willing to stick its neck out like this they must have gotten a LOT of pushback from their top engineers and guys like that tend to be very very passionate about their beliefs.

        If I had to guess when the request came in there were a few meetings at which at least several of the people with the requisite knowledge required to do what the FBI is asking basically said something to the effect of “Fuck that, if you try to make me do this you’ll have my resignation by morning” and that as much as anything is why Apple is fighting this.

      2. I’ve got another hypothetical: Suppose the courts side with the Feds and compel Apple to create a work around.

        Couldn’t the engineers just pretend to be “working” on it and tell the FBI “Gee, this is a lot harder than we thought. It’s going to take a lot longer than we thought.” ?

        Sure the engineers could be cited for contempt of court, but the pool of engineering talent who can actually create a work around must be quite limited, right?

      3. Let’s not kid ourselves. Someone will take the job.

        1. Immigrants, because they’ll do jobs that Americans won’t do.

    2. can the government compel those individuals to create on their behalf?

      Their own Constitution specifically prohibits involuntary servitude, so of course not.

      1. That dusty old thing?

      2. Until the government starts conscripting them into the Army. They will then send the most vocal critics from Apple to Gitmo because they are providing material support to the terrorist by not following orders and the others will fall in line since they don’t want to be waterboarded. At least that’s what I heard was Trump’s plan.

  5. Seems to me the All Writs Act was made unconstitutional in 1865.

  6. This is a no-brainer. Apple should do whatever the hell the FBI asks them to do because TERRORIZZM!

  7. The All Writs Act is not a magic catch-all for the FBI’s whims…

    Again, why isn’t Magistrate Sheri Pym consistently impugned for all of this? Not that I 100% support the FBI’s case, but I can’t blame them for at least asking Apple to break in. Pym is *the* person I would expect to have looked at the situation, the technology, and the All Writs Act and said, “It’s gonna take an act of Congress to do this.” or “You know, if you guys could find your own asses with two hands and a flashlight, Apple might be willing to help you numbnuts voluntarily.”

    1. Apple might be willing to help you numbnuts voluntarily

      Huh? The whole point is that if Apple helps them “voluntarily”, then you can kiss any notion of privacy good-bye. Permanently.

  8. These briefs respectively reiterate the need for strong investigative practices and justice for the victims of terrorism.

    Well, that’s a complete non-starter then. There is no way this phone can be blocking “justice for the victims of terrorism.” We know who committed the crime and they are dead. We know where they came from and how they did it.

    The only thing they could possibly suggest is on this phone, and only in a highly specious argument at that, is that there could be information about some potential future plot.

    The demand here doesn’t in any way have the sheen of seeking “justice” for anyone, but for promoting the idea of investigating pre-crime.

  9. This, according to Apple’s attorneys, is equivalent to having someone sign a document with which they disagree at gunpoint.

    This should be the main argument, period. But people can be short-sighted, and unable to imagine a case where it would be they, themselves, who would be compelled to act against their own will, and against their own set of principles. And that, in a nutshell, sums up much of what is wrong with the world today.

  10. Questioning The FBI, aka “the government”, isn’t a capital offense nor a major infraction of the law, is it? Seems as if The Congress has some work to do here, as with clarifying the law.

    1. See Lysander Spooner’s interpretation of the “shall not be questioned” clauses.

  11. No, the first amendment argument put forth by Apple is not one of the more interesting arguments. It (along with the fifth amendment argument they present) is merely pro forma, so that, if needed, they can make some constitutional argument on appeal. Yet it is quite obviously doomed to fail. (If those arguments are correct, then pretty much any governmental mandate that ends up being implemented via software is also unconstitutional, for the exact same reasons. What do you think the likelihood of that is?)

    The real argument put forth by Apple — and one I think is likely to prevail — is the argument that the order vastly overreaches the statute. (And that’s why they spend all but 3 pages of their response on such.)

    Of course, even assuming they prevail, that means nobody should expect a constitutional silver bullet. i.e., it will require ongoing policy and political efforts to prevent the adoption of some new statutory authority for this kind of demand.

  12. Now we know how the French felt under National Socialist occupation (and the Vietnamese under French occupation). Will Apple betray its customers and collaborate with Vichy Amerika?

  13. Who!? Who doesn’t want to write the code!?!?
    Apple is right, but we have already seen local governments force people to bake cakes.

    1. I think you’ve hit the nail on the head here. If government can mandate that you bake and sell cakes to people you do not wish to bake and sell cakes to then why can’t it tell you you have to build software for it, conscript people off of the streets and force them to dig ditches, make you respect your parents, tell you what time you have to go to bed?

  14. If Apple hadn’t screwed up on their implementation of cryptography, we wouldn’t be having this discussion because neither the FBI nor Apple could decrypt them. Instead of playing legal games, Apple should “beat the FBI” by fixing their f*cking phones.
