On February 16, 2016, U.S. Magistrate Judge Sheri Pym of the U.S. District Court for the Central District of California issued an Order under the All Writs Act directing Apple Inc. to cooperate with efforts by the Federal Bureau of Investigation to access the contents of an iPhone used by Syed Farook, a deceased alleged gunman in a shooting spree that left 14 dead in San Bernardino, California.
Under the terms of the Order, Apple’s cooperation is to include “reasonable technical assistance” to circumvent certain auto-erase and passcode security functionalities built into the iPhone. The Order does allow Apple to use other means to accomplish the Order’s purposes, if deemed possible (with concurrence by the government).
Evidently, iPhone’s recent operating systems encrypt data on the iPhone in such a manner that repeated efforts (brute force attacks) to unlock the data result in deletion of the data. This is a pretty powerful measure for protecting data against all but those who have the key.
The issue is part of a larger national security debate, in which the government is generally opposed to technology that permits individuals to encrypt or otherwise protect information using technical means that preclude governmental recovery or review. The theory, as exemplified by statutes such as the Communications Assistance for Law Enforcement Act, is that the government should have the ability to retrieve and search digital data, assuming that probable cause or other legal requirements are met.
By one analogy, the concept is similar to the landlord of a building being required to unlock the suite on the 5th floor. On the other hand, digital data can be created and erased at will, so what is inherently wrong with the idea of permitting users to choose to securely encrypt certain data (as an alternative to erasing it, for example)? Indeed, Internet service providers are generally immune from claims concerning user-provided data under the Communications Decency Act, so for websites that want to provide freedom to post content (even content that promotes or constitutes criminal activity), there is not much by way of legal impetus for the websites to record any usage data that could lead law enforcement to identify posters.
Perhaps the stakes are different when we are talking about strongly encrypting broad categories of data on a communications device that is used on a near-constant basis by almost 100 million people in the U.S. Still, as Apple points out below, there’s no “law” against designing technology in such a manner, and the creation of an exception inevitably drives a huge chink in the armor (especially now that the matter has received so much public attention).
Soon after the Order, Apple CEO Tim Cook released a letter to Apple’s customers expressing serious concerns with respect to the technical steps Apple would be required to take. In his letter, Mr. Cook describes the cooperation dictated by the Order as requiring Apple to write software that does not currently exist that would “circumvent[] several important security features, . . .” and he goes on to state that “[i]n the wrong hands, this software – which does not exist today – would have the potential to unlock any iPhone in someone’s physical possession.”
Mr. Cook was careful to mention that Apple has cooperated to the extent possible and legal up to the point of the Order, and he reiterated Apple’s belief that the FBI agents involved are acting with good intentions. However, he also made clear Apple’s position that cooperation under the terms of the Order would set a dangerous precedent:
The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.
The Order provides that Apple may apply to the court for relief within 5 days of receipt of the Order if Apple believes compliance would be “unreasonably burdensome.” Although that time period has not expired as of the time of this writing, it seems likely that Apple will challenge the Order. The success or failure of Apple’s efforts to resist the Order may have a significant impact on manufacturers’ ability to develop and maintain security features to protect against unexpected access to customer information and the government’s ability to obtain information protected by technical means under extraordinary circumstances.
