Apple vs the FBI
Privacy vs National Security
Subsentio Legal Team
Following the attack by ISIS-aligned terrorists in San Bernardino, CA, the Federal Bureau of Investigation (FBI) has asked Apple for assistance in decrypting an iPhone belonging to one of the perpetrators. According to the FBI, this initiative would be a one-time-only assist in cracking that specific device, not a “back door” for gaining access to other Apple smartphones or hardware now or in the future. Apple has refused to help.
Apple and other technology companies have a long history of refusing cooperation with law enforcement on the grounds of protecting user privacy. This “anti-surveillance” movement culminated in the introduction of iOS 8 strong encryption in August 2014 for the express purpose of providing unparalleled privacy protection to iPhone customers. With the original iOS 8 and subsequent iterations of that operating system, the customer alone has knowledge of the device password. As a result, Apple stated at the time that going forward it would be technically unable to assist law enforcement in gaining access to an iPhone for the purposes of lawful intercept or forensics – or even help the customer if a password is lost or forgotten.
But the San Bernardino terrorist iPhone presents a different set of challenges. It is an older model that predates iOS 8 strong encryption. The specific problem for law enforcement is that when forensics investigators experience 10 “fails” at cracking the password, the device erases all stored data.
Given the rising technical sophistication of ISIS and other terrorist organizations, and their acknowledged preference for using encrypted communications and devices, the question arises whether strong encryption can, in the wrong hands, be all too easily turned to acts of violence that menace public safety.
This in-depth analysis by the Subsentio Legal Team examines the case of “Apple vs. FBI,” and the potential outcomes for both sides in what promises to be a legal contest that may ultimately be fought before the Supreme Court of the United States.
On February 16, 2016, the US Government obtained a court order from the US District Court in California requiring Apple to help the government (FBI) break into the phone utilized by the San Bernardino shooter Syed Rizwan Farook. The magistrate judge gave Apple five days to respond, but Apple responded within hours by issuing a letter to its customers, and by default the larger public, stating that it intends to fight the court’s order. In the letter, Apple’s CEO Tim Cook stated, “we oppose this order, which has implications far beyond the legal case at hand.” Apple called for a public discussion, and to some extent this call has been answered, as there is already a congressional hearing scheduled for March 1. This battle over encryption has been waged since the 1990s, starting with the concept of the “Clipper Chip.” Clearly this is going to continue to be a hot-button topic for many years to come. There are many issues at stake, both legal and technical, that make the likely solution one of compromise and careful consideration.
A Little History
The battle over encryption began in earnest back in the 1990s, when the Clinton White House tried to promote the idea of “key escrow” solutions to access encryption. The NSA developed the “Clipper Chip,” which could be used by telecommunications providers to encrypt voice data in their phone products. The chip acted as a master key for accessing the encrypted data and was held by the government or a third party. This initiative failed primarily because it was found that the chip was flawed and not secure. The encryption issue flared up again in 2014 when Google and Apple announced Default Encryption, which made user data on devices running iOS and Android software encrypted by default. Before that, users could choose to encrypt their data, but most did not. In 2015, the Obama administration, much to the chagrin of the FBI and other law enforcement agencies, essentially agreed with Apple, Google and Microsoft that creating a “back door” through the use of keys would put millions of Americans at risk of hacking. This seemed to shelve the debate for a while. Alas, the deadly terrorist attacks in Paris and San Bernardino, California, as well as the linking of terrorist use of encrypted communications before and during the attacks, have brought the issue back to the foreground.
Facts of this Case
The iPhone in question is an older model (5C) which came out in 2013. These models do not feature what Apple refers to as the Secure Enclave available on newer models. This likely makes it easier for Apple to devise a workaround to the encryption protocol on the phone. The encryption security on the phone limits the number of password guesses: after 10 failed attempts, the phone erases all data. The FBI would like to be able to input passwords electronically without fear of the data being erased.
The court’s order is based upon the All Writs Act, a federal statute that allows the government to “issue all writs necessary or appropriate in aid of the respective jurisdictions and agreeable to the usages and principles of law.” In plain English, the 227-year-old law allows the government to require aid to accomplish the fulfillment of a previous legal request. In this case, the request was to provide the password or some other means to break the encryption on the phone in question. The All Writs Act has been used by the government recently to help combat terrorism, and in October of 2014 it was used by the US Attorney’s Office in NY to compel an unnamed smartphone manufacturer to bypass the lock screen of a smartphone. That manufacturer had previously been served with a search warrant for an investigation into credit card fraud.
According to Apple, allowing the government to compel manufacturers to hack their customers’ phones sets a precedent that would require all manufacturers to do so in the future. This precedent would undermine the basics of digital security in today’s world. Their argument rests on the idea that once a key to an encrypted system is created and becomes known, that encryption can be defeated by anyone with the knowledge. This is tantamount, according to some in the legal world, to compelling speech by demanding that Apple produce code that enables malicious attacks.
The government likely benefits from the sympathy surrounding the case in question. Nothing galvanizes the American public like a terrorist attack. This case takes the abstract debate over privacy vs. national security and makes it concrete. If there ever was a model case for why the government needs the ability to bypass certain encryption standards, this is it. In fact, Senator Tom Cotton of Arkansas has gone so far as to state that “Apple chose to protect a dead Isis terrorist’s privacy over the security of the American people.” One does not have to be a rocket scientist to see what a lightning rod this issue has become.
What hurts the government is all of the recent publicity concerning how it has previously obtained confidential communications data from service providers and other sources, as well as the subsequent use of that data. The so-called ‘Snowden effect’ plays a large role in whether or not manufacturers and the public at large are willing to trust the government with a key that unlocks a user’s encrypted data.
Another important and somewhat overlooked aspect concerns the court order itself. The court is not ordering Apple to actually break the encryption, but to disable the feature that wipes the data on the phone after 10 failed attempts. This would allow the government to figure out the password using its own software. Hence the use of the All Writs Act to further the objective of a previous legal request.
However, the use of the All Writs Act is itself a controversial issue. Senator Ron Wyden of Oregon has issued a statement expressing concerns about the consequences of using an “unprecedented reading of a nearly 230-year-old law… that would put at risk the foundations of strong security for our people and privacy in the digital age.” This battle over the interpretation of the All Writs Act could end up in the Supreme Court, as Apple is certainly going to appeal based on statutory interpretation. Many will argue that Congress needs to address this issue by updating the laws to account for these digital-age issues. In fact, Congress is preparing no fewer than three separate bills that would deal specifically with encryption. These bills offer solutions such as altogether banning end-to-end encryption, setting up a commission to review the issue further, and/or making sure that Congress is the decision maker when it comes to encryption policy in the United States. Each of these will certainly meet varying levels of objection from the private sector as well as from opponents within the government itself.
President Obama has already stated that attempts to ban end-to-end encryption will not make it past his desk. The Congress-as-gatekeeper approach raises all kinds of states’ rights issues and may not even be constitutional. So it would seem that the bill that would allow for the setting up of a commission to review the issue will be the most likely approach that Congress could take in the near term. However, there is no clear-cut timetable or end result that could be immediately gained from that bill.
There are also arguments about whether it’s even possible for Apple to do what the government is asking them to do. These arguments seem flimsy at best, as Apple is not fighting the order on these grounds and many technologists have offered different ways that Apple could tackle the problem.
How will Congress address this issue from a legislative point of view? If Apple is compelled, by a higher court on appeal, to comply with the order, this could open the door for law enforcement to compel other manufacturers to do the same. What about real-time interception? This case involves a phone not connected to a network. But the enforcement of this court order could provide law enforcement with the legal grounds to compel providers of electronic communications to offer similar assistance with encrypted communications. Perhaps this will force Congress to address the issue as part of a CALEA amendment. We certainly know of the “going dark” initiative, and law enforcement has been lobbying Congress to give them greater access to OTT providers and encrypted communications in a real-time interception scenario.
A search warrant to access the content of a confiscated smart phone, like a “full-content” real-time surveillance order, requires law enforcement to meet the top-level due process standard of probable cause. The high legal standard makes sense for both investigative techniques because both are highly invasive of privacy. However, decryption in the context of a real-time intercept is arguably more valuable to law enforcement for two reasons. First, the real-time approach enables law enforcement to learn relationships among complex networks of suspects and associates. Second, it lets agents follow a criminal or terrorist plot as it develops over time. For these reasons real-time surveillance is better suited to combat organized crime.
In light of the above, the policy battle over encryption may require legislation such as a CALEA amendment to strike the right balance between public safety and privacy. And a complete resolution of the dispute will likely involve both searches of smart phones and intercepts of real-time traffic.