duquesne
Research Duquesne Advisory delivers in-depth analyses of Information and Communications Technologies, their implementations and their markets. Research is based on critical observation of the market by the analysts and their on-going contacts with the vendor community, together with hands-on, practical experience in consulting engagements.

“Backdoor battle”: can Apple beat the FBI in the federal courts?



Just in case anyone was wondering, the ultimate decision of the US government to drop its San Bernardino shooting iPhone case against Apple settled absolutely nothing. We believe that the FBI is simply biding its time and waiting for the right case to come along, in order to get what it really wants: the authority to order Tech companies to break the security of their products.

The facts will, of course, be different but the legal arguments will be largely unchanged and we can expect the same sort of prosecutorial obsession with encryption and government mandated backdoors. That’s why we decided to republish this article, because Round 2 could start anytime.

Everyone seriously involved in the world of Tech knows about the “backdoor battle” raging between Apple and the FBI.

Almost everyone has an opinion, which is just as well, because, as Apple has correctly pointed out, “this is not a case about one isolated iPhone”. What is at stake is the confidence - and above all, the trust - that people need to have in the information and communications technologies that are shaping our lives in the 21st Century.

This whole affair is extraordinarily complicated, involving a multitude of important but very different issues. In this post, however, we will limit the scope of discussion to the legal arguments that Apple is preparing to make in the federal courts in its crucial “backdoor battle” with the FBI.

A quick recap of the facts

On February 16, 2016, Apple was ordered by a federal Magistrate Judge in California to create software to assist the government in hacking the employer-owned iPhone 5c of one of the San Bernardino killers, which - unlike their computers and personal phones - they neglected (for whatever reason) to destroy.

The ruling requires Apple to supply software to bypass a security feature that erases the phone's data after too many unsuccessful attempts to unlock it. The court also ordered Apple to sign the custom version of the software. Without this digital signature certifying the software’s authenticity, the iPhone would refuse to run it.

The FBI bungles the intitial investigation

Ironically, the FBI itself had dramatically increased the difficulty of accessing data on the work phone. Within the first 24 hours of the investigation, the FBI decided - without consulting Apple or reviewing iOS public guidance - to change the iCloud password associated with the iPhone, foreclosing the possibility of the phone initiating an automatic iCloud back-up, which would have obviated the need to hack it.

Apple provides 24/7 assistance....

In the days and weeks following the attack, Apple devoted substantial resources on a 24/7 basis to support the government’s investigation. The company provided all the information that it possessed relating to the attackers’ accounts and that the FBI formally requested via multiple forms of legal process. It also furnished considerable informal assistance by participating in teleconferences, providing technical assistance and suggesting potential alternatives for the government to attempt to obtain the data.

... but the FBI wants a good deal more

Despite this assistance, the government filed an ex parte application (i.e. without the presence of Apple) and a proposed order – on the basis of the colonial era All Writs Act (AWA) - asking the Magistrate Court to compel Apple to do something it had so far refused to do: create new software, bypassing the key security features of iOS, that would allow the government to hack easily into the phone.

Apple pushes back and the "backdoor battle" begins

Apple immediately announced its intention to contest the ruling, on the grounds that “the order demanded by the government compels Apple to create a new operating system—effectively a “backdoor” to the iPhone—that Apple believes is too dangerous to build.”

On February 26th the company filed a brief with the Magistrate Court, setting out its precise legal arguments to vacate the order, in the hearing that will be held on March 22nd. Most of the current post is devoted to an analysis of the legal arguments presented in Apple’s brief

Preliminary remarks about the All Writs Act

The All Writs Act is a US federal statute - originally part of the Judiciary Act of 1789 and codified in its current form in 1911 - which authorizes federal courts to "issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law."

What the AWA means

As Dimitri Portnoi wrote in the New York University Law Review (Vol. 83, No. 1, 2008): “The AWA applies where a legislative scheme is unclear or incomplete. The language grants courts power to issue “necessary or appropriate” writs, and thus operates as a gap-filler for the casus omissus - the un-provided-for case"

“The AWA’s discretionary power historically has been exercised sparingly. By virtue of its infrequent use and discretionary nature, jurisprudence concerning the issuing of extraordinary writs, or so-called “All Writs Act injunctions,” is sparse, and a clear standard is lacking on the face of the statute.”

Generally speaking, the “meaning” of a law evolves through the accumulation of precedents (aka jurisprudence) in which judges apply the law, often to circumstances not imagined by the lawmakers. Judging a case entirely based on the AWA, given its very broad language and the paucity of clearly applicable precedents, is not going to be easy.

Is the FBI looking for a "test case"?

Still, one should never underestimate the appetite of US federal authorities for “test cases” to create precedents that expand not just the reach of a given law but, even more, their own authority.

Seen in the context of the furious debate over government surveillance versus personal privacy and coming in the emotionally charged aftermath of San Bernardino, the FBI’s “backdoor battle” with Apple based on the AWA looks very much like a carefully chosen test case to do exactly that.

Apple’s Introduction to its brief: setting the stage

Apple’s Introduction to the brief provides some Interesting points that set the stage and frame the debate for the more detailed legal arguments that follow. (Citations from the brief are presented in the bullet points, followed by our comment in italics.)

  • This is not a case about one isolated iPhone… If this order is permitted to stand, it will only be a matter of days before some other prosecutor, in some other important case, before some other judge, seeks a similar order using this case as precedent.”

Numerous prosecutors at all levels of government in the US have already publically expressed their intention, if the FBI wins this case, to ask for similar court orders.

  • "No legal principle would limit the use of this technology to domestic terrorism cases—but even if such limitations could be imposed, it would only drive our adversaries further underground, using encryption technology made by foreign companies that cannot be conscripted into U.S. government service”

Only US companies like Apple are bound by the AWA. Non US companies will seize the market opportunity, because where there is demand, there is always supply.

  • "Once developed for our government, it is only a matter of time before foreign governments (will) demand the same tool.”

Think China, Russia and any number of other less than democratic countries. The same momentum is starting to build around the US vs Microsoft Dublin emails case, where other countries are demanding the same sort of extraterritorial jurisdiction.

  • "If Apple can be forced to write code in this case to bypass security features and create new accessibility, what is to stop the government from demanding (more): that Apple write code to turn on the microphone in aid of government surveillance, activate the video camera, surreptitiously record conversations, or turn on location services to track the phone’s user? Nothing.”

This is an even bigger point than Apple says, not limited to phones. The real risk is turning the IoT (Internet of Things) into an IoS (Internet of Surveillance, through new cases that leverage the precedent to expand government authority to force technology companies to create special software to help them hack into anything and everything.

Presumably, the surveillance enabled code would be distributed to unwitting devices in the form of automatic software updates, which would of course, have to be digitally signed by the software company.

As New York federal Judge James Orenstein wrote in a very recent, similar AWA case won by Apple: “In a world in which so many devices, not just smart phones, will be connected to the Internet of Things, the government’s theory … will result in a virtually limitless expansion of the government’s legal authority to surreptitiously intrude on personal privacy.”

Apple argues that the All Writs Act does not justify the government’s demand

According to Apple, “the All Writs Act does not provide a basis to conscript Apple to create software enabling the government to hack into iPhones”

  • “The Act is intended to enable the federal courts to fill in gaps in the law so they can exercise the authority they already possess by virtue of the express powers granted to them by the Constitution and Congress; it does not grant the courts free-wheeling authority to ... exercise new powers...”
  • "Federal courts themselves have never recognized an inherent authority to order non-parties to become de facto government agents in ongoing criminal investigations”

These are solid points but there is no guarantee that the Magistrate Judge in this case will agree.

In the brief, Apple then developed its argument that the AWA does not justify the court order in two major points: the choice of Congress not to confer the authority demanded by the government and the inapplicability of the major AWA precedent cited by the federal prosecutors.

1. “The All Writs Act does not grant authority to compel assistance where Congress has considered but chosen not to confer such authority”

  • “The authority the government seeks here cannot be justified under the All Writs Act because law enforcement assistance by technology providers is covered by existing laws that specifically omit providers like Apple from their scope”
  • “In CALEA, Congress decided not to require electronic communication service providers, like Apple, to do what the government seeks here.” (note: CALEA = Communications Assistance for Law Enforcement Act, a US wiretapping law passed in 1994)
  • "Congress declared via CALEA that the government cannot dictate to providers of electronic communications services or manufacturers of telecommunications equipment any specific equipment design or software configuration.”

Needless to say, the government maintains that CALEA does not apply because it was mostly about wiretapping assistance from telcos. On this point, the government may well be right.

2. “New York Telephone Co. and its progeny confirm that the All Writs Act does not authorize Courts to compel the unprecedented and unreasonably burdensome conscription of Apple that the government seeks”

  • “The government relies heavily on the Supreme Court’s decision in United States v. New York Telephone Co., 434 U.S. 159 (1977)… (upholding a District Court ruling that) compelled the company to install a simple pen register device (designed to record dialed numbers) on two telephones where there was “probable cause to believe that the company’s facilities were being employed to facilitate a criminal enterprise on a continuing basis.”…
  • “The Supreme Court held that the order … satisfied a three-part test imposed by the Court. … First, the Court found that the company was not “so far removed from the underlying controversy that its assistance could not be permissibly compelled.” Second, the assistance sought was “meager,” and as a public utility, the company did not “have a substantial interest in not providing assistance. Third, “there was “no conceivable way in which the surveillance authorized by the District Court could have been successfully accomplished” without the company’s meager assistance.””

Apple then argued point by point that the government’s demand fails to satisfy the three part AWA test established by the Supreme Court in this crucial precedent.

2a. “Apple’s connection to the underlying case Is “far removed” and too attenuated to compel its assistance”

  • “Apple is a private company that does not own or possess the phone at issue, has no connection to the data that may or may not exist on the phone, and is not related in any way to the events giving rise to the investigation.”
  • "The government’s position has no limits and, if accepted, would eviscerate the “remoteness” factor entirely, as any company that offers products or services to consumers could be conscripted to assist with an investigation, no matter how attenuated their connection to the criminal activity.”

Taken at face value, these appear to be solid arguments. Nonetheless, given the extraordinary level of control exercised by Apple over its products, the Judge could well reject the company’s claim of “remoteness”.

2b. The order requested by the government would impose an unprecedented and oppressive burden on Apple and citizens who use the iPhone.

  • “The government’s request violates the second requirement - that the Act “must not . . . impose an undue burden” - because the government’s unprecedented demand forces Apple to develop new software that destroys the security features that Apple has spent years building”

Everything depends on the definition of “burdensome”. On the one hand, Apple is a very rich company. On the other, it does have a lot to lose since its reputation for security is one of its most valuable assets.

  • “The government’s flawed suggestion to delete the program and erase every trace of the activity would not lessen the burden, it would actually increase it since there are hundreds of demands to create and utilize the software waiting in the wings.”

According to forensic security specialists, the well established legal rules for the admissible use in a court of evidence produced by a “forensic tool” (e.g. the software the government is demanding) would require disclosure of the tool to third parties and additional testing on other devices. In short, the secrecy promised by the government would be impossible.

  • “In addition, compelling Apple to create software in this case will set a dangerous precedent for conscripting Apple and other technology companies to develop technology to do the government’s bidding in untold future criminal investigations.” …. Under the same legal theories advocated by the government here, the government could argue that it should be permitted to force citizens to do all manner of things “necessary” to assist it in enforcing the laws”.

This is a classic, but well justified, “slippery sloop” argument. Mixing in a few more metaphors, the AWA genie would be out of the bottle and the sky’s the limit.

2c. The government has not demonstrated Apple’s assistance was necessary to effectuating the warrant.

  • “The government has not made any showing that it sought or received technical assistance from other federal agencies with expertise in digital forensics, which assistance might obviate the need to conscript Apple to create the back door it now seeks.”

On a formal level, it is certainly true that no such showing has as of yet been made before the court. However, James Comey, the Director of the FBI, testified before the House Judiciary Committee several days ago that the FBI went "to all areas of government to see if anyone can unlock the iPhone," but was unsuccessful. Presumably the government’s brief due on March 10th will address this omission.

On the substantive level, the FBI claim that new Apple software is essential to the investigation is, to say the least, ingenuous. The phone in question is an iPhone 5c, which while encrypted, can (almost certainly) be cracked by taking the phone apart and extracting the memory chip for analysis. The iPhone 6, on the other hand, uses a “secure enclave” where things like encryption keys can be securely stored. Even if the FBI might need Apple’s help for an iPhone 6, this case concerns an iPhone 5c. This is a critical weakness in the government’s case.

Apple argues that the Magistrate Court order is unconstitutional under the First and the Fifth Amendments

  • “The government asks this Court to command Apple to write software…(but) under well-settled law, computer code is treated as speech within the meaning of the First Amendment”

Frankly, the argument that “code is speech” is a somewhat counter intuitive “joker” in this case. Apple would dearly love to win this point, because it would provide strong constitutional protection against future government demands on software companies. Indeed, Apple has signed up two very high profile lawyers with extensive experience in free speech cases as the key members of its legal team.

If the Judge takes into account the future surveillance enabled - and digitally signed - software updates that the government will surely demand from technology companies if it wins, free speech could turn out be a srong argument.

In a well known case involving export controls applied to an encryption program developed by Daniel Bernstein, a Federal District Court in Northern California ruled in 1996 that his code was speech and protected from the export regulations by the First Amendment. The court of appeals ruled in favor of Bernstein in 1999. There is however no clear Supreme Court ruling.

  • “The government' requested order, by conscritpting a private parywith an extraordianarily attenuated connection to the crime to do the government's biudding in a way that is statutorily unauthorized, highly burdensome, and contrary to the party's core principles, violates Apple's substantive due process rights" under the Fifth Amendment.

This Fifth Amendment “due process” claim depends primarily on the validity of Apple’s AWA arguments. Even so, it should not be neglected because there are thousands of case that have been won on the sweeping constitutional principle of “due process of law” which, in the Anglo-American legal tradition, goes all the way back to the Magna Carta.

Conclusion

However the March 22 Magistrate Court hearing turns out, the case is unlikely to stop there. The loser will appeal and Apple CEO Tim Cook has vowed to fight all the way to the Supreme Court.

Overall, Apple has a strong case. Among the detailed points, Apple’s contention that the government has not shown that the company’s help is essential to hack into an iPhone 5c without the new software looks like a “killer argument”.

More broadly, a government win - in what is obviously a “test case” - would establish an extraordinarily dangerous precedent for conscripting not just technology companies but ordinary citizens to do anything and everything considered “necessary” in an investigation.

If Apple does finally lose in the federal courts, there could well be a number of unpleasant consequences including:
  • Authoritarian regimes will demand the same thing
  • Cyber-criminals will get hold of the technology for their own use
  • US local, state and federal authorities will obtain sweeping orders for “assistance” from technology companies
  • With successive similar cases, the Internet of Things – which already has plenty of security issues – will also become the Internet of Surveillance

Still, hope is not lost. If it does lose, Apple will surely build a phone that even it can’t crack, unless Congress forbids it, in which case foreign competitors will get the business.

Let’s hope that Apple wins.

Wednesday, July 5th 2017
Duquesne Advisory
Newsletter To subscribe to the Duquesne Advisory Newsletter, please enter your e-mail address.

Duquesne Advisory

Duquesne Advisory Ltd is a European firm, headquartered in the UK, dedicated to researching, understanding and advising clients worldwide on opportunities and trends in Information and Communications technology.

Research

Duquesne Advisory delivers in-depth analyses of Information and Communications Technologies, their implementations and their markets. Research is based on critical observation of the market by the analysts and their on-going contacts with the vendor community, together with hands-on, practical experience in consulting engagements.

Consulting

The analysts of Duquesne Advisory leverage the Firm’s ongoing market and technology research to undertake high added value consulting engagements for both ICT users and ICT providers. Focused on client service, their approach is rigorous and methodical, and at the same time pragmatic and operational.