A federal magistrate judge in Brooklyn took an admirable stand last week when he questioned the government’s authority to compel Apple to unlock a seized mobile device using the All Writs Act. That’s a general-purpose law passed in 1789 that allows a court to require third parties’ assistance to execute a prior order of the court. Apple cannot be automatically conscripted in government investigations, wrote Magistrate Judge James Orenstein of the US District Court for the Eastern District of New York, because it is “a private-sector company that is free to choose to promote its customers' interest in privacy over the competing interest of law enforcement.” Orenstein’s order isn’t the end of the story, but it’s encouraging to see a court recognize the limits of government power, even in the face of the not-so-absolute All Writs Act.
Faithful readers will remember that this same issue arose last year, when two other federal magistrate judges granted government requests to compel companies to unlock seized devices under the All Writs Act. Here, as in those other cases, the government had a search warrant for the device, but it was thwarted by the device’s lock screen in executing the search.
According to the government, Apple can simply “disable the security” of the device. But that’s not necessarily true. Last year, with the release of iOS 8, Apple introduced new encryption features for mobile devices. If you’re running iOS 8 or later, Apple says that “we can’t unlock your device for anyone because you hold the key—your unique password.” [1]
Judge Orenstein called on Apple to weigh in about whether it is even capable of bypassing the lock screen in this case. However, according to a Washington Post report, the device is running an older version of iOS that Apple can indeed unlock without the user’s passcode.
Nevertheless, the government’s request raises questions about the limits of what Apple can be forced to do. Judge Orenstein has not been living under a rock, and he notes that we’re in the midst of a raging debate about government regulation of encryption.
As we explained before, the All Writs Act is not a backdoor to bypass other laws. The government cannot impose an unreasonable burden on Apple, and it cannot violate the Constitution. If the government truly wanted Apple to decrypt a phone running iOS 8 or later, it would blow past these boundaries. First, unless Apple is lying about how its system is engineered, it simply can’t grant access to the data on a locked phone—not by reflashing the operating system, and not by pushing a backdoored software update—because it’s locked. That should be the end of it. But if Apple in fact has this capacity, or if the government instead tried to require it to prospectively reengineer the operating system on an unlocked device, All Writs is not the means to do so.
Reengineering iOS and breaking any number of Apple’s promises to its customers is the definition of an unreasonable burden. As the Ninth Circuit put it in a case interpreting technical assistance in a different context, private companies' obligations to assist the government have “not extended to circumstances in which there is a complete disruption of a service they offer to a customer as part of their business.” What’s more, such an order would be unconstitutional. Code is speech, and forcing Apple to push backdoored updates would constitute “compelled speech” in violation of the First Amendment. It would raise Fourth and Fifth Amendment issues as well. Most important, Apple’s choice to offer device encryption controlled entirely by the user is both entirely legal and in line with the expert consensus on security best practices. It would be extremely wrong-headed for Congress to require third-party access to encrypted devices, but unless it does, Apple can’t be forced to do so under the All Writs Act.
Ultimately, Judge Orenstein’s order might signal the opening of a new legal front in the Second Crypto Wars, or, as the Washington Post suggests, it might be something more routine. In either case, the order demonstrates some of the thorny legal issues that will arise if the government keeps pushing for “exceptional access” to encrypted devices and communications. The fight over this particular phone may be moot, if indeed the device in question is running iOS 7 or earlier, but we fear this won’t be the last time an American judge will be asked to order that Apple compromise its security, and possibly everyone’s security in the process.
Signs point to the government abandoning this dangerous course of action. But that’s not enough. It’s high time the government publicly and affirmatively rejects laws or informal agreements that undermine digital security. You can take action by asking President Obama to do just that at SaveCrypto.org.
1. Apple cannot bypass the user’s passcode because in recent versions of iOS, the passcode is used to generate a key to fully encrypt the device. According to Professor Matt Green, Apple has engineered its system to prevent the introduction of a backdoor to the passcode.