On Thursday, Apple filed its formal legal response to the standoff between it and the Department of Justice.
Last week, Apple CEO Tim Cook again reiterated the company’s firm commitment to privacy and its resolve to fight a new court order issued earlier this month.
If the order stands up to legal challenges, Apple would be forced to create a new customized iOS firmware that would remove the passcode lockout on a seized iPhone as part of the ongoing San Bernardino terrorism investigation. In a call with reporters on Thursday, Apple executives dubbed this customized iOS firmware a "government OS" and added that it would have to make an "FBI forensics lab" at its Cupertino headquarters.
As expected, Apple’s legal arguments rely on its rejection of the 1977 Supreme Court decision United States v. New York Telephone, the prominent case that relies on the All Writs Act, in which the authorities were demanding that the utility implement a pen register trap and trace device. That obscure 18th-Century law is a catchall statute that the government is relying on for its new order. The All Writs Act essentially allows a judge to order something be done, despite there being no clear Congressional mandate to follow such an order.
Theodore Boutrous, an Apple lawyer, wrote: "Apple is a private company that does not own or possess the phone at issue, has no connection to the data that may or may not exist on the phone, and is not related in any way to the events giving rise to the investigation. This case is nothing like New York Telephone Co., where there was probable cause to believe that the phone company’s own facilities were 'being employed to facilitate a criminal enterprise on a continuing basis.'"
“Boundless interpretation”
In its court filing, Apple forcefully argues that the government’s interpretation of the All Writs Act goes too far, fails the previous Supreme Court three-part test, and violates Apple’s First and Fifth Amendment rights.
As Boutrous continues, the All Writs Act does not allow the government to grant itself new authority. Rather, "The Act is intended to enable the federal courts to fill in gaps in the law so they can exercise the authority they already possess by virtue of the express powers granted to them by the Constitution and Congress."
With respect to New York Telephone, the Supreme Court ruled in 1977 that an All Writs Act order could be granted given a three-part test: the company’s distance, or "remove" from the case; whether the government’s request places an "undue burden" on the company; and whether the company’s assistance was "necessary."
Apple takes each of these points head-on. First, Apple says that unlike New York Telephone, whose phone services were being used to allegedly further a criminal enterprise on an "ongoing basis," the California company has no direct connection to the crime at hand. Indeed, "any criminal activity linked to the phone at issue here ended more than two months ago when the terrorists were killed," adding that "Apple is no more connected to this phone than General Motors is to a company car used by a fraudster on his daily commute."
Second, Apple argues that yes, in fact, forcing it to conscript "six to 10" engineers who would work on this project for weeks or months—which may be multiplied should further orders come in from other prosecutors—does constitute an "undue burden." Unlike in New York Telephone, where the government asked for a pen register—something the telco already did as part of its regular course of business—Apple argues that marshalling these resources would be overly burdensome.
As Erik Neuenschwander, Apple’s manager for user privacy, wrote in a court declaration included as part of the new filing:
Creating the ability to enter passcodes into a device electronically with no software-imposed delays would entail modifying existing code to remove delays as well as writing new code that manages a connection to another device and, using a communications protocol that would also have to be designed, allows the other device to submit test passcodes and receive and process the result of those tests. The means for establishing such connection could include Wi-Fi, Bluetooth, or direct cable connection. Apple will also need to either (1) develop and prepare detailed documentation for the above protocol to enable the FBI to build a brute-force tool that is able to interface with the device to input passcode attempts, or (2) design, develop and prepare documentation for such a tool itself. Further, if the tool is utilized remotely (rather than at a secure Apple facility), Apple will also have to develop procedures to encrypt, validate, and input into the device communications from the FBI.
In its earlier filing the government maintained that this is merely a one-off request, which could be destroyed after the San Bernardino investigation closes. But Apple doesn’t buy it: "This enormously intrusive burden—building everything up and tearing it down for each demand by law enforcement—lacks any support in the cases relied on by the government, nor do such cases exist."
Crucially, the third part of this test relies on the question of "necessity." This part of Apple’s filing explicitly points out that the government has not made use of all of the tools at its disposal, such as employing the resources of other government agencies that may be better equipped at such a task, like the National Security Agency.
As Boutrous continues:
Here, by contrast, the government has failed to demonstrate that the requested order was absolutely necessary to effectuate the search warrant, including that it exhausted all other avenues for recovering information. Indeed, the FBI foreclosed one such avenue when, without consulting Apple or reviewing its public guidance regarding iOS, the government changed the iCloud password associated with an attacker’s account, thereby preventing the phone from initiating an automatic iCloud back-up. See supra II.C. Moreover, the government has not made any showing that it sought or received technical assistance from other federal agencies with expertise in digital forensics, which assistance might obviate the need to conscript Apple to create the back door it now seeks.
If you give a mouse a cookie…
Apple lawyers also note that if the government’s order is allowed to stand, there is nothing stopping federal or local authorities from conscripting the company to do other things besides simply break a digital lock.
Finally, given the government’s boundless interpretation of the All Writs Act, it is hard to conceive of any limits on the orders the government could obtain in the future. For example, if Apple can be forced to write code in this case to bypass security features and create new accessibility, what is to stop the government from demanding that Apple write code to turn on the microphone in aid of government surveillance, activate the video camera, surreptitiously record conversations, or turn on location services to track the phone’s user? Nothing.
"Apple is exactly right to draw attention to the boundless nature of what the government wants," Andrew Crocker, an attorney with the Electronic Frontier Foundation, told Ars. "It can't in one breath claim this is just about one phone but suggest that the All Writs Act places no limits on how much tech companies can be compelled to reengineer their products. You can expect to see these arguments, particularly the constitutional ones, be developed further in the amicus briefs supporting Apple."
Indeed, Rep. Ted Lieu (D-Calif.), a freshman congressman who has been closely following this case, told Ars by phone that prosecutors and the FBI should withdraw the motion to compel, and allow the American people and Congress to decide the outcome.
"This is not just about Apple," he said. "This is about what the government can do to coerce a private citizen or company to take extraordinary actions in support of the government—there is no limit. What's to keep the government from ordering Amazon to write new software that will notify the government when their customers order books that might make them suspicious? It allows the government to turn anyone into an arm of law enforcement, and that is what is at stake here."
Thom Mrozek, a spokesman for the United States District Attorney in Los Angeles, declined further comment. "We will be responding to Apple in court as per the court’s scheduling order," he e-mailed.
The government's reply is due March 10, and Apple will be allowed again to respond by March 15. A federal court hearing has been scheduled for March 22 in Riverside, California to address Apple’s legal challenges, which Ars will attend.
This story is developing.