Apple managed to keep its cool on Tuesday when replying to the government’s last, rather incendiary, briefing. In its reply to Judge Pym, Apple laid out its legal arguments for refusing to comply with the FBI’s request for assistance in breaking into the iPhone 5c of San Bernardino shooter Syed Rizwan Farook.
Apple also vigorously defended itself against the government’s claims that the company made iOS more secure in a deliberate attempt to thwart law enforcement, or as a marketing decision, even submitting supplemental declarations from Craig Federighi and a senior director of worldwide advertising. It’ll be interesting to see what issues are emphasized at the hearing, because right now it doesn’t seem like Apple and the Department of Justice see eye to eye on, well, pretty much anything.
Here’s a summary of Apple’s brief, which will be its last word before the first hearing, scheduled for March 22 at 1pm PST.
The All Writs Act is inappropriate
The court’s order for Apple to create a new version of iOS that would be easier for the FBI to crack was issued under the All Writs Act, a law first passed in the late 18th century. This act allows courts to issue warrants that aren’t authorized by more specific laws. But in this case, Apple argues, there is a more specific law called CALEA that can’t be stretched to fit the government’s request. Apple also argues that Congress had a chance to pass even more specific legislation, but declined to act.
Basically, Apple says the government is trying to use the All Writs Act to authorize anything the government wants that isn’t aleady on the books as being illegal.
The government attempts to rewrite history by portraying the [All Writs] Act as an all-powerful magic wand rather than the limited procedural tool that it is.… According to the government, short of kidnapping or breaking an express law, the courts can order private parties to do virtually anything the Justice Department and FBI can dream up. The Founders would be appalled.
Nobody but the FBI thinks this is a good idea
While Apple’s brief focuses on the law, it doesn’t ignore the broader context of the encryption debate. This is bigger than the FBI and Apple disagreeing about if and how to break into Farook’s iPhone, in other words, and even top officials that used to work for the government can see the risk.
“Indeed, the Justice Department and FBI are asking this Court to adopt their position even though numerous current and former national security and intelligence officials flatly disagree with them,” reads Apple’s filing. It goes on to quote several from the community, including former NSA and CIA Director Michael Hayden, who said, “America is more secure—America is more safe—with unbreakable end-to-end encryption.”
The filing also points out that if Apple is forced to weaken its own encryption, real criminals will just seek out other encryption tools. It quotes FBI Director James Comey, who said at a recent Congressional hearing, “Encryption will always be available to bad actors.” At the same hearing, the filing notes, Professor Susan Landau agreed that the order “would weaken us but not change [the availability of strong encryption] for the bad guys.”
Apple also rejects the government’s insistence that this GovtOS could be made, tested, used once, and destroyed without ever getting out. The filing quotes cybersecurity experts both in and out of the government as saying that simply isn’t true, that hackers are always looking to exploit these kinds of weaknesses. One footnote even cites the Mac ransomware attack from just last week, in which malicous software was even cryptographically signed to trick Macs into thinking it was legit.
There’s no limiting principle
Good laws come with limits. In its earlier motion to dismiss the court order, Apple complained that the All Writs Act, since it’s designed to fill in the gaps between statutes, doesn’t have that limiting principle. So if the government is allowed to use the All Writs Act to compel Apple to write a new, crackable version of iOS, this could be precedent for even more alarming scenarios. A drug company be compelled to make lethal injection drugs against its wishes, for example, or Apple could be compelled to make a version of iOS that would allow the government to track a single phone’s location or use it to eavesdrop. If the All Writs Act really is a magic wand, let’s see what it can do, right?
In this new filing, Apple notes that in the DOJ’s last brief, it didn’t touch Apple’s hypotheticals with a 10-foot legal pole. “Indeed, it is telling that the government fails even to confront the hypotheticals posed to it (e.g. compelling a pharmaceutical company to manufacture lethal injection drugs), or explain how there is any conceivable daylight between GovtOS today, and LocationTrackingOS or EavesdropOS tomorrow.”
(In fact, that isn’t purely hypothetical—one of Apple’s footnotes cites a Texas case in which courts wouldn’t allow the government to hack a vehicle’s OnStar system to take photos and report its location. “The government is adept at devising new surveillance techniques,” Apple notes dryly, with so leave us out of it, please left unsaid.)
The All Writs Act can’t circumvent CALEA
CALEA, or the Communication Assistance for Law Enforcement Act, was passed in 1994 to require telecom carriers to assist the government with some wiretapping and surveillance. Since then, it’s been expanded to cover Internet and VoIP traffic as well. Apple’s brief reads:
CALEA defines the circumstances under which private companies must create systems to assist law enforcement in its investigatory efforts, as well as the circumstances where such providers are not and cannot be required to build programs and systems to enable law enforcement access.
In other words, CALEA has limiting principles. That’s good since those limits came from Congress, and they give the lawyers a framework for their arguments.
CALEA has specific language about encryption: Telecom carriers “shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communications encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.” Apple says that Farook chose to encrypt the phone by setting a passcode, and that Apple doesn’t possess the information necesary to decrypt it—that’s what the government is asking for.
To put a finer point on it, since the phone in question was provided by his employer, it’s very likely that his employer required him to use a passcode—which his employer could have easily reset at any time by using even the most basic of multi-device managment practices.
And to put an even finer point on it, while Apple is a “communications company” under CALEA, it is not legally considered a “telecommunications carrier,” and so the language about carriers not being responsible for decrypting doesn’t apply to Apple. So, the filing argues, “If companies subject to CALEA’s obligations cannot be required to bear this burden, Congress surely did not intend to allow parties specifically exempted by CALEA (such as Apple) to be subjected to it.”
In fact, when CALEA was passed, this very question came up in the debate. From Apple’s filing:
During congressional hearings on CALEA, then-FBI director Louis Freeh assured Senator Leahy that CALEA would not impede the growth of new technologies. When Senator Leahy asked whether CALEA would inhibit the growth of encryption, he responded, “this legislation does not ask [companies] to decrypt. It just tells them to give us the bits as they have them. If they are [en]crypted, that is my problem.”
Now Judge Pym has some time to read and consider all of these filings before the scheduled March 22 hearing in Riverside, California. We’ll be keeping a close eye on this, but we want to know what you think. Has Apple made a compelling case to dismiss the order? Let us know in the comments.