PRIVACY | CALEA Limits the All Writs Act and Protects the Security of Apple's Phones


Director of Privacy at the Stanford Center for Internet and Society


The government filed a brief yesterday to compel Apple to circumvent its standard security features on the S5 iPhone the government recovered from San Bernardino terrorist Syed Farook.  The government argued that the All Writs Act (AWA) authorized the court to require Apple to provide such technical assistance because the AWA has not been limited by Congress and “there is no statute that specifically addresses the issue of Apple’s assistance.”  Motion, p. 22.  The government questioned Apple's motives for refusing to cooperate and stated that it was not burdensome for Apple to comply, even if it had to write some software to do so.

The case has generated tremendous interest and there are many legal and policy points to be made on both sides, but the primary assertion of the government that there is no statute limiting the AWA is not so.  The Communications Assistance for Law Enforcement Act (CALEA) is exactly that statute. The government acknowledges that CALEA exists, but it says: “Put simply, CALEA is entirely inapplicable to the present dispute [because] Apple is not acting as a telecommunications carrier, and the Order concerns access to stored data rather than real time interceptions and call-identifying information.”  Id., at 23.

Put simply, this is entirely wrong.  CALEA is not limited in its applicability to telecommunications carriers at all as the government has represented to the court.  It applies to manufacturers and providers of telecommunications support services as well.  Apple is a manufacturer of telecommunications equipment, namely the S5 phone in the government’s possession.  Apple is entitled to the protections and limitations of CALEA just as it must comply with manufacturer requirements in the statute.

Second, those protections and limitations in CALEA are important and the government leaves out of its brief the most important section. Specifically, CALEA limits the government’s authority to dictate to carriers or manufacturers any specific equipment design or software configuration, including device security.

Section 1002(b)(1) provides:

(1) Design of features and systems configurations. This subchapter does not authorize any law enforcement agency or officer—

  • (A) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services; or
  • (B) to prohibit the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.

If CALEA doesn’t allow the government “to require any specific design of equipment, facilities, services, features or system configurations” from any manufacturer, then by definition, CALEA limits by statute what a court can order by fiat or writ under the AWA.  Therefore, the February 16th Order the government procured from the court cannot circumvent CALEA by relying on the AWA.  CALEA is not just about "interceptions" as the government suggests; it is about protecting the design and deployment of secure technologies and forbidding the government from dictating how, among other things, phones are made.

While arguing on one hand that CALEA doesn’t apply, the government then says that CALEA's encryption limitation actually supports its position because Congress required any telecommunications carrier that provides an encryption service and holds the decryption keys to decrypt communications if able to do so. Motion, p. 23, n.9.  In other words, CALEA itself contemplates some technical assistance. Here again the government has it backwards.

Section 1002(b)(3) of CALEA provides:

(2)  Encryption

A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

CALEA actually permits the strongest encryption (or any other security feature or configuration) to be deployed by equipment manufacturers or carriers and it precludes the government from dictating that such encryption contain a “back door.”  CALEA relieves providers of any obligation to be able to decrypt anything unless a telecommunications carrier itself provides the encryption service and holds the keys.  In other words, Congress specified the ONLY assistance that would be required in regard to any encryption-based security features deployed by a manufacturer or provider and precluded the government from dictating any other design change or configuration.

The threshold question here is whether CALEA means what it says and therefore is a limitation on the AWA. CALEA should preclude the government from requiring Apple to change a standard security feature in its phones to accommodate government access to the device.  If CALEA is such a limitation on the AWA, then the court will not need to address the many other difficult constitutional and policy questions being raised, nor will the court have to examine or define the limitations of the burden Apple can be required to bear in providing technical assistance.  Those can be left for another day and another phone.

In the end, the government’s snark in its brief that “Apple has attempted to design and market its products to allow technology, rather than the law, to control access to data” is too clever by half because it is the law as Congress wrote it that permitted Apple to deploy secure phone technology in the first place and that precludes the government from requiring Apple to undermine it.

About The Author:

Albert Gidari is the Director of Privacy at the Stanford Center for Internet and Society. He was a partner for over 20 years at Perkins Coie LLP, achieving a top-ranking in privacy law by Chambers. He negotiated the first-ever "privacy by design" consent decree with the Federal Trade Commission on behalf of Google, which required the establishment of a comprehensive privacy program including third party compliance audits. Mr. Gidari is a recognized expert on electronic surveillance law; and, long an advocate for greater transparency in government demands for user data, he brought the first public lawsuit before the Foreign Intelligence Surveillance Court, seeking the right of providers to disclose the volume of national security demands received. Mr. Gidari earned an LLM from University of Washington School of Law, his law degree from George Mason University School of Law, and his undergraduate degree from Tulane University.
