The government filed a brief yesterday to compel Apple to circumvent its standard security features on the S5 iPhone the government recovered from San Bernadino terrorist Syed Farook. The government argued that the All Writs Act (AWA) authorized the court to require Apple to provide such technical assistance because the AWA has not been limited by Congress
Director of Privacy at the Stanford Center for Internet and Society
The government
filed a brief yesterday to compel Apple to circumvent its standard security features on the S5 iPhone
the government recovered from San Bernadino terrorist Syed Farook. The
government argued that the All Writs Act (AWA)
authorized the court to require Apple to provide such technical assistance
because the AWA has not been limited by Congress and “there is no statute that
specifically addresses the issue of Apple’s assistance.” Motion, p. 22.
The government questioned Apple's motives for refusing to cooperate and
stated that it was not burdensome for Apple to do even if it had to write some
software to do comply.
The case has
generated tremendous interest and there are many legal and policy points to be
made on both sides, but the primary assertion of the government that there is
no statute limiting the AWA is not so. The Communications
Assistance for Law Enforcement Act (CALEA) is exactly that statute.
The government acknowledges that CALEA exists, but it says: “Put simply, CALEA
is entirely inapplicable to the present dispute [because] Apple is not acting
as a telecommunications carrier, and the Order concerns access to stored data
rather than real time interceptions and call-identifying information.” Id.,
at 23.
Put simply,
this is entirely wrong. CALEA is not limited in its applicability to
telecommunications carriers at all as the government has represented to the
court. It applies to manufacturers and providers of telecommunications
support services as well. Apple is a manufacturer of telecommunications
equipment, namely the S5 phone in the government’s possession. Apple is
entitled to the protections and limitations of CALEA just as it must comply
with manufacturer requirements in the statute.
Second, those
protections and limitations in CALEA are important and the government leaves
out of its brief the most important section. Specifically, CALEA limits the
government’s authority to dictate to carriers or manufacturers any specific
equipment design or software configuration, including device security.
Section
1002(b)(1) provides:
(1) Design
of features and systems configurations. This subchapter does not
authorize any law enforcement agency or officer—
- A) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services; or
- B) to prohibit the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.
If CALEA doesn’t
allow the government “to require any specific design of equipment, facilities,
services, features or system configurations” from any manufacturer, then by
definition, CALEA limits by statute what a court can order by fiat or writ
under the AWA. Therefore, the February 16th Order the government procured
from the court cannot circumvent CALEA by relying on the AWA. CALEA is
not just about "interceptions" as the government suggests; it is
about protecting the design and deployment of secure technologies and
forbidding the government from dictating how, among other things, phones are
made.
While arguing
on one hand that CALEA doesn’t apply, the government then says that CALEA's
encryption limitation actually supports it position because Congress required
any telecommunications carrier that provides an encryption service and holds
the decryption keys to decrypt communications if able to do so. Motion, p. 23,
n.9. In other words, CALEA itself contemplates some technical assistance.
Here again the government has it backwards.
Section
1002(b)(3) of CALEA provides:
(2)
Encryption
A
telecommunications carrier shall not be responsible for decrypting, or ensuring
the government’s ability to decrypt, any communication encrypted by a
subscriber or customer, unless the encryption was provided by the carrier and
the carrier possesses the information necessary to decrypt the communication.
CALEA actually
permits the strongest encryption (or any other security feature or
configuration) to be deployed by equipment manufacturers or carriers and it
precludes the government from dictating that such encryption contain a “back
door.” CALEA relieves providers of any obligation to be able to decrypt
anything unless a telecommunications carrier itself provides the encryption service
and holds the keys. In other words, Congress specified the ONLY
assistance that would be required in regard to any encryption-based security
features deployed by a manufacturer or provider and precluded the government
from dictating any other design change or configuration.
The threshold
question here is whether CALEA means what it says and therefore is a limitation
on the AWA. CALEA should preclude the government from requiring Apple to change
a standard security feature in its phones to accommodate government access to
the device. If CALEA is such a limitation on the AWA, then the court will
not need to address the many other difficult constitutional and policy
questions being raising, nor will the court have to examine or define the
limitations of the burden Apple can be required to bear in providing technical
assistance. Those can be left for another day and another phone.
In the end,
the government’s snark in its brief that “Apple has attempted to design
and market its products to allow technology, rather than the law, to control
access to data” is too clever by half because it is the law as Congress wrote
it that permitted Apple to deploy secure phone technology in the first place
and that precludes the government from requiring Apple to undermine it.
About The Author:
Albert Gidari
is the Director of Privacy at the Stanford Center for Internet and Society. He
was a partner for over 20 years at Perkins Coie LLP, achieving a top-ranking in
privacy law by Chambers. He negotiated the first-ever "privacy by
design" consent decree with the Federal Trade Commission on behalf of
Google, which required the establishment of a comprehensive privacy program
including third party compliance audits. Mr. Gidari is a recognized expert on
electronic surveillance law; and, long an advocate for greater transparency in
government demands for user data, he brought the first public lawsuit before
the Foreign Intelligence Surveillance Court, seeking the right of providers to
disclose the volume of national security demands received. Mr. Gidari earned an
LLM from University of Washington School of Law, his law degree from George
Mason University School of Law, and his undergraduate degree from Tulane University.
This article was originally published at Stanford's Center for Internet Society's Blog
under Creative Common License 3.0
under Creative Common License 3.0