This week, the Department of Justice (DOJ) officially withdrew its request for an order that would have forced Apple to create software to help law enforcement bypass the security features of an iPhone linked to one of the San Bernardino shooters. After months of insisting that Apple’s assistance was essential, it turns out the FBI was able to hack into the iPhone on its own once an unidentified entity showed them the way. Courts will probably view future claims that the FBI “needs” to conscript Apple to do its own bidding with a highly skeptical eye – and rightfully so. The case also demonstrates why lawmakers should be skeptical of claims that the government must weaken security by mandating an encryption backdoor. Just as no ship is unsinkable, no device is unbreakable – and the government should not be in the business of making our devices any weaker than they already are.
The end of the Apple/FBI case in California is a win for cybersecurity and privacy – but a temporary one. It’s only a matter of time before another judge considers whether or not the All Writs Act (AWA) can be used to force Apple or another company to weaken the security of their devices in aid of ongoing investigations. In fact, less than a month ago, a New York magistrate judge faced a similar legal question involving an iPhone from a drug trafficking case; his answer was an emphatic “no.”
The DOJ appealed Magistrate Judge James Orenstein’s opinion to the district court, so now all eyes have shifted from the West Coast to the East Coast to see what happens next in this debate. CDT’s in-depth analysis of Judge Orenstein’s fairly complex opinion can be found here. For now, here’s what you need to know about what it says and what it could mean for the potentially hundreds of other cases that will follow it:
The AWA Does Not Permit the Requested Order
The AWA is part of the Judiciary Act of 1789 (enacted over 220 years ago). It enables all federal judges to issue orders (a.k.a. “writs”), at their discretion, if three distinct requirements are satisfied. Judge Orenstein concluded that he could not issue the government’s requested order because it would not be “agreeable to the usages and principles of law,” the statute’s third requirement.
From a legislative history standpoint, Judge Orenstein said that the Communications Assistance for Law Enforcement Act (CALEA) explicitly exempts information service providers like Apple from having to provide the assistance that the government asked for. The government argued that CALEA was irrelevant because it pertains to data “in motion,” whereas the government was asking for Apple’s assistance with retrieving data stored on a device – data “at rest.” Judge Orenstein replied that even if Congress did not regulate data “at rest” through CALEA, it did so elsewhere through other statutes such as the Stored Communications Act – none of which impose an obligation on Apple to provide the type of assistance that the government asked for. Judge Orenstein agreed with Apple’s position that such an omission reflects a legislative choice, given that CALEA is part of a broader legislative scheme that regulates when law enforcement may access electronic data.
Judge Orenstein concluded that the government’s interpretation of the AWA would lead to absurd results.
As a matter of statutory construction, Judge Orenstein concluded that the government’s interpretation of the AWA would lead to absurd results. Put differently, the AWA cannot be used as a way for “the executive branch to achieve a legislative goal that Congress has considered and rejected” but not expressly prohibited. For example, if the President were to send Congress a bill that compelled a certain action, and every member of Congress rejected the bill, under the government’s view of the AWA a court could issue an order compelling that action anyway because Congress did not explicitly prohibit it from doing so. In this case, it would enable courts to ignore the fact that Congress had already debated whether to require companies like Apple to provide the type of assistance the government was requesting, but chose not to do so. Thus, the government’s interpretation of the AWA would confer legislative authority of epic proportions on federal courts – something the drafters of the AWA clearly did not intend to do, given that more than half of the delegates who enacted it were also signatories of the Constitution and its separation of powers mandate.
Even if the AWA DID Permit the Requested Order, the Order Should Not Be Issued
The AWA only states that a court may issue orders that meet the statutory requirements. The Supreme Court in United States v. New York Telephone Co. (1977) laid out additional factors that courts should consider before exercising their discretionary authority. Judge Orenstein concluded that each of the additional factors counseled against issuing the requested order, particularly when he considered the unreasonable burden that the order would impose on Apple.
To begin with, Apple convinced Judge Orenstein that it was in its interest as a company to not provide the assistance that the government had asked for, because doing so would tarnish Apple’s brand as a leader in protecting its customers’ data and thereby be “offensive” to its business of providing secure devices to the public. In addition, Judge Orenstein believed that bypassing the iPhone’s passcode security would divert time and technology from advancing Apple’s normal business operations not only in this case, but also in the countless cases that would assuredly follow.
Judge Orenstein concluded that the government’s order posed a grave threat to Apple’s autonomy.
Importantly, Judge Orenstein concluded that the government’s order posed a grave threat to Apple’s autonomy. The proposed order before Judge Orenstein contained no limiting principle that would constrain the lengths that a court may go to in the future in order to carry out its jurisdiction. Without a limiting principle, there’s no telling what a court could compel Apple to do next – perhaps turn on an iPhone’s microphone to enable law enforcement officials to listen in on nearby conversations or even remotely activate a laptop’s web cam?
Given the time, financial, and moral burdens that the government’s order would impose on Apple, Judge Orenstein concluded that the AWA should not be used to convey such authority.
Prosecutors agreed with Apple’s request to delay this case given the FBI’s then-ongoing attempt to unlock the San Bernardino iPhone without Apple’s assistance. The DOJ committed to informing the court no later than April 11th whether or not it will be moving forward with the case, which may depend on whether the technique used to unlock the San Bernardino iPhone could work on the phone in Brooklyn, as well.
If the case goes forward, Judge Margo Brodie will consider the DOJ’s appeal and decide whether to accept, reject, or modify Judge Orenstein’s opinion. The opinion will be tough to reject, given the fact that it is logically sound, well-organized, and supported by case law and legislative history. However, even if Judge Orenstein’s opinion is struck down in New York, it may influence the hundreds of additional cases that will be brought by federal, state, and local law enforcement in the future. We can only hope that cybersecurity and privacy come out on top when (or if) the dust settles.